{ "$schema": "", "view": { "kind": "Form", "properties": { "title": "Cloud-Scale Analytics Scenario - Data Management Zone", "steps": [ { "name": "basics", "label": "Data Management Zone", "elements": [ { "name": "infoBoxDataManagementAnalytics", "type": "Microsoft.Common.InfoBox", "visible": true, "options": { "text": "Cloud-Scale Analytics Scenario is a prescriptive reference architecture for data with reference implementation provided by Microsoft. Visit 'aka.ms/adopt/datamanagement' for more details about the solution pattern.", "style": "Info", "uri": "https://aka.ms/adopt/cloudscaleanalytics" } }, { "name": "infoBoxPurview", "type": "Microsoft.Common.InfoBox", "visible": true, "options": { "text": "Before you start the deployment, please make sure you register the 'Microsoft.Purview', 'Microsoft.EventHub' and 'Microsoft.Storage' Resource Provider (RP) in your Data Management Zone Subscription. Otherwise, the deployment may fail. If you have registered the Purview RP in an early preview phase, you may be required to re-register the 'Microsoft.Purview' RP. Please follow the link to learn how this can be done.", "style": "Warning", "uri": "https://docs.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types" } }, { "name": "deploymentDetails", "label": "Deployment Details", "type": "Microsoft.Common.Section", "visible": true, "elements": [ { "name": "deploymentDetailsText", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { "text": "Select the subscription as well as the location to specify the scope of your Data Management Zone deployment.", "link": { "label": "", "uri": "" } } }, { "name": "subscriptionApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "subscriptions?api-version=2020-01-01" } }, { "name": "subscriptionId", "label": "Subscription", "type": "Microsoft.Common.DropDown", "visible": true, "defaultValue": "", "toolTip": "Select the Subscription for your Data Management Zone.", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(steps('basics').deploymentDetails.subscriptionApi.value, (item) => parse(concat('{\"label\":\"', item.displayName, '\",\"value\":\"', item.id, '\",\"description\":\"', 'ID: ', item.subscriptionId, '\"}')))]", "required": true } }, { "name": "eventHubProviderApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "POST", "path": "[concat(steps('basics').deploymentDetails.subscriptionId, '/providers/Microsoft.EventHub/register?api-version=2021-04-01')]" } }, { "name": "storageProviderApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "POST", "path": "[concat(steps('basics').deploymentDetails.subscriptionId, '/providers/Microsoft.Storage/register?api-version=2021-04-01')]" } }, { "name": "purviewProviderApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "POST", "path": "[concat(steps('basics').deploymentDetails.subscriptionId, '/providers/Microsoft.Purview/register?api-version=2021-04-01')]" } }, { "name": "infoBoxLocation", "type": "Microsoft.Common.InfoBox", "visible": true, "options": { "text": "Since not all service features are available in all regions, this deployment is available in a subset of regions.", "style": "Info" } }, { "name": "locationsApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "locations?api-version=2019-11-01" } }, { "name": "locationName", "label": "Location", "type": "Microsoft.Common.DropDown", "visible": true, "defaultValue": "", "toolTip": "Select the Location for your Data Management Zone.", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('basics').deploymentDetails.locationsApi.value,(item) => contains(split('southafricanorth,australiaeast,centralindia,japaneast,southeastasia,southindia,canadacentral,francecentral,germanywestcentral,northeurope,uksouth,westeurope,brazilsouth,centralus,eastus,eastus2,southcentralus,westcentralus,westus2', ','), item.name)),(item) => parse(concat('{\"label\":\"', item.regionalDisplayName, '\",\"value\":\"', item.name, '\"}')))]", "required": true } } ] }, { "name": "dataManagementZoneName", "label": "Data Management Zone Name", "type": "Microsoft.Common.Section", "visible": true, "elements": [ { "name": "dataManagementZoneNameText", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { "text": "Specify a prefix and select an environment (Development, Test, Production) which will both be used as a prefix for all resource names. Independent of the environment, the same resources get deployed.", "link": { "label": "", "uri": "" } } }, { "name": "environment", "label": "Environment", "type": "Microsoft.Common.DropDown", "visible": true, "defaultValue": "Development", "toolTip": "Select the environment for the deployment.", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": [ { "label": "Development", "description": "Select if you want to deploy a development environment.", "value": "dev" }, { "label": "Test", "description": "Select if you want to deploy a test environment.", "value": "tst" }, { "label": "Production", "description": "Select if you want to deploy a production environment.", "value": "prd" } ], "required": true } }, { "name": "dataManagementZonePrefix", "label": "Data Management Zone Prefix", "type": "Microsoft.Common.TextBox", "visible": true, "defaultValue": "", "toolTip": "Specify a prefix (min 1 and max 10 lowercase characters and numbers).", "constraints": { "required": true, "validations": [ { "regex": "^[a-z0-9]{1,10}$", "message": "The prefix must be between 1-10 lowercase characters and numbers." }, { "isValid": "[not(equals(steps('basics').dataManagementZoneName.keyVaultNameApi.nameAvailable, false))]", "message": "Prefix currently unavailable. Please choose a different one." }, { "isValid": "[not(equals(steps('basics').dataManagementZoneName.containerRegistryNameApi.nameAvailable, false))]", "message": "Prefix currently unavailable. Please choose a different one." }, { "isValid": "[not(equals(steps('basics').dataManagementZoneName.purviewNameApi.nameAvailable, false))]", "message": "Prefix currently unavailable. Please choose a different one." } ] } }, { "name": "keyVaultNameApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "POST", "path": "[concat(steps('basics').deploymentDetails.subscriptionId, '/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2019-09-01')]", "body": { "name": "[concat(steps('basics').dataManagementZoneName.dataManagementZonePrefix, '-', steps('basics').dataManagementZoneName.environment, '-vault001')]", "type": "Microsoft.KeyVault/vaults" } } }, { "name": "containerRegistryNameApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "POST", "path": "[concat(steps('basics').deploymentDetails.subscriptionId, '/providers/Microsoft.ContainerRegistry/checkNameAvailability?api-version=2019-05-01')]", "body": { "name": "[concat(steps('basics').dataManagementZoneName.dataManagementZonePrefix, steps('basics').dataManagementZoneName.environment, 'containerregistry001')]", "type": "Microsoft.ContainerRegistry/registries" } } }, { "name": "purviewNameApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "POST", "path": "[concat(steps('basics').deploymentDetails.subscriptionId, '/providers/Microsoft.Purview/checkNameAvailability?api-version=2020-12-01-preview')]", "body": { "name": "[concat(steps('basics').dataManagementZoneName.dataManagementZonePrefix, '-', steps('basics').dataManagementZoneName.environment, '-purview001')]", "type": "Microsoft.Purview/accounts" } } } ] } ] }, { "name": "generalSettings", "label": "General Settings", "subLabel": { "preValidation": "Provide settings for your Data Management Zone deployment.", "postValidation": "Done" }, "bladeTitle": "General Settings", "bladeSubtitle": "General Settings", "elements": [ { "name": "purviewSettings", "label": "Purview Settings", "type": "Microsoft.Common.Section", "visible": true, "elements": [ { "name": "purviewSettingsText", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { "text": "Specify Azure Purview settings for this deployment.", "link": { "label": "Learn more", "uri": "https://docs.microsoft.com/en-us/azure/purview/overview" } } }, { "name": "purviewRootCollectionAdminObjectIds", "label": "Purview Root Collection Admin Object ID", "type": "Microsoft.Common.TextBox", "visible": true, "defaultValue": "", "toolTip": "Specify an AAD User Object ID of a the user in your AAD tenant that should be added as collection admin to the root collection of your Purview account.", "constraints": { "required": false, "regex": "^(([a-z0-9-]{36})(,)?)