fix: Resolve issue when bastion/firewall is not deployed (#3356)

## Description Resolves issue when bastion and firewall are not deployed. Added test to confirm. Fixes #3343 Closes #3343 ## Pipeline Reference  | Pipeline | | -------- | | [![avm.ptn.network.hub-networking](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.ptn.network.hub-networking.yml/badge.svg?branch=fix%2Fissues%2F3343)](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.ptn.network.hub-networking.yml) | ## Type of Change  - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [X] Azure Verified Module updates: - [X] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [X] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [X] I'm sure there are no other open Pull Requests for the same update/change - [X] I have run `Set-AVMModule` locally to generate the supporting module files. - [X] My corresponding pipelines / checks run clean and green without any errors or warnings  --------- Co-authored-by: Máté Barabás <[email protected]> Co-authored-by: Rainer Halanek <[email protected]> Co-authored-by: JFolberth <[email protected]>
Azure · Sep 25, 2024 · 5fc18d3 · 5fc18d3
1 parent d213e8a
commit 5fc18d3
Show file tree

Hide file tree

Showing 4 changed files with 321 additions and 34 deletions.
diff --git a/avm/ptn/network/hub-networking/README.md b/avm/ptn/network/hub-networking/README.md
@@ -38,7 +38,8 @@ The following section provides usage examples for the module, which were used to
 
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
-- [WAF-aligned](#example-3-waf-aligned)
+- [No Addons](#example-3-no-addons)
+- [WAF-aligned](#example-4-waf-aligned)
 
 ### Example 1: _Using only defaults_
 
@@ -448,7 +449,175 @@ module hubNetworking 'br/public:avm/ptn/network/hub-networking:<version>' = {
 </details>
 <p>
 
-### Example 3: _WAF-aligned_
+### Example 3: _No Addons_
+
+This instance deploys the module with no add-ons (Firewall / Bastion) enabled.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module hubNetworking 'br/public:avm/ptn/network/hub-networking:<version>' = {
+  name: 'hubNetworkingDeployment'
+  params: {
+    hubVirtualNetworks: {
+      hub1: {
+        addressPrefixes: '<addressPrefixes>'
+        diagnosticSettings: [
+          {
+            eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
+            eventHubName: '<eventHubName>'
+            metricCategories: [
+              {
+                category: 'AllMetrics'
+              }
+            ]
+            name: 'customSetting'
+            storageAccountResourceId: '<storageAccountResourceId>'
+            workspaceResourceId: '<workspaceResourceId>'
+          }
+        ]
+        dnsServers: [
+          '10.0.1.6'
+          '10.0.1.7'
+        ]
+        enableAzureFirewall: false
+        enableBastion: false
+        enablePeering: false
+        enableTelemetry: true
+        flowTimeoutInMinutes: 30
+        location: '<location>'
+        lock: {
+          kind: 'CanNotDelete'
+          name: 'hub1Lock'
+        }
+        routes: [
+          {
+            name: 'defaultRoute'
+            properties: {
+              addressPrefix: '0.0.0.0/0'
+              nextHopType: 'Internet'
+            }
+          }
+        ]
+        subnets: [
+          {
+            addressPrefix: '<addressPrefix>'
+            name: 'GatewaySubnet'
+          }
+          {
+            addressPrefix: '<addressPrefix>'
+            name: 'AzureFirewallSubnet'
+          }
+          {
+            addressPrefix: '<addressPrefix>'
+            name: 'AzureBastionSubnet'
+          }
+        ]
+        tags: {
+          Environment: 'Non-Prod'
+          'hidden-title': 'This is visible in the resource name'
+          Role: 'DeploymentValidation'
+        }
+        vnetEncryption: false
+        vnetEncryptionEnforcement: 'AllowUnencrypted'
+      }
+    }
+    location: '<location>'
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON Parameter file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "hubVirtualNetworks": {
+      "value": {
+        "hub1": {
+          "addressPrefixes": "<addressPrefixes>",
+          "diagnosticSettings": [
+            {
+              "eventHubAuthorizationRuleResourceId": "<eventHubAuthorizationRuleResourceId>",
+              "eventHubName": "<eventHubName>",
+              "metricCategories": [
+                {
+                  "category": "AllMetrics"
+                }
+              ],
+              "name": "customSetting",
+              "storageAccountResourceId": "<storageAccountResourceId>",
+              "workspaceResourceId": "<workspaceResourceId>"
+            }
+          ],
+          "dnsServers": [
+            "10.0.1.6",
+            "10.0.1.7"
+          ],
+          "enableAzureFirewall": false,
+          "enableBastion": false,
+          "enablePeering": false,
+          "enableTelemetry": true,
+          "flowTimeoutInMinutes": 30,
+          "location": "<location>",
+          "lock": {
+            "kind": "CanNotDelete",
+            "name": "hub1Lock"
+          },
+          "routes": [
+            {
+              "name": "defaultRoute",
+              "properties": {
+                "addressPrefix": "0.0.0.0/0",
+                "nextHopType": "Internet"
+              }
+            }
+          ],
+          "subnets": [
+            {
+              "addressPrefix": "<addressPrefix>",
+              "name": "GatewaySubnet"
+            },
+            {
+              "addressPrefix": "<addressPrefix>",
+              "name": "AzureFirewallSubnet"
+            },
+            {
+              "addressPrefix": "<addressPrefix>",
+              "name": "AzureBastionSubnet"
+            }
+          ],
+          "tags": {
+            "Environment": "Non-Prod",
+            "hidden-title": "This is visible in the resource name",
+            "Role": "DeploymentValidation"
+          },
+          "vnetEncryption": false,
+          "vnetEncryptionEnforcement": "AllowUnencrypted"
+        }
+      }
+    },
+    "location": {
+      "value": "<location>"
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+### Example 4: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
 

diff --git a/avm/ptn/network/hub-networking/main.bicep b/avm/ptn/network/hub-networking/main.bicep
@@ -245,22 +245,26 @@ output hubVirtualNetworks object[] = [
 
