feat(new): Azure Data Explorer (Kusto) (#440)

## Description closes: #287  If you haven't already, read the full [contribution guide](https://github.com/Azure/bicep-registry-modules/blob/main/CONTRIBUTING.md). The guide may have changed since the last time you read it, so please double-check. Once you are done and ready to submit your PR, edit the PR description and run through the relevant checklist below. Enable GitHub Worksflows in your fork to enable auto-generation of assets with our [GitHub Action](/.github/workflows/push-auto-generate.yml). To trigger GitHub Actions after auto-generation, [add a GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) as a secret in your forked repository called `PAT`. ## Adding a new module  - [x] A proposal has been submitted and approved. - [x] I have included "Closes #{module_proposal_issue_number}" in the PR description. - [x] I have run `brm validate` locally to verify the module files. - [x] I have run deployment tests locally to ensure the module is deployable. --------- Co-authored-by: Daniel Ciborowski <[email protected]> Co-authored-by: dciborow <[email protected]> Co-authored-by: vlahane <[email protected]>
Azure · Aug 23, 2023 · eb55bdd · eb55bdd
1 parent 7f020d3
commit eb55bdd
Show file tree

Hide file tree

Showing 10 changed files with 1,764 additions and 0 deletions.
diff --git a/modules/storage/data-explorer/.bicep/nested_privateEndpoint.bicep b/modules/storage/data-explorer/.bicep/nested_privateEndpoint.bicep
@@ -0,0 +1,58 @@
+param location string
+param tags object
+param manualApprovalEnabled bool
+param privateEndpoints array
+
+var varPrivateEndpoints = [for (p, i) in privateEndpoints: {
+  name: p.name
+  privateLinkServiceId: p.privateLinkServiceId
+  groupIds: p.groupIds
+  subnetId: p.subnetId
+  privateDnsZones: contains(p, 'privateDnsZones') ? p.privateDnsZones : []
+  customNetworkInterfaceName: contains(p, 'customNetworkInterfaceName') ? p.customNetworkInterfaceName : null
+}]
+
+@batchSize(1)
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2022-05-01' = [for endpoint in varPrivateEndpoints: {
+  name: '${endpoint.name}-${uniqueString(endpoint.name, endpoint.subnetId, endpoint.privateLinkServiceId)}'
+  location: location
+  tags: tags
+  properties: {
+    privateLinkServiceConnections: manualApprovalEnabled ? null : [
+      {
+        name: endpoint.name
+        properties: {
+          privateLinkServiceId: endpoint.privateLinkServiceId
+          groupIds: !empty(endpoint.groupIds) ? endpoint.groupIds : null
+        }
+      }
+    ]
+    manualPrivateLinkServiceConnections: manualApprovalEnabled ? [
+      {
+        name: endpoint.name
+        properties: {
+          privateLinkServiceId: endpoint.privateLinkServiceId
+          groupIds: !empty(endpoint.groupIds) ? endpoint.groupIds : null
+        }
+      }
+    ] : null
+    subnet: {
+      id: endpoint.subnetId
+    }
+    customNetworkInterfaceName: endpoint.customNetworkInterfaceName
+  }
+}]
+
+@batchSize(1)
+resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-05-01' = [for (endpoint, i) in varPrivateEndpoints: {
+  name: 'default'
+  parent: privateEndpoint[i]
+  properties: {
+    privateDnsZoneConfigs: [for privateDnsZone in endpoint.privateDnsZones: {
+      name: contains(privateDnsZone, 'name') ? privateDnsZone.name : 'default'
+      properties: {
+        privateDnsZoneId: privateDnsZone.zoneId
+      }
+    }]
+  }
+}]
diff --git a/modules/storage/data-explorer/.bicep/nested_rbac.bicep b/modules/storage/data-explorer/.bicep/nested_rbac.bicep
@@ -0,0 +1,67 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource Id of the Kusto cluster.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+  'ServicePrincipal'
+  'Group'
+  'User'
+  'ForeignGroup'
+  'Device'
+  ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+  '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+var builtInRoleNames = {
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f37683f-2463-46b6-9ce7-9b788b988ba2')
+  'App Compliance Automation Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'Resource Policy Contributor')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+}
+
+resource kustoClusters 'Microsoft.Kusto/clusters@2022-12-29' existing = {
+  name: last(split(resourceId, '/'))
+}
+
+@batchSize(1)
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+  name: guid(kustoClusters.name, principalId, roleDefinitionIdOrName)
+  properties: {
+    description: description
+    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+    principalId: principalId
+    principalType: !empty(principalType) ? any(principalType) : null
+    condition: !empty(condition) ? condition : null
+    conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+    delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+  }
+  scope: kustoClusters
+}]