*$", "validationMessage": "Invalid Object ID(s) (36 lower-case chars, hyphens and numbers). Please specify one or more valid object IDs seperated by a comma (e.g. '{object-id}' or '{object-id-1},{object-id-2}') and remove whitespaces from your input." } } ] } ] }, { "name": "connectivitySettings", "label": "Connectivity Settings", "subLabel": { "preValidation": "Provide all connectivity settings for your Data Management Zone.", "postValidation": "Done" }, "bladeTitle": "Connectivity Settings", "bladeSubtitle": "Connectivity Settings", "elements": [ { "name": "virtualNetworkConfiguration", "label": "Virtual Network Configuration", "type": "Microsoft.Common.Section", "visible": true, "elements": [ { "name": "virtualNetworkConfigurationText", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { "text": "Specify the Virtual network and subnet CIDR range for your Data Management Zone.", "link": { "label": "", "uri": "" } } }, { "name": "virtualNetworkAddressCidrRange", "label": "Vnet Address CIDR Range", "type": "Microsoft.Common.TextBox", "visible": true, "defaultValue": "10.0.0.0/16", "toolTip": "Specify a Vnet address CIDR range within the range [10,24].", "constraints": { "required": true, "validations": [ { "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-4]))$", "message": "Invalid CIDR range. The address prefix must be in the range [10,24]." } ] } }, { "name": "azureFirewallSubnetCidrRange", "label": "Azure Firewall Subnet CIDR Range", "type": "Microsoft.Common.TextBox", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'no')]", "defaultValue": "10.0.0.0/24", "toolTip": "Specify a CIDR range for the Azure Firewall Subnet within the range [24,26].", "constraints": { "required": true, "validations": [ { "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[4-6]))$", "message": "Invalid CIDR range. The address prefix must be in the range [24,26]." }, { "isValid": "[if(greaterOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), 8), equals(last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), '.'), 1)), last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.azureFirewallSubnetCidrRange, '/')), '.'), 1))), true)]", "message": "CIDR range not within virtual network CIDR range (first octet)." }, { "isValid": "[if(greaterOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), 16), equals(last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), '.'), 2)), last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.azureFirewallSubnetCidrRange, '/')), '.'), 2))), true)]", "message": "CIDR range not within virtual network CIDR range (second octet)." }, { "isValid": "[if(greaterOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), 24), equals(last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), '.'), 3)), last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.azureFirewallSubnetCidrRange, '/')), '.'), 3))), true)]", "message": "CIDR range not within virtual network CIDR range (third octet)." }, { "isValid": "[lessOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), last(split(steps('connectivitySettings').virtualNetworkConfiguration.azureFirewallSubnetCidrRange, '/')))]", "message": "CIDR range not within virtual network CIDR range (subnet mask)." } ] } }, { "name": "servicesSubnetCidrRange", "label": "Services Subnet CIDR Range", "type": "Microsoft.Common.TextBox", "visible": true, "defaultValue": "10.0.1.0/24", "toolTip": "Specify a CIDR range for the Subnet to which privat endpoints and other services will be connected. The subnet should be within the range [24,28].", "constraints": { "required": true, "validations": [ { "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(2[4-8]))$", "message": "Invalid CIDR range. The address prefix must be in the range [24,28]." }, { "isValid": "[if(greaterOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), 8), equals(last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), '.'), 1)), last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.servicesSubnetCidrRange, '/')), '.'), 1))), true)]", "message": "CIDR range