Azure · AlexanderSehr · Oct 19, 2021 · Oct 15, 2021 · Oct 15, 2021 · Oct 15, 2021
@@ -39,8 +39,13 @@ param eventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param eventHubName string = ''
 
-@description('Optional. Switch to lock Key Vault from deletion.')
-param lockForDeletion bool = false
+@allowed([
+  'CanNotDelete'
+  'NotSpecified'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleAssignments array = []
@@ -115,10 +120,11 @@ resource server 'Microsoft.AnalysisServices/servers@2017-08-01' = {
   }
 }
 
-resource server_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
-  name: '${server.name}-DoNotDelete'
+resource server_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') {
+  name: '${server.name}-${lock}-lock'
   properties: {
-    level: 'CanNotDelete'
+    level: lock
+    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: server
 }

@@ -85,8 +85,13 @@ param identityProviderType string = 'aad'
 @description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
 
-@description('Optional. Switch to lock Key Vault from deletion.')
-param lockForDeletion bool = false
+@allowed([
+  'CanNotDelete'
+  'NotSpecified'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
 
 @description('Optional. Limit control plane API calls to API Management service with version equal to or newer than this value.')
 param minApiVersion string = ''
@@ -248,10 +253,11 @@ resource apiManagementService 'Microsoft.ApiManagement/service@2020-12-01' = {
   }
 }
 
-resource apiManagementService_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
-  name: '${apiManagementService.name}-apiManagementServiceDoNotDelete'
+resource apiManagementService_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') {
+  name: '${apiManagementService.name}-${lock}-lock'
   properties: {
-    level: 'CanNotDelete'
+    level: lock
+    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: apiManagementService
 }

@@ -51,8 +51,13 @@ param eventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param eventHubName string = ''
 
-@description('Optional. Switch to lock Automation Account from deletion.')
-param lockForDeletion bool = false
+@allowed([
+  'CanNotDelete'
+  'NotSpecified'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
 
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleAssignments array = []
@@ -202,10 +207,11 @@ resource automationAccount 'Microsoft.Automation/automationAccounts@2020-01-13-p
   }]
 }
 
-resource automationAccount_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
-  name: '${automationAccount.name}-DoNotDelete'
+resource automationAccount_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') {
+  name: '${automationAccount.name}-${lock}-lock'
   properties: {
-    level: 'CanNotDelete'
+    level: lock
+    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: automationAccount
 }

@@ -37,41 +37,11 @@ This module deploys an Azure Automation Account, with resource lock.
 | `privateEndpoints`              | array  | System.Object[]              |                               | Optional. Configuration Details for private endpoints.                                                                                                                                                                                                                                                                                                                                                          |
 | `eventHubAuthorizationRuleId`   | string |                              |                               | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.                                                                                                                                                                                                                                                                 |
 | `eventHubName`                  | string |                              |                               | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.                                                                                                                                                                                                                                                                   |
-| `lockForDeletion`               | bool   | `false`                      |                               | Optional. Switch to lock Automation Account from deletion.                                                                                                                                                                                                                                                                                                                                                      |
+| `lock` | string | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' | Optional. Specify the type of lock |
 | `roleAssignments`               | array  | []                           | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `tags`                          | object |                              |                               | Optional. Tags of the Automation Account resource.                                                                                                                                                                                                                                                                                                                                                              |
 | `sasTokenValidityLength`        | string | PT8H                         |                               | Optional. SAS token validity length. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours.                                                                                                                                                                                                                         |
 
-### Parameter Usage: `automationAccountName`
-
-Name of the Azure Automation Account
-
-```json
-"automationAccountName": {
-    "value": "avd-scaling-autoaccount"
-}
-```
-
-### Parameter Usage: `location`
-
-Location for all resources.
-
-```json
-"location": {
-    "value": "westeurope"
-}
-```
-
-### Parameter Usage: `skuName`
-
-Specifies the SKU for the Automation Account
-
-```json
-"skuName": {
-    "value": "Basic"
-}
-```
-
 ### Parameter Usage: `modules`
 
