diff --git a/avm/res/machine-learning-services/workspace/README.md b/avm/res/machine-learning-services/workspace/README.md index 310e4097f9..1a0acebd4e 100644 --- a/avm/res/machine-learning-services/workspace/README.md +++ b/avm/res/machine-learning-services/workspace/README.md @@ -1752,7 +1752,7 @@ The customer managed key definition. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, the deployment will use the latest version available at deployment time. | | [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` @@ -1771,7 +1771,7 @@ The resource ID of a key vault to reference a customer managed key for encryptio ### Parameter: `customerManagedKey.keyVersion` -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, the deployment will use the latest version available at deployment time. - Required: No - Type: string 
@@ -1807,7 +1807,7 @@ The diagnostic settings of the service. | [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection. | | [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | | [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting. | | [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | @@ -1917,7 +1917,7 @@ Enable or disable the category explicitly. Default is `true`. ### Parameter: `diagnosticSettings.name` -The name of diagnostic setting. +The name of the diagnostic setting. - Required: No - Type: string 
@@ -2044,19 +2044,19 @@ The managed identity definition for this resource. At least one identity type is | Parameter | Type | Description | | :-- | :-- | :-- | -| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. Must be false if `primaryUserAssignedIdentity` is provided. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | +| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | ### Parameter: `managedIdentities.systemAssigned` -Enables system assigned managed identity on the resource. Must be false if `primaryUserAssignedIdentity` is provided. +Enables system assigned managed identity on the resource. - Required: No - Type: bool ### Parameter: `managedIdentities.userAssignedResourceIds` -The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - Required: No - Type: array 
@@ -2132,22 +2132,22 @@ Configuration details for private endpoints. For security reasons, it is recomme | Parameter | Type | Description | | :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the Private Endpoint IP configuration is included. | | [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the Private Endpoint. | | [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints. | | [`isManualConnection`](#parameter-privateendpointsismanualconnection) | bool | If Manual Private Link Connection is required. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the Private Endpoint to. | | [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. 
| | [`manualConnectionRequestMessage`](#parameter-privateendpointsmanualconnectionrequestmessage) | string | A message passed to the owner of the remote resource with the manual connection request. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS zone group to configure for the private endpoint. | +| [`name`](#parameter-privateendpointsname) | string | The name of the Private Endpoint. | +| [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS Zone Group to configure for the Private Endpoint. | | [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. | -| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different resource group than the main resource. | +| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. | | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. | +| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint. | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/Resource Groups in this deployment. 
| ### Parameter: `privateEndpoints.subnetResourceId` @@ -2158,7 +2158,7 @@ Resource ID of the subnet where the endpoint needs to be created. ### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Application security groups in which the private endpoint IP configuration is included. +Application security groups in which the Private Endpoint IP configuration is included. - Required: No - Type: array @@ -2198,7 +2198,7 @@ FQDN that resolves to private endpoint IP address. ### Parameter: `privateEndpoints.customNetworkInterfaceName` -The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the Private Endpoint. - Required: No - Type: string @@ -2212,7 +2212,7 @@ Enable/Disable usage telemetry for module. ### Parameter: `privateEndpoints.ipConfigurations` -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints. - Required: No - Type: array @@ -2276,7 +2276,7 @@ If Manual Private Link Connection is required. ### Parameter: `privateEndpoints.location` -The location to deploy the private endpoint to. +The location to deploy the Private Endpoint to. - Required: No - Type: string @@ -2326,14 +2326,14 @@ A message passed to the owner of the remote resource with the manual connection ### Parameter: `privateEndpoints.name` -The name of the private endpoint. +The name of the Private Endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.privateDnsZoneGroup` -The private DNS zone group to configure for the private endpoint. +The private DNS Zone Group to configure for the Private Endpoint. - Required: No - Type: object 
@@ -2342,7 +2342,7 @@ The private DNS zone group to configure for the private endpoint. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`privateDnsZoneGroupConfigs`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigs) | array | The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. | +| [`privateDnsZoneGroupConfigs`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigs) | array | The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones. | **Optional parameters** @@ -2352,7 +2352,7 @@ The private DNS zone group to configure for the private endpoint. ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs` -The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones. +The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones. - Required: Yes - Type: array @@ -2367,7 +2367,7 @@ The private DNS zone groups to associate the private endpoint. A DNS zone group | Parameter | Type | Description | | :-- | :-- | :-- | -| [`name`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsname) | string | The name of the private DNS zone group config. | +| [`name`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsname) | string | The name of the private DNS Zone Group config. | ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.privateDnsZoneResourceId` @@ -2378,7 +2378,7 @@ The resource id of the private DNS zone. ### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.name` -The name of the private DNS zone group config. +The name of the private DNS Zone Group config. - Required: No - Type: string 
@@ -2399,7 +2399,7 @@ The name of the private link connection to create. ### Parameter: `privateEndpoints.resourceGroupName` -Specify if you want to deploy the Private Endpoint into a different resource group than the main resource. +Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. - Required: No - Type: string @@ -2514,14 +2514,14 @@ The principal type of the assigned principal ID. ### Parameter: `privateEndpoints.service` -The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory". +The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/Resource Groups in this deployment. - Required: No - Type: object @@ -2756,6 +2756,7 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | | `br/public:avm/res/network/private-endpoint:0.7.0` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference | ## Notes diff --git a/avm/res/machine-learning-services/workspace/compute/README.md b/avm/res/machine-learning-services/workspace/compute/README.md index 3f4ac7771e..28cfdd97e4 100644 --- a/avm/res/machine-learning-services/workspace/compute/README.md +++ b/avm/res/machine-learning-services/workspace/compute/README.md @@ -9,6 +9,7 @@ Attaching a compute is not idempotent and will fail in case you try to redeploy - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) ## Resource Types 
@@ -133,7 +134,7 @@ The managed identity definition for this resource. | Parameter | Type | Description | | :-- | :-- | :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | ### Parameter: `managedIdentities.systemAssigned` @@ -144,7 +145,7 @@ Enables system assigned managed identity on the resource. ### Parameter: `managedIdentities.userAssignedResourceIds` -The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - Required: No - Type: array @@ -195,3 +196,11 @@ Contains resource tags defined as key-value pairs. Ignored when attaching a comp | `resourceGroupName` | string | The resource group the compute was deployed into. | | `resourceId` | string | The resource ID of the compute. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference | diff --git a/avm/res/machine-learning-services/workspace/compute/main.bicep b/avm/res/machine-learning-services/workspace/compute/main.bicep index 20d79284e1..7c8a9a2983 100644 --- a/avm/res/machine-learning-services/workspace/compute/main.bicep 
+++ b/avm/res/machine-learning-services/workspace/compute/main.bicep @@ -64,8 +64,9 @@ param computeType string @sys.description('Optional. The properties of the compute. Will be ignored in case "resourceId" is set.') param properties object? +import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @sys.description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType +param managedIdentities managedIdentityAllType? // ================// // Variables // @@ -145,15 +146,3 @@ output systemAssignedMIPrincipalId string = compute.?identity.?principalId ?? '' @sys.description('The location the resource was deployed into.') output location string = compute.location - -// =============== // -// Definitions // -// =============== // - -type managedIdentitiesType = { - @sys.description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @sys.description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? diff --git a/avm/res/machine-learning-services/workspace/compute/main.json b/avm/res/machine-learning-services/workspace/compute/main.json index c3832c8377..5c12864576 100644 --- a/avm/res/machine-learning-services/workspace/compute/main.json +++ b/avm/res/machine-learning-services/workspace/compute/main.json 
@@ -5,15 +5,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "6461308246344228681" + "version": "0.31.92.45157", + "templateHash": "2023974498049700881" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\n\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", "owner": "Azure/module-maintainers" }, "definitions": { - "managedIdentitiesType": { + "managedIdentityAllType": { "type": "object", "properties": { "systemAssigned": { @@ -30,11 +30,16 @@ }, "nullable": true, "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." } } }, - "nullable": true + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } } }, "parameters": { @@ -140,7 +145,8 @@ } }, "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, "metadata": { "description": "Optional. The managed identity definition for this resource." } diff --git a/avm/res/machine-learning-services/workspace/connection/main.json b/avm/res/machine-learning-services/workspace/connection/main.json index f4efdf611d..f84e4da3c1 100644 --- a/avm/res/machine-learning-services/workspace/connection/main.json +++ b/avm/res/machine-learning-services/workspace/connection/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "11897886685116125832" + "version": "0.31.92.45157", + "templateHash": "342595729147977821" }, "name": "Machine Learning Services Workspaces Connections", "description": "This module creates a connection in a Machine Learning Services workspace.", diff --git a/avm/res/machine-learning-services/workspace/main.bicep b/avm/res/machine-learning-services/workspace/main.bicep index 7ec6ee71d0..a7aedfa371 100644 --- a/avm/res/machine-learning-services/workspace/main.bicep +++ b/avm/res/machine-learning-services/workspace/main.bicep @@ -41,8 +41,9 @@ param associatedApplicationInsightsResourceId string? @sys.description('Optional. The resource ID of the associated Container Registry.') param associatedContainerRegistryResourceId string? +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @sys.description('Optional. The lock settings of the service.') -param lock lockType +param lock lockType? @sys.description('Optional. The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service.') param hbiWorkspace bool = false 
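Review bot: The `import` added above `param lock` in workspace/main.bicep is the first of six separate imports from `br/public:avm/utl/types/avm-common-types:0.4.0` in this file (the rest are in the hunks at new lines 51, 71, 94 and 107), so the version pin for the shared types is repeated six times. A single statement near the top of the file keeps the pin in one place, so a later bump cannot leave the parameters on mixed versions of the type package: `import { lockType, roleAssignmentType, privateEndpointSingleServiceType, managedIdentityAllType, diagnosticSettingFullType, customerManagedKeyType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'`. Behaviour is unchanged.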
@@ -50,11 +51,13 @@ param hbiWorkspace bool = false @sys.description('Conditional. The resource ID of the hub to associate with the workspace. Required if \'kind\' is set to \'Project\'.') param hubResourceId string? +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @sys.description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType +param roleAssignments roleAssignmentType[]? +import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @sys.description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType +param privateEndpoints privateEndpointSingleServiceType[]? @sys.description('Optional. Computes to create respectively attach to the workspace.') param computes array? 
@@ -68,19 +71,20 @@ param tags object? @sys.description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true +import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @sys.description('Optional. The managed identity definition for this resource. At least one identity type is required.') -param managedIdentities managedIdentitiesType = { +param managedIdentities managedIdentityAllType = { systemAssigned: true } @sys.description('Conditional. Settings for feature store type workspaces. Required if \'kind\' is set to \'FeatureStore\'.') -param featureStoreSettings featureStoreSettingType +param featureStoreSettings featureStoreSettingType? @sys.description('Optional. Managed Network settings for a machine learning workspace.') -param managedNetworkSettings managedNetworkSettingType +param managedNetworkSettings managedNetworkSettingType? @sys.description('Optional. Settings for serverless compute created in the workspace.') -param serverlessComputeSettings serverlessComputeSettingType +param serverlessComputeSettings serverlessComputeSettingType? @sys.description('Optional. The authentication mode used by the workspace when connecting to the default storage account.') @allowed([ @@ -90,12 +94,12 @@ param serverlessComputeSettings serverlessComputeSettingType param systemDatastoresAuthMode string? @sys.description('Optional. Configuration for workspace hub settings.') -param workspaceHubConfig workspaceHubConfigType +param workspaceHubConfig workspaceHubConfigType? // Diagnostic Settings - +import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @sys.description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType +param diagnosticSettings diagnosticSettingFullType[]? @sys.description('Optional. The description of this workspace.') param description string? 
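Review bot: `managedIdentities` still defaults to `systemAssigned: true`, but switching to `managedIdentityAllType` drops the old field description that said `systemAssigned` must be false when `primaryUserAssignedIdentity` is provided. If that constraint still applies to the workspace (nothing in the commit shows it being lifted), callers who set a primary user-assigned identity no longer get a hint to override the default and may only find out at deployment time. The parameter description can carry it instead: `@sys.description('Optional. The managed identity definition for this resource. At least one identity type is required. Set \'systemAssigned\' to false if \'primaryUserAssignedIdentity\' is provided.')`.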
@@ -103,8 +107,9 @@ param description string? @sys.description('Optional. URL for the discovery service to identify regional endpoints for machine learning experimentation services.') param discoveryUrl string? +import { customerManagedKeyType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @sys.description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType +param customerManagedKey customerManagedKeyType? @sys.description('Optional. The compute name for image build.') param imageBuildCompute string? 
@@ -237,51 +242,48 @@ resource workspace 'Microsoft.MachineLearningServices/workspaces@2024-04-01-prev tier: sku } identity: identity - properties: union( - // Always added parameters - { - friendlyName: name - storageAccount: associatedStorageAccountResourceId - keyVault: associatedKeyVaultResourceId - applicationInsights: associatedApplicationInsightsResourceId - containerRegistry: associatedContainerRegistryResourceId - hbiWorkspace: hbiWorkspace - description: description - discoveryUrl: discoveryUrl - encryption: !empty(customerManagedKey) - ? { - status: 'Enabled' - identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) - ? { - userAssignedIdentity: cMKUserAssignedIdentity.id - } - : null - keyVaultProperties: { - keyVaultArmId: cMKKeyVault.id - keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') - ? '${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' - : cMKKeyVault::cMKKey.properties.keyUriWithVersion - } + properties: { + friendlyName: name + storageAccount: associatedStorageAccountResourceId + keyVault: associatedKeyVaultResourceId + applicationInsights: associatedApplicationInsightsResourceId + containerRegistry: associatedContainerRegistryResourceId + hbiWorkspace: hbiWorkspace + description: description + discoveryUrl: discoveryUrl + encryption: !empty(customerManagedKey) + ? { + status: 'Enabled' + identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) + ? { + userAssignedIdentity: cMKUserAssignedIdentity.id + } + : null + keyVaultProperties: { + keyVaultArmId: cMKKeyVault.id + keyIdentifier: !empty(customerManagedKey.?keyVersion ?? '') + ? 
'${cMKKeyVault::cMKKey.properties.keyUri}/${customerManagedKey!.keyVersion}' + : cMKKeyVault::cMKKey.properties.keyUriWithVersion } - : null - imageBuildCompute: imageBuildCompute - primaryUserAssignedIdentity: primaryUserAssignedIdentity - systemDatastoresAuthMode: systemDatastoresAuthMode - publicNetworkAccess: publicNetworkAccess - serviceManagedResourcesSettings: serviceManagedResourcesSettings - featureStoreSettings: featureStoreSettings - hubResourceId: hubResourceId - managedNetwork: managedNetworkSettings - serverlessComputeSettings: serverlessComputeSettings - workspaceHubConfig: workspaceHubConfig - }, + } + : null + imageBuildCompute: imageBuildCompute + primaryUserAssignedIdentity: primaryUserAssignedIdentity + systemDatastoresAuthMode: systemDatastoresAuthMode + publicNetworkAccess: publicNetworkAccess + serviceManagedResourcesSettings: serviceManagedResourcesSettings + featureStoreSettings: featureStoreSettings + hubResourceId: hubResourceId + managedNetwork: managedNetworkSettings + serverlessComputeSettings: serverlessComputeSettings + workspaceHubConfig: workspaceHubConfig // Parameters only added if not empty - !empty(sharedPrivateLinkResources) + ...(!empty(sharedPrivateLinkResources) ? { sharedPrivateLinkResources: sharedPrivateLinkResources } - : {} - ) + : {}) + } kind: kind } @@ -449,7 +451,7 @@ output resourceGroupName string = resourceGroup().name output name string = workspace.name @sys.description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = workspace.?identity.?principalId ?? '' +output systemAssignedMIPrincipalId string? = workspace.?identity.?principalId @sys.description('The location the resource was deployed into.') output location string = workspace.location 
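Review bot: The `keyIdentifier` expression kept in the rewritten `properties` object falls back to `cMKKeyVault::cMKKey.properties.keyUriWithVersion` when no `keyVersion` is passed. Per the README wording changed in this commit, that is the latest version available at deployment time. A comment on that branch would make the consequence visible to maintainers: `// No keyVersion given: keyUriWithVersion is resolved at deployment time, so the workspace keeps that key version until the module is redeployed.` Presumably rotating the key in Key Vault does not by itself move the workspace onto the new version, which operators relying on rotation should know. The `workspace` resource starts outside this hunk.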
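Review bot: `systemAssignedMIPrincipalId` changes from `string` with an empty-string fallback to `string?`, which alters the output contract for existing consumers. Anything that compares the output to `''` or passes it straight into a role assignment now receives null when the workspace has no system-assigned identity. The compute child module touched by this same commit still declares `output systemAssignedMIPrincipalId string = compute.?identity.?principalId ?? ''`, so the two modules now disagree. Either keep the `?? ''` fallback here, or change both outputs and call out the break in the release notes.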
@@ -458,135 +460,7 @@ output location string = workspace.location // Definitions // // =============== // -type managedIdentitiesType = { - @sys.description('Optional. Enables system assigned managed identity on the resource. Must be false if `primaryUserAssignedIdentity` is provided.') - systemAssigned: bool? - - @sys.description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -} - -type lockType = { - @sys.description('Optional. Specify the name of lock.') - name: string? - - @sys.description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @sys.description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.') - name: string? - - @sys.description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @sys.description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @sys.description('Optional. The description of the role assignment.') - description: string? - - @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') - condition: string? - - @sys.description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @sys.description('Optional. 
The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type privateEndpointType = { - @sys.description('Optional. The name of the private endpoint.') - name: string? - - @sys.description('Optional. The location to deploy the private endpoint to.') - location: string? - - @sys.description('Optional. The name of the private link connection to create.') - privateLinkServiceConnectionName: string? - - @sys.description('Optional. The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".') - service: string? - - @sys.description('Required. Resource ID of the subnet where the endpoint needs to be created.') - subnetResourceId: string - - @sys.description('Optional. The private DNS zone group to configure for the private endpoint.') - privateDnsZoneGroup: { - @sys.description('Optional. The name of the Private DNS Zone Group.') - name: string? - - @sys.description('Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones.') - privateDnsZoneGroupConfigs: { - @sys.description('Optional. The name of the private DNS zone group config.') - name: string? - - @sys.description('Required. The resource id of the private DNS zone.') - privateDnsZoneResourceId: string - }[] - }? - - @sys.description('Optional. If Manual Private Link Connection is required.') - isManualConnection: bool? - - @sys.description('Optional. A message passed to the owner of the remote resource with the manual connection request.') - @maxLength(140) - manualConnectionRequestMessage: string? - - @sys.description('Optional. Custom DNS configurations.') - customDnsConfigs: { - @sys.description('Optional. FQDN that resolves to private endpoint IP address.') - fqdn: string? - - @sys.description('Required. A list of private IP addresses of the private endpoint.') - ipAddresses: string[] - }[]? - - @sys.description('Optional. 
A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') - ipConfigurations: { - @sys.description('Required. The name of the resource that is unique within a resource group.') - name: string - - @sys.description('Required. Properties of private endpoint IP configurations.') - properties: { - @sys.description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') - groupId: string - - @sys.description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') - memberName: string - - @sys.description('Required. A private IP address obtained from the private endpoint\'s subnet.') - privateIPAddress: string - } - }[]? - - @sys.description('Optional. Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @sys.description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @sys.description('Optional. Specify the type of lock.') - lock: lockType - - @sys.description('Optional. Array of role assignments to create.') - roleAssignments: roleAssignmentType - - @sys.description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @sys.description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? - - @sys.description('Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.') - resourceGroupName: string? -}[]? - +@export() type featureStoreSettingType = { @sys.description('Optional. Compute runtime config for feature store type workspace.') computeRuntime: { 
@@ -599,12 +473,14 @@ type featureStoreSettingType = { @sys.description('Optional. The online store connection name.') onlineStoreConnectionName: string? -}? +} +@export() @discriminator('type') -type OutboundRuleType = FqdnOutboundRuleType | PrivateEndpointOutboundRule | ServiceTagOutboundRule +type outboundRuleType = fqdnoutboundRuleType | privateEndpointoutboundRuleType | serviceTagoutboundRuleType -type FqdnOutboundRuleType = { +@export() +type fqdnoutboundRuleType = { @sys.description('Required. Type of a managed network Outbound Rule of a machine learning workspace. Only supported when \'isolationMode\' is \'AllowOnlyApprovedOutbound\'.') type: 'FQDN' @@ -615,7 +491,8 @@ type FqdnOutboundRuleType = { category: 'Dependency' | 'Recommended' | 'Required' | 'UserDefined'? } -type PrivateEndpointOutboundRule = { +@export() +type privateEndpointoutboundRuleType = { @sys.description('Required. Type of a managed network Outbound Rule of a machine learning workspace. Only supported when \'isolationMode\' is \'AllowOnlyApprovedOutbound\' or \'AllowInternetOutbound\'.') type: 'PrivateEndpoint' @@ -635,7 +512,8 @@ type PrivateEndpointOutboundRule = { category: 'Dependency' | 'Recommended' | 'Required' | 'UserDefined'? } -type ServiceTagOutboundRule = { +@export() +type serviceTagoutboundRuleType = { @sys.description('Required. Type of a managed network Outbound Rule of a machine learning workspace. Only supported when \'isolationMode\' is \'AllowOnlyApprovedOutbound\'.') type: 'ServiceTag' @@ -655,6 +533,7 @@ type ServiceTagOutboundRule = { category: 'Dependency' | 'Recommended' | 'Required' | 'UserDefined'? } +@export() type managedNetworkSettingType = { @sys.description('Required. Isolation mode for the managed network of a machine learning workspace.') isolationMode: 'AllowInternetOutbound' | 'AllowOnlyApprovedOutbound' | 'Disabled' 
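Review bot: The renamed types in this hunk mix casing: `fqdnoutboundRuleType`, `privateEndpointoutboundRuleType` and `serviceTagoutboundRuleType` have a lower-case `o` in `outbound`, which reads like a search-and-replace artefact rather than camelCase. The same commit adds `@export()` to each of them, so the names become something other templates can import, and correcting them later would be a breaking rename. I would write the union as `type outboundRuleType = fqdnOutboundRuleType | privateEndpointOutboundRuleType | serviceTagOutboundRuleType` and rename the matching declarations, one in this hunk and the others in the hunks at -615 and -635. The generated `main.json` definitions and `$ref` targets would pick up the corrected names on the next build.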
@@ -662,86 +541,31 @@ type managedNetworkSettingType = { @sys.description('Optional. Outbound rules for the managed network of a machine learning workspace.') outboundRules: { @sys.description('Required. The outbound rule. The name of the rule is the object key.') - *: OutboundRuleType + *: outboundRuleType }? -}? +} +@export() type serverlessComputeSettingType = { @sys.description('Optional. The resource ID of an existing virtual network subnet in which serverless compute nodes should be deployed.') serverlessComputeCustomSubnet: string? @sys.description('Optional. The flag to signal if serverless compute nodes deployed in custom vNet would have no public IP addresses for a workspace with private endpoint.') serverlessComputeNoPublicIP: bool? -}? +} +@export() type workspaceHubConfigType = { @sys.description('Optional. The resource IDs of additional storage accounts to attach to the workspace.') additionalWorkspaceStorageAccounts: string[]? @sys.description('Optional. The resource ID of the default resource group for projects created in the workspace hub.') defaultWorkspaceResourceGroup: string? -}? - -type diagnosticSettingType = { - @sys.description('Optional. The name of diagnostic setting.') - name: string? - - @sys.description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection.') - logCategoriesAndGroups: { - @sys.description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @sys.description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs.') - categoryGroup: string? - - @sys.description('Optional. Enable or disable the category explicitly. Default is `true`.') - enabled: bool? - }[]? - - @sys.description('Optional. The name of metrics that will be streamed. 
"allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection.') - metricCategories: { - @sys.description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics.') - category: string - - @sys.description('Optional. Enable or disable the category explicitly. Default is `true`.') - enabled: bool? - }[]? - - @sys.description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @sys.description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @sys.description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @sys.description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @sys.description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @sys.description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? 
- -type customerManagedKeyType = { - @sys.description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @sys.description('Required. The name of the customer managed key to use for encryption.') - keyName: string - - @sys.description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @sys.description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') - userAssignedIdentityResourceId: string? -}? +} import { categoryType, connectionPropertyType } from 'connection/main.bicep' +@export() type connectionType = { @sys.description('Required. Name of the connection to create.') name: string diff --git a/avm/res/machine-learning-services/workspace/main.json b/avm/res/machine-learning-services/workspace/main.json index 54b4c5b3f5..8040bd62ee 100644 --- a/avm/res/machine-learning-services/workspace/main.json +++ b/avm/res/machine-learning-services/workspace/main.json 
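Review bot: The trailing `?` is dropped from `managedNetworkSettingType`, `serverlessComputeSettingType` and `workspaceHubConfigType` here (and from `featureStoreSettingType` in the earlier hunk), so optionality now has to be stated wherever the types are used, e.g. `managedNetworkSettingType?` on the parameter. Those parameter declarations are outside this hunk, so it cannot be confirmed from here that each one was updated. Any that was missed would make a previously optional parameter required for every consumer. Since `isolationMode` decides whether outbound traffic from the managed network is restricted, I would also add a one-line comment above that parameter stating what the module does when it is omitted, so the resulting isolation state is not left to guesswork.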
@@ -5,354 +5,14 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "1720825561395705058" + "version": "0.31.92.45157", + "templateHash": "13439990734076953525" }, "name": "Machine Learning Services Workspaces", "description": "This module deploys a Machine Learning Services Workspace.", "owner": "Azure/module-maintainers" }, "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource. Must be false if `primaryUserAssignedIdentity` is provided." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - } - }, - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." 
- } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "privateLinkServiceConnectionName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private link connection to create." 
- } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The subresource to deploy the private endpoint for. For example \"vault\", \"mysqlServer\" or \"dataFactory\"." - } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroup": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the Private DNS Zone Group." - } - }, - "privateDnsZoneGroupConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group config." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of the private DNS zone." - } - } - } - }, - "metadata": { - "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone group to configure for the private endpoint." - } - }, - "isManualConnection": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. If Manual Private Link Connection is required." - } - }, - "manualConnectionRequestMessage": { - "type": "string", - "nullable": true, - "maxLength": 140, - "metadata": { - "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. FQDN that resolves to private endpoint IP address." 
- } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private IP addresses of the private endpoint." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." - } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private IP address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." 
- } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." - } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." - } - }, - "resourceGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource." - } - } - } - }, - "nullable": true - }, "featureStoreSettingType": { "type": "object", "properties": { @@ -387,26 +47,31 @@ } } }, - "nullable": true + "metadata": { + "__bicep_export!": true + } }, - "OutboundRuleType": { + "outboundRuleType": { "type": "object", "discriminator": { "propertyName": "type", "mapping": { "FQDN": { - "$ref": "#/definitions/FqdnOutboundRuleType" + "$ref": "#/definitions/fqdnoutboundRuleType" }, "PrivateEndpoint": { - "$ref": "#/definitions/PrivateEndpointOutboundRule" + "$ref": "#/definitions/privateEndpointoutboundRuleType" }, "ServiceTag": { - "$ref": "#/definitions/ServiceTagOutboundRule" + "$ref": "#/definitions/serviceTagoutboundRuleType" } } + }, + "metadata": { + "__bicep_export!": true } }, - "FqdnOutboundRuleType": { + "fqdnoutboundRuleType": { "type": "object", "properties": { "type": { @@ -437,9 +102,12 @@ "description": "Optional. Category of a managed network Outbound Rule of a machine learning workspace." } } + }, + "metadata": { + "__bicep_export!": true } }, - "PrivateEndpointOutboundRule": { + "privateEndpointoutboundRuleType": { "type": "object", "properties": { "type": { 
@@ -491,9 +159,12 @@ "description": "Optional. Category of a managed network Outbound Rule of a machine learning workspace." } } + }, + "metadata": { + "__bicep_export!": true } }, - "ServiceTagOutboundRule": { + "serviceTagoutboundRuleType": { "type": "object", "properties": { "type": { @@ -550,6 +221,9 @@ "description": "Optional. Category of a managed network Outbound Rule of a machine learning workspace." } } + }, + "metadata": { + "__bicep_export!": true } }, "managedNetworkSettingType": { @@ -570,7 +244,7 @@ "type": "object", "properties": {}, "additionalProperties": { - "$ref": "#/definitions/OutboundRuleType", + "$ref": "#/definitions/outboundRuleType", "metadata": { "description": "Required. The outbound rule. The name of the rule is the object key." } @@ -581,7 +255,9 @@ } } }, - "nullable": true + "metadata": { + "__bicep_export!": true + } }, "serverlessComputeSettingType": { "type": "object", @@ -601,7 +277,9 @@ } } }, - "nullable": true + "metadata": { + "__bicep_export!": true + } }, "workspaceHubConfigType": { "type": "object", 
@@ -624,159 +302,9 @@ } } }, - "nullable": true - }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." 
- } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." 
- } - } - } - }, - "nullable": true - }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "userAssignedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." - } - } - }, - "nullable": true + "metadata": { + "__bicep_export!": true + } }, "connectionType": { "type": "object", 
@@ -850,9 +378,121 @@ "description": "Required. The properties of the connection, specific to the auth type." } } + }, + "metadata": { + "__bicep_export!": true + } + }, + "_1.privateEndpointCustomDnsConfigType": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. FQDN that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } + }, + "_1.privateEndpointIpConfigurationType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } + } + }, + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." 
+ } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } + }, + "_1.privateEndpointPrivateDnsZoneGroupType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the Private DNS Zone Group." + } + }, + "privateDnsZoneGroupConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS Zone Group config." + } + }, + "privateDnsZoneResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the private DNS zone." + } + } + } + }, + "metadata": { + "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } } }, - "_1.aadAuthTypeWorkspaceConnectionPropertyType": { + "_2.aadAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -871,7 +511,7 @@ } } }, - "_1.accessKeyAuthTypeWorkspaceConnectionPropertyType": { + "_2.accessKeyAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -884,7 +524,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionAccessKeyType", + "$ref": "#/definitions/_2.workspaceConnectionAccessKeyType", "metadata": { "description": "Required. The credentials for the connection." } @@ -896,7 +536,7 @@ } } }, - "_1.apiKeyAuthWorkspaceConnectionPropertyType": { + "_2.apiKeyAuthWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { 
@@ -909,7 +549,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionApiKeyType", + "$ref": "#/definitions/_2.workspaceConnectionApiKeyType", "metadata": { "description": "Required. The credentials for the connection." } @@ -921,7 +561,7 @@ } } }, - "_1.customKeysType": { + "_2.customKeysType": { "type": "object", "properties": { "keys": { @@ -944,7 +584,7 @@ } } }, - "_1.customKeysWorkspaceConnectionPropertyType": { + "_2.customKeysWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -957,7 +597,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.customKeysType", + "$ref": "#/definitions/_2.customKeysType", "metadata": { "description": "Required. The credentials for the connection." } @@ -969,7 +609,7 @@ } } }, - "_1.managedIdentityAuthTypeWorkspaceConnectionPropertyType": { + "_2.managedIdentityAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -982,7 +622,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionManagedIdentityType", + "$ref": "#/definitions/_2.workspaceConnectionManagedIdentityType", "metadata": { "description": "Required. The credentials for the connection." } @@ -994,7 +634,7 @@ } } }, - "_1.noneAuthTypeWorkspaceConnectionPropertyType": { + "_2.noneAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -1013,7 +653,7 @@ } } }, - "_1.oauth2AuthTypeWorkspaceConnectionPropertyType": { + "_2.oauth2AuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -1026,7 +666,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionOAuth2Type", + "$ref": "#/definitions/_2.workspaceConnectionOAuth2Type", "metadata": { "description": "Required. The credentials for the connection." } 
@@ -1038,7 +678,7 @@ } } }, - "_1.patAuthTypeWorkspaceConnectionPropertyType": { + "_2.patAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -1051,7 +691,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionPersonalAccessTokenType", + "$ref": "#/definitions/_2.workspaceConnectionPersonalAccessTokenType", "metadata": { "description": "Required. The credentials for the connection." } @@ -1063,7 +703,7 @@ } } }, - "_1.sasAuthTypeWorkspaceConnectionPropertyType": { + "_2.sasAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -1076,7 +716,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionSharedAccessSignatureType", + "$ref": "#/definitions/_2.workspaceConnectionSharedAccessSignatureType", "metadata": { "description": "Required. The credentials for the connection." } @@ -1088,7 +728,7 @@ } } }, - "_1.servicePrincipalAuthTypeWorkspaceConnectionPropertyType": { + "_2.servicePrincipalAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -1101,7 +741,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionServicePrincipalType", + "$ref": "#/definitions/_2.workspaceConnectionServicePrincipalType", "metadata": { "description": "Required. The credentials for the connection." } @@ -1113,7 +753,7 @@ } } }, - "_1.usernamePasswordAuthTypeWorkspaceConnectionPropertyType": { + "_2.usernamePasswordAuthTypeWorkspaceConnectionPropertyType": { "type": "object", "properties": { "authType": { @@ -1126,7 +766,7 @@ } }, "credentials": { - "$ref": "#/definitions/_1.workspaceConnectionUsernamePasswordType", + "$ref": "#/definitions/_2.workspaceConnectionUsernamePasswordType", "metadata": { "description": "Required. The credentials for the connection." } 
@@ -1138,7 +778,7 @@ } } }, - "_1.workspaceConnectionAccessKeyType": { + "_2.workspaceConnectionAccessKeyType": { "type": "object", "properties": { "accessKeyId": { @@ -1160,7 +800,7 @@ } } }, - "_1.workspaceConnectionApiKeyType": { + "_2.workspaceConnectionApiKeyType": { "type": "object", "properties": { "key": { @@ -1176,7 +816,7 @@ } } }, - "_1.workspaceConnectionManagedIdentityType": { + "_2.workspaceConnectionManagedIdentityType": { "type": "object", "properties": { "clientId": { @@ -1198,7 +838,7 @@ } } }, - "_1.workspaceConnectionOAuth2Type": { + "_2.workspaceConnectionOAuth2Type": { "type": "object", "properties": { "authUrl": { 
@@ -1219,295 +859,729 @@ "clientSecret": { "type": "string", "metadata": { - "description": "Required. The connection client secret." + "description": "Required. The connection client secret." + } + }, + "developerToken": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The connection developer token. Required by GoogleAdWords connection category." + } + }, + "password": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The connection password. Required by Concur and ServiceNow connection categories where AccessToken grant type is 'Password'." + } + }, + "refreshToken": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The connection refresh token. Required by GoogleBigQuery, GoogleAdWords, Hubspot, QuickBooks, Square, Xero and Zoho connection categories." + } + }, + "tenantId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Required. The connection tenant ID. Required by QuickBooks and Xero connection categories." + } + }, + "username": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The connection username. Required by Concur and ServiceNow connection categories where AccessToken grant type is 'Password'." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connection/main.bicep" + } + } + }, + "_2.workspaceConnectionPersonalAccessTokenType": { + "type": "object", + "properties": { + "pat": { + "type": "string", + "metadata": { + "description": "Required. The connection personal access token." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connection/main.bicep" + } + } + }, + "_2.workspaceConnectionServicePrincipalType": { + "type": "object", + "properties": { + "clientId": { + "type": "string", + "metadata": { + "description": "Required. The connection client ID." 
+ } + }, + "clientSecret": { + "type": "string", + "metadata": { + "description": "Required. The connection client secret." + } + }, + "tenantId": { + "type": "string", + "metadata": { + "description": "Required. The connection tenant ID." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connection/main.bicep" + } + } + }, + "_2.workspaceConnectionSharedAccessSignatureType": { + "type": "object", + "properties": { + "sas": { + "type": "string", + "metadata": { + "description": "Required. The connection SAS token." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connection/main.bicep" + } + } + }, + "_2.workspaceConnectionUsernamePasswordType": { + "type": "object", + "properties": { + "password": { + "type": "string", + "metadata": { + "description": "Required. The connection password." + } + }, + "securityToken": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The connection security token. Required by connections like SalesForce for extra security in addition to 'UsernamePassword'." + } + }, + "username": { + "type": "string", + "metadata": { + "description": "Required. The connection username." 
+ } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connection/main.bicep" + } + } + }, + "categoryType": { + "type": "string", + "allowedValues": [ + "ADLSGen2", + "AIServices", + "AmazonMws", + "AmazonRdsForOracle", + "AmazonRdsForSqlServer", + "AmazonRedshift", + "AmazonS3Compatible", + "ApiKey", + "AzureBlob", + "AzureDataExplorer", + "AzureDatabricksDeltaLake", + "AzureMariaDb", + "AzureMySqlDb", + "AzureOneLake", + "AzureOpenAI", + "AzurePostgresDb", + "AzureSqlDb", + "AzureSqlMi", + "AzureSynapseAnalytics", + "AzureTableStorage", + "BingLLMSearch", + "Cassandra", + "CognitiveSearch", + "CognitiveService", + "Concur", + "ContainerRegistry", + "CosmosDb", + "CosmosDbMongoDbApi", + "Couchbase", + "CustomKeys", + "Db2", + "Drill", + "Dynamics", + "DynamicsAx", + "DynamicsCrm", + "Eloqua", + "FileServer", + "FtpServer", + "GenericContainerRegistry", + "GenericHttp", + "GenericRest", + "Git", + "GoogleAdWords", + "GoogleBigQuery", + "GoogleCloudStorage", + "Greenplum", + "Hbase", + "Hdfs", + "Hive", + "Hubspot", + "Impala", + "Informix", + "Jira", + "Magento", + "MariaDb", + "Marketo", + "MicrosoftAccess", + "MongoDbAtlas", + "MongoDbV2", + "MySql", + "Netezza", + "ODataRest", + "Odbc", + "Office365", + "OpenAI", + "Oracle", + "OracleCloudStorage", + "OracleServiceCloud", + "PayPal", + "Phoenix", + "PostgreSql", + "Presto", + "PythonFeed", + "QuickBooks", + "Redis", + "Responsys", + "S3", + "Salesforce", + "SalesforceMarketingCloud", + "SalesforceServiceCloud", + "SapBw", + "SapCloudForCustomer", + "SapEcc", + "SapHana", + "SapOpenHub", + "SapTable", + "Serp", + "Serverless", + "ServiceNow", + "Sftp", + "SharePointOnlineList", + "Shopify", + "Snowflake", + "Spark", + "SqlServer", + "Square", + "Sybase", + "Teradata", + "Vertica", + "WebTable", + "Xero", + "Zoho" + ], + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connection/main.bicep" + } + } + }, + "connectionPropertyType": { + "type": "secureObject", + 
"discriminator": { + "propertyName": "authType", + "mapping": { + "AAD": { + "$ref": "#/definitions/_2.aadAuthTypeWorkspaceConnectionPropertyType" + }, + "AccessKey": { + "$ref": "#/definitions/_2.accessKeyAuthTypeWorkspaceConnectionPropertyType" + }, + "ApiKey": { + "$ref": "#/definitions/_2.apiKeyAuthWorkspaceConnectionPropertyType" + }, + "CustomKeys": { + "$ref": "#/definitions/_2.customKeysWorkspaceConnectionPropertyType" + }, + "ManagedIdentity": { + "$ref": "#/definitions/_2.managedIdentityAuthTypeWorkspaceConnectionPropertyType" + }, + "None": { + "$ref": "#/definitions/_2.noneAuthTypeWorkspaceConnectionPropertyType" + }, + "OAuth2": { + "$ref": "#/definitions/_2.oauth2AuthTypeWorkspaceConnectionPropertyType" + }, + "PAT": { + "$ref": "#/definitions/_2.patAuthTypeWorkspaceConnectionPropertyType" + }, + "SAS": { + "$ref": "#/definitions/_2.sasAuthTypeWorkspaceConnectionPropertyType" + }, + "ServicePrincipal": { + "$ref": "#/definitions/_2.servicePrincipalAuthTypeWorkspaceConnectionPropertyType" + }, + "UsernamePassword": { + "$ref": "#/definitions/_2.usernamePasswordAuthTypeWorkspaceConnectionPropertyType" + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connection/main.bicep" + } + } + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, the deployment will use the latest version available at deployment time." 
+ } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a customer-managed key. To be used if the resource type does not support auto-rotation of the customer-managed key.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } + }, + "diagnosticSettingFullType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the diagnostic setting." + } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. 
Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. 
Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } + }, + "managedIdentityAllType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. 
To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } + }, + "privateEndpointSingleServiceType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the Private Endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the Private Endpoint to." + } + }, + "privateLinkServiceConnectionName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private link connection to create." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The subresource to deploy the Private Endpoint for. For example \"vault\" for a Key Vault Private Endpoint." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroup": { + "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS Zone Group to configure for the Private Endpoint." + } + }, + "isManualConnection": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. If Manual Private Link Connection is required." + } + }, + "manualConnectionRequestMessage": { + "type": "string", + "nullable": true, + "maxLength": 140, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." 
+ } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "$ref": "#/definitions/_1.privateEndpointIpConfigurationType" + }, + "nullable": true, + "metadata": { + "description": "Optional. A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. Application security groups in which the Private Endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the Private Endpoint." } }, - "developerToken": { - "type": "string", + "lock": { + "$ref": "#/definitions/lockType", "nullable": true, "metadata": { - "description": "Conditional. The connection developer token. Required by GoogleAdWords connection category." + "description": "Optional. Specify the type of lock." } }, - "password": { - "type": "string", + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, "nullable": true, "metadata": { - "description": "Conditional. The connection password. Required by Concur and ServiceNow connection categories where AccessToken grant type is 'Password'." + "description": "Optional. Array of role assignments to create." } }, - "refreshToken": { - "type": "string", + "tags": { + "type": "object", "nullable": true, "metadata": { - "description": "Conditional. The connection refresh token. Required by GoogleBigQuery, GoogleAdWords, Hubspot, QuickBooks, Square, Xero and Zoho connection categories." 
+ "description": "Optional. Tags to be applied on all resources/Resource Groups in this deployment." } }, - "tenantId": { - "type": "string", + "enableTelemetry": { + "type": "bool", "nullable": true, "metadata": { - "description": "Required. The connection tenant ID. Required by QuickBooks and Xero connection categories." + "description": "Optional. Enable/Disable usage telemetry for module." } }, - "username": { + "resourceGroupName": { "type": "string", "nullable": true, "metadata": { - "description": "Conditional. The connection username. Required by Concur and ServiceNow connection categories where AccessToken grant type is 'Password'." + "description": "Optional. Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource." } } }, "metadata": { + "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can be assumed (i.e., for services that only have one Private Endpoint type like 'vault' for key vault).", "__bicep_imported_from!": { - "sourceTemplate": "connection/main.bicep" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, - "_1.workspaceConnectionPersonalAccessTokenType": { + "roleAssignmentType": { "type": "object", "properties": { - "pat": { + "name": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The connection personal access token." + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "connection/main.bicep" - } - } - }, - "_1.workspaceConnectionServicePrincipalType": { - "type": "object", - "properties": { - "clientId": { + }, + "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The connection client ID." + "description": "Required. The role to assign. 
You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, - "clientSecret": { + "principalId": { "type": "string", "metadata": { - "description": "Required. The connection client secret." + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." } }, - "tenantId": { + "principalType": { "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, "metadata": { - "description": "Required. The connection tenant ID." + "description": "Optional. The principal type of the assigned principal ID." } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "connection/main.bicep" - } - } - }, - "_1.workspaceConnectionSharedAccessSignatureType": { - "type": "object", - "properties": { - "sas": { + }, + "description": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The connection SAS token." + "description": "Optional. The description of the role assignment." } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "connection/main.bicep" - } - } - }, - "_1.workspaceConnectionUsernamePasswordType": { - "type": "object", - "properties": { - "password": { + }, + "condition": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The connection password." + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." } }, - "securityToken": { + "conditionVersion": { "type": "string", + "allowedValues": [ + "2.0" + ], "nullable": true, "metadata": { - "description": "Conditional. 
The connection security token. Required by connections like SalesForce for extra security in addition to 'UsernamePassword'." + "description": "Optional. Version of the condition." } }, - "username": { + "delegatedManagedIdentityResourceId": { "type": "string", + "nullable": true, "metadata": { - "description": "Required. The connection username." - } - } - }, - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "connection/main.bicep" - } - } - }, - "categoryType": { - "type": "string", - "allowedValues": [ - "ADLSGen2", - "AIServices", - "AmazonMws", - "AmazonRdsForOracle", - "AmazonRdsForSqlServer", - "AmazonRedshift", - "AmazonS3Compatible", - "ApiKey", - "AzureBlob", - "AzureDataExplorer", - "AzureDatabricksDeltaLake", - "AzureMariaDb", - "AzureMySqlDb", - "AzureOneLake", - "AzureOpenAI", - "AzurePostgresDb", - "AzureSqlDb", - "AzureSqlMi", - "AzureSynapseAnalytics", - "AzureTableStorage", - "BingLLMSearch", - "Cassandra", - "CognitiveSearch", - "CognitiveService", - "Concur", - "ContainerRegistry", - "CosmosDb", - "CosmosDbMongoDbApi", - "Couchbase", - "CustomKeys", - "Db2", - "Drill", - "Dynamics", - "DynamicsAx", - "DynamicsCrm", - "Eloqua", - "FileServer", - "FtpServer", - "GenericContainerRegistry", - "GenericHttp", - "GenericRest", - "Git", - "GoogleAdWords", - "GoogleBigQuery", - "GoogleCloudStorage", - "Greenplum", - "Hbase", - "Hdfs", - "Hive", - "Hubspot", - "Impala", - "Informix", - "Jira", - "Magento", - "MariaDb", - "Marketo", - "MicrosoftAccess", - "MongoDbAtlas", - "MongoDbV2", - "MySql", - "Netezza", - "ODataRest", - "Odbc", - "Office365", - "OpenAI", - "Oracle", - "OracleCloudStorage", - "OracleServiceCloud", - "PayPal", - "Phoenix", - "PostgreSql", - "Presto", - "PythonFeed", - "QuickBooks", - "Redis", - "Responsys", - "S3", - "Salesforce", - "SalesforceMarketingCloud", - "SalesforceServiceCloud", - "SapBw", - "SapCloudForCustomer", - "SapEcc", - "SapHana", - "SapOpenHub", - "SapTable", - "Serp", - "Serverless", - "ServiceNow", - 
"Sftp", - "SharePointOnlineList", - "Shopify", - "Snowflake", - "Spark", - "SqlServer", - "Square", - "Sybase", - "Teradata", - "Vertica", - "WebTable", - "Xero", - "Zoho" - ], - "metadata": { - "__bicep_imported_from!": { - "sourceTemplate": "connection/main.bicep" - } - } - }, - "connectionPropertyType": { - "type": "secureObject", - "discriminator": { - "propertyName": "authType", - "mapping": { - "AAD": { - "$ref": "#/definitions/_1.aadAuthTypeWorkspaceConnectionPropertyType" - }, - "AccessKey": { - "$ref": "#/definitions/_1.accessKeyAuthTypeWorkspaceConnectionPropertyType" - }, - "ApiKey": { - "$ref": "#/definitions/_1.apiKeyAuthWorkspaceConnectionPropertyType" - }, - "CustomKeys": { - "$ref": "#/definitions/_1.customKeysWorkspaceConnectionPropertyType" - }, - "ManagedIdentity": { - "$ref": "#/definitions/_1.managedIdentityAuthTypeWorkspaceConnectionPropertyType" - }, - "None": { - "$ref": "#/definitions/_1.noneAuthTypeWorkspaceConnectionPropertyType" - }, - "OAuth2": { - "$ref": "#/definitions/_1.oauth2AuthTypeWorkspaceConnectionPropertyType" - }, - "PAT": { - "$ref": "#/definitions/_1.patAuthTypeWorkspaceConnectionPropertyType" - }, - "SAS": { - "$ref": "#/definitions/_1.sasAuthTypeWorkspaceConnectionPropertyType" - }, - "ServicePrincipal": { - "$ref": "#/definitions/_1.servicePrincipalAuthTypeWorkspaceConnectionPropertyType" - }, - "UsernamePassword": { - "$ref": "#/definitions/_1.usernamePasswordAuthTypeWorkspaceConnectionPropertyType" + "description": "Optional. The Resource Id of the delegated managed identity resource." } } }, "metadata": { + "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "connection/main.bicep" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -1581,6 +1655,7 @@ }, "lock": { "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { "description": "Optional. The lock settings of the service." } 
@@ -1600,13 +1675,21 @@ } }, "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of role assignments to create." } }, "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", + "type": "array", + "items": { + "$ref": "#/definitions/privateEndpointSingleServiceType" + }, + "nullable": true, "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -1643,7 +1726,7 @@ } }, "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", + "$ref": "#/definitions/managedIdentityAllType", "defaultValue": { "systemAssigned": true }, @@ -1653,18 +1736,21 @@ }, "featureStoreSettings": { "$ref": "#/definitions/featureStoreSettingType", + "nullable": true, "metadata": { "description": "Conditional. Settings for feature store type workspaces. Required if 'kind' is set to 'FeatureStore'." } }, "managedNetworkSettings": { "$ref": "#/definitions/managedNetworkSettingType", + "nullable": true, "metadata": { "description": "Optional. Managed Network settings for a machine learning workspace." } }, "serverlessComputeSettings": { "$ref": "#/definitions/serverlessComputeSettingType", + "nullable": true, "metadata": { "description": "Optional. Settings for serverless compute created in the workspace." } @@ -1682,12 +1768,17 @@ }, "workspaceHubConfig": { "$ref": "#/definitions/workspaceHubConfigType", + "nullable": true, "metadata": { "description": "Optional. Configuration for workspace hub settings." } }, "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", + "type": "array", + "items": { + "$ref": "#/definitions/diagnosticSettingFullType" + }, + "nullable": true, "metadata": { "description": "Optional. The diagnostic settings of the service." } 
@@ -1708,6 +1799,7 @@ }, "customerManagedKey": { "$ref": "#/definitions/customerManagedKeyType", + "nullable": true, "metadata": { "description": "Optional. The customer managed key definition." } 
@@ -1836,7 +1928,7 @@ "tier": "[parameters('sku')]" }, "identity": "[variables('identity')]", - "properties": "[union(createObject('friendlyName', parameters('name'), 'storageAccount', parameters('associatedStorageAccountResourceId'), 'keyVault', parameters('associatedKeyVaultResourceId'), 'applicationInsights', parameters('associatedApplicationInsightsResourceId'), 'containerRegistry', parameters('associatedContainerRegistryResourceId'), 'hbiWorkspace', parameters('hbiWorkspace'), 'description', parameters('description'), 'discoveryUrl', parameters('discoveryUrl'), 'encryption', if(not(empty(parameters('customerManagedKey'))), createObject('status', 'Enabled', 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keyVaultProperties', createObject('keyVaultArmId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), 'keyIdentifier', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null()), 
'imageBuildCompute', parameters('imageBuildCompute'), 'primaryUserAssignedIdentity', parameters('primaryUserAssignedIdentity'), 'systemDatastoresAuthMode', parameters('systemDatastoresAuthMode'), 'publicNetworkAccess', parameters('publicNetworkAccess'), 'serviceManagedResourcesSettings', parameters('serviceManagedResourcesSettings'), 'featureStoreSettings', parameters('featureStoreSettings'), 'hubResourceId', parameters('hubResourceId'), 'managedNetwork', parameters('managedNetworkSettings'), 'serverlessComputeSettings', parameters('serverlessComputeSettings'), 'workspaceHubConfig', parameters('workspaceHubConfig')), if(not(empty(parameters('sharedPrivateLinkResources'))), createObject('sharedPrivateLinkResources', parameters('sharedPrivateLinkResources')), createObject()))]", + "properties": "[shallowMerge(createArray(createObject('friendlyName', parameters('name'), 'storageAccount', parameters('associatedStorageAccountResourceId'), 'keyVault', parameters('associatedKeyVaultResourceId'), 'applicationInsights', parameters('associatedApplicationInsightsResourceId'), 'containerRegistry', parameters('associatedContainerRegistryResourceId'), 'hbiWorkspace', parameters('hbiWorkspace'), 'description', parameters('description'), 'discoveryUrl', parameters('discoveryUrl'), 'encryption', if(not(empty(parameters('customerManagedKey'))), createObject('status', 'Enabled', 'identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 
'keyVaultProperties', createObject('keyVaultArmId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), 'keyIdentifier', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), format('{0}/{1}', reference('cMKKeyVault::cMKKey').keyUri, parameters('customerManagedKey').keyVersion), reference('cMKKeyVault::cMKKey').keyUriWithVersion))), null()), 'imageBuildCompute', parameters('imageBuildCompute'), 'primaryUserAssignedIdentity', parameters('primaryUserAssignedIdentity'), 'systemDatastoresAuthMode', parameters('systemDatastoresAuthMode'), 'publicNetworkAccess', parameters('publicNetworkAccess'), 'serviceManagedResourcesSettings', parameters('serviceManagedResourcesSettings'), 'featureStoreSettings', parameters('featureStoreSettings'), 'hubResourceId', parameters('hubResourceId'), 'managedNetwork', parameters('managedNetworkSettings'), 'serverlessComputeSettings', parameters('serverlessComputeSettings'), 'workspaceHubConfig', parameters('workspaceHubConfig')), if(not(empty(parameters('sharedPrivateLinkResources'))), createObject('sharedPrivateLinkResources', parameters('sharedPrivateLinkResources')), createObject())))]", "kind": "[parameters('kind')]", "dependsOn": [ "cMKKeyVault", 
@@ -1981,15 +2073,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "6461308246344228681" + "version": "0.31.92.45157", + "templateHash": "2023974498049700881" }, "name": "Machine Learning Services Workspaces Computes", "description": "This module deploys a Machine Learning Services Workspaces Compute.\n\nAttaching a compute is not idempotent and will fail in case you try to redeploy over an existing compute in AML (see parameter `deployCompute`).", "owner": "Azure/module-maintainers" }, "definitions": { - "managedIdentitiesType": { + "managedIdentityAllType": { "type": "object", "properties": { "systemAssigned": { @@ -2006,11 +2098,16 @@ }, "nullable": true, "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." } } }, - "nullable": true + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" + } + } } }, "parameters": { @@ -2116,7 +2213,8 @@ } }, "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, "metadata": { "description": "Optional. The managed identity definition for this resource." } @@ -2244,8 +2342,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "11897886685116125832" + "version": "0.31.92.45157", + "templateHash": "342595729147977821" }, "name": "Machine Learning Services Workspaces Connections", "description": "This module creates a connection in a Machine Learning Services workspace.", 
@@ -3749,10 +3847,11 @@ }, "systemAssignedMIPrincipalId": { "type": "string", + "nullable": true, "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[coalesce(tryGet(tryGet(reference('workspace', '2024-04-01-preview', 'full'), 'identity'), 'principalId'), '')]" + "value": "[tryGet(tryGet(reference('workspace', '2024-04-01-preview', 'full'), 'identity'), 'principalId')]" }, "location": { "type": "string",
diff --git a/avm/res/machine-learning-services/workspace/version.json b/avm/res/machine-learning-services/workspace/version.json
index 9a9a06e897..6b6be93891 100644
--- a/avm/res/machine-learning-services/workspace/version.json
+++ b/avm/res/machine-learning-services/workspace/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.8",
+ "version": "0.9",
 "pathFilters": [
 "./main.json"
 ]