-
Notifications
You must be signed in to change notification settings - Fork 405
/
Copy pathmain.bicep
709 lines (607 loc) · 28.7 KB
/
main.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
metadata name = 'Azure SQL Servers'
metadata description = 'This module deploys an Azure SQL Server.'
metadata owner = 'Azure/module-maintainers'
@description('Conditional. The administrator username for the server. Required if no `administrators` object for AAD authentication is provided.')
param administratorLogin string = ''
@description('Conditional. The administrator login password. Required if no `administrators` object for AAD authentication is provided.')
@secure()
param administratorLoginPassword string = ''
@description('Optional. Location for all resources.')
param location string = resourceGroup().location
@description('Required. The name of the server.')
param name string
@description('Optional. The managed identity definition for this resource.')
param managedIdentities managedIdentitiesType
@description('Conditional. The resource ID of a user assigned identity to be used by default. Required if "userAssignedIdentities" is not empty.')
param primaryUserAssignedIdentityId string = ''
@description('Optional. The lock settings of the service.')
param lock lockType
@description('Optional. Array of role assignments to create.')
param roleAssignments roleAssignmentType
@description('Optional. Tags of the resource.')
param tags object?
@description('Optional. Enable/Disable usage telemetry for module.')
param enableTelemetry bool = true
@description('Optional. The databases to create in the server.')
param databases array = []
@description('Optional. The Elastic Pools to create in the server.')
param elasticPools array = []
@description('Optional. The firewall rules to create in the server.')
param firewallRules array = []
@description('Optional. The virtual network rules to create in the server.')
param virtualNetworkRules array = []
@description('Optional. The security alert policies to create in the server.')
param securityAlertPolicies array = []
@description('Optional. The keys to configure.')
param keys array = []
@description('Conditional. The Azure Active Directory (AAD) administrator authentication. Required if no `administratorLogin` & `administratorLoginPassword` is provided.')
param administrators object = {}
@allowed([
'1.0'
'1.1'
'1.2'
'1.3'
])
@description('Optional. Minimal TLS version allowed.')
param minimalTlsVersion string = '1.2'
@allowed([
'Disabled'
'Enabled'
])
@description('Optional. Whether or not to enable IPv6 support for this server.')
param isIPv6Enabled string = 'Disabled'
@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
param privateEndpoints privateEndpointType
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set.')
@allowed([
''
'Enabled'
'Disabled'
'SecuredByPerimeter'
])
param publicNetworkAccess string = ''
@description('Optional. Whether or not to restrict outbound network access for this server.')
@allowed([
''
'Enabled'
'Disabled'
])
param restrictOutboundNetworkAccess string = ''
var formattedUserAssignedIdentities = reduce(
map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
{},
(cur, next) => union(cur, next)
) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
var identity = !empty(managedIdentities)
? {
type: (managedIdentities.?systemAssigned ?? false)
? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned')
: (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : null)
userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
}
: null
@description('Optional. The encryption protection configuration.')
param encryptionProtectorObj object = {}
@description('Optional. The vulnerability assessment configuration.')
param vulnerabilityAssessmentsObj object = {}
@description('Optional. The audit settings configuration.')
param auditSettings auditSettingsType?
@description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
param secretsExportConfiguration secretsExportConfigurationType?
