From c4c4aa1939a25b73a503fa6383ee1daa2caf22b7 Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Wed, 2 Feb 2022 16:16:53 +0100 Subject: [PATCH 1/2] Updated Storage Templates --- infra/main.json | 163 ++++++++++--------- infra/modules/services/externalstorage.bicep | 59 ++++++- infra/modules/services/storage.bicep | 22 ++- 3 files changed, 154 insertions(+), 90 deletions(-) diff --git a/infra/main.json b/infra/main.json index f71298f..d2837e9 100644 --- a/infra/main.json +++ b/infra/main.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "6542674684264803931" + "templateHash": "9106505077982618289" } }, "parameters": { @@ -448,7 +448,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16882101118127557101" + "templateHash": "13883560175464909401" } }, "parameters": { 
@@ -732,53 +732,6 @@ ] } }, - { - "type": "Microsoft.Network/networkSecurityGroups", - "apiVersion": "2020-11-01", - "name": "[format('{0}-adfssis-nsg', parameters('prefix'))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "securityRules": [ - { - "name": "AllowBatchNodeManagement", - "properties": { - "description": "Required for Azure SSIS with public IP.", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "29876-29877", - "sourceAddressPrefix": "BatchNodeManagement", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 110, - "direction": "Inbound", - "sourcePortRanges": [], - "destinationPortRanges": [], - "sourceAddressPrefixes": [], - "destinationAddressPrefixes": [] - } - }, - { - "name": "AllowAzureCloud", - "properties": { - "description": "Required for Azure SSIS workers to access Azure services, such as Azure Storage and Azure Event Hubs.", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "AzureCloud", - "access": "Allow", - "priority": 120, - "direction": "Outbound", - "sourcePortRanges": [], - "destinationPortRanges": [], - "sourceAddressPrefixes": [], - "destinationAddressPrefixes": [] - } - } - ] - } - }, { "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2020-06-01", @@ -2678,7 +2631,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "16664940655471776009" + "templateHash": "1278385076163611463" } }, "parameters": { @@ -2772,7 +2725,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "2297446507511138895" + "templateHash": "9514805346555719957" } }, "parameters": { 
@@ -2855,7 +2808,7 @@ "resources": [ { "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[variables('storageNameCleaned')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -2869,7 +2822,9 @@ "properties": { "accessTier": "Hot", "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, "allowSharedKeyAccess": false, + "defaultToOAuthAuthentication": true, "encryption": { "keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false, @@ -2892,6 +2847,9 @@ } } }, + "immutableStorageWithVersioning": { + "enabled": false + }, "isHnsEnabled": true, "isNfsV3Enabled": false, "largeFileSharesState": "Disabled", @@ -2903,12 +2861,13 @@ "virtualNetworkRules": [], "resourceAccessRules": "[variables('resourceAccessRules')]" }, + "publicNetworkAccess": "Disabled", "supportsHttpsTrafficOnly": true } }, { "type": "Microsoft.Storage/storageAccounts/managementPolicies", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "policy": { @@ -2952,7 +2911,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "containerDeleteRetentionPolicy": { @@ -2961,6 +2920,10 @@ }, "cors": { "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": true, + "days": 7 } }, "dependsOn": [ @@ -2973,7 +2936,7 @@ "count": "[length(parameters('fileSystemNames'))]" }, "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}/{2}', variables('storageNameCleaned'), 'default', parameters('fileSystemNames')[copyIndex()])]", "properties": { "publicAccess": "None", 
@@ -3142,7 +3105,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "2297446507511138895" + "templateHash": "9514805346555719957" } }, "parameters": { @@ -3225,7 +3188,7 @@ "resources": [ { "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[variables('storageNameCleaned')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -3239,7 +3202,9 @@ "properties": { "accessTier": "Hot", "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, "allowSharedKeyAccess": false, + "defaultToOAuthAuthentication": true, "encryption": { "keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false, @@ -3262,6 +3227,9 @@ } } }, + "immutableStorageWithVersioning": { + "enabled": false + }, "isHnsEnabled": true, "isNfsV3Enabled": false, "largeFileSharesState": "Disabled", @@ -3273,12 +3241,13 @@ "virtualNetworkRules": [], "resourceAccessRules": "[variables('resourceAccessRules')]" }, + "publicNetworkAccess": "Disabled", "supportsHttpsTrafficOnly": true } }, { "type": "Microsoft.Storage/storageAccounts/managementPolicies", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "policy": { @@ -3322,7 +3291,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "containerDeleteRetentionPolicy": { @@ -3331,6 +3300,10 @@ }, "cors": { "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": true, + "days": 7 } }, "dependsOn": [ 
@@ -3343,7 +3316,7 @@ "count": "[length(parameters('fileSystemNames'))]" }, "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}/{2}', variables('storageNameCleaned'), 'default', parameters('fileSystemNames')[copyIndex()])]", "properties": { "publicAccess": "None", @@ -3512,7 +3485,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "2297446507511138895" + "templateHash": "9514805346555719957" } }, "parameters": { @@ -3595,7 +3568,7 @@ "resources": [ { "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[variables('storageNameCleaned')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -3609,7 +3582,9 @@ "properties": { "accessTier": "Hot", "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, "allowSharedKeyAccess": false, + "defaultToOAuthAuthentication": true, "encryption": { "keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false, @@ -3632,6 +3607,9 @@ } } }, + "immutableStorageWithVersioning": { + "enabled": false + }, "isHnsEnabled": true, "isNfsV3Enabled": false, "largeFileSharesState": "Disabled", @@ -3643,12 +3621,13 @@ "virtualNetworkRules": [], "resourceAccessRules": "[variables('resourceAccessRules')]" }, + "publicNetworkAccess": "Disabled", "supportsHttpsTrafficOnly": true } }, { "type": "Microsoft.Storage/storageAccounts/managementPolicies", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "policy": { @@ -3692,7 +3671,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "containerDeleteRetentionPolicy": { 
@@ -3701,6 +3680,10 @@ }, "cors": { "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": true, + "days": 7 } }, "dependsOn": [ @@ -3713,7 +3696,7 @@ "count": "[length(parameters('fileSystemNames'))]" }, "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}/{2}', variables('storageNameCleaned'), 'default', parameters('fileSystemNames')[copyIndex()])]", "properties": { "publicAccess": "None", @@ -3911,7 +3894,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "15595935015946830721" + "templateHash": "364934465028692397" } }, "parameters": { @@ -3989,7 +3972,7 @@ "_generator": { "name": "bicep", "version": "0.4.1124.51302", - "templateHash": "17102192983244728525" + "templateHash": "13378408615101952102" } }, "parameters": { 
@@ -4041,12 +4024,36 @@ "tenantId": "[subscription().tenantId]", "resourceId": "[parameters('purviewId')]" }, - "resourceAccessRules": "[if(empty(parameters('purviewId')), variables('synapseResourceAccessrules'), union(variables('synapseResourceAccessrules'), array(variables('purviewResourceAccessRules'))))]" + "resourceAccessRules": "[if(empty(parameters('purviewId')), variables('synapseResourceAccessrules'), union(variables('synapseResourceAccessrules'), array(variables('purviewResourceAccessRules'))))]", + "storageZrsRegions": [ + "southafricanorth", + "australiaeast", + "centralindia", + "eastasia", + "japaneast", + "koreacentral", + "southeastasia", + "canadacentral", + "francecentral", + "germanywestcentral", + "northeurope", + "norwayeast", + "swedencentral", + "uksouth", + "westeurope", + "brazilsouth", + "centralus", + "eastus", + "eastus2", + "southcentralus", + "westus2", + "westus3" + ] }, "resources": [ { "type": "Microsoft.Storage/storageAccounts", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[variables('storageNameCleaned')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -4054,13 +4061,15 @@ "type": "SystemAssigned" }, "sku": { - "name": "Standard_ZRS" + "name": "[if(contains(variables('storageZrsRegions'), parameters('location')), 'Standard_ZRS', 'Standard_LRS')]" }, "kind": "StorageV2", "properties": { "accessTier": "Hot", "allowBlobPublicAccess": false, + "allowCrossTenantReplication": false, "allowSharedKeyAccess": false, + "defaultToOAuthAuthentication": true, "encryption": { "keySource": "Microsoft.Storage", "requireInfrastructureEncryption": false, @@ -4083,6 +4092,9 @@ } } }, + "immutableStorageWithVersioning": { + "enabled": false + }, "isHnsEnabled": false, "isNfsV3Enabled": false, "largeFileSharesState": "Disabled", 
@@ -4094,12 +4106,13 @@ "virtualNetworkRules": [], "resourceAccessRules": "[variables('resourceAccessRules')]" }, + "publicNetworkAccess": "Disabled", "supportsHttpsTrafficOnly": true } }, { "type": "Microsoft.Storage/storageAccounts/managementPolicies", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "policy": { @@ -4143,7 +4156,7 @@ }, { "type": "Microsoft.Storage/storageAccounts/blobServices", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}', variables('storageNameCleaned'), 'default')]", "properties": { "containerDeleteRetentionPolicy": { @@ -4152,6 +4165,10 @@ }, "cors": { "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": true, + "days": 7 } }, "dependsOn": [ @@ -4164,7 +4181,7 @@ "count": "[length(parameters('fileSytemNames'))]" }, "type": "Microsoft.Storage/storageAccounts/blobServices/containers", - "apiVersion": "2021-02-01", + "apiVersion": "2021-06-01", "name": "[format('{0}/{1}/{2}', variables('storageNameCleaned'), 'default', parameters('fileSytemNames')[copyIndex()])]", "properties": { "publicAccess": "None", diff --git a/infra/modules/services/externalstorage.bicep b/infra/modules/services/externalstorage.bicep index c656d78..5d951f9 100644 --- a/infra/modules/services/externalstorage.bicep +++ b/infra/modules/services/externalstorage.bicep 
@@ -28,9 +28,44 @@ var purviewResourceAccessRules = { resourceId: purviewId } var resourceAccessRules = empty(purviewId) ? synapseResourceAccessrules : union(synapseResourceAccessrules, array(purviewResourceAccessRules)) +var storageZrsRegions = [ + // Africa + 'southafricanorth' + + // Asia + 'australiaeast' + 'centralindia' + 'eastasia' + 'japaneast' + 'koreacentral' + 'southeastasia' + + // Canada + 'canadacentral' + + // Europe + 'francecentral' + 'germanywestcentral' + 'northeurope' + 'norwayeast' + 'swedencentral' + 'uksouth' + 'westeurope' + + // South America + 'brazilsouth' + + // US + 'centralus' + 'eastus' + 'eastus2' + 'southcentralus' + 'westus2' + 'westus3' +] // Resources -resource storageExternal 'Microsoft.Storage/storageAccounts@2021-02-01' = { +resource storageExternal 'Microsoft.Storage/storageAccounts@2021-06-01' = { name: storageNameCleaned location: location tags: tags @@ -38,13 +73,15 @@ resource storageExternal 'Microsoft.Storage/storageAccounts@2021-02-01' = { type: 'SystemAssigned' } sku: { - name: 'Standard_ZRS' + name: contains(storageZrsRegions, location) ? 'Standard_ZRS' : 'Standard_LRS' } kind: 'StorageV2' properties: { accessTier: 'Hot' allowBlobPublicAccess: false + allowCrossTenantReplication: false allowSharedKeyAccess: false + defaultToOAuthAuthentication: true encryption: { keySource: 'Microsoft.Storage' requireInfrastructureEncryption: false @@ -67,6 +104,9 @@ resource storageExternal 'Microsoft.Storage/storageAccounts@2021-02-01' = { } } } + immutableStorageWithVersioning: { + enabled: false + } isHnsEnabled: false isNfsV3Enabled: false largeFileSharesState: 'Disabled' @@ -78,6 +118,7 @@ resource storageExternal 'Microsoft.Storage/storageAccounts@2021-02-01' = { virtualNetworkRules: [] resourceAccessRules: resourceAccessRules } + publicNetworkAccess: 'Disabled' // routingPreference: { // Not supported for thsi account // routingChoice: 'MicrosoftRouting' // publishInternetEndpoints: false 
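Review bot: The SKU expression in the second hunk, `contains(storageZrsRegions, location) ? 'Standard_ZRS' : 'Standard_LRS'`, silently falls back to locally redundant storage whenever `location` does not match a list entry, which lowers the account's resilience without any signal to the deployer. The match appears to be exact, so a value such as `WestEurope`, or a region that gains ZRS support later, would take the LRS branch. Normalising with `contains(storageZrsRegions, toLower(location))` and exposing the chosen SKU as an output would make the downgrade visible. The list added in the first hunk also repeats the `storageZrsRegions` variable that storage.bicep already declares, so the two copies can drift apart; the `// Asia` group additionally contains `australiaeast`.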
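Review bot: `immutableStorageWithVersioning: { enabled: false }` in the third hunk fixes a choice that, as far as I know, the storage API only allows to be switched on at account creation, so it deserves a comment saying the opt-out is deliberate. A line such as `// Account-level immutability can only be enabled at creation time; left off deliberately` above the property would tell the next maintainer that enabling it later means recreating the account. storage.bicep adds the same property without explanation in its hunk at -102,6.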
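Review bot: `publicNetworkAccess: 'Disabled'` in the last hunk leaves private endpoints, plus whatever the `resourceAccessRules` on the line above still permit, as the only data-plane path, yet nothing in this patch shows the private endpoints or DNS zones that callers then depend on. If they are deployed elsewhere, a comment such as `// Public endpoint disabled: data-plane access requires the private endpoints from <module placeholder>` would record that dependency next to the setting. It is also worth confirming that the Synapse and Purview resource instance rules behave as intended once the public endpoint is off, since the hunk keeps them alongside the new property. The resource body continues outside the hunk, and storage.bicep receives the same change in its hunk at -113,6.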
@@ -87,7 +128,7 @@ resource storageExternal 'Microsoft.Storage/storageAccounts@2021-02-01' = { } } -resource storageExternalManagementPolicies 'Microsoft.Storage/storageAccounts/managementPolicies@2021-02-01' = { +resource storageExternalManagementPolicies 'Microsoft.Storage/storageAccounts/managementPolicies@2021-06-01' = { parent: storageExternal name: 'default' properties: { @@ -150,7 +191,7 @@ resource storageExternalManagementPolicies 'Microsoft.Storage/storageAccounts/ma } } -resource storageExternalBlobServices 'Microsoft.Storage/storageAccounts/blobServices@2021-02-01' = { +resource storageExternalBlobServices 'Microsoft.Storage/storageAccounts/blobServices@2021-06-01' = { parent: storageExternal name: 'default' properties: { @@ -167,10 +208,10 @@ resource storageExternalBlobServices 'Microsoft.Storage/storageAccounts/blobServ // retentionInDays: 7 // } // defaultServiceVersion: '' - // deleteRetentionPolicy: { - // enabled: true - // days: 7 - // } + deleteRetentionPolicy: { + enabled: true + days: 7 + } // isVersioningEnabled: true // lastAccessTimeTrackingPolicy: { // name: 'AccessTimeTracking' @@ -187,7 +228,7 @@ resource storageExternalBlobServices 'Microsoft.Storage/storageAccounts/blobServ } } -resource storageExternalFileSystems 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-02-01' = [for fileSytemName in fileSytemNames: { +resource storageExternalFileSystems 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = [for fileSytemName in fileSytemNames: { parent: storageExternalBlobServices name: fileSytemName properties: { diff --git a/infra/modules/services/storage.bicep b/infra/modules/services/storage.bicep index f70eae3..9a0ddf9 100644 --- a/infra/modules/services/storage.bicep +++ b/infra/modules/services/storage.bicep 
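Review bot: The blob soft-delete window enabled in the third hunk is hard-coded to `days: 7` while `isVersioningEnabled` just below it stays commented out, so recovery from an accidental or malicious deletion rests on a one-week window alone. Making the retention a parameter, for example `param blobDeleteRetentionDays int = 7` with `days: blobDeleteRetentionDays`, would let production environments choose a longer window without editing the module. storage.bicep carries the identical block in its hunk at -202,10; that account sets `isHnsEnabled: true`, so it is worth confirming soft delete is supported for that account type in every target region. The `properties` block starts and ends outside the hunk.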
@@ -65,7 +65,7 @@ var storageZrsRegions = [ ] // Resources -resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = { +resource storage 'Microsoft.Storage/storageAccounts@2021-06-01' = { name: storageNameCleaned location: location tags: tags @@ -79,7 +79,9 @@ resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = { properties: { accessTier: 'Hot' allowBlobPublicAccess: false + allowCrossTenantReplication: false allowSharedKeyAccess: false + defaultToOAuthAuthentication: true encryption: { keySource: 'Microsoft.Storage' requireInfrastructureEncryption: false @@ -102,6 +104,9 @@ resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = { } } } + immutableStorageWithVersioning: { + enabled: false + } isHnsEnabled: true isNfsV3Enabled: false largeFileSharesState: 'Disabled' @@ -113,6 +118,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = { virtualNetworkRules: [] resourceAccessRules: resourceAccessRules } + publicNetworkAccess: 'Disabled' // routingPreference: { // Not supported for thsi account // routingChoice: 'MicrosoftRouting' // publishInternetEndpoints: false @@ -122,7 +128,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2021-02-01' = { } } -resource storageManagementPolicies 'Microsoft.Storage/storageAccounts/managementPolicies@2021-02-01' = { +resource storageManagementPolicies 'Microsoft.Storage/storageAccounts/managementPolicies@2021-06-01' = { parent: storage name: 'default' properties: { @@ -185,7 +191,7 @@ resource storageManagementPolicies 'Microsoft.Storage/storageAccounts/management } } -resource storageBlobServices 'Microsoft.Storage/storageAccounts/blobServices@2021-02-01' = { +resource storageBlobServices 'Microsoft.Storage/storageAccounts/blobServices@2021-06-01' = { parent: storage name: 'default' properties: { 
@@ -202,10 +208,10 @@ resource storageBlobServices 'Microsoft.Storage/storageAccounts/blobServices@202 // retentionInDays: 7 // } // defaultServiceVersion: '' - // deleteRetentionPolicy: { - // enabled: true - // days: 7 - // } + deleteRetentionPolicy: { + enabled: true + days: 7 + } // isVersioningEnabled: true // lastAccessTimeTrackingPolicy: { // name: 'AccessTimeTracking' @@ -222,7 +228,7 @@ resource storageBlobServices 'Microsoft.Storage/storageAccounts/blobServices@202 } } -resource storageFileSystems 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-02-01' = [for fileSystemName in fileSystemNames: { +resource storageFileSystems 'Microsoft.Storage/storageAccounts/blobServices/containers@2021-06-01' = [for fileSystemName in fileSystemNames: { parent: storageBlobServices name: fileSystemName properties: { From a05a47f9dacfd801090c41a68c0401158209a5ba Mon Sep 17 00:00:00 2001 From: Marvin Buss Date: Wed, 2 Feb 2022 16:24:17 +0100 Subject: [PATCH 2/2] updated linter --- .github/linters/.arm-ttk.psd1 | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/linters/.arm-ttk.psd1 b/.github/linters/.arm-ttk.psd1 index c2388e1..4610173 100644 --- a/.github/linters/.arm-ttk.psd1 +++ b/.github/linters/.arm-ttk.psd1 @@ -12,5 +12,6 @@ 'apiVersions Should Be Recent' 'Parameters Must Be Referenced' 'Variables Must Be Referenced' + 'URIs Should Be Properly Constructed' ) }
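Review bot: The list that `'URIs Should Be Properly Constructed'` joins in .arm-ttk.psd1 is not named inside the hunk; if it is the arm-ttk skip list, as the neighbouring entries suggest, the new entry turns the check off for every template in the repository rather than for the one finding that prompted it. The commit message "updated linter" gives no reason, so a comment on the new line, e.g. `# skipped: false positive in <template placeholder>, re-enable when fixed`, would keep the exemption reviewable. The enclosing array opens before the hunk.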