 @description('Array of hub bastion resources.')
 output hubBastions object[] = [
-  for (hub, index) in items(hubVirtualNetworks ?? {}): {
-    resourceGroupName: hubBastion[index].outputs.resourceGroupName
-    location: hubBastion[index].outputs.location
-    name: hubBastion[index].outputs.name
-    resourceId: hubBastion[index].outputs.resourceId
-  }
+  for (hub, index) in items(hubVirtualNetworks ?? {}): (hub.value.enableBastion)
+    ? {
+        resourceGroupName: hubBastion[index].outputs.resourceGroupName
+        location: hubBastion[index].outputs.location
+        name: hubBastion[index].outputs.name
+        resourceId: hubBastion[index].outputs.resourceId
+      }
+    : {}
 ]
 
 @description('Array of hub Azure Firewall resources.')
 output hubAzureFirewalls object[] = [
-  for (hub, index) in items(hubVirtualNetworks ?? {}): {
-    resourceGroupName: hubAzureFirewall[index].outputs.resourceGroupName
-    location: hubAzureFirewall[index].outputs.location
-    name: hubAzureFirewall[index].outputs.name
-    resourceId: hubAzureFirewall[index].outputs.resourceId
-  }
+  for (hub, index) in items(hubVirtualNetworks ?? {}): (hub.value.enableAzureFirewall)
+    ? {
+        resourceGroupName: hubAzureFirewall[index].outputs.resourceGroupName
+        location: hubAzureFirewall[index].outputs.location
+        name: hubAzureFirewall[index].outputs.name
+        resourceId: hubAzureFirewall[index].outputs.resourceId
+      }
+    : {}
 ]
 
 @description('The subnets of the hub virtual network.')

diff --git a/avm/ptn/network/hub-networking/main.json b/avm/ptn/network/hub-networking/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.29.47.4906",
-      "templateHash": "9188161100861636713"
+      "version": "0.30.3.12046",
+      "templateHash": "8969613921663763778"
     },
     "name": "Hub Networking",
     "description": "This module is designed to simplify the creation of multi-region hub networks in Azure. It will create a number of virtual networks and subnets, and optionally peer them together in a mesh topology with routing.",
@@ -2315,8 +2315,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "15958982442955537466"
+              "version": "0.30.3.12046",
+              "templateHash": "5568850224456572684"
             },
             "name": "Virtual Networks",
             "description": "This module deploys a Virtual Network.",
@@ -6436,8 +6436,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "13190798974838698070"
+              "version": "0.30.3.12046",
+              "templateHash": "16563975082451649304"
             },
             "name": "Existing Virtual Network Subnets",
             "description": "This module retrieves an existing Virtual Network Subnet.",
@@ -6519,8 +6519,8 @@
           "metadata": {
             "_generator": {
               "name": "bicep",
-              "version": "0.29.47.4906",
-              "templateHash": "11735652948112662202"
+              "version": "0.30.3.12046",
+              "templateHash": "10294962787410461549"
             },
             "name": "Virtual Network Subnets",
             "description": "This module deploys a Virtual Network Subnet.",
@@ -6859,12 +6859,7 @@
       },
       "copy": {
         "count": "[length(items(coalesce(parameters('hubVirtualNetworks'), createObject())))]",
-        "input": {
-          "resourceGroupName": "[reference(format('hubBastion[{0}]', copyIndex())).outputs.resourceGroupName.value]",
-          "location": "[reference(format('hubBastion[{0}]', copyIndex())).outputs.location.value]",
-          "name": "[reference(format('hubBastion[{0}]', copyIndex())).outputs.name.value]",
-          "resourceId": "[reference(format('hubBastion[{0}]', copyIndex())).outputs.resourceId.value]"
-        }
+        "input": "[if(items(coalesce(parameters('hubVirtualNetworks'), createObject()))[copyIndex()].value.enableBastion, createObject('resourceGroupName', reference(format('hubBastion[{0}]', copyIndex())).outputs.resourceGroupName.value, 'location', reference(format('hubBastion[{0}]', copyIndex())).outputs.location.value, 'name', reference(format('hubBastion[{0}]', copyIndex())).outputs.name.value, 'resourceId', reference(format('hubBastion[{0}]', copyIndex())).outputs.resourceId.value), createObject())]"
       }
     },
     "hubAzureFirewalls": {
@@ -6877,12 +6872,7 @@
       },
       "copy": {
         "count": "[length(items(coalesce(parameters('hubVirtualNetworks'), createObject())))]",
-        "input": {
-          "resourceGroupName": "[reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.resourceGroupName.value]",
-          "location": "[reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.location.value]",
-          "name": "[reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.name.value]",
-          "resourceId": "[reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.resourceId.value]"
-        }
+        "input": "[if(items(coalesce(parameters('hubVirtualNetworks'), createObject()))[copyIndex()].value.enableAzureFirewall, createObject('resourceGroupName', reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.resourceGroupName.value, 'location', reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.location.value, 'name', reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.name.value, 'resourceId', reference(format('hubAzureFirewall[{0}]', copyIndex())).outputs.resourceId.value), createObject())]"
       }
     },
     "hubVirtualNetworkSubnets": {