var builtInRoleNames = {
Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'Reservation Purchaser': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'f7b75c60-3036-4b75-91c3-6b41c27c1689'
)
'Role Based Access Control Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
)
'SQL DB Contributor': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
)
'SQL Managed Instance Contributor': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
)
'SQL Security Manager': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'056cd41c-7e88-42e1-933e-88ba6a50c9c3'
)
'SQL Server Contributor': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
)
'SqlDb Migration Role': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'189207d4-bb67-4208-a635-b06afe8b2c57'
)
'SqlMI Migration Role': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'1d335eef-eee1-47fe-a9e0-53214eba8872'
)
'User Access Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
)
}
var formattedRoleAssignments = [
for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(
roleAssignment.roleDefinitionIdOrName,
'/providers/Microsoft.Authorization/roleDefinitions/'
)
? roleAssignment.roleDefinitionIdOrName
: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
})
]
#disable-next-line no-deployments-resources
resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
name: '46d3xbcp.res.sql-server.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
outputs: {
telemetry: {
type: 'String'
value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
}
}
}
}
}
resource server 'Microsoft.Sql/servers@2023-08-01-preview' = {
location: location
name: name
tags: tags
identity: identity
properties: {
administratorLogin: !empty(administratorLogin) ? administratorLogin : null
administratorLoginPassword: !empty(administratorLoginPassword) ? administratorLoginPassword : null
administrators: !empty(administrators)
? {
administratorType: 'ActiveDirectory'
azureADOnlyAuthentication: administrators.azureADOnlyAuthentication
login: administrators.login
principalType: administrators.principalType
sid: administrators.sid
tenantId: administrators.?tenantId ?? tenant().tenantId
}
: null
version: '12.0'
minimalTlsVersion: minimalTlsVersion
primaryUserAssignedIdentityId: !empty(primaryUserAssignedIdentityId) ? primaryUserAssignedIdentityId : null
publicNetworkAccess: !empty(publicNetworkAccess)
? publicNetworkAccess
: (!empty(privateEndpoints) && empty(firewallRules) && empty(virtualNetworkRules) ? 'Disabled' : null)
restrictOutboundNetworkAccess: !empty(restrictOutboundNetworkAccess) ? restrictOutboundNetworkAccess : null
isIPv6Enabled: isIPv6Enabled
}
}
resource server_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
name: lock.?name ?? 'lock-${name}'
properties: {
level: lock.?kind ?? ''
notes: lock.?kind == 'CanNotDelete'
? 'Cannot delete resource or child resources.'
: 'Cannot delete or modify the resource or child resources.'
}
scope: server
}
resource server_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
name: roleAssignment.?name ?? guid(server.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
properties: {
roleDefinitionId: roleAssignment.roleDefinitionId
principalId: roleAssignment.principalId
description: roleAssignment.?description
principalType: roleAssignment.?principalType
condition: roleAssignment.?condition
conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
}
scope: server
}
]
module server_databases 'database/main.bicep' = [
for (database, index) in databases: {
name: '${uniqueString(deployment().name, location)}-Sql-DB-${index}'
params: {
name: database.name
serverName: server.name
