[Modules] Express-route-gateway: Updated RBAC handling & added min te…

…st (#3927) * Updated RBAC handling & added min test * Added ref * Added missing lock implementation * Updated JSON
Azure · Sep 6, 2023 · 07869c8 · 07869c8
1 parent bf8ca74
commit 07869c8
Show file tree

Hide file tree

Showing 9 changed files with 446 additions and 13 deletions.
diff --git a/modules/network/express-route-gateway/.bicep/nested_roleAssignments.bicep b/modules/network/express-route-gateway/.bicep/nested_roleAssignments.bicep
@@ -78,12 +78,12 @@ var builtInRoleNames = {
   'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')
 }
 
-resource applicationGateway 'Microsoft.Network/applicationGateways@2023-04-01' existing = {
+resource expressRouteGateway 'Microsoft.Network/expressRouteGateways@2023-04-01' existing = {
   name: last(split(resourceId, '/'))!
 }
 
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
-  name: guid(applicationGateway.id, principalId, roleDefinitionIdOrName)
+  name: guid(expressRouteGateway.id, principalId, roleDefinitionIdOrName)
   properties: {
     description: description
     roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
@@ -93,5 +93,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
     conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
     delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
   }
-  scope: applicationGateway
+  scope: expressRouteGateway
 }]
diff --git a/modules/network/express-route-gateway/.test/common/dependencies.bicep b/modules/network/express-route-gateway/.test/common/dependencies.bicep
@@ -3,9 +3,18 @@ param virtualWANName string
 
 @description('Required. The name of the virtual Hub to create.')
 param virtualHubName string
+
 @description('Optional. The location to deploy resources to.')
 param location string = resourceGroup().location
 
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+  name: managedIdentityName
+  location: location
+}
+
 resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
   name: virtualWANName
   location: location
@@ -24,3 +33,6 @@ resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = {
 
 @description('The resource ID of the created Virtual Hub.')
 output virtualHubResourceId string = virtualHub.id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
diff --git a/modules/network/express-route-gateway/.test/common/main.test.bicep b/modules/network/express-route-gateway/.test/common/main.test.bicep
@@ -37,6 +37,7 @@ module nestedDependencies 'dependencies.bicep' = {
   params: {
     virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}'
     virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}'
+    managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
   }
 }
 // ============== //
@@ -56,5 +57,15 @@ module testDeployment '../../main.bicep' = {
     autoScaleConfigurationBoundsMin: 2
     autoScaleConfigurationBoundsMax: 3
     virtualHubId: nestedDependencies.outputs.virtualHubResourceId
+    lock: 'CanNotDelete'
+    roleAssignments: [
+      {
+        roleDefinitionIdOrName: 'Reader'
+        principalIds: [
+          nestedDependencies.outputs.managedIdentityPrincipalId
+        ]
+        principalType: 'ServicePrincipal'
+      }
+    ]
   }
 }
diff --git a/modules/network/express-route-gateway/.test/main.test.bicep b/modules/network/express-route-gateway/.test/main.test.bicep
@@ -13,3 +13,11 @@ module common 'common/main.test.bicep' = {
     namePrefix: namePrefix
   }
 }
+
+// TEST 2 - MIN
+module min 'min/main.test.bicep' = {
+  name: '${uniqueString(deployment().name)}-min-test'
+  params: {
+    namePrefix: namePrefix
+  }
+}
diff --git a/modules/network/express-route-gateway/.test/min/dependencies.bicep b/modules/network/express-route-gateway/.test/min/dependencies.bicep
@@ -0,0 +1,27 @@
+@description('Required. The name of the virtual WAN to create.')
+param virtualWANName string
+
+@description('Required. The name of the virtual Hub to create.')
+param virtualHubName string
+
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = {
+  name: virtualWANName
+  location: location
+}
+
+resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = {
+  name: virtualHubName
+  location: location
+  properties: {
+    addressPrefix: '10.0.0.0/16'
+    virtualWan: {
+      id: virtualWan.id
+    }
+  }
+}
+
+@description('The resource ID of the created Virtual Hub.')
+output virtualHubResourceId string = virtualHub.id
diff --git a/modules/network/express-route-gateway/.test/min/main.test.bicep b/modules/network/express-route-gateway/.test/min/main.test.bicep
@@ -0,0 +1,55 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.network.expressRouteGateway-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nergmin'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+  params: {
+    virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}'
+    virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}'
+  }
+}
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  params: {
+    enableDefaultTelemetry: enableDefaultTelemetry
+    name: '${namePrefix}${serviceShort}001'
+    virtualHubId: nestedDependencies.outputs.virtualHubResourceId
+
+  }
+}
diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md
@@ -14,6 +14,8 @@ This module deploys an Express Route Gateway.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Network/expressRouteGateways` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/expressRouteGateways) |
 
