Merge branch 'main' into avm-authorization-policyexemptions

avm/ptn/network/hub-networking/README.md

@@ -905,7 +905,7 @@ module hubNetworking 'br/public:avm/ptn/network/hub-networking:<version>' = {
           publicIPAddressObject: {
             name: 'hub1PublicIp'
           }
-          threatIntelMode: 'Alert'
+          threatIntelMode: 'Deny'
           zones: [
             1
             2
@@ -1008,7 +1008,7 @@ module hubNetworking 'br/public:avm/ptn/network/hub-networking:<version>' = {
             "publicIPAddressObject": {
               "name": "hub1PublicIp"
             },
-            "threatIntelMode": "Alert",
+            "threatIntelMode": "Deny",
             "zones": [
               1,
               2,
@@ -1111,7 +1111,7 @@ param hubVirtualNetworks = {
       publicIPAddressObject: {
         name: 'hub1PublicIp'
       }
-      threatIntelMode: 'Alert'
+      threatIntelMode: 'Deny'
       zones: [
         1
         2

avm/ptn/network/hub-networking/main.json

@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "15226702818499942359"
+      "version": "0.31.92.45157",
+      "templateHash": "10817443316191820673"
     },
     "name": "Hub Networking",
     "description": "This module is designed to simplify the creation of multi-region hub networks in Azure. It will create a number of virtual networks and subnets, and optionally peer them together in a mesh topology with routing.",
@@ -2345,8 +2345,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "5568850224456572684"
+              "version": "0.31.92.45157",
+              "templateHash": "5407453106862679302"
             },
             "name": "Virtual Networks",
             "description": "This module deploys a Virtual Network.",
@@ -6473,8 +6473,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "16563975082451649304"
+              "version": "0.31.92.45157",
+              "templateHash": "16076301727176806098"
             },
             "name": "Existing Virtual Network Subnets",
             "description": "This module retrieves an existing Virtual Network Subnet.",
@@ -6556,8 +6556,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.30.3.12046",
-              "templateHash": "10294962787410461549"
+              "version": "0.31.92.45157",
+              "templateHash": "3114934486774261221"
             },
             "name": "Virtual Network Subnets",
             "description": "This module deploys a Virtual Network Subnet.",

avm/ptn/network/hub-networking/tests/e2e/waf-aligned/main.test.bicep

@@ -69,7 +69,7 @@ module testDeployment '../../../main.bicep' = [
             publicIPAddressObject: {
               name: 'hub1PublicIp'
             }
-            threatIntelMode: 'Alert'
+            threatIntelMode: 'Deny'
             zones: [
               1
               2

avm/res/cache/redis/README.md

@@ -19,6 +19,8 @@ This module deploys a Redis Cache.
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Cache/redis` | [2024-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis) |
+| `Microsoft.Cache/redis/accessPolicies` | [2024-04-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis/accessPolicies) |
+| `Microsoft.Cache/redis/accessPolicyAssignments` | [2024-04-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis/accessPolicyAssignments) |
 | `Microsoft.Cache/redis/linkedServers` | [2024-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis/linkedServers) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) |
@@ -118,6 +120,19 @@ module redis 'br/public:avm/res/cache/redis:<version>' = {
     // Required parameters
     name: 'crentrid001'
     // Non-required parameters
+    accessPolicies: [
+      {
+        name: 'Prefixed Contributor'
+        permissions: '+@read +set ~Az*'
+      }
+    ]
+    accessPolicyAssignments: [
+      {
+        accessPolicyName: 'Data Contributor'
+        objectId: '<objectId>'
+        objectIdAlias: '<objectIdAlias>'
+      }
+    ]
     location: '<location>'
     redisConfiguration: {
       'aad-enabled': 'true'
@@ -143,6 +158,23 @@ module redis 'br/public:avm/res/cache/redis:<version>' = {
       "value": "crentrid001"
     },
     // Non-required parameters
+    "accessPolicies": {
+      "value": [
+        {
+          "name": "Prefixed Contributor",
+          "permissions": "+@read +set ~Az*"
+        }
+      ]
+    },
+    "accessPolicyAssignments": {
+      "value": [
+        {
+          "accessPolicyName": "Data Contributor",
+          "objectId": "<objectId>",
+          "objectIdAlias": "<objectIdAlias>"
+        }
+      ]
+    },
     "location": {
       "value": "<location>"
     },
@@ -168,6 +200,19 @@ using 'br/public:avm/res/cache/redis:<version>'
 // Required parameters
 param name = 'crentrid001'
 // Non-required parameters
+param accessPolicies = [
+  {
+    name: 'Prefixed Contributor'
+    permissions: '+@read +set ~Az*'
+  }
+]
+param accessPolicyAssignments = [
+  {
+    accessPolicyName: 'Data Contributor'
+    objectId: '<objectId>'
+    objectIdAlias: '<objectIdAlias>'
+  }
+]
 param location = '<location>'
 param redisConfiguration = {
   'aad-enabled': 'true'
@@ -749,7 +794,6 @@ module redis 'br/public:avm/res/cache/redis:<version>' = {
         workspaceResourceId: '<workspaceResourceId>'
       }
     ]
-    enableNonSslPort: true
     location: '<location>'
     lock: {
       kind: 'CanNotDelete'
@@ -831,9 +875,6 @@ module redis 'br/public:avm/res/cache/redis:<version>' = {
         }
       ]
     },
-    "enableNonSslPort": {
-      "value": true
-    },
     "location": {
       "value": "<location>"
     },
@@ -933,7 +974,6 @@ param diagnosticSettings = [
     workspaceResourceId: '<workspaceResourceId>'
   }
 ]
-param enableNonSslPort = true
 param location = '<location>'
 param lock = {
   kind: 'CanNotDelete'
@@ -992,6 +1032,8 @@ param zones = [
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`accessPolicies`](#parameter-accesspolicies) | array | Array of access policies to create. |
+| [`accessPolicyAssignments`](#parameter-accesspolicyassignments) | array | Array of access policy assignments. |
 | [`capacity`](#parameter-capacity) | int | The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
 | [`disableAccessKeyAuthentication`](#parameter-disableaccesskeyauthentication) | bool | Disable authentication via access keys. |
@@ -1025,6 +1067,72 @@ The name of the Redis cache resource.
 - Required: Yes
 - Type: string
 