 List of modules to be created in the automation account
@@ -187,66 +157,6 @@ To use Private Endpoint the following dependencies must be deployed:
 }
 ```
 
-### Parameter Usage: `diagnosticLogsRetentionInDays`
-
-Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.
-
-```json
-"diagnosticLogsRetentionInDays": {
-    "value": 30
-}
-```
-
-### Parameter Usage: `diagnosticStorageAccountId`
-
-Resource identifier of the Diagnostic Storage Account.
-
-```json
-"diagnosticStorageAccountId": {
-    "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/Microsoft.Storage/storageAccounts/sharedSA"
-}
-```
-
-### Parameter Usage: `workspaceId`
-
-Resource identifier of Log Analytics.
-
-```json
-"workspaceId": {
-    "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/microsoft.operationalinsights/workspaces/my-sbx-eu-la"
-}
-```
-
-### Parameter Usage: `eventHubAuthorizationRuleId`
-
-Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
-
-```json
-"eventHubAuthorizationRuleId": {
-    "value": "/subscriptions/396826c76-d304-46d8-a0f6-718dbded536c/resourceGroups/Base-RG/providers/Microsoft.EventHub/namespaces/my-sbx-02-eh/authorizationRules/myRule"
-}
-```
-
-### Parameter Usage: `eventHubName`
-
-Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
-
-```json
-"eventHubName": {
-    "value": "myEventHub"
-}
-```
-
-### Parameter Usage: `lockForDeletion`
-
-Switch to lock Logic App from deletion.
-
-```json
-"lockForDeletion": {
-    "value": true
-}
-```
-
 ### Parameter Usage: `roleAssignments`
 
 ```json

@@ -21,8 +21,13 @@ param eventHubAuthorizationRuleId string = ''
 @description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
 param eventHubName string = ''
 
-@description('Optional. Switch to lock Key Vault from deletion.')
-param lockForDeletion bool = false
+@allowed([
+  'CanNotDelete'
+  'NotSpecified'
+  'ReadOnly'
+])
+@description('Optional. Specify the type of lock.')
+param lock string = 'NotSpecified'
 
 @description('Optional. Tags of the resource.')
 param tags object = {}
@@ -63,10 +68,11 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2020-09-01' = {
   properties: {}
 }
 
-resource batchAccount_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
-  name: '${batchAccount.name}-doNotDelete'
+resource batchAccount_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') {
+  name: '${batchAccount.name}-${lock}-lock'
   properties: {
-    level: 'CanNotDelete'
+    level: lock
+    notes: (lock == 'CanNotDelete') ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
   }
   scope: batchAccount
 }

