[Modules] Updated locks to UDT as per AVM specs (#4112)

* Updated locks & implementation. Parameter and UDT pending * Replaced param * Added UDT * Small fix * Fixed diverse templates * Refreshed json * Fixed bicep templates * Further fixes * Updated PE lock * File regen * small api fixes * Fix for healthcare lock * Fixed power BI lock * Fixed insights data collection * Updated RG * Fixed lock passthru on several instances * Adjusted scope * Adjusted cmk for service bus ns * Updated ref * Updated cmk with udt workaround * Updated storage * Updated cmk * Fixed readme * Updated cmk for app-config * Updated cmk for batch * Updated cmk for cognitive * Updated cmk for container instance * Updated logs for data collection * Updated cmk for auto * Updated batch pe test * Updated cog ser json * Updated VM * Container group refresh * Updated reg * Updated managed service * Updated databricks * Udated data factory * Fixed msi ref * Fixed script ref & cog * Fixed cotainer reg * Atempted to fix managed-cluster * Try & fix new key treating in databricks * Updated db-for * Updated log for digital twin * Updated ML * Update synapse * Updated databricks to work around new bicep limitation * Updated KVLT + Purview * Added batch to security center to how to fix update bug * Added write host for readme in case of diff for troubleshooting * Rollback
Azure · Oct 21, 2023 · 293175c · 293175c
1 parent 351abb1
commit 293175c
Show file tree

Hide file tree

Showing 488 changed files with 14,290 additions and 6,347 deletions.
diff --git a/docs/wiki/The library - Module design.md b/docs/wiki/The library - Module design.md
@@ -143,19 +143,14 @@ The locks extension can be added as a `resource` to the resource template direct
 <summary>Details</summary>
 
 ```bicep
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
-resource <mainResource>_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${<mainResource>.name}-${lock}-lock'
+resource <mainResource>_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
  properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
  }
  scope: <mainResource>
 }
@@ -165,12 +160,12 @@ resource <mainResource>_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!e
 >
 > - Child and extension resources
 >  - Locks are not automatically passed down, as they are inherited by default in Azure
->  - The reference of the child/extension template should look similar to: `lock: contains(<childExtensionObject>, 'lock') ? <childExtensionObject>.lock : ''`
+>  - The reference of the child/extension template should look similar to: `lock: <childExtensionObject>.?lock ?? lock`
 >  - Using this implementation, a lock is only deployed to the child/extension resource if explicitly specified in the module's test file
 >  - For example, the lock of a Storage Account module is not automatically passed to a Storage Container child-deployment. Instead, the Storage Container resource is automatically locked by Azure together with a locked Storage Account
 > - Cross-referenced resources
 >  - All cross-referenced resources share the lock with the main resource to prevent depending resources to be changed or deleted
->  - The reference of the cross-referenced resource template should look similar to: `lock: contains(<referenceObject>, 'lock') ? <referenceObject>.lock : lock`
+>  - The reference of the cross-referenced resource template should look similar to: `lock: <referenceObject>.?lock ?? lock`
 >  - Using this implementation, a lock of the main resource is implicitly passed to the referenced module template
 >  - For example, the lock of a Key Vault module is automatically passed to an also deployed Private Endpoint module deployment
 

diff --git a/modules/aad/domain-service/.test/common/main.test.bicep b/modules/aad/domain-service/.test/common/main.test.bicep
@@ -82,7 +82,10 @@ module testDeployment '../../main.bicep' = {
  diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
  diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
  diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
  pfxCertificate: keyVault.getSecret(nestedDependencies.outputs.certSecretName)
  pfxCertificatePassword: keyVault.getSecret(nestedDependencies.outputs.certPWSecretName)
  replicaSets: [

diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md
@@ -54,7 +54,10 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = {
  diagnosticStorageAccountId: '<diagnosticStorageAccountId>'
  diagnosticWorkspaceId: '<diagnosticWorkspaceId>'
  enableDefaultTelemetry: '<enableDefaultTelemetry>'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
  name: 'aaddscom001'
  pfxCertificate: '<pfxCertificate>'
  pfxCertificatePassword: '<pfxCertificatePassword>'
@@ -112,7 +115,10 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = {
  "value": "<enableDefaultTelemetry>"
  },
  "lock": {
- "value": "CanNotDelete"
+ "value": {
+ "kind": "CanNotDelete",
+ "name": "myCustomLockName"
+ }
  },
  "name": {
  "value": "aaddscom001"
@@ -182,7 +188,7 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = {
 | [`kerberosRc4Encryption`](#parameter-kerberosrc4encryption) | string | The value is to enable Kerberos requests that use RC4 encryption. |
 | [`ldaps`](#parameter-ldaps) | string | A flag to determine whether or not Secure LDAP is enabled or disabled. |
 | [`location`](#parameter-location) | string | The location to deploy the Azure ADDS Services. |
-| [`lock`](#parameter-lock) | string | Specify the type of lock. |
+| [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`name`](#parameter-name) | string | The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. |
 | [`notifyDcAdmins`](#parameter-notifydcadmins) | string | The value is to notify the DC Admins. |
 | [`notifyGlobalAdmins`](#parameter-notifyglobaladmins) | string | The value is to notify the Global Admins. |
@@ -307,11 +313,30 @@ The location to deploy the Azure ADDS Services.
 
 ### Parameter: `lock`
 
-Specify the type of lock.
+The lock settings of the service.
+- Required: No
+- Type: object
+
+
+| Name | Required | Type | Description |
+| :-- | :-- | :--| :-- |
+| [`kind`](#parameter-lockkind) | No | string | Optional. Specify the type of lock. |
+| [`name`](#parameter-lockname) | No | string | Optional. Specify the name of lock. |
+
+### Parameter: `lock.kind`
+
+Optional. Specify the type of lock.
+
+- Required: No
+- Type: string
+- Allowed: `[CanNotDelete, None, ReadOnly]`
+
+### Parameter: `lock.name`
+
+Optional. Specify the name of lock.
+
 - Required: No
 - Type: string
-- Default: `''`
-- Allowed: `['', CanNotDelete, ReadOnly]`
 
 ### Parameter: `name`
 

diff --git a/modules/aad/domain-service/main.bicep b/modules/aad/domain-service/main.bicep
@@ -133,13 +133,8 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
-@allowed([
- ''
- 'CanNotDelete'
- 'ReadOnly'
-])
-@description('Optional. Specify the type of lock.')
-param lock string = ''
+@description('Optional. The lock settings of the service.')
+param lock lockType
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
@@ -230,11 +225,11 @@ resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
  scope: domainService
 }
 
-resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) {
- name: '${domainService.name}-${lock}-lock'
+resource domainService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+ name: lock.?name ?? 'lock-${name}'
  properties: {
- level: any(lock)
- notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
+ level: lock.?kind ?? ''
+ notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.'
  }
  scope: domainService
 }
@@ -263,3 +258,15 @@ output resourceId string = domainService.id
 
 @description('The location the resource was deployed into.')
 output location string = domainService.location
+
+// =============== //
+// Definitions //
+// =============== //
+
+type lockType = {
+ @description('Optional. Specify the name of lock.')
+ name: string?
+
+ @description('Optional. Specify the type of lock.')
+ kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
+}?
diff --git a/modules/aad/domain-service/main.json b/modules/aad/domain-service/main.json
@@ -1,16 +1,44 @@
 {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "languageVersion": "2.0",
  "contentVersion": "1.0.0.0",
  "metadata": {
  "_generator": {
  "name": "bicep",
  "version": "0.22.6.54827",
- "templateHash": "10694057578652449276"
+ "templateHash": "15488600110889393374"
  },
  "name": "Azure Active Directory Domain Services",
  "description": "This module deploys an Azure Active Directory Domain Services (AADDS).",
  "owner": "Azure/module-maintainers"
  },
+ "definitions": {
+ "lockType": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the name of lock."
