Azure · AlexanderSehr · Aug 14, 2023 · Aug 14, 2023 · Aug 14, 2023 · Aug 15, 2023
@@ -7,6 +7,9 @@ param virtualNetworkName string
 @description('Required. The name of the Managed Identity to create.')
 param managedIdentityName string
 
+@description('Required. The name of the Key Vault to create.')
+param keyVaultName string
+
 var addressPrefix = '10.0.0.0/16'
 
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
@@ -42,6 +45,42 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-
     location: location
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+    name: keyVaultName
+    location: location
+    properties: {
+        sku: {
+            family: 'A'
+            name: 'standard'
+        }
+        tenantId: tenant().tenantId
+        enablePurgeProtection: true // Required by batch account
+        softDeleteRetentionInDays: 7
+        enabledForTemplateDeployment: true
+        enabledForDiskEncryption: true
+        enabledForDeployment: true
+        enableRbacAuthorization: true
+        accessPolicies: []
+    }
+
+    resource key 'keys@2022-07-01' = {
+        name: 'keyEncryptionKey'
+        properties: {
+            kty: 'RSA'
+        }
+    }
+}
+
+resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+    name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment')
+    scope: keyVault::key
+    properties: {
+        principalId: managedIdentity.properties.principalId
+        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User
+        principalType: 'ServicePrincipal'
+    }
+}
+
 @description('The resource ID of the created Virtual Network Subnet.')
 output subnetResourceId string = virtualNetwork.properties.subnets[0].id
 
@@ -50,3 +89,9 @@ output managedIdentityPrincipalId string = managedIdentity.properties.principalI
 
 @description('The resource ID of the created Managed Identity.')
 output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Key Vault.')
+output keyVaultResourceId string = keyVault.id
+
+@description('The name of the created Key Vault encryption key.')
+output keyVaultKeyName string = keyVault::key.name
@@ -12,7 +12,10 @@ param resourceGroupName string = 'ms.netapp.netappaccounts-${serviceShort}-rg'
 param location string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nanaanfs41'
+param serviceShort string = 'naanfs41'
+
+@description('Generated. Used as a basis for unique resource names.')
+param baseTime string = utcNow('u')
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
@@ -37,6 +40,8 @@ module nestedDependencies 'dependencies.bicep' = {
   params: {
     virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
     managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+    // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
+    keyVaultName: 'dep${namePrefix}kv${serviceShort}${substring(uniqueString(baseTime), 0, 3)}'
   }
 }
 
@@ -148,5 +153,8 @@ module testDeployment '../../main.bicep' = {
     userAssignedIdentities: {
       '${nestedDependencies.outputs.managedIdentityResourceId}': {}
     }
+    cMKKeyName: nestedDependencies.outputs.keyVaultKeyName
+    cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
+    cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId
   }
 }
@@ -16,9 +16,9 @@ This module deploys an Azure NetApp File.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.NetApp/netAppAccounts` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts) |
-| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) |
-| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) |
+| `Microsoft.NetApp/netAppAccounts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts) |
+| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) |
+| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) |
 
 ## Parameters
 
@@ -28,11 +28,19 @@ This module deploys an Azure NetApp File.
 | :-- | :-- | :-- |
 | `name` | string | The name of the NetApp account. |
 
+**Conditional parameters**
+
+| Parameter Name | Type | Default Value | Description |
+| :-- | :-- | :-- | :-- |
+| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. |
+| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. |
+
 **Optional parameters**
 
