diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_cuaId.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep
new file mode 100644
index 0000000000..725a4a37d4
--- /dev/null
+++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_privateEndpoint.bicep
@@ -0,0 +1,52 @@
+param privateEndpointResourceId string
+param privateEndpointVnetLocation string
+param privateEndpointDef object
+param tags object
+
+var privateEndpointResourceName = last(split(privateEndpointResourceId, '/'))
+var privateEndpoint_var = {
+ name: (contains(privateEndpointDef, 'name') ? (empty(privateEndpointDef.name) ? '${privateEndpointResourceName}-${privateEndpointDef.service}' : privateEndpointDef.name) : '${privateEndpointResourceName}-${privateEndpointDef.service}')
+ subnetResourceId: privateEndpointDef.subnetResourceId
+ service: [
+ privateEndpointDef.service
+ ]
+ privateDnsZoneResourceIds: (contains(privateEndpointDef, 'privateDnsZoneResourceIds') ? (empty(privateEndpointDef.privateDnsZoneResourceIds) ? [] : privateEndpointDef.privateDnsZoneResourceIds) : [])
+ customDnsConfigs: (contains(privateEndpointDef, 'customDnsConfigs') ? (empty(privateEndpointDef.customDnsConfigs) ? json('null') : privateEndpointDef.customDnsConfigs) : json('null'))
+}
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2020-05-01' = {
+ name: privateEndpoint_var.name
+ location: privateEndpointVnetLocation
+ tags: tags
+ properties: {
+ privateLinkServiceConnections: [
+ {
+ name: privateEndpoint_var.name
+ properties: {
+ privateLinkServiceId: privateEndpointResourceId
+ groupIds: privateEndpoint_var.service
+ }
+ }
+ ]
+ manualPrivateLinkServiceConnections: []
+ subnet: {
+ id: privateEndpoint_var.subnetResourceId
+ }
+ customDnsConfigs: privateEndpoint_var.customDnsConfigs
+ }
+}
+
+resource privateEndpoint_default 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-05-01' = if (!empty(privateEndpoint_var.privateDnsZoneResourceIds)) {
+ name: '${privateEndpoint_var.name}/default'
+ properties: {
+ privateDnsZoneConfigs: [for j in range(0, length(privateEndpoint_var.privateDnsZoneResourceIds)): {
+ name: last(split(privateEndpoint_var.privateDnsZoneResourceIds[j], '/'))
+ properties: {
+ privateDnsZoneId: privateEndpoint_var.privateDnsZoneResourceIds[j]
+ }
+ }]
+ }
+ dependsOn: [
+ privateEndpoint
+ ]
+}
diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..067e223503
--- /dev/null
+++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep
@@ -0,0 +1,13 @@
+param roleAssignment object
+param builtInRoleNames object
+param keyVaultName string
+
+
+resource nested_rbac 'Microsoft.Storage/storageAccounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
+ name: '${keyVaultName}/Microsoft.Authorization/${guid(keyVaultName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ principalId: principalId
+ }
+ dependsOn: []
+}]
diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep
new file mode 100644
index 0000000000..370cc1b23e
--- /dev/null
+++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep
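Review bot: `nested_rbac` declares the role assignment as `Microsoft.Storage/storageAccounts/providers/roleAssignments@2020-04-01-preview` while the name it builds is `'${keyVaultName}/Microsoft.Authorization/${guid(...)}'`, so ARM scopes the assignment to a storage account called `keyVaultName`, not to the vault this module is supposed to secure. In the normal case no such storage account exists and the deployment fails; if one happens to share the name, the role is granted on the wrong resource. Change the type to `'Microsoft.KeyVault/vaults/providers/roleAssignments@2020-04-01-preview'`; the file appears to have been copied from the storage module's nested_rbac without adjusting the parent type. It may also be worth accepting an optional `principalType` in the role-assignment object and forwarding it in `properties`, since assignments to freshly created service principals can otherwise fail on directory replication lag, but the callers' object shape is not visible here, so treat that as a suggestion to confirm.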
@@ -0,0 +1,271 @@
+@description('Optional. Name of the Key Vault. If no name is provided, then unique name will be created.')
+@maxLength(24)
+param keyVaultName string = ''
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Array of access policies object')
+param accessPolicies array = []
+
+@description('Optional. All secrets [{"secretName":"","secretValue":""} wrapped in a secure object]')
+@secure()
+param secretsObject object = {
+ secrets: []
+}
+
+@description('Optional. All keys [{"keyName":"","keyType":"","keyOps":"","keySize":"","curvename":""} wrapped in a secure object]')
+@secure()
+param keysObject object = {
+ keys: []
+}
+
+@description('Optional. Specifies if the vault is enabled for deployment by script or compute')
+@allowed([
+ true
+ false
+])
+param enableVaultForDeployment bool = true
+
+@description('Optional. Specifies if the vault is enabled for a template deployment')
+@allowed([
+ true
+ false
+])
+param enableVaultForTemplateDeployment bool = true
+
+@description('Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios.')
+@allowed([
+ true
+ false
+])
+param enableVaultForDiskEncryption bool = true
+
+@description('Optional. Switch to enable/disable Key Vault\'s soft delete feature.')
+param enableSoftDelete bool = true
+
+@description('Optional. softDelete data retention days. It accepts >=7 and <=90.')
+param softDeleteRetentionInDays int = 90
+
+@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.')
+param enableRbacAuthorization bool = false
+
+@description('Optional. The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.')
+param createMode string = 'default'
+
+@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
+param enablePurgeProtection bool = false
+
+@description('Optional. Specifies the SKU for the vault')
+@allowed([
+ 'premium'
+ 'standard'
+])
+param vaultSku string = 'premium'
+
+@description('Optional. Service endpoint object information')
+param networkAcls object = {}
+
+@description('Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well')
+param vNetId string = ''
+
+@description('Optional. The name of the Diagnostic setting.')
+param diagnosticSettingName string = 'service'
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource identifier of the Diagnostic Storage Account.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource identifier of Log Analytics.')
+param workspaceId string = ''
+
+@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param eventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+param eventHubName string = ''
+
+@description('Optional. Switch to lock Key Vault from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Configuration Details for private endpoints.')
+param privateEndpoints array = []
+
+@description('Optional. Resource tags.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+@description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.')
+param baseTime string = utcNow('u')
+
+var maxNameLength = 24
+var uniqueKeyVaultNameUntrim = uniqueString('Key Vault${baseTime}')
+var uniqueKeyVaultName = ((length(uniqueKeyVaultNameUntrim) > maxNameLength) ? substring(uniqueKeyVaultNameUntrim, 0, maxNameLength) : uniqueKeyVaultNameUntrim)
+var keyVaultName_var = (empty(keyVaultName) ? uniqueKeyVaultName : keyVaultName)
+var virtualNetworkRules = [for networkrule in networkAcls.virtualNetworkRules: {
+ id: '${vNetId}/subnets/${networkrule.subnet}'
+}]
+var networkAcls_var = {
+ bypass: (empty(networkAcls) ? json('null') : networkAcls.bypass)
+ defaultAction: (empty(networkAcls) ? json('null') : networkAcls.defaultAction)
+ virtualNetworkRules: (empty(networkAcls) ? json('null') : virtualNetworkRules)
+ ipRules: (empty(networkAcls) ? json('null') : ((length(networkAcls.ipRules) == 0) ? [] : networkAcls.ipRules))
+}
+var diagnosticsMetrics = [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+ }
+]
+var diagnosticsLogs = [
+ {
+ category: 'AuditEvent'
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+ }
+]
+var builtInRoleNames = {
+ Owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ Contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+ Reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ 'Key Vault Administrator (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483'
+ 'Key Vault Certificates Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985'
+ 'Key Vault Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
+ 'Key Vault Crypto Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
+ 'Key Vault Crypto Service Encryption User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6'
+ 'Key Vault Crypto User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424'
+ 'Key Vault Reader (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2'
+ 'Key Vault Secrets Officer (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
+ 'Key Vault Secrets User (preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6'
+ 'Log Analytics Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
+ 'Log Analytics Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
+ 'Managed Application Contributor Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
+ 'Managed Application Operator Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
+ 'Managed Applications Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
+ 'Monitoring Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
+ 'Monitoring Metrics Publisher': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
+ 'Monitoring Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
+ 'Resource Policy Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
+ 'User Access Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+ 'Azure Service Deploy Release Management Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21d96096-b162-414a-8302-d8354f9d91b2'
+ masterreader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a48d7796-14b4-4889-afef-fbb65a93e5a2'
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
+ name: keyVaultName_var
+ location: location
+ tags: tags
+ properties: {
+ enabledForDeployment: enableVaultForDeployment
+ enabledForTemplateDeployment: enableVaultForTemplateDeployment
+ enabledForDiskEncryption: enableVaultForDiskEncryption
+ enableSoftDelete: enableSoftDelete
+ softDeleteRetentionInDays: softDeleteRetentionInDays
+ enableRbacAuthorization: enableRbacAuthorization
+ createMode: createMode
+ enablePurgeProtection: ((!enablePurgeProtection) ? json('null') : enablePurgeProtection)
+ tenantId: subscription().tenantId
+ accessPolicies: accessPolicies
+ sku: {
+ name: vaultSku
+ family: 'A'
+ }
+ networkAcls: (empty(networkAcls) ? json('null') : networkAcls_var)
+ }
+}
+
+resource keyVault_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+ name: '${keyVaultName_var}-keyVaultDoNotDelete'
+ properties: {
+ level: 'CanNotDelete'
+ }
+ scope: keyVault
+}
+
+resource keyVault_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+ name: '${keyVaultName_var}-${diagnosticSettingName}'
+ properties: {
+ storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
+ workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
+ eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
+ eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
+ metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
+ logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs)
+ }
+ scope: keyVault
+}
+
+resource keyVault_secrets 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for secret in secretsObject.secrets: if (!empty(secretsObject.secrets)) {
+ name: (empty(secretsObject.secrets) ? '${keyVaultName_var}/secretEntity' : '${keyVaultName_var}/${secret.secretName}')
+ properties: {
+ value: secret.secretValue
+ }
+ dependsOn: [
+ keyVault
+ ]
+}]
+
+resource keyVault_keys 'Microsoft.KeyVault/vaults/keys@2019-09-01' = [for key in keysObject.keys: if (!empty(keysObject.keys)) {
+ name: (empty(keysObject.keys) ? '${keyVaultName_var}/keyEntity' : '${keyVaultName_var}/${key.keyName}')
+ properties: {
+ kty: key.keyType
+ keyOps: key.keyOps
+ keySize: key.keySize
+ curveName: key.curveName
+ }
+ dependsOn: [
+ keyVault
+ ]
+}]
+
+module keyVault_privateEndpoints './.bicep/nested_privateEndpoint.bicep' = [for (item, i) in privateEndpoints: {
+ name: '${uniqueString(deployment().name, location)}-KeyVault-PrivateEndpoints-${i}'
+ params: {
+ privateEndpointResourceId: keyVault.id
+ privateEndpointVnetLocation: (empty(privateEndpoints) ? 'dummy' : reference(split(item.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location)
+ privateEndpointDef: item
+ tags: tags
+ }
+ dependsOn: [
+ keyVault
+ ]
+}]
+
+module keyVault_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
+ name: 'rbac-${deployment().name}${i}'
+ params: {
+ roleAssignment: item
+ builtInRoleNames: builtInRoleNames
+ keyVaultName: keyVaultName_var
+ }
+ dependsOn: [
+ keyVault
+ ]
+}]
+
+output keyVaultResourceId string = keyVault.id
+output keyVaultResourceGroup string = resourceGroup().name
+output keyVaultName string = keyVaultName_var
+output keyVaultUrl string = reference(keyVault.id, '2016-10-01').vaultUri
diff --git a/arm/Microsoft.KeyVault/vaults/parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/parameters/parameters.json
index fbcfd5abf6..734595bfd5 100644
--- a/arm/Microsoft.KeyVault/vaults/parameters/parameters.json
+++ b/arm/Microsoft.KeyVault/vaults/parameters/parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "keyVaultName": {
- "value": "sxx-az-kv-weu-x-001"
+ "value": "sxx-az-kv-weu-x-001"
 },
 "keysObject": {
 "value": {
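Review bot: `softDeleteRetentionInDays` is documented as accepting 7 to 90 and `createMode` as `recover` or `default`, yet neither parameter is constrained, so an out-of-range value is only rejected by the resource provider at deploy time; add `@minValue(7)` and `@maxValue(90)` above `param softDeleteRetentionInDays int = 90`, and `@allowed([ 'default' 'recover' ])` above `param createMode string = 'default'`, the same way `vaultSku` and `diagnosticLogsRetentionInDays` are already constrained. The shipped defaults are also permissive for a vault module: `enablePurgeProtection` defaults to `false`, all three `enabledFor*` flags default to `true` (so ARM template deployments, VMs and the disk-encryption platform may read from the vault), and with the default `networkAcls = {}` the resource is created with `networkAcls: null`, i.e. reachable from any network; each of those `@description` strings should at least name the exposure, e.g. `'Optional. Provide \'true\' to enable Key Vault\'s purge protection feature. Defaults to false; enable in production so soft-deleted keys and secrets cannot be purged before the retention period ends.'`. Minor: `output keyVaultUrl` re-reads the vault through `reference(keyVault.id, '2016-10-01')` even though the resource is declared at `@2019-09-01` two hundred lines earlier; `keyVault.properties.vaultUri` uses the declared symbol and drops the second API version.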
@@ -25,44 +25,56 @@ ] } }, - "accessPolicies": { - "value": [ - { - "tenantId": "", - "objectId": "", - "permissions": { - "certificates": ["All"], - "keys": ["All"], - "secrets": ["All"] - } - }, - { + "accessPolicies": { + "value": [ + { "tenantId": "", "objectId": "", "permissions": { - "certificates": ["All"], - "keys": ["All"], - "secrets": ["All"] + "certificates": [ + "All" + ], + "keys": [ + "All" + ], + "secrets": [ + "All" + ] + } + }, + { + "tenantId": "", + "objectId": "", + "permissions": { + "certificates": [ + "All" + ], + "keys": [ + "All" + ], + "secrets": [ + "All" + ] } } - ] - }, - "enableSoftDelete": { - "value": true - }, - "softDeleteRetentionInDays": { - "value": 7 - }, -// "networkAcls": { -// "value": { -// "bypass": "AzureServices", -// "defaultAction": "Deny", -// "virtualNetworkRules": [], -// "ipRules": [] -// } -// }, - "enableRbacAuthorization": { - "value": false - } + ] + }, + "enableSoftDelete": { + "value": true + }, + "softDeleteRetentionInDays": { + "value": 7 + }, + // "networkAcls": { + // "value": { + // "bypass": "AzureServices", + // "defaultAction": "Deny", + // "virtualNetworkRules": [], + // "ipRules": [] + // } + // }, + "enableRbacAuthorization": { + "value": false + } } } \ No newline at end of file diff --git a/arm/Microsoft.Storage/storageAccounts/.bicep/nested_cuaId.bicep b/arm/Microsoft.Storage/storageAccounts/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index 91ff009394..d47c75443f 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
@@ -187,11 +187,9 @@ var builtInRoleNames = { 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c') } -resource pid_cuaId 'Microsoft.Resources/deployments@2020-06-01' = if (!empty(cuaId)) { +module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' - properties: { - mode: 'Incremental' - } + params: {} } resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = { @@ -222,7 +220,6 @@ resource storageAccount_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lo module storageAccount_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-Storage-Rbac-${index}' - // scope: storageAccount // module scopes are not yet supported besides subscription & up params: { roleAssignment: roleassignment builtInRoleNames: builtInRoleNames @@ -233,7 +230,7 @@ module storageAccount_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, ] }] -module private_endpoints './.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) { +module storageAccount_privateEndpoints './.bicep/nested_privateEndpoint.bicep' = [for (endpoint, index) in privateEndpoints: if (!empty(privateEndpoints)) { name: '${uniqueString(deployment().name, location)}-Storage-PrivateEndpoints-${index}' params: { privateEndpointResourceId: storageAccount.id @@ -247,7 +244,7 @@ module private_endpoints './.bicep/nested_privateEndpoint.bicep' = [for (endpoin }] // lifecycle policy -resource managementPolicies 'Microsoft.Storage/storageAccounts/managementPolicies@2019-06-01' = if (enableArchiveAndDelete) { +resource storageAccount_managementPolicies 'Microsoft.Storage/storageAccounts/managementPolicies@2019-06-01' = if (enableArchiveAndDelete) { name: 'default' parent: storageAccount properties: { 
@@ -289,7 +286,7 @@ resource managementPolicies 'Microsoft.Storage/storageAccounts/managementPolicie } // Containers -resource nested_blob_services 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01' = if (!empty(blobContainers)) { +resource storageAccount_nested_blob_services 'Microsoft.Storage/storageAccounts/blobServices@2019-06-01' = if (!empty(blobContainers)) { name: 'default' parent: storageAccount properties: { @@ -301,7 +298,7 @@ resource nested_blob_services 'Microsoft.Storage/storageAccounts/blobServices@20 } } -module nested_blob_container './.bicep/nested_container.bicep' = [for (blobContainer, index) in blobContainers: if (!empty(blobContainers)) { +module storageAccount_nested_blob_container './.bicep/nested_container.bicep' = [for (blobContainer, index) in blobContainers: if (!empty(blobContainers)) { name: '${uniqueString(deployment().name, location)}-Storage-Container-${(empty(blobContainers) ? 'dummy' : index)}' params: { blobContainer: blobContainer @@ -309,12 +306,12 @@ module nested_blob_container './.bicep/nested_container.bicep' = [for (blobConta storageAccountName: storageAccountName } dependsOn: [ - nested_blob_services + storageAccount_nested_blob_services ] }] // File Shares -module nested_fileShare './.bicep/nested_fileShare.bicep' = [for (fileShare, index) in fileShares: if (!empty(fileShares)) { +module storageAccount_nested_fileShare './.bicep/nested_fileShare.bicep' = [for (fileShare, index) in fileShares: if (!empty(fileShares)) { name: '${uniqueString(deployment().name, location)}-Storage-FileShare-${(empty(fileShares) ? 'dummy' : index)}' params: { fileShare: fileShare 
@@ -327,7 +324,7 @@ module nested_fileShare './.bicep/nested_fileShare.bicep' = [for (fileShare, ind }] // Queue -module nested_queue './.bicep/nested_queue.bicep' = [for (queue, index) in queues: if (!empty(queues)) { +module storageAccount_nested_queue './.bicep/nested_queue.bicep' = [for (queue, index) in queues: if (!empty(queues)) { name: '${uniqueString(deployment().name, location)}-Storage-Queue-${(empty(queues) ? 'dummy' : index)}' params: { queue: queue @@ -340,7 +337,7 @@ module nested_queue './.bicep/nested_queue.bicep' = [for (queue, index) in queue }] // Table -resource nested_table 'Microsoft.Storage/storageAccounts/tableServices/tables@2019-06-01' = [for table in tables: if (!empty(tables)) { +resource storageAccount_nested_table 'Microsoft.Storage/storageAccounts/tableServices/tables@2019-06-01' = [for table in tables: if (!empty(tables)) { name: (empty(tables) ? '${storageAccountName}/default/dummy' : '${storageAccountName}/default/${table}') dependsOn: [ storageAccount diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.json b/arm/Microsoft.Storage/storageAccounts/deploy.json index c02bb8174a..8023d36314 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.json +++ b/arm/Microsoft.Storage/storageAccounts/deploy.json 
@@ -253,13 +253,6 @@ "uniqueStoragenameUntrim": "[uniqueString(concat(variables('moduleName'),parameters('baseTime')))]", "uniqueStoragename": "[if(greater(length(variables('uniqueStoragenameUntrim')),variables('maxNameLength')),substring(variables('uniqueStoragenameUntrim'),0,variables('maxNameLength')),variables('uniqueStoragenameUntrim'))]", "storageAccountName": "[if(empty(parameters('storageAccountName')),variables('uniqueStoragename'),parameters('storageAccountName'))]", - "accountSasProperties": { - "signedServices": "bt", //Blob (b), Queue (q), Table (t), File (f). - "signedPermission": "racuw", //Read (r), Write (w), Delete (d), List (l), Add (a), Create (c), Update (u) and Process (p) - "signedExpiry": "[dateTimeAdd(parameters('baseTime'), parameters('sasTokenValidityLength'))]", //format: 2017-05-24T10:42:03Z - "signedResourceTypes": "co", //Service (s): Access to service-level APIs; Container (c): Access to container-level APIs; Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files. - "signedProtocol": "https" - }, "virtualNetworkRules": { "copy": [ { @@ -1078,20 +1071,6 @@ "description": "The name of the Resource Group the Storage Account was created in." } }, - "storageAccountsSasToken": { - "type": "securestring", - "value": "[listAccountSas(variables('storageAccountName'), '2019-04-01', variables('accountSasProperties')).accountSasToken]", - "metadata": { - "description": "The SAS Token for the Storage Account." - } - }, - "storageAccountsAccessKey": { - "type": "securestring", - "value": "[listKeys(variables('storageAccountName'), '2016-12-01').keys[0].value]", - "metadata": { - "description": "The Access Key for the Storage Account." - } - }, "storageAccountsPrimaryBlobEndpoint": { "type": "string", "value": "[reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2019-04-01').primaryEndpoints.blob]",