 ## Parameters
@@ -27,15 +29,17 @@ This module deploys an Express Route Gateway.
 
 **Optional parameters**
 
-| Parameter Name | Type | Default Value | Description |
-| :-- | :-- | :-- | :-- |
-| `allowNonVirtualWanTraffic` | bool | `False` | Configures this gateway to accept traffic from non Virtual WAN networks. |
-| `autoScaleConfigurationBoundsMax` | int | `2` | Maximum number of scale units deployed for ExpressRoute gateway. |
-| `autoScaleConfigurationBoundsMin` | int | `2` | Minimum number of scale units deployed for ExpressRoute gateway. |
-| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). |
-| `expressRouteConnections` | array | `[]` | List of ExpressRoute connections to the ExpressRoute gateway. |
-| `location` | string | `[resourceGroup().location]` | Location for all resources. |
-| `tags` | object | `{object}` | Tags of the Firewall policy resource. |
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `allowNonVirtualWanTraffic` | bool | `False` |  | Configures this gateway to accept traffic from non Virtual WAN networks. |
+| `autoScaleConfigurationBoundsMax` | int | `2` |  | Maximum number of scale units deployed for ExpressRoute gateway. |
+| `autoScaleConfigurationBoundsMin` | int | `2` |  | Minimum number of scale units deployed for ExpressRoute gateway. |
+| `enableDefaultTelemetry` | bool | `True` |  | Enable telemetry via a Globally Unique Identifier (GUID). |
+| `expressRouteConnections` | array | `[]` |  | List of ExpressRoute connections to the ExpressRoute gateway. |
+| `location` | string | `[resourceGroup().location]` |  | Location for all resources. |
+| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
+| `roleAssignments` | array | `[]` |  | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| `tags` | object | `{object}` |  | Tags of the Firewall policy resource. |
 
 
 ### Parameter Usage: `roleAssignments`
@@ -208,6 +212,16 @@ module expressRouteGateway './network/express-route-gateway/main.bicep' = {
     autoScaleConfigurationBoundsMax: 3
     autoScaleConfigurationBoundsMin: 2
     enableDefaultTelemetry: '<enableDefaultTelemetry>'
+    lock: 'CanNotDelete'
+    roleAssignments: [
+      {
+        principalIds: [
+          '<managedIdentityPrincipalId>'
+        ]
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'Reader'
+      }
+    ]
     tags: {
       hello: 'world'
       'hidden-title': 'This is visible in the resource name'
@@ -245,6 +259,20 @@ module expressRouteGateway './network/express-route-gateway/main.bicep' = {
     "enableDefaultTelemetry": {
       "value": "<enableDefaultTelemetry>"
     },
+    "lock": {
+      "value": "CanNotDelete"
+    },
+    "roleAssignments": {
+      "value": [
+        {
+          "principalIds": [
+            "<managedIdentityPrincipalId>"
+          ],
+          "principalType": "ServicePrincipal",
+          "roleDefinitionIdOrName": "Reader"
+        }
+      ]
+    },
     "tags": {
       "value": {
         "hello": "world",
@@ -257,3 +285,52 @@ module expressRouteGateway './network/express-route-gateway/main.bicep' = {
 
 </details>
 <p>
+
+<h3>Example 2: Min</h3>
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module expressRouteGateway './network/express-route-gateway/main.bicep' = {
+  name: '${uniqueString(deployment().name, location)}-test-nergmin'
+  params: {
+    // Required parameters
+    name: 'nergmin001'
+    virtualHubId: '<virtualHubId>'
+    // Non-required parameters
+    enableDefaultTelemetry: '<enableDefaultTelemetry>'
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON Parameter file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "name": {
+      "value": "nergmin001"
+    },
+    "virtualHubId": {
+      "value": "<virtualHubId>"
+    },
+    // Non-required parameters
+    "enableDefaultTelemetry": {
+      "value": "<enableDefaultTelemetry>"
+    }
+  }
+}
+```
+
+</details>
+<p>
diff --git a/modules/network/express-route-gateway/main.bicep b/modules/network/express-route-gateway/main.bicep
@@ -26,9 +26,20 @@ param expressRouteConnections array = []
 @description('Required. Resource ID of the Virtual Wan Hub.')
 param virtualHubId string
 
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+@allowed([
+  ''
+  'CanNotDelete'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = ''
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
   name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
   properties: {
@@ -60,6 +71,28 @@ resource expressRouteGateway 'Microsoft.Network/expressRouteGateways@2023-04-01'
   }
 }
 
+resource expressRouteGateway_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
+  name: '${expressRouteGateway.name}-${lock}-lock'
+  properties: {
+    level: any(lock)
+    notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+  }
+  scope: expressRouteGateway
+}
+
+module expressRouteGateway_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+  name: '${uniqueString(deployment().name, location)}-ExpressRouteGateway-Rbac-${index}'
+  params: {
+    description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+    principalIds: roleAssignment.principalIds
+    principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+    roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+    condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+    delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+    resourceId: expressRouteGateway.id
+  }
+}]
+
 @description('The resource ID of the ExpressRoute Gateway.')
 output resourceId string = expressRouteGateway.id