skuTier: database.?skuTier ?? 'GeneralPurpose'
skuName: database.?skuName ?? 'GP_Gen5_2'
skuCapacity: database.?skuCapacity
skuFamily: database.?skuFamily ?? ''
skuSize: database.?skuSize ?? ''
collation: database.?collation ?? 'SQL_Latin1_General_CP1_CI_AS'
maxSizeBytes: database.?maxSizeBytes ?? 34359738368
autoPauseDelay: database.?autoPauseDelay ?? 0
diagnosticSettings: database.?diagnosticSettings
isLedgerOn: database.?isLedgerOn ?? false
location: location
licenseType: database.?licenseType ?? ''
maintenanceConfigurationId: database.?maintenanceConfigurationId
minCapacity: database.?minCapacity ?? ''
highAvailabilityReplicaCount: database.?highAvailabilityReplicaCount ?? 0
readScale: database.?readScale ?? 'Disabled'
requestedBackupStorageRedundancy: database.?requestedBackupStorageRedundancy ?? ''
sampleName: database.?sampleName ?? ''
tags: database.?tags ?? tags
zoneRedundant: database.?zoneRedundant ?? true
elasticPoolId: database.?elasticPoolId ?? ''
backupShortTermRetentionPolicy: database.?backupShortTermRetentionPolicy ?? {}
backupLongTermRetentionPolicy: database.?backupLongTermRetentionPolicy ?? {}
createMode: database.?createMode ?? 'Default'
sourceDatabaseResourceId: database.?sourceDatabaseResourceId ?? ''
sourceDatabaseDeletionDate: database.?sourceDatabaseDeletionDate ?? ''
recoveryServicesRecoveryPointResourceId: database.?recoveryServicesRecoveryPointResourceId ?? ''
restorePointInTime: database.?restorePointInTime ?? ''
}
dependsOn: [
server_elasticPools // Enables us to add databases to existing elastic pools
]
}
]
module server_elasticPools 'elastic-pool/main.bicep' = [
for (elasticPool, index) in elasticPools: {
name: '${uniqueString(deployment().name, location)}-SQLServer-ElasticPool-${index}'
params: {
name: elasticPool.name
serverName: server.name
databaseMaxCapacity: elasticPool.?databaseMaxCapacity ?? 2
databaseMinCapacity: elasticPool.?databaseMinCapacity ?? 0
highAvailabilityReplicaCount: elasticPool.?highAvailabilityReplicaCount
licenseType: elasticPool.?licenseType ?? 'LicenseIncluded'
maintenanceConfigurationId: elasticPool.?maintenanceConfigurationId
maxSizeBytes: elasticPool.?maxSizeBytes ?? 34359738368
minCapacity: elasticPool.?minCapacity
skuCapacity: elasticPool.?skuCapacity ?? 2
skuName: elasticPool.?skuName ?? 'GP_Gen5'
skuTier: elasticPool.?skuTier ?? 'GeneralPurpose'
zoneRedundant: elasticPool.?zoneRedundant ?? true
location: location
tags: elasticPool.?tags ?? tags
}
}
]
module server_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.7.1' = [
for (privateEndpoint, index) in (privateEndpoints ?? []): {
name: '${uniqueString(deployment().name, location)}-server-PrivateEndpoint-${index}'
scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
params: {
name: privateEndpoint.?name ?? 'pep-${last(split(server.id, '/'))}-${privateEndpoint.?service ?? 'sqlServer'}-${index}'
privateLinkServiceConnections: privateEndpoint.?isManualConnection != true
? [
{
name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(server.id, '/'))}-${privateEndpoint.?service ?? 'sqlServer'}-${index}'
properties: {
privateLinkServiceId: server.id
groupIds: [
privateEndpoint.?service ?? 'sqlServer'
]
}
}
]
: null
manualPrivateLinkServiceConnections: privateEndpoint.?isManualConnection == true
? [
{
name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(server.id, '/'))}-${privateEndpoint.?service ?? 'sqlServer'}-${index}'
properties: {
privateLinkServiceId: server.id
groupIds: [
privateEndpoint.?service ?? 'sqlServer'
]
requestMessage: privateEndpoint.?manualConnectionRequestMessage ?? 'Manual approval required.'
