Azure · eriqua · Sep 28, 2024 · Sep 6, 2024 · Sep 26, 2024
@@ -27,7 +27,8 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br/public:avm/res/network/service-endpoint-policy:<version>`.
 
 - [Using only defaults](#example-1-using-only-defaults)
-- [WAF-aligned](#example-2-waf-aligned)
+- [Using large parameter set](#example-2-using-large-parameter-set)
+- [WAF-aligned](#example-3-waf-aligned)
 
 ### Example 1: _Using only defaults_
 
@@ -77,9 +78,9 @@ module serviceEndpointPolicy 'br/public:avm/res/network/service-endpoint-policy:
 </details>
 <p>
 
-### Example 2: _WAF-aligned_
+### Example 2: _Using large parameter set_
 
-This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
+This instance deploys the module with most of its features enabled.
 
 
 <details>
@@ -91,13 +92,32 @@ module serviceEndpointPolicy 'br/public:avm/res/network/service-endpoint-policy:
  name: 'serviceEndpointPolicyDeployment'
  params: {
  // Required parameters
- name: 'nsepwaf001'
+ name: 'nsepmax001'
  // Non-required parameters
  location: '<location>'
  lock: {
  kind: 'CanNotDelete'
  name: 'myCustomLockName'
  }
+ roleAssignments: [
+ {
+ name: '36fbc5db-13e9-4bda-9594-1b1cc9db2d6d'
+ principalId: '<principalId>'
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'Owner'
+ }
+ {
+ name: '<name>'
+ principalId: '<principalId>'
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ }
+ {
+ principalId: '<principalId>'
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: '<roleDefinitionIdOrName>'
+ }
+ ]
  tags: {
  Environment: 'Non-Prod'
  'hidden-title': 'This is visible in the resource name'
@@ -121,7 +141,7 @@ module serviceEndpointPolicy 'br/public:avm/res/network/service-endpoint-policy:
  "parameters": {
  // Required parameters
  "name": {
- "value": "nsepwaf001"
+ "value": "nsepmax001"
  },
  // Non-required parameters
  "location": {
@@ -133,6 +153,87 @@ module serviceEndpointPolicy 'br/public:avm/res/network/service-endpoint-policy:
  "name": "myCustomLockName"
  }
  },
+ "roleAssignments": {
+ "value": [
+ {
+ "name": "36fbc5db-13e9-4bda-9594-1b1cc9db2d6d",
+ "principalId": "<principalId>",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "Owner"
+ },
+ {
+ "name": "<name>",
+ "principalId": "<principalId>",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "b24988ac-6180-42a0-ab88-20f7382dd24c"
+ },
+ {
+ "principalId": "<principalId>",
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "<roleDefinitionIdOrName>"
+ }
+ ]
+ },
+ "tags": {
+ "value": {
+ "Environment": "Non-Prod",
+ "hidden-title": "This is visible in the resource name",
+ "Role": "DeploymentValidation"
+ }
+ }
+ }
+}
+```
+
+</details>
+<p>
+
+### Example 3: _WAF-aligned_
+
+This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module serviceEndpointPolicy 'br/public:avm/res/network/service-endpoint-policy:<version>' = {
+ name: 'serviceEndpointPolicyDeployment'
+ params: {
+ // Required parameters
+ name: 'nsepwaf001'
+ // Non-required parameters
+ location: '<location>'
+ tags: {
+ Environment: 'Non-Prod'
+ 'hidden-title': 'This is visible in the resource name'
+ Role: 'DeploymentValidation'
+ }
+ }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON Parameter file</summary>
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ // Required parameters
+ "name": {
+ "value": "nsepwaf001"
+ },
+ // Non-required parameters
+ "location": {
+ "value": "<location>"
+ },
  "tags": {
  "value": {
  "Environment": "Non-Prod",

@@ -9,14 +9,12 @@ metadata description = 'This instance deploys the module with the minimum set of
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg'
 param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicy-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param resourceLocation string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test
 param serviceShort string = 'nsepmin'
 
 @description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
@@ -42,7 +40,6 @@ module testDeployment '../../../main.bicep' = [
  scope: resourceGroup
  name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
  params: {
- // You parameters go here
  name: '${namePrefix}${serviceShort}001'
  location: resourceLocation
  }

@@ -0,0 +1,13 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
@@ -0,0 +1,87 @@
+targetScope = 'subscription'
+
+metadata name = 'Using large parameter set'
+metadata description = 'This instance deploys the module with most of its features enabled.'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicy-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'nsepmax'
+
+@description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ params: {
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ location: resourceLocation
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ location: resourceLocation
+ lock: {
+ kind: 'CanNotDelete'
+ name: 'myCustomLockName'
+ }
+ roleAssignments: [
+ {
+ name: '36fbc5db-13e9-4bda-9594-1b1cc9db2d6d'
+ roleDefinitionIdOrName: 'Owner'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ name: guid('Custom seed ${namePrefix}${serviceShort}')
+ roleDefinitionIdOrName: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ {
+ roleDefinitionIdOrName: subscriptionResourceId(
+ 'Microsoft.Authorization/roleDefinitions',
+ 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ )
+ principalId: nestedDependencies.outputs.managedIdentityPrincipalId
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ tags: {
+ 'hidden-title': 'This is visible in the resource name'
+ Environment: 'Non-Prod'
+ Role: 'DeploymentValidation'
+ }
+ }
+ }
+]
@@ -9,14 +9,12 @@ metadata description = 'This instance deploys the module in alignment with the b
 
 @description('Optional. The name of the resource group to deploy for testing purposes.')
 @maxLength(90)
-// e.g., for a module 'network/private-endpoint' you could use 'dep-dev-network.privateendpoints-${serviceShort}-rg'
 param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicy-${serviceShort}-rg'
 
 @description('Optional. The location to deploy resources to.')
 param resourceLocation string = deployment().location
 
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-// e.g., for a module 'network/private-endpoint' you could use 'npe' as a prefix and then 'waf' as a suffix for the waf-aligned test
 param serviceShort string = 'nsepwaf'
 
 @description('Optional. A token to inject into the name of each resource. This value can be automatically injected by the CI.')
@@ -42,13 +40,8 @@ module testDeployment '../../../main.bicep' = [
  scope: resourceGroup
  name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
  params: {
- // You parameters go here
  name: '${namePrefix}${serviceShort}001'
  location: resourceLocation
- lock: {
- kind: 'CanNotDelete'
- name: 'myCustomLockName'
- }
  tags: {
  'hidden-title': 'This is visible in the resource name'
  Environment: 'Non-Prod'