not within virtual network CIDR range (first octet)." }, { "isValid": "[if(greaterOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), 16), equals(last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), '.'), 2)), last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.servicesSubnetCidrRange, '/')), '.'), 2))), true)]", "message": "CIDR range not within virtual network CIDR range (second octet)." }, { "isValid": "[if(greaterOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), 24), equals(last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), '.'), 3)), last(take(split(first(split(steps('connectivitySettings').virtualNetworkConfiguration.servicesSubnetCidrRange, '/')), '.'), 3))), true)]", "message": "CIDR range not within virtual network CIDR range (third octet)." }, { "isValid": "[lessOrEquals(last(split(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange, '/')), last(split(steps('connectivitySettings').virtualNetworkConfiguration.servicesSubnetCidrRange, '/')))]", "message": "CIDR range not within virtual network CIDR range (subnet mask)." } ] } } ] }, { "name": "firewallConfiguration", "label": "Firewall & DNS Configuration", "type": "Microsoft.Common.Section", "visible": true, "elements": [ { "name": "firewallConfigurationText", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { "text": "Specify whether the deployment takes place in an existing Azure Landing Zone (former Enterprise-Scale Landing Zone) environment. If so, it is recommended to make use of the existing network infrastructure in your connectivity hub in your tenant.", "link": { "label": "Learn more", "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#high-level-architecture" } } }, { "name": "disableDnsAndFirewallDeployment", "label": "Deploy into Azure Landing Zone (former Enterprise-Scale Landing Zone) environment", "type": "Microsoft.Common.OptionsGroup", "visible": true, "toolTip": "If 'Yes' is selected, you can configure the deployment to make use of the networking infrastructure in your ESLZ Connectivity Hub.", "defaultValue": "No", "constraints": { "allowedValues": [ { "label": "Yes", "value": "yes" }, { "label": "No", "value": "no" } ] } }, { "name": "firewallTier", "label": "Firewall Tier", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'no')]", "defaultValue": "Premium (recommended)", "toolTip": "Select the Firewall tier that is used inside your environment.", "multiselect": false, "selectAll": false, "filter": false, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": [ { "label": "Standard", "description": "Standard Azure Firewall", "value": "Standard" }, { "label": "Premium (recommended)", "description": "Premium Azure Firewall adds support for TLS inspection, IDPS, URL filtering and web categories.", "value": "Premium" } ], "required": true } }, { "name": "existingFirewallType", "label": "Existing Firewall", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'yes')]", "defaultValue": "Azure Firewall", "toolTip": "Select the Firewall that is used inside your environment.", "multiselect": false, "selectAll": false, "filter": false, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": [ { "label": "Azure Firewall", "value": "azureFirewall" }, { "label": "Third Party Appliance", "value": "custom" } ], "required": true } }, { "name": "infoBoxFirewallRulesCustomDeployment", "type": "Microsoft.Common.InfoBox", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.existingFirewallType, 'custom')]", "options": { "text": "Please follow the link and make sure you apply the network and application rules to your Firewall. Otherwise, functionality of some services inside your data platform will be limited or may not function. This includes but is not limited to DataFactory, Databricks, Azure Machine Learning and HDInsight.", "style": "Warning", "uri": "https://github.com/Azure/data-management-zone/blob/main/infra/modules/services/firewallPolicyRules.bicep" } }, { "name": "existingDnsForwarderType", "label": "Existing DNS Forwarder", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'yes')]", "defaultValue": "Azure Firewall", "toolTip": "Select the DNS Forwarder that is used inside your