Add support for specifying custom static routes

Some automatic Bicep linting
Azure · Dec 18, 2024 · f5ee7ed · f5ee7ed
1 parent aa6bf84
commit f5ee7ed
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 32 deletions.
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
@@ -27,10 +27,10 @@ param deploymentEnvironment string = 'Dev'
 param diskEncryptionKeyExpirationInDays int = 60
 
 @sys.description('Required. Location where to deploy compute services.')
-param avdSessionHostLocation string 
+param avdSessionHostLocation string
 
 @sys.description('Required. Location where to deploy AVD management plane.')
-param avdManagementPlaneLocation string 
+param avdManagementPlaneLocation string
 
 @sys.description('AVD workload subscription ID, multiple subscriptions scenario. (Default: "")')
 param avdWorkloadSubsId string = ''
@@ -107,7 +107,7 @@ param hostPoolPublicNetworkAccess string = 'Enabled'
 ])
 @sys.description('Default to Enabled. Enables or Disables public network access on the workspace.')
 param workspacePublicNetworkAccess string = 'Enabled'
-  
+
 @allowed([
   'Automatic'
   'Direct'
@@ -511,6 +511,9 @@ param enableKvPurgeProtection bool = true
 @sys.description('Deploys anti malware extension on session hosts. (Default: true)')
 param deployAntiMalwareExt bool = true
 
+@sys.description('Additional customer-provided static routes to be added to the route tables.')
+param customStaticRoutes array = []
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -1093,7 +1096,9 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre
     createVnet: createAvdVnet
     deployAsg: (avdDeploySessionHosts || createAvdFslogixDeployment || varCreateMsixDeployment) ? true : false
     existingAvdSubnetResourceId: existingVnetAvdSubnetResourceId
-    createPrivateDnsZones: (deployPrivateEndpointKeyvaultStorage || deployAvdPrivateLinkService) ? createPrivateDnsZones : false
+    createPrivateDnsZones: (deployPrivateEndpointKeyvaultStorage || deployAvdPrivateLinkService)
+      ? createPrivateDnsZones
+      : false
     applicationSecurityGroupName: varApplicationSecurityGroupName
     computeObjectsRgName: varComputeObjectsRgName
     networkObjectsRgName: varNetworkObjectsRgName
@@ -1125,6 +1130,7 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre
           ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId
           : alaExistingWorkspaceResourceId)
       : ''
+    customStaticRoutes: customStaticRoutes
   }
   dependsOn: [
     baselineNetworkResourceGroup
@@ -1152,7 +1158,9 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
     preferredAppGroupType: (hostPoolPreferredAppGroupType == 'RemoteApp') ? 'RailApplications' : 'Desktop'
     deployScalingPlan: varDeployScalingPlan
     scalingPlanExclusionTag: varScalingPlanExclusionTag
-    scalingPlanSchedules: (avdHostPoolType == 'Pooled') ? varPooledScalingPlanSchedules : varPersonalScalingPlanSchedules
+    scalingPlanSchedules: (avdHostPoolType == 'Pooled')
+      ? varPooledScalingPlanSchedules
+      : varPersonalScalingPlanSchedules
     scalingPlanName: varScalingPlanName
     hostPoolMaxSessions: hostPoolMaxSessions
     personalAssignType: avdPersonalAssignType
@@ -1172,9 +1180,19 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
     deployAvdPrivateLinkService: deployAvdPrivateLinkService
     hostPoolPublicNetworkAccess: hostPoolPublicNetworkAccess
     workspacePublicNetworkAccess: workspacePublicNetworkAccess
-    privateEndpointSubnetResourceId: createAvdVnet ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}' : existingVnetPrivateEndpointSubnetResourceId
-    avdVnetPrivateDnsZoneDiscoveryResourceId: deployAvdPrivateLinkService ? (createPrivateDnsZones ? networking.outputs.avdDnsDiscoveryZoneResourceId : avdVnetPrivateDnsZoneDiscoveryResourceId) : ''
-    avdVnetPrivateDnsZoneConnectionResourceId: deployAvdPrivateLinkService ? (createPrivateDnsZones ? networking.outputs.avdDnsConnectionZoneResourceId : avdVnetPrivateDnsZoneConnectionResourceId) : ''
+    privateEndpointSubnetResourceId: createAvdVnet
+      ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}'
+      : existingVnetPrivateEndpointSubnetResourceId
+    avdVnetPrivateDnsZoneDiscoveryResourceId: deployAvdPrivateLinkService
+      ? (createPrivateDnsZones
+          ? networking.outputs.avdDnsDiscoveryZoneResourceId
+          : avdVnetPrivateDnsZoneDiscoveryResourceId)
+      : ''
+    avdVnetPrivateDnsZoneConnectionResourceId: deployAvdPrivateLinkService
+      ? (createPrivateDnsZones
+          ? networking.outputs.avdDnsConnectionZoneResourceId
+          : avdVnetPrivateDnsZoneConnectionResourceId)
+      : ''
     privateEndpointConnectionName: varPrivateEndPointConnectionName
     privateEndpointDiscoveryName: varPrivateEndPointDiscoveryName
     privateEndpointWorkspaceName: varPrivateEndPointWorkspaceName
@@ -1267,20 +1285,23 @@ module wrklKeyVault '../../avm/1.0.0/res/key-vault/vault/main.bicep' = {
           ipRules: []
         }
       : {}
-    privateEndpoints: deployPrivateEndpointKeyvaultStorage? [
+    privateEndpoints: deployPrivateEndpointKeyvaultStorage
+      ? [
           {
             name: varWrklKvPrivateEndpointName
             subnetResourceId: createAvdVnet
               ? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}'
               : existingVnetPrivateEndpointSubnetResourceId
             customNetworkInterfaceName: 'nic-01-${varWrklKvPrivateEndpointName}'
             service: 'vault'
-            privateDnsZoneGroupName: createPrivateDnsZones ? split(networking.outputs.keyVaultDnsZoneResourceId, '/')[8] : split(avdVnetPrivateDnsZoneKeyvaultId, '/')[8]
+            privateDnsZoneGroupName: createPrivateDnsZones
+              ? split(networking.outputs.keyVaultDnsZoneResourceId, '/')[8]
+              : split(avdVnetPrivateDnsZoneKeyvaultId, '/')[8]
             privateDnsZoneResourceIds: [
-                createPrivateDnsZones ? networking.outputs.keyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId
+              createPrivateDnsZones ? networking.outputs.keyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId
             ]
           }
-      ]
+        ]
       : []
     secrets: (avdIdentityServiceProvider != 'EntraID')
       ? [
@@ -1483,7 +1504,7 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (va
 }
 