}
}
]
: null
subnetResourceId: privateEndpoint.subnetResourceId
enableTelemetry: privateEndpoint.?enableTelemetry ?? enableTelemetry
location: privateEndpoint.?location ?? reference(
split(privateEndpoint.subnetResourceId, '/subnets/')[0],
'2020-06-01',
'Full'
).location
lock: privateEndpoint.?lock ?? lock
privateDnsZoneGroup: privateEndpoint.?privateDnsZoneGroup
roleAssignments: privateEndpoint.?roleAssignments
tags: privateEndpoint.?tags ?? tags
customDnsConfigs: privateEndpoint.?customDnsConfigs
ipConfigurations: privateEndpoint.?ipConfigurations
applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
}
}
]
module server_firewallRules 'firewall-rule/main.bicep' = [
for (firewallRule, index) in firewallRules: {
name: '${uniqueString(deployment().name, location)}-Sql-FirewallRules-${index}'
params: {
name: firewallRule.name
serverName: server.name
endIpAddress: firewallRule.?endIpAddress ?? '0.0.0.0'
startIpAddress: firewallRule.?startIpAddress ?? '0.0.0.0'
}
}
]
module server_virtualNetworkRules 'virtual-network-rule/main.bicep' = [
for (virtualNetworkRule, index) in virtualNetworkRules: {
name: '${uniqueString(deployment().name, location)}-Sql-VirtualNetworkRules-${index}'
params: {
name: virtualNetworkRule.name
serverName: server.name
ignoreMissingVnetServiceEndpoint: virtualNetworkRule.?ignoreMissingVnetServiceEndpoint ?? false
virtualNetworkSubnetId: virtualNetworkRule.virtualNetworkSubnetId
}
}
]
module server_securityAlertPolicies 'security-alert-policy/main.bicep' = [
for (securityAlertPolicy, index) in securityAlertPolicies: {
name: '${uniqueString(deployment().name, location)}-Sql-SecAlertPolicy-${index}'
params: {
name: securityAlertPolicy.name
serverName: server.name
disabledAlerts: securityAlertPolicy.?disabledAlerts ?? []
emailAccountAdmins: securityAlertPolicy.?emailAccountAdmins ?? false
emailAddresses: securityAlertPolicy.?emailAddresses ?? []
retentionDays: securityAlertPolicy.?retentionDays ?? 0
state: securityAlertPolicy.?state ?? 'Disabled'
storageAccountAccessKey: securityAlertPolicy.?storageAccountAccessKey ?? ''
storageEndpoint: securityAlertPolicy.?storageEndpoint ?? ''
}
}
]
module server_vulnerabilityAssessment 'vulnerability-assessment/main.bicep' = if (!empty(vulnerabilityAssessmentsObj)) {
name: '${uniqueString(deployment().name, location)}-Sql-VulnAssessm'
params: {
serverName: server.name
name: vulnerabilityAssessmentsObj.name
recurringScansEmails: vulnerabilityAssessmentsObj.?recurringScansEmails ?? []
recurringScansEmailSubscriptionAdmins: vulnerabilityAssessmentsObj.?recurringScansEmailSubscriptionAdmins ?? false
recurringScansIsEnabled: vulnerabilityAssessmentsObj.?recurringScansIsEnabled ?? false
storageAccountResourceId: vulnerabilityAssessmentsObj.storageAccountResourceId
useStorageAccountAccessKey: vulnerabilityAssessmentsObj.?useStorageAccountAccessKey ?? false
createStorageRoleAssignment: vulnerabilityAssessmentsObj.?createStorageRoleAssignment ?? true
}
dependsOn: [
server_securityAlertPolicies
]
}
module server_keys 'key/main.bicep' = [
for (key, index) in keys: {
name: '${uniqueString(deployment().name, location)}-Sql-Key-${index}'
params: {
name: key.?name
serverName: server.name
serverKeyType: key.?serverKeyType ?? 'ServiceManaged'
uri: key.?uri ?? ''
}
}
]
module server_encryptionProtector 'encryption-protector/main.bicep' = if (!empty(encryptionProtectorObj)) {
name: '${uniqueString(deployment().name, location)}-Sql-EncryProtector'
params: {
sqlServerName: server.name
serverKeyName: encryptionProtectorObj.serverKeyName
serverKeyType: encryptionProtectorObj.?serverKeyType ?? 'ServiceManaged'
autoRotationEnabled: encryptionProtectorObj.?autoRotationEnabled ?? true
}
dependsOn: [
server_keys
]
}
module server_audit_settings 'audit-settings/main.bicep' = if (!empty(auditSettings)) {
name: '${uniqueString(deployment().name, location)}-Sql-AuditSettings'
params: {
serverName: server.name
name: auditSettings.?name ?? 'default'
state: auditSettings.?state ?? 'Disabled'
auditActionsAndGroups: auditSettings.?auditActionsAndGroups ?? [
'BATCH_COMPLETED_GROUP'