+### Parameter: `accessPolicies`
+
+Array of access policies to create.
+
+- Required: No
+- Type: array
+- Default: `[]`
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`name`](#parameter-accesspoliciesname) | string | Name of the access policy. |
+| [`permissions`](#parameter-accesspoliciespermissions) | string | Permissions associated with the access policy. |
+
+### Parameter: `accessPolicies.name`
+
+Name of the access policy.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `accessPolicies.permissions`
+
+Permissions associated with the access policy.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `accessPolicyAssignments`
+
+Array of access policy assignments.
+
+- Required: No
+- Type: array
+- Default: `[]`
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`accessPolicyName`](#parameter-accesspolicyassignmentsaccesspolicyname) | string | Name of the access policy to be assigned. |
+| [`objectId`](#parameter-accesspolicyassignmentsobjectid) | string | Object id to which the access policy will be assigned. |
+| [`objectIdAlias`](#parameter-accesspolicyassignmentsobjectidalias) | string | Alias for the target object id. |
+
+### Parameter: `accessPolicyAssignments.accessPolicyName`
+
+Name of the access policy to be assigned.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `accessPolicyAssignments.objectId`
+
+Object id to which the access policy will be assigned.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `accessPolicyAssignments.objectIdAlias`
+
+Alias for the target object id.
+
+- Required: Yes
+- Type: string
+
 ### Parameter: `capacity`
 
 The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4).

avm/res/cache/redis/linked-servers/main.json

@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "6993324639761594928"
+      "version": "0.31.92.45157",
+      "templateHash": "4764248912015671674"
     },
     "name": "Redis Cache Linked Servers",
     "description": "This module connects a primary and secondary Redis Cache together for geo-replication.",
@@ -98,4 +98,4 @@
       "value": "[resourceGroup().name]"
     }
   }
-}
+}

avm/res/cache/redis/main.bicep

@@ -111,6 +111,12 @@ param diagnosticSettings diagnosticSettingType
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
+@description('Optional. Array of access policies to create.')
+param accessPolicies accessPolicyType[] = []
+
+@description('Optional. Array of access policy assignments.')
+param accessPolicyAssignments accessPolicyAssignmentType[] = []
+
 var availabilityZones = skuName == 'Premium'
   ? zoneRedundant ? !empty(zones) ? zones : pickZones('Microsoft.Cache', 'redis', location, 3) : []
   : []
@@ -207,6 +213,31 @@ resource redis 'Microsoft.Cache/redis@2024-03-01' = {
   zones: availabilityZones
 }
 
+resource redis_accessPolicies 'Microsoft.Cache/redis/accessPolicies@2024-04-01-preview' = [
+  for policy in accessPolicies: {
+    name: policy.name
+    parent: redis
+    properties: {
+      permissions: policy.permissions
+    }
+  }
+]
+
+resource redis_accessPolicyAssignments 'Microsoft.Cache/redis/accessPolicyAssignments@2024-04-01-preview' = [
+  for assignment in accessPolicyAssignments: {
+    name: assignment.objectId
+    parent: redis
+    properties: {
+      objectId: assignment.objectId
+      objectIdAlias: assignment.objectIdAlias
+      accessPolicyName: assignment.accessPolicyName
+    }
+    dependsOn: [
+      redis_accessPolicies
+    ]
+  }
+]
+
 resource redis_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
   name: lock.?name ?? 'lock-${name}'
   properties: {
@@ -537,3 +568,19 @@ type diagnosticSettingType = {
   @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
   marketplacePartnerResourceId: string?
 }[]?
+
+type accessPolicyType = {
+  @description('Required. Name of the access policy.')
+  name: string
+  @description('Required. Permissions associated with the access policy.')
+  permissions: string
+}
+
+type accessPolicyAssignmentType = {
+  @description('Required. Object id to which the access policy will be assigned.')
+  objectId: string
+  @description('Required. Alias for the target object id.')
+  objectIdAlias: string
+  @description('Required. Name of the access policy to be assigned.')
+  accessPolicyName: string
+}