diff --git a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep index e10b15264b..b1e58dbfc1 100644 --- a/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep +++ b/modules/Microsoft.Sql/servers/.test/common/deploy.test.bicep @@ -167,5 +167,6 @@ module testDeployment '../../deploy.bicep' = { virtualNetworkSubnetId: nestedDependencies.outputs.serviceEndpointSubnetResourceId } ] + restrictOutboundNetworkAccess: 'Disabled' } } diff --git a/modules/Microsoft.Sql/servers/deploy.bicep b/modules/Microsoft.Sql/servers/deploy.bicep index 7d981250e1..7c41df4718 100644 --- a/modules/Microsoft.Sql/servers/deploy.bicep +++ b/modules/Microsoft.Sql/servers/deploy.bicep @@ -77,6 +77,14 @@ param privateEndpoints array = [] ]) param publicNetworkAccess string = '' +@description('Optional. Whether or not to restrict outbound network access for this server.') +@allowed([ + '' + 'Enabled' + 'Disabled' +]) +param restrictOutboundNetworkAccess string = '' + var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { @@ -121,6 +129,7 @@ resource server 'Microsoft.Sql/servers@2022-05-01-preview' = { minimalTlsVersion: minimalTlsVersion primaryUserAssignedIdentityId: !empty(primaryUserAssignedIdentityId) ? primaryUserAssignedIdentityId : null publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : (!empty(privateEndpoints) && empty(firewallRules) && empty(virtualNetworkRules) ? 'Disabled' : null) + restrictOutboundNetworkAccess: !empty(restrictOutboundNetworkAccess) ? restrictOutboundNetworkAccess : null } } diff --git a/modules/Microsoft.Sql/servers/readme.md b/modules/Microsoft.Sql/servers/readme.md index 754456be30..2cec828333 100644 --- a/modules/Microsoft.Sql/servers/readme.md +++ b/modules/Microsoft.Sql/servers/readme.md @@ -61,6 +61,7 @@ This module deploys a SQL server. | `minimalTlsVersion` | string | `'1.2'` | `[1.0, 1.1, 1.2]` | Minimal TLS version allowed. | | `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. | +| `restrictOutboundNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not to restrict outbound network access for this server. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | | `securityAlertPolicies` | _[securityAlertPolicies](securityAlertPolicies/readme.md)_ array | `[]` | | The security alert policies to create in the server. | | `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | @@ -503,6 +504,7 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { subnetResourceId: '' } ] + restrictOutboundNetworkAccess: 'Disabled' roleAssignments: [ { principalIds: [ @@ -644,6 +646,9 @@ module servers './Microsoft.Sql/servers/deploy.bicep' = { } ] }, + "restrictOutboundNetworkAccess": { + "value": "Disabled" + }, "roleAssignments": { "value": [ {