How would you configure your Bicep code for the creation of a storage with advanced threat protection? #1504

rpothin · 2021-02-09T16:06:41Z

rpothin
Feb 9, 2021

Hello,

First, thank you very much for your work on this project.
It is nice to be able to generate ARM templates like that.

I would like to know how you would configure your Bicep code to generate an ARM template that looks like the following one: https://github.com/Azure/azure-quickstart-templates/blob/master/201-storage-advanced-threat-protection-create/azuredeploy.json

I tried to use modules, but I was not able to get it 100% right when generating the ARM template from the Bicep code.

Thank you in advance for your advice.
Raphael

Answered by alex-frankel

Feb 9, 2021

Have you tried using the bicep decompile command? You can also use the decompile capability in the bicep playground:

Here's the code it generated:

param storageAccountName string {
  metadata: {
    description: 'The name must be unique across all existing storage account names in Azure. It must be 3 to 24 characters long, and can contain only lowercase letters and numbers.'
  }
  default: 'atpstorage${uniqueString(resourceGroup().id)}'
}
param location string {
  metadata: {
    description: 'Storage account location, default is same as resource group location.'
  }
  default: resourceGroup().location
}
param storageAccountKind string {
  allowed: [
    'StorageV2'
    'Storage'
  ]
  me…

View full answer

alex-frankel · 2021-02-09T16:51:26Z

alex-frankel
Feb 9, 2021
Maintainer

Have you tried using the bicep decompile command? You can also use the decompile capability in the bicep playground:

Here's the code it generated:

param storageAccountName string {
  metadata: {
    description: 'The name must be unique across all existing storage account names in Azure. It must be 3 to 24 characters long, and can contain only lowercase letters and numbers.'
  }
  default: 'atpstorage${uniqueString(resourceGroup().id)}'
}
param location string {
  metadata: {
    description: 'Storage account location, default is same as resource group location.'
  }
  default: resourceGroup().location
}
param storageAccountKind string {
  allowed: [
    'StorageV2'
    'Storage'
  ]
  metadata: {
    description: 'Storage account type, for more info see \'https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\'.'
  }
  default: 'StorageV2'
}
param storageAccountReplication string {
  allowed: [
    'Standard_LRS'
    'Standard_GRS'
    'Standard_ZRS'
    'Premium_LRS'
  ]
  metadata: {
    description: 'Storage account replication, for more info see \'https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy\'.'
  }
  default: 'Standard_LRS'
}
param advancedThreatProtectionEnabled bool {
  metadata: {
    description: 'Enable or disable Advanced Threat Protection.'
  }
  default: true
}

resource storageAccountName_resource 'Microsoft.Storage/storageAccounts@2018-07-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: storageAccountReplication
  }
  kind: storageAccountKind
  properties: {}
}

resource storageAccountName_Microsoft_Security_current 'Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings@2019-01-01' = if (advancedThreatProtectionEnabled) {
  name: '${storageAccountName}/Microsoft.Security/current'
  properties: {
    isEnabled: true
  }
  dependsOn: [
    storageAccountName_resource
  ]
}

output storageAccountName_output string = storageAccountName

I tweaked it just a bit to get rid of the dependsOn by introducing a symbolic reference to the atp extension resource:

param storageAccountName string {
  metadata: {
    description: 'The name must be unique across all existing storage account names in Azure. It must be 3 to 24 characters long, and can contain only lowercase letters and numbers.'
  }
  default: 'atpstorage${uniqueString(resourceGroup().id)}'
}
param location string {
  metadata: {
    description: 'Storage account location, default is same as resource group location.'
  }
  default: resourceGroup().location
}
param storageAccountKind string {
  allowed: [
    'StorageV2'
    'Storage'
  ]
  metadata: {
    description: 'Storage account type, for more info see \'https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\'.'
  }
  default: 'StorageV2'
}
param storageAccountReplication string {
  allowed: [
    'Standard_LRS'
    'Standard_GRS'
    'Standard_ZRS'
    'Premium_LRS'
  ]
  metadata: {
    description: 'Storage account replication, for more info see \'https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy\'.'
  }
  default: 'Standard_LRS'
}
param advancedThreatProtectionEnabled bool {
  metadata: {
    description: 'Enable or disable Advanced Threat Protection.'
  }
  default: true
}

resource storageAccountName_resource 'Microsoft.Storage/storageAccounts@2018-07-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: storageAccountReplication
  }
  kind: storageAccountKind
  properties: {}
}

resource storageAccountName_Microsoft_Security_current 'Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings@2019-01-01' = if (advancedThreatProtectionEnabled) {
  name: '${storageAccountName_resource.name}/Microsoft.Security/current'
  properties: {
    isEnabled: true
  }
}

output storageAccountName_output string = storageAccountName

3 replies

rpothin Feb 9, 2021
Author

Thank you very much @alex-frankel for this quick and detailed answer.

I have tried to use bicep decompile and I got a similar result. I think my understand of Bicep's concepts was not good enough at that time to understand the result well.

Small complementary question: What do you mean exactly by "I tweaked it just a bit to get rid of the dependsOn by introducing a symbolic reference to the atp extension resource"?
I have tried to compare the 2 code blocks in your answer, but I did not really find the difference...

Thank you again for your help and have a nice day.

alex-frankel Feb 9, 2021
Maintainer

The change I made is to retrieve the name of the storageAccountName_Microsoft_Security_current resource with storageAccountName_resource.name instead of the param storageAccountName. This established an implicit dependency which allowed me to remove the dependsOn property entirely.

This has some more detail on how implicit dependencies work: https://github.com/Azure/bicep/blob/main/docs/spec/resources.md#implicit-dependency

Basically, because I am making an explicit reference to storageAccount_resource in the storageAccountName_Microsoft_Security_current resource, we know there is a dependency there, and it does not need an explicit dependsOn property.

rpothin Feb 9, 2021
Author

Oh yes, I see it now.
This is really a powerful feature (another one 😁) of Bicep.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How would you configure your Bicep code for the creation of a storage with advanced threat protection? #1504

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

How would you configure your Bicep code for the creation of a storage with advanced threat protection? #1504

rpothin Feb 9, 2021

Replies: 1 comment · 3 replies

alex-frankel Feb 9, 2021 Maintainer

rpothin Feb 9, 2021 Author

alex-frankel Feb 9, 2021 Maintainer

rpothin Feb 9, 2021 Author

rpothin
Feb 9, 2021

Replies: 1 comment 3 replies

alex-frankel
Feb 9, 2021
Maintainer

rpothin Feb 9, 2021
Author

alex-frankel Feb 9, 2021
Maintainer

rpothin Feb 9, 2021
Author