'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'
'FAILED_DATABASE_AUTHENTICATION_GROUP'
]
isAzureMonitorTargetEnabled: auditSettings.?isAzureMonitorTargetEnabled ?? false
isDevopsAuditEnabled: auditSettings.?isDevopsAuditEnabled ?? false
isManagedIdentityInUse: auditSettings.?isManagedIdentityInUse ?? false
isStorageSecondaryKeyInUse: auditSettings.?isStorageSecondaryKeyInUse ?? false
queueDelayMs: auditSettings.?queueDelayMs ?? 1000
retentionDays: auditSettings.?retentionDays ?? 90
storageAccountResourceId: auditSettings.?storageAccountResourceId
}
}
module secretsExport 'modules/keyVaultExport.bicep' = if (secretsExportConfiguration != null) {
name: '${uniqueString(deployment().name, location)}-secrets-kv'
scope: resourceGroup(
split((secretsExportConfiguration.?keyVaultResourceId ?? '//'), '/')[2],
split((secretsExportConfiguration.?keyVaultResourceId ?? '////'), '/')[4]
)
params: {
keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId ?? '//', '/'))
secretsToSet: union(
[],
contains(secretsExportConfiguration!, 'sqlAdminPasswordSecretName')
? [
{
name: secretsExportConfiguration!.sqlAdminPasswordSecretName
value: administratorLoginPassword
}
]
: [],
contains(secretsExportConfiguration!, 'sqlAzureConnectionStringSercretName')
? [
{
name: secretsExportConfiguration!.sqlAzureConnectionStringSercretName
value: 'Server=${server.properties.fullyQualifiedDomainName}; Database=${!empty(databases) ? databases[0].name : ''}; User=${administratorLogin}; Password=${administratorLoginPassword}'
}
]
: []
)
}
}
@description('The name of the deployed SQL server.')
output name string = server.name
@description('The resource ID of the deployed SQL server.')
output resourceId string = server.id
@description('The resource group of the deployed SQL server.')
output resourceGroupName string = resourceGroup().name
@description('The principal ID of the system assigned identity.')
output systemAssignedMIPrincipalId string = server.?identity.?principalId ?? ''
@description('The location the resource was deployed into.')
output location string = server.location
@description('A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret\'s name.')
output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
? toObject(secretsExport.outputs.secretsSet, secret => last(split(secret.secretResourceId, '/')), secret => secret)
: {}
@description('The private endpoints of the SQL server.')
output privateEndpoints array = [
for (pe, i) in (!empty(privateEndpoints) ? array(privateEndpoints) : []): {
name: server_privateEndpoints[i].outputs.name
resourceId: server_privateEndpoints[i].outputs.resourceId
groupId: server_privateEndpoints[i].outputs.groupId
customDnsConfig: server_privateEndpoints[i].outputs.customDnsConfig
networkInterfaceIds: server_privateEndpoints[i].outputs.networkInterfaceIds
}
]
// =============== //
// Definitions //
// =============== //
type managedIdentitiesType = {
@description('Optional. Enables system assigned managed identity on the resource.')
systemAssigned: bool?
@description('Optional. The resource ID(s) to assign to the resource.')
userAssignedResourceIds: string[]?
}?
type lockType = {
@description('Optional. Specify the name of lock.')
name: string?
@description('Optional. Specify the type of lock.')
kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
}?
type roleAssignmentType = {
@description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
name: string?
@description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
roleDefinitionIdOrName: string
@description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
principalId: string
@description('Optional. The principal type of the assigned principal ID.')
principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
@description('Optional. The description of the role assignment.')
description: string?
@description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
condition: string?
@description('Optional. Version of the condition.')
conditionVersion: '2.0'?
@description('Optional. The Resource Id of the delegated managed identity resource.')
delegatedManagedIdentityResourceId: string?
