feat: Improvements of the avm/res/network/bastion-host module (#3611)

## Description Several improvements of the Azure Bastion module: - Updated the API version of `Microsoft.Network/bastionHosts` to `2024-01-01` [(F2a8b179L18R18)](https://github.com - Added support for the `Premium` SKU and its features: - private only Bastion (incl. a dedicated test case) - session recording - Added support for availability zones Resolves #3308 > Note: due to resource provider errors, the support for the `Developer` SKU is not included in this update ## Pipeline Reference  | Pipeline | | -------- | | [![avm.res.network.bastion-host](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.bastion-host.yml/badge.svg?branch=users%2Fkrbar%2FbastionUpdate)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.network.bastion-host.yml) | ## Type of Change  - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [x] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings  --------- Co-authored-by: Alexander Sehr <[email protected]>
Azure · Oct 25, 2024 · a14318a · a14318a
1 parent 71226ac
commit a14318a
Show file tree

Hide file tree

Showing 14 changed files with 384 additions and 80 deletions.
diff --git a/avm/res/network/bastion-host/README.md b/avm/res/network/bastion-host/README.md
@@ -18,7 +18,7 @@ This module deploys a Bastion Host.
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Network/bastionHosts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2022-11-01/bastionHosts) |
+| `Microsoft.Network/bastionHosts` | [2024-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-01-01/bastionHosts) |
 | `Microsoft.Network/publicIPAddresses` | [2023-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-09-01/publicIPAddresses) |
 
 ## Usage examples
@@ -32,7 +32,8 @@ The following section provides usage examples for the module, which were used to
 - [With a custom public IP address deployed by the module](#example-1-with-a-custom-public-ip-address-deployed-by-the-module)
 - [Using only defaults](#example-2-using-only-defaults)
 - [Using large parameter set](#example-3-using-large-parameter-set)
-- [WAF-aligned](#example-4-waf-aligned)
+- [Private-only deployment](#example-4-private-only-deployment)
+- [WAF-aligned](#example-5-waf-aligned)
 
 ### Example 1: _With a custom public IP address deployed by the module_
 
@@ -350,6 +351,11 @@ module bastionHost 'br/public:avm/res/network/bastion-host:<version>' = {
       'hidden-title': 'This is visible in the resource name'
       Role: 'DeploymentValidation'
     }
+    zones: [
+      1
+      2
+      3
+    ]
   }
 }
 ```
@@ -442,6 +448,13 @@ module bastionHost 'br/public:avm/res/network/bastion-host:<version>' = {
         "hidden-title": "This is visible in the resource name",
         "Role": "DeploymentValidation"
       }
+    },
+    "zones": {
+      "value": [
+        1,
+        2,
+        3
+      ]
     }
   }
 }
@@ -506,12 +519,101 @@ param tags = {
   'hidden-title': 'This is visible in the resource name'
   Role: 'DeploymentValidation'
 }
+param zones = [
+  1
+  2
+  3
+]
 ```
 
 </details>
 <p>
 
-### Example 4: _WAF-aligned_
+### Example 4: _Private-only deployment_
+
+This instance deploys the module as private-only Bastion deployment.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module bastionHost 'br/public:avm/res/network/bastion-host:<version>' = {
+  name: 'bastionHostDeployment'
+  params: {
+    // Required parameters
+    name: 'nbhprv001'
+    virtualNetworkResourceId: '<virtualNetworkResourceId>'
+    // Non-required parameters
+    enablePrivateOnlyBastion: true
+    enableSessionRecording: true
+    location: '<location>'
+    skuName: 'Premium'
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON parameters file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "name": {
+      "value": "nbhprv001"
+    },
+    "virtualNetworkResourceId": {
+      "value": "<virtualNetworkResourceId>"
+    },
+    // Non-required parameters
+    "enablePrivateOnlyBastion": {
+      "value": true
+    },
+    "enableSessionRecording": {
+      "value": true
+    },
+    "location": {
+      "value": "<location>"
+    },
+    "skuName": {
+      "value": "Premium"
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via Bicep parameters file</summary>
+
+```bicep-params
+using 'br/public:avm/res/network/bastion-host:<version>'
+
+// Required parameters
+param name = 'nbhprv001'
+param virtualNetworkResourceId = '<virtualNetworkResourceId>'
+// Non-required parameters
+param enablePrivateOnlyBastion = true
+param enableSessionRecording = true
+param location = '<location>'
+param skuName = 'Premium'
+```
+
+</details>
+<p>
+
+### Example 5: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
 