environment.", "multiselect": false, "selectAll": false, "filter": false, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": [ { "label": "Azure Firewall", "value": "azureFirewall" }, { "label": "Other", "value": "custom" } ], "required": true } }, { "name": "subscriptionFirewallApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "subscriptions?api-version=2020-01-01" } }, { "name": "azureFirewallSub", "label": "Azure Firewall Subscription", "type": "Microsoft.Common.DropDown", "visible": "[or(equals(steps('connectivitySettings').firewallConfiguration.existingFirewallType, 'azureFirewall'), equals(steps('connectivitySettings').firewallConfiguration.existingDnsForwarderType, 'azureFirewall'))]", "defaultValue": "", "toolTip": "Select the Subscription of your Azure Firewall.", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(steps('connectivitySettings').firewallConfiguration.subscriptionFirewallApi.value, (item) => parse(concat('{\"label\":\"', item.displayName, '\",\"value\":\"', item.id, '\",\"description\":\"', 'ID: ', item.subscriptionId, '\"}')))]", "required": true } }, { "name": "azureFirewallApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "[concat(steps('connectivitySettings').firewallConfiguration.azureFirewallSub, '/providers/Microsoft.Network/azureFirewalls?api-version=2020-11-01')]" } }, { "name": "azureFirewallId", "label": "Azure Firewall", "type": "Microsoft.Common.DropDown", "visible": "[or(equals(steps('connectivitySettings').firewallConfiguration.existingFirewallType, 'azureFirewall'), equals(steps('connectivitySettings').firewallConfiguration.existingDnsForwarderType, 'azureFirewall'))]", "defaultValue": "", "toolTip": "Select the central Azure Firewall that should be used.", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(steps('connectivitySettings').firewallConfiguration.azureFirewallApi.value, (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Subscription ID: ', last(take(split(item.id, '/'), 3)), '\"}')))]", "required": true } }, { "name": "azureFirewallPrivateIpApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "[concat(steps('connectivitySettings').firewallConfiguration.azureFirewallId, '?api-version=2020-11-01')]" } }, { "name": "enableFirewallRulesDeployment", "label": "Deploy Rules to Azure Firewall Policy", "type": "Microsoft.Common.OptionsGroup", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.existingFirewallType, 'azureFirewall')]", "toolTip": "If 'Yes' is selected, you will have to select an Azure Firewall Policy to which network and application rules will be deployed.", "defaultValue": "No", "constraints": { "allowedValues": [ { "label": "Yes", "value": "yes" }, { "label": "No", "value": "no" } ] } }, { "name": "infoBoxFirewallRulesDeployment", "type": "Microsoft.Common.InfoBox", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.enableFirewallRulesDeployment, 'yes')]", "options": { "text": "Please follow the link for more details about the application and network firewall policy rules that are being applied.", "style": "Info", "uri": "https://github.com/Azure/data-management-zone/blob/main/infra/modules/services/firewallPolicyRules.bicep" } }, { "name": "firewallPolicyApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "[concat(steps('connectivitySettings').firewallConfiguration.azureFirewallSub, '/providers/Microsoft.Network/firewallPolicies?api-version=2020-11-01')]" } }, { "name": "firewallPolicyId", "label": "Firewall Policy", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.enableFirewallRulesDeployment, 'yes')]", "defaultValue": "", "toolTip": "Select the Firewall Policy where the rules will be deployed.", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(steps('connectivitySettings').firewallConfiguration.firewallPolicyApi.value, (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Subscription ID: ', last(take(split(item.id, '/'), 3)), '\"}')))]", "required": true } }, { "name": "firewallPrivateIp", "label": "Firewall Private IP Address", "type": "Microsoft.Common.TextBox", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.existingFirewallType, 'custom')]", "defaultValue": "10.0.0.4", "toolTip": "Specify