}[]?
type privateEndpointType = {
@description('Optional. The name of the private endpoint.')
name: string?
@description('Optional. The location to deploy the private endpoint to.')
location: string?
@description('Optional. The name of the private link connection to create.')
privateLinkServiceConnectionName: string?
@description('Optional. The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".')
service: string?
@description('Required. Resource ID of the subnet where the endpoint needs to be created.')
subnetResourceId: string
@description('Optional. The private DNS zone group to configure for the private endpoint.')
privateDnsZoneGroup: {
@description('Optional. The name of the Private DNS Zone Group.')
name: string?
@description('Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.')
privateDnsZoneGroupConfigs: {
@description('Optional. The name of the private DNS zone group config.')
name: string?
@description('Required. The resource id of the private DNS zone.')
privateDnsZoneResourceId: string
}[]
}?
@description('Optional. If Manual Private Link Connection is required.')
isManualConnection: bool?
@description('Optional. A message passed to the owner of the remote resource with the manual connection request.')
@maxLength(140)
manualConnectionRequestMessage: string?
@description('Optional. Custom DNS configurations.')
customDnsConfigs: {
@description('Required. Fqdn that resolves to private endpoint IP address.')
fqdn: string?
@description('Required. A list of private IP addresses of the private endpoint.')
ipAddresses: string[]
}[]?
@description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
ipConfigurations: {
@description('Required. The name of the resource that is unique within a resource group.')
name: string
@description('Required. Properties of private endpoint IP configurations.')
properties: {
@description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
groupId: string
@description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
memberName: string
@description('Required. A private IP address obtained from the private endpoint\'s subnet.')
privateIPAddress: string
}
}[]?
@description('Optional. Application security groups in which the private endpoint IP configuration is included.')
applicationSecurityGroupResourceIds: string[]?
@description('Optional. The custom name of the network interface attached to the private endpoint.')
customNetworkInterfaceName: string?
@description('Optional. Specify the type of lock.')
lock: lockType
@description('Optional. Array of role assignments to create.')
roleAssignments: roleAssignmentType
@description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
tags: object?
@description('Optional. Enable/Disable usage telemetry for module.')
enableTelemetry: bool?
@description('Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.')
resourceGroupName: string?
}[]?
type auditSettingsType = {
@description('Optional. Specifies the name of the audit settings.')
name: string?
@description('Optional. Specifies the Actions-Groups and Actions to audit.')
auditActionsAndGroups: string[]?
@description('Optional. Specifies whether audit events are sent to Azure Monitor.')
isAzureMonitorTargetEnabled: bool?
@description('Optional. Specifies the state of devops audit. If state is Enabled, devops logs will be sent to Azure Monitor.')
isDevopsAuditEnabled: bool?
@description('Optional. Specifies whether Managed Identity is used to access blob storage.')
isManagedIdentityInUse: bool?
@description('Optional. Specifies whether storageAccountAccessKey value is the storage\'s secondary key.')
isStorageSecondaryKeyInUse: bool?
@description('Optional. Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed.')
queueDelayMs: int?
@description('Optional. Specifies the number of days to keep in the audit logs in the storage account.')
retentionDays: int?
@description('Required. Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.')
state: 'Enabled' | 'Disabled'
@description('Optional. Specifies the identifier key of the auditing storage account.')
storageAccountResourceId: string?
}
type secretsExportConfigurationType = {
@description('Required. The resource ID of the key vault where to store the secrets of this module.')
keyVaultResourceId: string
@description('Optional. The sqlAdminPassword secret name to create.')
sqlAdminPasswordSecretName: string?
@description('Optional. The sqlAzureConnectionString secret name to create.')
sqlAzureConnectionStringSercretName: string?
}?
import { secretSetType } from 'modules/keyVaultExport.bicep'
type secretsOutputType = {
@description('An exported secret\'s references.')
*: secretSetType
}