@@ -674,21 +776,24 @@ param tags = {
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`bastionSubnetPublicIpResourceId`](#parameter-bastionsubnetpublicipresourceid) | string | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. |
+| [`bastionSubnetPublicIpResourceId`](#parameter-bastionsubnetpublicipresourceid) | string | The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. This parameter is ignored when enablePrivateOnlyBastion is true. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
-| [`disableCopyPaste`](#parameter-disablecopypaste) | bool | Choose to disable or enable Copy Paste. |
-| [`enableFileCopy`](#parameter-enablefilecopy) | bool | Choose to disable or enable File Copy. |
-| [`enableIpConnect`](#parameter-enableipconnect) | bool | Choose to disable or enable IP Connect. |
+| [`disableCopyPaste`](#parameter-disablecopypaste) | bool | Choose to disable or enable Copy Paste. For Basic SKU Copy/Paste is always enabled. |
+| [`enableFileCopy`](#parameter-enablefilecopy) | bool | Choose to disable or enable File Copy. Not supported for Basic SKU. |
+| [`enableIpConnect`](#parameter-enableipconnect) | bool | Choose to disable or enable IP Connect. Not supported for Basic SKU. |
 | [`enableKerberos`](#parameter-enablekerberos) | bool | Choose to disable or enable Kerberos authentication. |
-| [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. |
+| [`enablePrivateOnlyBastion`](#parameter-enableprivateonlybastion) | bool | Choose to disable or enable Private-only Bastion deployment. The Premium SKU is required for this feature. |
+| [`enableSessionRecording`](#parameter-enablesessionrecording) | bool | Choose to disable or enable Session Recording feature. The Premium SKU is required for this feature. If Session Recording is enabled, the Native client support will be disabled. |
+| [`enableShareableLink`](#parameter-enableshareablelink) | bool | Choose to disable or enable Shareable Link. Not supported for Basic SKU. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
-| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. |
+| [`publicIPAddressObject`](#parameter-publicipaddressobject) | object | Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. This parameter is ignored when enablePrivateOnlyBastion is true. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
-| [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. |
+| [`scaleUnits`](#parameter-scaleunits) | int | The scale units for the Bastion Host resource. The Basic SKU only supports 2 scale units. |
 | [`skuName`](#parameter-skuname) | string | The SKU of this Bastion Host. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`zones`](#parameter-zones) | array | A list of availability zones denoting where the Bastion Host resource needs to come from. |
 
 ### Parameter: `name`
 
@@ -706,7 +811,7 @@ Shared services Virtual Network resource Id.
 
 ### Parameter: `bastionSubnetPublicIpResourceId`
 
-The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet.
+The Public IP resource ID to associate to the azureBastionSubnet. If empty, then the Public IP that is created as part of this module will be applied to the azureBastionSubnet. This parameter is ignored when enablePrivateOnlyBastion is true.
 
 - Required: No
 - Type: string
@@ -826,23 +931,23 @@ Resource ID of the diagnostic log analytics workspace. For security reasons, it
 
 ### Parameter: `disableCopyPaste`
 
-Choose to disable or enable Copy Paste.
+Choose to disable or enable Copy Paste. For Basic SKU Copy/Paste is always enabled.
 
 - Required: No
 - Type: bool
 - Default: `False`
 
 ### Parameter: `enableFileCopy`
 
-Choose to disable or enable File Copy.
+Choose to disable or enable File Copy. Not supported for Basic SKU.
 
 - Required: No
 - Type: bool
 - Default: `True`
 
 ### Parameter: `enableIpConnect`
 
-Choose to disable or enable IP Connect.
+Choose to disable or enable IP Connect. Not supported for Basic SKU.
 
 - Required: No
 - Type: bool
@@ -856,9 +961,25 @@ Choose to disable or enable Kerberos authentication.
 - Type: bool
 - Default: `False`
 
+### Parameter: `enablePrivateOnlyBastion`
+
+Choose to disable or enable Private-only Bastion deployment. The Premium SKU is required for this feature.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
+### Parameter: `enableSessionRecording`
+
+Choose to disable or enable Session Recording feature. The Premium SKU is required for this feature. If Session Recording is enabled, the Native client support will be disabled.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
 ### Parameter: `enableShareableLink`
 
-Choose to disable or enable Shareable Link.
+Choose to disable or enable Shareable Link. Not supported for Basic SKU.
 
 - Required: No
 - Type: bool
@@ -918,7 +1039,7 @@ Specify the name of lock.
 
 ### Parameter: `publicIPAddressObject`
 
-Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided.
+Specifies the properties of the Public IP to create and be used by Azure Bastion, if no existing public IP was provided. This parameter is ignored when enablePrivateOnlyBastion is true.
 
 - Required: No
 - Type: object
@@ -1034,7 +1155,7 @@ The principal type of the assigned principal ID.
 
 ### Parameter: `scaleUnits`
 
-The scale units for the Bastion Host resource.
+The scale units for the Bastion Host resource. The Basic SKU only supports 2 scale units.
 
 - Required: No
 - Type: int
@@ -1051,6 +1172,7 @@ The SKU of this Bastion Host.
   ```Bicep
   [
     'Basic'
+    'Premium'
     'Standard'
   ]
   ```
@@ -1062,6 +1184,22 @@ Tags of the resource.
 - Required: No
 - Type: object
 
+### Parameter: `zones`
+
+A list of availability zones denoting where the Bastion Host resource needs to come from.
+
+- Required: No
+- Type: array
+- Default: `[]`
+- Allowed:
+  ```Bicep
+  [
+    1
+    2
+    3
+  ]
+  ```
+
 ## Outputs
 
 | Output | Type | Description |
@@ -1078,7 +1216,7 @@ This section gives you an overview of all local-referenced module files (i.e., o
 
 | Reference | Type |
 | :-- | :-- |
-| `br/public:avm/res/network/public-ip-address:0.5.1` | Remote reference |
+| `br/public:avm/res/network/public-ip-address:0.6.0` | Remote reference |
 
 ## Data Collection