[Modules] Added CMK to Net-App module & updated API version #3577

45 changes: 45 additions & 0 deletions modules/net-app/net-app-account/.test/nfs41/dependencies.bicep
Expand Up @@ -7,6 +7,9 @@ param virtualNetworkName string
@description('Required. The name of the Managed Identity to create.')
param managedIdentityName string

@description('Required. The name of the Key Vault to create.')
param keyVaultName string

var addressPrefix = '10.0.0.0/16'

resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
Expand Down Expand Up @@ -42,6 +45,42 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
location: location
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
name: keyVaultName
location: location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenant().tenantId
enablePurgeProtection: true // Required by batch account
softDeleteRetentionInDays: 7
enabledForTemplateDeployment: true
enabledForDiskEncryption: true
enabledForDeployment: true
enableRbacAuthorization: true
accessPolicies: []
}

resource key 'keys@2022-07-01' = {
name: 'keyEncryptionKey'
properties: {
kty: 'RSA'
}
}
}

resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment')
scope: keyVault::key
properties: {
principalId: managedIdentity.properties.principalId
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
principalType: 'ServicePrincipal'
}
}

@description('The resource ID of the created Virtual Network Subnet.')
output subnetResourceId string = virtualNetwork.properties.subnets[0].id

Expand All @@ -50,3 +89,9 @@ output managedIdentityPrincipalId string = managedIdentity.properties.principalI

@description('The resource ID of the created Managed Identity.')
output managedIdentityResourceId string = managedIdentity.id

@description('The resource ID of the created Key Vault.')
output keyVaultResourceId string = keyVault.id

@description('The name of the created Key Vault encryption key.')
output keyVaultKeyName string = keyVault::key.name
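Review bot: The comment on `enablePurgeProtection: true` reads `// Required by batch account`, which looks copied from another module's test fixture; this vault backs the NetApp account's customer-managed key, so it should read `// Required for customer-managed key usage`. The three `enabledFor*` flags (template deployment, disk encryption, VM deployment) are not needed for a vault that only holds an encryption key and widen what the test vault can be used for; dropping them keeps the fixture at least privilege. The `keyEncryptionKey` key sets `kty: 'RSA'` with no `keySize` and no rotation or expiry policy, so it inherits whatever the service default is — presumably acceptable for a test, but worth stating explicitly in a comment. The `Key Vault Crypto User` assignment is correctly scoped to the key rather than the vault; if the service only needs wrap/unwrap, the narrower `Key Vault Crypto Service Encryption User` role may suffice — confirm against the NetApp CMK documentation before changing it.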
10 changes: 9 additions & 1 deletion modules/net-app/net-app-account/.test/nfs41/main.test.bicep
Expand Up @@ -12,7 +12,10 @@ param resourceGroupName string = 'ms.netapp.netappaccounts-${serviceShort}-rg'
param location string = deployment().location

@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
param serviceShort string = 'nanaanfs41'
param serviceShort string = 'naanfs41'

@description('Generated. Used as a basis for unique resource names.')
param baseTime string = utcNow('u')

@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
param enableDefaultTelemetry bool = true
Expand All @@ -37,6 +40,8 @@ module nestedDependencies 'dependencies.bicep' = {
params: {
virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
// Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
keyVaultName: 'dep${namePrefix}kv${serviceShort}${substring(uniqueString(baseTime), 0, 3)}'
}
}

Expand Down Expand Up @@ -148,5 +153,8 @@ module testDeployment '../../main.bicep' = {
userAssignedIdentities: {
'${nestedDependencies.outputs.managedIdentityResourceId}': {}
}
cMKKeyName: nestedDependencies.outputs.keyVaultKeyName
cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
}
}
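Review bot: `keyVaultName` is suffixed with `substring(uniqueString(baseTime), 0, 3)`, so every test run creates a new purge-protected vault that cannot be purged and lingers in soft-delete for `softDeleteRetentionInDays`; with only three characters of entropy a collision with one of those soft-deleted names would presumably fail the deployment rather than reuse it. Nothing enforces the 24-character limit the comment mentions — `dep` + `kv` + `naanfs41` + three suffix characters already uses 16, so it only holds if `namePrefix` (declared outside this hunk) is at most 8 characters; a comment such as `// 24-char vault name limit: namePrefix must be <= 8 chars` would make that bound visible. It is also worth documenting that whatever cleans up this test's resource group must account for the soft-deleted, purge-protected vaults left behind. The `testDeployment` module begins outside the hunk.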
42 changes: 31 additions & 11 deletions modules/net-app/net-app-account/README.md
Expand Up @@ -28,11 +28,19 @@ This module deploys an Azure NetApp File.
| :-- | :-- | :-- |
| `name` | string | The name of the NetApp account. |

**Conditional parameters**

| Parameter Name | Type | Default Value | Description |
| :-- | :-- | :-- | :-- |
| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |

**Optional parameters**

| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `capacityPools` | array | `[]` | | Capacity pools to create. |
| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. |
| `dnsServers` | string | `''` | | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. |
| `domainJoinOU` | string | `''` | | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). |
| `domainJoinPassword` | securestring | `''` | | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. |
Expand Down Expand Up @@ -478,14 +486,14 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {

```bicep
module netAppAccount './net-app/net-app-account/main.bicep' = {
name: '${uniqueString(deployment().name, location)}-test-nanaanfs41'
name: '${uniqueString(deployment().name, location)}-test-naanfs41'
params: {
// Required parameters
name: 'nanaanfs41001'
name: 'naanfs41001'
// Non-required parameters
capacityPools: [
{
name: 'nanaanfs41-cp-001'
name: 'naanfs41-cp-001'
roleAssignments: [
{
principalIds: [
Expand All @@ -509,7 +517,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
unixReadWrite: true
}
]
name: 'nanaanfs41-vol-001'
name: 'naanfs41-vol-001'
protocolTypes: [
'NFSv4.1'
]
Expand All @@ -536,7 +544,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
unixReadWrite: true
}
]
name: 'nanaanfs41-vol-002'
name: 'naanfs41-vol-002'
protocolTypes: [
'NFSv4.1'
]
Expand All @@ -546,7 +554,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
]
}
{
name: 'nanaanfs41-cp-002'
name: 'naanfs41-cp-002'
roleAssignments: [
{
principalIds: [
Expand All @@ -561,6 +569,9 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
volumes: []
}
]
cMKKeyName: '<cMKKeyName>'
cMKKeyVaultResourceId: '<cMKKeyVaultResourceId>'
cMKUserAssignedIdentityResourceId: '<cMKUserAssignedIdentityResourceId>'
enableDefaultTelemetry: '<enableDefaultTelemetry>'
roleAssignments: [
{
Expand Down Expand Up @@ -600,13 +611,13 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
"parameters": {
// Required parameters
"name": {
"value": "nanaanfs41001"
"value": "naanfs41001"
},
// Non-required parameters
"capacityPools": {
"value": [
{
"name": "nanaanfs41-cp-001",
"name": "naanfs41-cp-001",
"roleAssignments": [
{
"principalIds": [
Expand All @@ -630,7 +641,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
"unixReadWrite": true
}
],
"name": "nanaanfs41-vol-001",
"name": "naanfs41-vol-001",
"protocolTypes": [
"NFSv4.1"
],
Expand All @@ -657,7 +668,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
"unixReadWrite": true
}
],
"name": "nanaanfs41-vol-002",
"name": "naanfs41-vol-002",
"protocolTypes": [
"NFSv4.1"
],
Expand All @@ -667,7 +678,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
]
},
{
"name": "nanaanfs41-cp-002",
"name": "naanfs41-cp-002",
"roleAssignments": [
{
"principalIds": [
Expand All @@ -683,6 +694,15 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
}
]
},
"cMKKeyName": {
"value": "<cMKKeyName>"
},
"cMKKeyVaultResourceId": {
"value": "<cMKKeyVaultResourceId>"
},
"cMKUserAssignedIdentityResourceId": {
"value": "<cMKUserAssignedIdentityResourceId>"
},
"enableDefaultTelemetry": {
"value": "<enableDefaultTelemetry>"
},
27 changes: 27 additions & 0 deletions modules/net-app/net-app-account/main.bicep
Expand Up @@ -47,6 +47,15 @@ param lock string = ''
@description('Optional. Tags for all resources.')
param tags object = {}

@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.')
param cMKKeyVaultResourceId string = ''

@description('Optional. The name of the customer managed key to use for encryption.')
param cMKKeyName string = ''

@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.')
param cMKUserAssignedIdentityResourceId string = ''

@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
param enableDefaultTelemetry bool = true

Expand All @@ -70,6 +79,11 @@ var identity = identityType != 'None' ? {
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
} : null

resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
name: last(split(cMKKeyVaultResourceId, '/'))!
scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
}

resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
properties: {
Expand All @@ -89,6 +103,19 @@ resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' = {
location: location
properties: {
activeDirectories: !empty(domainName) ? activeDirectoryConnectionProperties : null
encryption: !empty(cMKKeyName) ? {
identity: !empty(cMKUserAssignedIdentityResourceId) ? {
userAssignedIdentity: cMKUserAssignedIdentityResourceId
} : null
keySource: 'Microsoft.KeyVault'
keyVaultProperties: {
keyName: cMKKeyName
keyVaultResourceId: cMKKeyVault.id
keyVaultUri: cMKKeyVault.properties.vaultUri
}
} : {
keySource: 'Microsoft.NetApp'
}
}
}

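Review bot: `encryption.identity` is only populated when `cMKUserAssignedIdentityResourceId` is non-empty, but nothing documents or checks that this identity is also included in the account's `userAssignedIdentities` (which `var identity` consumes above); the test only works because it passes the same MSI to both, and an account without that identity would presumably have no principal able to reach the vault. Suggest extending the parameter description: `@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty. The same identity must also be listed in \'userAssignedIdentities\'.')`. Separately, the `existing` vault reference uses `Microsoft.KeyVault/vaults@2021-10-01` while the test fixture deploys the vault with `2022-07-01`; aligning on one version avoids the API-version check tripping later. `keyVaultProperties.keyName` carries no key version, so rotation behaviour depends on how the NetApp service treats a versionless reference — confirm and state it in the `cMKKeyName` description. The `netAppAccount` resource starts outside the hunk.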
26 changes: 24 additions & 2 deletions modules/net-app/net-app-account/main.json
Expand Up @@ -107,6 +107,27 @@
"description": "Optional. Tags for all resources."
}
},
"cMKKeyVaultResourceId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty."
}
},
"cMKKeyName": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Optional. The name of the customer managed key to use for encryption."
}
},
"cMKUserAssignedIdentityResourceId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty."
}
},
"enableDefaultTelemetry": {
"type": "bool",
"defaultValue": true,
Expand Down Expand Up @@ -153,7 +174,8 @@
"identity": "[variables('identity')]",
"location": "[parameters('location')]",
"properties": {
"activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]"
"activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]",
"encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('keyName', parameters('cMKKeyName'), 'keyVaultResourceId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-10-01').vaultUri)), createObject('keySource', 'Microsoft.NetApp'))]"
}
},
{
Expand Down Expand Up @@ -1072,4 +1094,4 @@
"value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), '2022-11-01', 'full').location]"
}
}
}
}
2 changes: 1 addition & 1 deletion utilities/pipelines/staticValidation/module.tests.ps1
Expand Up @@ -1643,7 +1643,7 @@ Describe 'API version tests' -Tag 'ApiCheck' {

$approvedApiVersions = @()
if ($AllowPreviewVersionsInAPITests) {
# We allow the latest 5 including previews (in case somebody wants to use preview), or the latest 3 non-preview
# We allow the latest 5 including previews (in case somebody wants to use preview), or the latest 5 non-preview
$approvedApiVersions += $resourceTypeApiVersions | Select-Object -Last 5
$approvedApiVersions += $resourceTypeApiVersions | Where-Object { $_ -notlike '*-preview' } | Select-Object -Last 5
} else {