+ }
+ },
+ "kind": {
+ "type": "string",
+ "allowedValues": [
+ "CanNotDelete",
+ "None",
+ "ReadOnly"
+ ],
+ "nullable": true,
+ "metadata": {
+ "description": "Optional. Specify the type of lock."
+ }
+ }
+ },
+ "nullable": true
+ }
+ },
  "parameters": {
  "name": {
  "type": "string",
@@ -243,15 +271,9 @@
  }
  },
  "lock": {
- "type": "string",
- "defaultValue": "",
- "allowedValues": [
- "",
- "CanNotDelete",
- "ReadOnly"
- ],
+ "$ref": "#/definitions/lockType",
  "metadata": {
- "description": "Optional. Specify the type of lock."
+ "description": "Optional. The lock settings of the service."
  }
  },
  "roleAssignments": {
@@ -297,8 +319,8 @@
  ],
  "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), if(contains(parameters('diagnosticLogCategoriesToEnable'), ''), createArray(), variables('diagnosticsLogsSpecified')))]"
  },
- "resources": [
- {
+ "resources": {
+ "defaultTelemetry": {
  "condition": "[parameters('enableDefaultTelemetry')]",
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2021-04-01",
@@ -312,7 +334,7 @@
  }
  }
  },
- {
+ "domainService": {
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2021-05-01",
  "name": "[parameters('name')]",
@@ -345,7 +367,7 @@
  "sku": "[parameters('sku')]"
  }
  },
- {
+ "domainService_diagnosticSettings": {
  "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]",
  "type": "Microsoft.Insights/diagnosticSettings",
  "apiVersion": "2021-05-01-preview",
@@ -359,24 +381,24 @@
  "logs": "[variables('diagnosticsLogs')]"
  },
  "dependsOn": [
- "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]"
+ "domainService"
  ]
  },
- {
- "condition": "[not(empty(parameters('lock')))]",
+ "domainService_lock": {
+ "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]",
  "type": "Microsoft.Authorization/locks",
  "apiVersion": "2020-05-01",
  "scope": "[format('Microsoft.AAD/domainServices/{0}', parameters('name'))]",
- "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]",
+ "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]",
  "properties": {
- "level": "[parameters('lock')]",
- "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]"
+ "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]",
+ "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]"
  },
  "dependsOn": [
- "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]"
+ "domainService"
  ]
  },
- {
+ "domainService_roleAssignments": {
  "copy": {
  "name": "domainService_roleAssignments",
  "count": "[length(parameters('roleAssignments'))]"
@@ -524,10 +546,10 @@
  }
  },
  "dependsOn": [
- "[resourceId('Microsoft.AAD/domainServices', parameters('name'))]"
+ "domainService"
  ]
  }
- ],
+ },
  "outputs": {
  "name": {
  "type": "string",
@@ -555,7 +577,7 @@
  "metadata": {
  "description": "The location the resource was deployed into."
  },
- "value": "[reference(resourceId('Microsoft.AAD/domainServices', parameters('name')), '2021-05-01', 'full').location]"
+ "value": "[reference('domainService', '2021-05-01', 'full').location]"
  }
  }
 }
diff --git a/modules/analysis-services/server/.test/common/main.test.bicep b/modules/analysis-services/server/.test/common/main.test.bicep
@@ -66,7 +66,10 @@ module testDeployment '../../main.bicep' = {
  params: {
  enableDefaultTelemetry: enableDefaultTelemetry
  name: '${namePrefix}${serviceShort}'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
  skuName: 'S0'
  roleAssignments: [
  {

diff --git a/modules/analysis-services/server/.test/max/main.test.bicep b/modules/analysis-services/server/.test/max/main.test.bicep
@@ -63,7 +63,10 @@ module testDeployment '../../main.bicep' = {
  params: {
  enableDefaultTelemetry: enableDefaultTelemetry
  name: '${namePrefix}${serviceShort}'
- lock: 'CanNotDelete'
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
  skuName: 'S0'
  skuCapacity: 1
  firewallSettings: {