the private IP address of your Firewall.", "constraints": { "required": true, "validations": [ { "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$", "message": "Invalid IP address. Please specify a single valid IP adress (e.g. '10.0.0.4')." } ] } }, { "name": "dnsServerAdresses", "label": "DNS Forwarder IP Addresses", "type": "Microsoft.Common.TextBox", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.existingDnsForwarderType, 'custom')]", "defaultValue": "10.0.0.4", "toolTip": "Specify the private IP addresses of your DNS forwarders. You can specify more than one private IP address ('10.0.0.4,10.0.0.5').", "constraints": { "required": true, "validations": [ { "regex": "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(,)?)*$", "message": "Invalid IP addresses. Please specify one or more valid IP adresses (e.g. '10.0.0.4' or '10.0.0.4,10.0.0.5') and remove whitespaces in your input." } ] } } ] }, { "name": "privateDnsZones", "label": "Private DNS Zones", "type": "Microsoft.Common.Section", "visible": "[equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'yes')]", "elements": [ { "name": "privateDnsZonesText", "type": "Microsoft.Common.TextBlock", "visible": true, "options": { "text": "Select the Private DNS Zone settings for your deployment.", "link": { "label": "", "uri": "" } } }, { "name": "infoBoxPrivateDnsZone", "type": "Microsoft.Common.InfoBox", "visible": true, "options": { "text": "We are deploying all services with private endpoints and disabled public network access to reduce the data exfiltration risk. For each private endpoint, DNS A-records need to be created in a Private DNS Zones. Therefore, these either need to deployed through Azure Policies or you have to provide the Private DNS Zones that should be used for this deployment. We are assuming that all Private DNS Zones are created in the same subscription. Deploying DNS A-Records through Private Endpoints is the recommended solution.", "style": "Info", "uri": "https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale" } }, { "name": "automatedPrivateDnsZoneGroups", "label": "DNS A-Records are deployed through Azure Policy", "type": "Microsoft.Common.OptionsGroup", "visible": true, "toolTip": "If 'No' is selected, you will have to choose private DNS Zones that will be used for the A-Record deployment of the private DNS Zones.", "defaultValue": "Yes", "constraints": { "allowedValues": [ { "label": "Yes", "value": "yes" }, { "label": "No", "value": "no" } ] } }, { "name": "subscriptionPrivateDnsZonesApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "subscriptions?api-version=2020-01-01" } }, { "name": "privateDnsZonesSub", "label": "Private DNS Zone Subscription", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Select the Subscription of your Private DNS Zones.", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(steps('connectivitySettings').privateDnsZones.subscriptionPrivateDnsZonesApi.value, (item) => parse(concat('{\"label\":\"', item.displayName, '\",\"value\":\"', item.id, '\",\"description\":\"', 'ID: ', item.subscriptionId, '\"}')))]", "required": true } }, { "name": "privateDnsZonesApi", "type": "Microsoft.Solutions.ArmApiControl", "request": { "method": "GET", "path": "[concat(steps('connectivitySettings').privateDnsZones.privateDnsZonesSub, '/providers/Microsoft.Network/privateDnsZones?api-version=2018-09-01')]" } }, { "name": "privateDnsZoneIdKeyVault", "label": "Private DNS Zone Key Vault (privatelink.vaultcore.azure.net)", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Private DNS Zone for Key Vault (privatelink.vaultcore.azure.net).", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('connectivitySettings').privateDnsZones.privateDnsZonesApi.value,(item) => contains(item.name, 'privatelink.vaultcore.azure.net')),(item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Resource Group: ', last(take(split(item.id, '/'), 5)), '\"}')))]", "required": true } }, { "name": "privateDnsZoneIdBlob", "label": "Private DNS Zone Blob Storage (privatelink.blob.core.windows.net)", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Private DNS Zone for Blob Storage (privatelink.blob.core.windows.net).", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('connectivitySettings').privateDnsZones.privateDnsZonesApi.value,(item) => contains(item.name, 'privatelink.blob.core.windows.net')),(item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Resource Group: ', last(take(split(item.id, '/'), 5)), '\"}')))]", "required": true } }, { "name": "privateDnsZoneIdQueue", "label": "Private DNS Zone Queue Storage (privatelink.queue.core.windows.net)", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Private DNS Zone for Queue Storage (privatelink.queue.core.windows.net).", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('connectivitySettings').privateDnsZones.privateDnsZonesApi.value,(item) => contains(item.name, 'privatelink.queue.core.windows.net')),(item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Resource Group: ', last(take(split(item.id, '/'), 5)), '\"}')))]", "required": true } }, { "name": "privateDnsZoneIdContainerRegistry", "label": "Private DNS Zone Container Registry (privatelink.azurecr.io)", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Private DNS Zone for Synapse Sql (privatelink.azurecr.io).", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('connectivitySettings').privateDnsZones.privateDnsZonesApi.value,(item) => contains(item.name, 'privatelink.azurecr.io')),(item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Resource Group: ', last(take(split(item.id, '/'), 5)), '\"}')))]", "required": true } }, { "name": "privateDnsZoneIdNamespace", "label": "Private DNS Zone EventHub Namespace (privatelink.servicebus.windows.net)", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Private DNS Zone for EventHub Namespace (privatelink.servicebus.windows.net).", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('connectivitySettings').privateDnsZones.privateDnsZonesApi.value,(item) => contains(item.name, 'privatelink.servicebus.windows.net')),(item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Resource Group: ', last(take(split(item.id, '/'), 5)), '\"}')))]", "required": true } }, { "name": "privateDnsZoneIdPurview", "label": "Private DNS Zone Purview (privatelink.purview.azure.com)", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Private DNS Zone for Purview (privatelink.purview.azure.com).", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('connectivitySettings').privateDnsZones.privateDnsZonesApi.value,(item) => contains(item.name, 'privatelink.purview.azure.com')),(item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Resource Group: ', last(take(split(item.id, '/'), 5)), '\"}')))]", "required": true } }, { "name": "privateDnsZoneIdSynapse", "label": "Private DNS Zone Synapse Private Link Hub (privatelink.azuresynapse.net)", "type": "Microsoft.Common.DropDown", "visible": "[equals(steps('connectivitySettings').privateDnsZones.automatedPrivateDnsZoneGroups, 'no')]", "defaultValue": "", "toolTip": "Private DNS Zone for Synapse Private Link Hub (privatelink.azuresynapse.net).", "multiselect": false, "selectAll": false, "filter": true, "filterPlaceholder": "Filter items ...", "multiLine": true, "constraints": { "allowedValues": "[map(filter(steps('connectivitySettings').privateDnsZones.privateDnsZonesApi.value,(item) => contains(item.name, 'privatelink.azuresynapse.net')),(item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.id, '\",\"description\":\"', 'Resource Group: ', last(take(split(item.id, '/'), 5)), '\"}')))]", "required": true } } ] } ] }, { "name": "tags", "label": "Tags", "subLabel": { "preValidation": "Provide tags that will be used for all resources.", "postValidation": "Done" }, "bladeTitle": "Tags", "bladeSubtitle": "Tags", "elements": [ { "name": "tagsByResource", "label": "Tags by Resource", "type": "Microsoft.Common.TagsByResource", "visible": true, "resources": [ "DataManagementAnalytics" ] } ] } ] }, "outputs": { "kind": "Subscription", "location": "[steps('basics').deploymentDetails.locationName]", "subscriptionId": "[steps('basics').deploymentDetails.subscriptionId]", "parameters": { "location": "[if(empty(steps('basics').deploymentDetails.locationName), '', steps('basics').deploymentDetails.locationName)]", "environment": "[if(empty(steps('basics').dataManagementZoneName.environment), '', steps('basics').dataManagementZoneName.environment)]", "prefix": "[if(empty(steps('basics').dataManagementZoneName.dataManagementZonePrefix), '', steps('basics').dataManagementZoneName.dataManagementZonePrefix)]", "tags": "[if(not(contains(steps('tags').tagsByResource, 'DataManagementAnalytics')), parse('{}'), first(map(parse(concat('[', string(steps('tags').tagsByResource), ']')), (item) => item.DataManagementAnalytics)))]", "purviewRootCollectionAdminObjectIds": "[if(empty(steps('generalSettings').purviewSettings.purviewRootCollectionAdminObjectIds), parse('[]'), split(replace(steps('generalSettings').purviewSettings.purviewRootCollectionAdminObjectIds, ' ', ''), ','))]", "vnetAddressPrefix": "[if(empty(steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange), '', steps('connectivitySettings').virtualNetworkConfiguration.virtualNetworkAddressCidrRange)]", "azureFirewallSubnetAddressPrefix": "[if(empty(steps('connectivitySettings').virtualNetworkConfiguration.azureFirewallSubnetCidrRange), '', steps('connectivitySettings').virtualNetworkConfiguration.azureFirewallSubnetCidrRange)]", "servicesSubnetAddressPrefix": "[if(empty(steps('connectivitySettings').virtualNetworkConfiguration.servicesSubnetCidrRange), '', steps('connectivitySettings').virtualNetworkConfiguration.servicesSubnetCidrRange)]", "enableDnsAndFirewallDeployment": "[if(equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'no'), true, false)]", "firewallPrivateIp": "[if(equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'no'), '', if(equals(steps('connectivitySettings').firewallConfiguration.existingFirewallType, 'azureFirewall'), first(map(steps('connectivitySettings').firewallConfiguration.azureFirewallPrivateIpApi.properties.ipConfigurations, (item) => item.properties.privateIPAddress)), steps('connectivitySettings').firewallConfiguration.firewallPrivateIp))]", "dnsServerAdresses": "[if(equals(steps('connectivitySettings').firewallConfiguration.disableDnsAndFirewallDeployment, 'no'), parse('[]'), if(equals(steps('connectivitySettings').firewallConfiguration.existingDnsForwarderType, 'azureFirewall'), map(steps('connectivitySettings').firewallConfiguration.azureFirewallPrivateIpApi.properties.ipConfigurations, (item) => item.properties.privateIPAddress), split(replace(steps('connectivitySettings').firewallConfiguration.dnsServerAdresses, ' ', ''), ',')))]", "firewallPolicyId": "[if(empty(steps('connectivitySettings').firewallConfiguration.firewallPolicyId), '', steps('connectivitySettings').firewallConfiguration.firewallPolicyId)]", "firewallTier": "[if(empty(steps('connectivitySettings').firewallConfiguration.firewallTier), 'Premium', steps('connectivitySettings').firewallConfiguration.firewallTier)]", "privateDnsZoneIdBlob": "[if(empty(steps('connectivitySettings').privateDnsZones.privateDnsZoneIdBlob), '', steps('connectivitySettings').privateDnsZones.privateDnsZoneIdBlob)]", "privateDnsZoneIdKeyVault": "[if(empty(steps('connectivitySettings').privateDnsZones.privateDnsZoneIdKeyVault), '', steps('connectivitySettings').privateDnsZones.privateDnsZoneIdKeyVault)]", "privateDnsZoneIdNamespace": "[if(empty(steps('connectivitySettings').privateDnsZones.privateDnsZoneIdNamespace), '', steps('connectivitySettings').privateDnsZones.privateDnsZoneIdNamespace)]", "privateDnsZoneIdPurview": "[if(empty(steps('connectivitySettings').privateDnsZones.privateDnsZoneIdPurview), '', steps('connectivitySettings').privateDnsZones.privateDnsZoneIdPurview)]", "privateDnsZoneIdQueue": "[if(empty(steps('connectivitySettings').privateDnsZones.privateDnsZoneIdQueue), '', steps('connectivitySettings').privateDnsZones.privateDnsZoneIdQueue)]", "privateDnsZoneIdSynapse": "[if(empty(steps('connectivitySettings').privateDnsZones.privateDnsZoneIdSynapse), '', steps('connectivitySettings').privateDnsZones.privateDnsZoneIdSynapse)]", "privateDnsZoneIdContainerRegistry": "[if(empty(steps('connectivitySettings').privateDnsZones.privateDnsZoneIdContainerRegistry), '', steps('connectivitySettings').privateDnsZones.privateDnsZoneIdContainerRegistry)]" } } } }