@@ -24,7 +24,7 @@ The following resources are required to be able to deploy this resource.
 | `eventHubAuthorizationRuleId` | string | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |  |  |
 | `eventHubName` | string | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |  |  |
 | `location` | string | Optional. Location for all Resources. | [resourceGroup().location] |  |
-| `lockForDeletion` | bool | Optional. Switch to lock Key Vault from deletion. | False |  |
+| `lock` | string | Optional. Specify the type of lock. | 'NotSpecified' | 'CanNotDelete', 'NotSpecified', 'ReadOnly' |
 | `tags` | object | Optional. Tags of the resource. |  |  |
 | `workspaceId` | string | Optional. Resource identifier of Log Analytics. |  |  |
Resource Type	Api Version
`Microsoft.Resources/deployments`	2018-02-01
`Microsoft.AnalysisServices/servers`	2017-08-01
`Microsoft.Authorization/locks`	2016-09-01
`Microsoft.AnalysisServices/servers/providers/diagnosticsettings`	2017-05-01-preview
`Microsoft.AnalysisServices/servers/providers/roleAssignments`	2020-04-01-preview
Parameter Name	Type	Description	DefaultValue	Possible values
`analysisServicesName`	string	Required. The name of the Azure Analysis Services server to create.
`cuaId`	string	Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered
`diagnosticLogsRetentionInDays`	int	Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.	365
`diagnosticStorageAccountId`	string	Optional. Resource identifier of the Diagnostic Storage Account.
`eventHubAuthorizationRuleId`	string	Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
`eventHubName`	string	Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
`firewallSettings`	object	Optional. The inbound firewall rules to define on the server. If not specified, firewall is disabled.	firewallRules=System.Object[]; enablePowerBIService=True
`location`	string	Optional. Location for all Resources.	[resourceGroup().location]
`lockForDeletion`	bool	Optional. Switch to lock Key Vault from deletion.	False
`roleAssignments`	array	Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'	[]	Complex structure, see below.
`skuCapacity`	int	Optional. The total number of query replica scale-out instances.	1
`skuName`	string	Optional. The sku name of the Azure Analysis Services server to create.	S0
`tags`	object	Optional. Tags of the resource.
`workspaceId`	string	Optional. Resource identifier of Log Analytics.
Output Name	Type	Description
`analysisServicesName`	string	The Name of the Analysis Services.
`analysisServicesResourceGroup`	string	The name of the Resource Group with the Analysis Services.
`analysisServicesResourceId`	string	The Resource Id of the Analysis Services.
Resource Type	Api Version
`Microsoft.ApiManagement/service/identityProviders`	2020-06-01-preview
`Microsoft.ApiManagement/service/policies`	2020-06-01-preview
`Microsoft.ApiManagement/service/portalsettings`	2019-12-01
`Microsoft.ApiManagement/service/providers/roleAssignments`	2020-04-01-preview
`Microsoft.ApiManagement/service`	2020-12-01
`Microsoft.Authorization/locks`	2016-09-01
`Microsoft.Insights/diagnosticSettings`	2017-05-01-preview
`Microsoft.Resources/deployments`	2019-10-01
Parameter Name	Type	Default Value	Possible values	Description
`additionalLocations`	array	System.Object[]		Optional. Additional datacenter locations of the API Management service.
`apiManagementServiceName`	string			Required. The name of the of the Api Management service.
`apiManagementServicePolicy`	object			Optional. Policy content for the Api Management Service. Format: Format of the policyContent. - xml, xml-link, rawxml, rawxml-link. Value: Contents of the Policy as defined by the format.
`certificates`	array	System.Object[]		Optional. List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10.
`cuaId`	string			Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered
`customProperties`	object			Optional. Custom properties of the API Management service.
`diagnosticLogsRetentionInDays`	int	365		Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.
`diagnosticStorageAccountId`	string			Optional. Resource identifier of the Diagnostic Storage Account.
`disableGateway`	bool	False		Optional. Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region.
`enableClientCertificate`	bool	False		Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.
`eventHubAuthorizationRuleId`	string			Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.
`eventHubName`	string			Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.
`hostnameConfigurations`	array	System.Object[]		Optional. Custom hostname configuration of the API Management service.
`identity`	object			Optional. Managed service identity of the Api Management service.
`identityProviderAllowedTenants`	array	System.Object[]		Optional. List of Allowed Tenants when configuring Azure Active Directory login. - string
`identityProviderAuthority`	string			Optional. OpenID Connect discovery endpoint hostname for AAD or AAD B2C.
`identityProviderClientId`	string			Optional. Client Id of the Application in the external Identity Provider. Required if identity provider is used.
`identityProviderClientSecret`	securestring			Optional. Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used.
`identityProviderPasswordResetPolicyName`	string			Optional. Password Reset Policy Name. Only applies to AAD B2C Identity Provider.
`identityProviderProfileEditingPolicyName`	string			Optional. Profile Editing Policy Name. Only applies to AAD B2C Identity Provider.
`identityProviderSignInPolicyName`	string			Optional. Signin Policy Name. Only applies to AAD B2C Identity Provider.
`identityProviderSignInTenant`	string			Optional. The TenantId to use instead of Common when logging into Active Directory
`identityProvider#PolicyName`	string			Optional. # Policy Name. Only applies to AAD B2C Identity Provider.
`identityProviderType`	string	'aad'	'aad', 'aadB2C', 'facebook', 'google', 'microsoft', 'twitter'	Optional. Identity Provider Type identifier.
`location`	string	[resourceGroup().location]		Optional. Location for all Resources.
`lockForDeletion`	bool	False		Optional. Switch to lock Key Vault from deletion.
`minApiVersion`	string			Optional. Limit control plane API calls to API Management service with version equal to or newer than this value.
`notificationSenderEmail`	string	apimgmt-noreply@mail.windowsazure.com		Optional. The notification sender email address for the service.
`portalSignIn`	object			Optional. Portal # settings.
`portal#`	object			Optional. Portal # settings.
`publisherEmail`	string			Required. The email address of the owner of the service.
`publisherName`	string			Required. The name of the owner of the service.
`restore`	bool	False		Optional. Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.
`roleAssignments`	array	System.Object[]		Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
`sku`	string	Developer	System.Object[]	Optional. The # tier of this Api Management service.
`skuCount`	string	1	System.Object[]	Optional. The instance size of this Api Management service.
`subnetResourceId`	string			Optional. The full resource ID of a subnet in a virtual network to deploy the API Management service in.
`tags`	object			Optional. Tags of the resource.
`virtualNetworkType`	string	None	System.Object[]	Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.
`workspaceId`	string			Optional. Resource identifier of Log Analytics.
`zones`	array	System.Object[]		Optional. A list of availability zones denoting where the resource needs to come from.
Output Name	Type	Description
`apimServiceName`	string	The Api Management Service Name
`apimServiceResourceGroup`	string	The name of the Resource Group with the Api Management Service
`apimServiceResourceId`	string	The Resource Id of the Api Management Service