vNet2.bicep
// ------------------------------------------------------------
// VNet - Build a vnet w/ subnets
//
// Use this table for sub-object creation
//
//   Subnet                NSG   RouteTable   ServEndPt
//   GatewaySubnet               X
//   AzureBastionSubnet    ?
//   AzureFirewallSubnet         X
//   <AllOthers>           X     X            X
// ------------------------------------------------------------
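//Special vNet/Subnet objects
@description('Virtual networks to build. Each item is read for vnetName, vNetAddressSpace, NetworkType and a nested subnets array whose items are read for SubnetName, SubnetAddressSpace and serviceEndPoints.')
param vNetArray array

@description('Flat list of subnets that drive the per-subnet route table and NSG modules. Each item is read for vNetName, subnetName, routes and securityRules.')
param subnetArray array

@description('Tags applied to every resource created here; the vnet additionally gets NetworkType merged in.')
param tags object = {
  // NOTE(review): 'prop' may be a typo for 'prod' - confirm with the callers before changing
  'Environment': 'prop'
  'Location': 'usce'
  'application': 'Network'
  'ALL_CAPS': 'ALL_CAPS'
  'all_lower': 'all_lower'
  'Mixed_Case' : 'Mixed_Case'
}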
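//Special Subnets
//Subnets that get a route table but no NSG
var subnetRTOnly = [
  'GatewaySubnet'
  'AzureFirewallSubnet'
]
//Subnets that get neither a route table nor an NSG
var subnetNone = [
  'AzureBastionSubnet' //Bastion can have an NSG. This code doesn't support it
]
//Subnets that get an NSG but no route table
var subnetNSGOnly = [
  // 'AzureBastionSubnet'
]
//Union of the lists above so special subnets can be separated from
//"normal" subnets. Derived from the lists rather than repeated by hand so
//that adding a special subnet to one list cannot leave this one stale.
var specialSubnet = concat(subnetRTOnly, subnetNone, subnetNSGOnly)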
//Create route tables for subnets that require them: every non-special
//subnet plus the specials listed in subnetRTOnly (GatewaySubnet,
//AzureFirewallSubnet). Deployed one at a time via batchSize.
@batchSize(1)
module RouteTable 'modules/routetable.bicep' = [for (sn, idx) in subnetArray: if (!contains(specialSubnet, sn.subnetName) || contains(subnetRTOnly, sn.subnetName)) {
  name: 'RouteTable-${sn.vNetName}-${sn.subnetName}-rt-${idx}'
  scope: resourceGroup()
  params: {
    rtName: '${sn.vNetName}-${sn.subnetName}-rt'
    // presumably turns off BGP route propagation on every table built here
    // (so on-prem learned routes do not override the explicit routes) -
    // confirm against modules/routetable.bicep
    disableBGPProp: true
    routes: sn.routes
    tags: tags
  }
}]
//Create NSG tables for subnets that require them: every non-special
//subnet plus the specials listed in subnetNSGOnly (currently empty, so
//AzureBastionSubnet is deployed without an NSG).
module NSGTable 'modules/networksecuritygroup.bicep' = [for (sn, idx) in subnetArray: if (!contains(specialSubnet, sn.subnetName) || contains(subnetNSGOnly, sn.subnetName)) {
  name: 'NSGTable-${sn.vNetName}-${sn.subnetName}-nsg-${idx}'
  scope: resourceGroup()
  params: {
    nsgName: '${sn.vNetName}-${sn.subnetName}-nsg'
    // rule set comes straight from the caller's subnet object
    secRules: sn.securityRules
    tags: tags
  }
}]
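//Vnet build out
//The NSG and route table ids are computed with resourceId() instead of
//being taken from the module outputs, so the explicit dependsOn below is
//the only thing ordering the deployment. Every subnet of a vnet that falls
//into the NSG/RT branches must also appear in subnetArray, otherwise the
//id points at a resource that was never created and the deployment fails.
@batchSize(1)
resource vnet 'Microsoft.Network/virtualNetworks@2020-06-01' = [for (vn, i) in vNetArray: {
  name: '${vn.vnetName}'
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vn.vNetAddressSpace
      ]
    }
    // DDoS Network Protection is left off for every vnet built here.
    // NOTE(review): consider exposing this as a parameter for internet-facing vnets
    enableDdosProtection: false
    // Subnets are declared inline, so only the properties set here survive a
    // redeploy. No delegations are set, which may drop any subnet delegation
    // configured outside this template (as the original author noted).
    // Property names are read as SubnetName/SubnetAddressSpace/serviceEndPoints
    // throughout; the original mixed subnetName and SubnetName -
    // NOTE(review): confirm the casing the callers of vNetArray supply.
    subnets: [for subnet in vn.subnets: {
      name: subnet.SubnetName
      properties: {
        addressPrefix: subnet.SubnetAddressSpace
        serviceEndpoints: subnet.serviceEndPoints
        // Same selection rules as the NSGTable and RouteTable module loops.
        // The provider namespace is Microsoft.Network (as on this resource's
        // own type); the previous 'Microsoft.Networking' is not a valid
        // namespace, so the NSG/RT association could never resolve.
        networkSecurityGroup: (contains(subnetNSGOnly, subnet.SubnetName) || !contains(specialSubnet, subnet.SubnetName)) ? {
          id: resourceId('Microsoft.Network/networkSecurityGroups', '${vn.vnetName}-${subnet.SubnetName}-nsg')
        } : null
        routeTable: (contains(subnetRTOnly, subnet.SubnetName) || !contains(specialSubnet, subnet.SubnetName)) ? {
          id: resourceId('Microsoft.Network/routeTables', '${vn.vnetName}-${subnet.SubnetName}-rt')
        } : null
      }
    }]
  }
  // required because the subnet ids above are string-built, not module outputs
  dependsOn: [
    RouteTable
    NSGTable
  ]
  tags: union(tags, {
    'NetworkType': vn.NetworkType
  })
}]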