From 04d79359e8572486438fee915fe126d86f1b08e6 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Fri, 4 Aug 2023 10:59:32 +0200
Subject: [PATCH] Added PE draft
---
...in.test.bicep => disabled-main.test.bicep} | 0
...in.test.bicep => disabled-main.test.bicep} | 0
...in.test.bicep => disabled-main.test.bicep} | 0
.../.test/sqldb/dependencies.bicep | 47 +++++++++++++++++++
.../.test/sqldb/main.test.bicep | 16 +++++++
.../document-db/database-accounts/main.bicep | 26 ++++++++++
6 files changed, 89 insertions(+)
rename modules/document-db/database-accounts/.test/gremlindb/{main.test.bicep => disabled-main.test.bicep} (100%)
rename modules/document-db/database-accounts/.test/mongodb/{main.test.bicep => disabled-main.test.bicep} (100%)
rename modules/document-db/database-accounts/.test/plain/{main.test.bicep => disabled-main.test.bicep} (100%)
diff --git a/modules/document-db/database-accounts/.test/gremlindb/main.test.bicep b/modules/document-db/database-accounts/.test/gremlindb/disabled-main.test.bicep
similarity index 100%
rename from modules/document-db/database-accounts/.test/gremlindb/main.test.bicep
rename to modules/document-db/database-accounts/.test/gremlindb/disabled-main.test.bicep
diff --git a/modules/document-db/database-accounts/.test/mongodb/main.test.bicep b/modules/document-db/database-accounts/.test/mongodb/disabled-main.test.bicep
similarity index 100%
rename from modules/document-db/database-accounts/.test/mongodb/main.test.bicep
rename to modules/document-db/database-accounts/.test/mongodb/disabled-main.test.bicep
diff --git a/modules/document-db/database-accounts/.test/plain/main.test.bicep b/modules/document-db/database-accounts/.test/plain/disabled-main.test.bicep
similarity index 100%
rename from modules/document-db/database-accounts/.test/plain/main.test.bicep
rename to modules/document-db/database-accounts/.test/plain/disabled-main.test.bicep
diff --git a/modules/document-db/database-accounts/.test/sqldb/dependencies.bicep b/modules/document-db/database-accounts/.test/sqldb/dependencies.bicep
index b20bc53e8f..520130acf4 100644
--- a/modules/document-db/database-accounts/.test/sqldb/dependencies.bicep
+++ b/modules/document-db/database-accounts/.test/sqldb/dependencies.bicep
@@ -4,13 +4,60 @@ param location string = resourceGroup().location @description('Required. The name of the Managed Identity to create.') param managedIdentityName string +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { name: managedIdentityName location: location } +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: addressPrefix + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.documents.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId @description('The resource ID of the created Managed Identity.') output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSResourceId string = privateDNSZone.id diff --git a/modules/document-db/database-accounts/.test/sqldb/main.test.bicep b/modules/document-db/database-accounts/.test/sqldb/main.test.bicep index 25cf7a06de..711dfcf861 100644 --- a/modules/document-db/database-accounts/.test/sqldb/main.test.bicep 
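Review bot: The private DNS zone is hard-coded to `privatelink.documents.azure.com`, which is the zone for the `Sql` group that the sqldb test pairs it with; the mongodb and gremlindb tests renamed to `disabled-` in this same patch would need a different zone if they are re-enabled with private endpoints, and nothing in the dependencies file records that coupling. A comment on the zone resource would make it visible: `// Zone for the 'Sql' private endpoint group; other Cosmos DB APIs use their own privatelink zones`. The `defaultSubnet` also sets no `privateEndpointNetworkPolicies`; whether the private endpoint can be placed there depends on the default of the 2022-01-01 API version, so either confirm the test deploys as-is or set `privateEndpointNetworkPolicies: 'Disabled'` explicitly so the intent is not left to an API default.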
+++ b/modules/document-db/database-accounts/.test/sqldb/main.test.bicep @@ -36,6 +36,7 @@ module nestedDependencies 'dependencies.bicep' = { name: '${uniqueString(deployment().name, location)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' } } @@ -81,6 +82,21 @@ module testDeployment '../../main.bicep' = { diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName diagnosticLogsRetentionInDays: 7 location: location + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDNSResourceIds: [ + nestedDependencies.outputs.privateDNSResourceId + ] + } + service: 'Sql' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] roleAssignments: [ { roleDefinitionIdOrName: 'Reader' diff --git a/modules/document-db/database-accounts/main.bicep b/modules/document-db/database-accounts/main.bicep index e78aa959a9..01115a9e6c 100644 --- a/modules/document-db/database-accounts/main.bicep +++ b/modules/document-db/database-accounts/main.bicep @@ -173,6 +173,9 @@ param backupRetentionIntervalInHours int = 8 @description('Optional. Enum to indicate type of backup residency. Only applies to periodic backup type.') param backupStorageRedundancy string = 'Local' +@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') +param privateEndpoints array = [] + var diagnosticsLogsSpecified = [for category in filter(diagnosticLogCategoriesToEnable, item => item != 'allLogs' && item != ''): { category: category enabled: true 
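Review bot: The new `privateEndpoints` description in main.bicep says private endpoints are recommended for security, but a private endpoint on its own does not restrict access to the account's public endpoint; unless the module disables public network access elsewhere (not visible in this hunk), a reader may assume this parameter alone makes the account private. Suggest extending the description: `@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Note: a private endpoint does not by itself disable public network access to the account.')`. The array is untyped, and the module loop later in this patch reads `service` and `subnetResourceId` from every item unconditionally while treating the other keys as optional; naming those two required keys in the description would document the contract that is currently only in code.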
@@ -365,6 +368,29 @@ module databaseAccount_gremlinDatabases 'gremlin-databases/main.bicep' = [for gr } }] +module databaseAccount_privateEndpoints '../../network/private-endpoints/main.bicep' = [for (privateEndpoint, index) in privateEndpoints: { + name: '${uniqueString(deployment().name, location)}-CosmosDB-PrivateEndpoint-${index}' + params: { + groupIds: [ + privateEndpoint.service + ] + name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(databaseAccount.id, '/'))}-${privateEndpoint.service}-${index}' + serviceResourceId: databaseAccount.id + subnetResourceId: privateEndpoint.subnetResourceId + enableDefaultTelemetry: enableReferencedModulesTelemetry + location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location + lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock + privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {} + roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : [] + tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {} + manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : [] + customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : [] + ipConfigurations: contains(privateEndpoint, 'ipConfigurations') ? privateEndpoint.ipConfigurations : [] + applicationSecurityGroups: contains(privateEndpoint, 'applicationSecurityGroups') ? privateEndpoint.applicationSecurityGroups : [] + customNetworkInterfaceName: contains(privateEndpoint, 'customNetworkInterfaceName') ? privateEndpoint.customNetworkInterfaceName : '' + } +}] + @description('The name of the database account.') output name string = databaseAccount.name
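Review bot: `privateDnsZoneGroup` falls back to `{}` when the caller omits it, so the endpoint is created without a private DNS zone group and the account's private IP is not published to any linked zone; clients that resolve the public name would then still reach the public endpoint where it is enabled, and the private path goes unused without any deployment error. Since the module cannot validate this, a comment on that line would help callers: `// No DNS zone group by default: callers must supply privateDnsZoneGroup (or customDnsConfigs) for clients to resolve the private IP`. The same holds for `service`, which must match the private DNS zone the caller links (the sqldb test pairs 'Sql' with privatelink.documents.azure.com); a mismatch would likely deploy but leave clients unable to resolve the account privately. `lock` and `enableReferencedModulesTelemetry` are referenced from outside this hunk and are not visible here.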