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
 | `capacityPools` | array | `[]` |  | Capacity pools to create. |
+| `cMKKeyName` | string | `''` |  | The name of the customer managed key to use for encryption. |
 | `dnsServers` | string | `''` |  | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. |
 | `domainJoinOU` | string | `''` |  | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). |
 | `domainJoinPassword` | securestring | `''` |  | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. |
@@ -478,14 +486,14 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
 
 ```bicep
 module netAppAccount './net-app/net-app-account/main.bicep' = {
-  name: '${uniqueString(deployment().name, location)}-test-nanaanfs41'
+  name: '${uniqueString(deployment().name, location)}-test-naanfs41'
   params: {
     // Required parameters
-    name: 'nanaanfs41001'
+    name: 'naanfs41001'
     // Non-required parameters
     capacityPools: [
       {
-        name: 'nanaanfs41-cp-001'
+        name: 'naanfs41-cp-001'
         roleAssignments: [
           {
             principalIds: [
@@ -509,7 +517,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
                 unixReadWrite: true
               }
             ]
-            name: 'nanaanfs41-vol-001'
+            name: 'naanfs41-vol-001'
             protocolTypes: [
               'NFSv4.1'
             ]
@@ -536,7 +544,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
                 unixReadWrite: true
               }
             ]
-            name: 'nanaanfs41-vol-002'
+            name: 'naanfs41-vol-002'
             protocolTypes: [
               'NFSv4.1'
             ]
@@ -546,7 +554,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
         ]
       }
       {
-        name: 'nanaanfs41-cp-002'
+        name: 'naanfs41-cp-002'
         roleAssignments: [
           {
             principalIds: [
@@ -561,6 +569,9 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
         volumes: []
       }
     ]
+    cMKKeyName: '<cMKKeyName>'
+    cMKKeyVaultResourceId: '<cMKKeyVaultResourceId>'
+    cMKUserAssignedIdentityResourceId: '<cMKUserAssignedIdentityResourceId>'
     enableDefaultTelemetry: '<enableDefaultTelemetry>'
     roleAssignments: [
       {
@@ -600,13 +611,13 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
   "parameters": {
     // Required parameters
     "name": {
-      "value": "nanaanfs41001"
+      "value": "naanfs41001"
     },
     // Non-required parameters
     "capacityPools": {
       "value": [
         {
-          "name": "nanaanfs41-cp-001",
+          "name": "naanfs41-cp-001",
           "roleAssignments": [
             {
               "principalIds": [
@@ -630,7 +641,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
                   "unixReadWrite": true
                 }
               ],
-              "name": "nanaanfs41-vol-001",
+              "name": "naanfs41-vol-001",
               "protocolTypes": [
                 "NFSv4.1"
               ],
@@ -657,7 +668,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
                   "unixReadWrite": true
                 }
               ],
-              "name": "nanaanfs41-vol-002",
+              "name": "naanfs41-vol-002",
               "protocolTypes": [
                 "NFSv4.1"
               ],
@@ -667,7 +678,7 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
           ]
         },
         {
-          "name": "nanaanfs41-cp-002",
+          "name": "naanfs41-cp-002",
           "roleAssignments": [
             {
               "principalIds": [
@@ -683,6 +694,15 @@ module netAppAccount './net-app/net-app-account/main.bicep' = {
         }
       ]
     },
+    "cMKKeyName": {
+      "value": "<cMKKeyName>"
+    },
+    "cMKKeyVaultResourceId": {
+      "value": "<cMKKeyVaultResourceId>"
+    },
+    "cMKUserAssignedIdentityResourceId": {
+      "value": "<cMKUserAssignedIdentityResourceId>"
+    },
     "enableDefaultTelemetry": {
       "value": "<enableDefaultTelemetry>"
     },

diff --git a/modules/net-app/net-app-account/capacity-pool/README.md b/modules/net-app/net-app-account/capacity-pool/README.md
@@ -14,8 +14,8 @@ This module deploys an Azure NetApp Files Capacity Pool.
 | Resource Type | API Version |
 | :-- | :-- |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) |
-| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) |
+| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) |
+| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) |
 
 ## Parameters
 
@@ -38,6 +38,7 @@ This module deploys an Azure NetApp Files Capacity Pool.
 | :-- | :-- | :-- | :-- | :-- |
 | `coolAccess` | bool | `False` |  | If enabled (true) the pool can contain cool Access enabled volumes. |
 | `enableDefaultTelemetry` | bool | `True` |  | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `encryptionType` | string | `'Single'` | `[Double, Single]` | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. |
 | `location` | string | `[resourceGroup().location]` |  | Location of the pool volume. |
 | `qosType` | string | `'Auto'` | `[Auto, Manual]` | The qos type of the pool. |
 | `roleAssignments` | array | `[]` |  | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |

diff --git a/modules/net-app/net-app-account/capacity-pool/main.bicep b/modules/net-app/net-app-account/capacity-pool/main.bicep
@@ -42,6 +42,13 @@ param coolAccess bool = false
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
 
+@description('Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool.')
+@allowed([
+  'Double'
+  'Single'
+])
+param encryptionType string = 'Single'
+
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
@@ -59,11 +66,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-09-01' existing = {
+resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' existing = {
   name: netAppAccountName
 }
 
-resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-09-01' = {
+resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-11-01' = {
   name: name
   parent: netAppAccount
   location: location
@@ -73,6 +80,7 @@ resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-09-01'
     size: size
     qosType: qosType
     coolAccess: coolAccess
+    encryptionType: encryptionType
   }
 }