 // VMSS Flex
-module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' =  if (avdDeploySessionHosts && deployVmssFlex) {
+module vmScaleSetFlex './modules/avdSessionHosts/.bicep/vmScaleSet.bicep' = if (avdDeploySessionHosts && deployVmssFlex) {
   name: 'AVD-VMSS-Flex-${time}'
   scope: resourceGroup('${avdWorkloadSubsId}', '${varComputeObjectsRgName}')
   params: {

diff --git a/workload/bicep/modules/networking/deploy.bicep b/workload/bicep/modules/networking/deploy.bicep
@@ -103,6 +103,9 @@ param alaWorkspaceResourceId string
 @sys.description('Do not modify, used to set unique value for resource deployment')
 param time string = utcNow()
 
+@sys.description('Additional customer-provided static routes to be added to the route tables.')
+param customStaticRoutes array = []
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -118,7 +121,7 @@ var varDiagnosticSettings = !empty(alaWorkspaceResourceId)
   ? [
       {
         workspaceResourceId: alaWorkspaceResourceId
-        logCategoriesAndGroups: [] 
+        logCategoriesAndGroups: []
       }
     ]
   : []
@@ -153,7 +156,7 @@ var varWindowsActivationKMSPrefixesNsg = (varAzureCloudName == 'AzureCloud')
             ]
           : []
 // https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/custom-routes-enable-kms-activation#solution
-var varStaticRoutes = (varAzureCloudName == 'AzureCloud')
+var varDefaultStaticRoutes = (varAzureCloudName == 'AzureCloud')
   ? [
       {
         name: 'AVDServiceTraffic'
@@ -283,6 +286,9 @@ var varStaticRoutes = (varAzureCloudName == 'AzureCloud')
               }
             ]
           : []
+
+var staticRoutes = union(varDefaultStaticRoutes, customStaticRoutes)
+
 var privateDnsZoneNames = {
   AutomationAgentService: 'privatelink.agentsvc.azure-automation.${privateDnsZoneSuffixes_AzureAutomation[environment().name]}'
   Automation: 'privatelink.azure-automation.${privateDnsZoneSuffixes_AzureAutomation[environment().name]}'
@@ -490,7 +496,7 @@ module routeTableAvd '../../../../avm/1.0.0/res/network/route-table/main.bicep'
     name: avdRouteTableName
     location: location
     tags: tags
-    routes: varCreateAvdStaicRoute ? varStaticRoutes : []
+    routes: varCreateAvdStaicRoute ? staticRoutes : []
   }
   dependsOn: []
 }
@@ -619,24 +625,24 @@ module privateDnsZoneKeyVault '../../../../avm/1.0.0/res/network/private-dns-zon
 
 // Private DNS zones AVD
 module privateDnsZoneAVDConnection '../../../../avm/1.0.0/res/network/private-dns-zone/main.bicep' = if (createPrivateDnsZones && deployAvdPrivateLinkService) {
-    scope: resourceGroup('${workloadSubsId}', '${networkObjectsRgName}')
-    name: 'Private-DNS-AVD-Connection-${time}'
-    params: {
-        name: privateDnsZoneNames.AVDFeedConnections
-        virtualNetworkLinks: varVirtualNetworkLinks
-        tags: tags
-    }
+  scope: resourceGroup('${workloadSubsId}', '${networkObjectsRgName}')
+  name: 'Private-DNS-AVD-Connection-${time}'
+  params: {
+    name: privateDnsZoneNames.AVDFeedConnections
+    virtualNetworkLinks: varVirtualNetworkLinks
+    tags: tags
+  }
 }
 
 // Private DNS zones AVD Discovery
 module privateDnsZoneAVDDiscovery '../../../../avm/1.0.0/res/network/private-dns-zone/main.bicep' = if (createPrivateDnsZones && deployAvdPrivateLinkService) {
-    scope: resourceGroup('${workloadSubsId}', '${networkObjectsRgName}')
-    name: 'Private-DNS-AVD-Discovery-${time}'
-    params: {
-        name: privateDnsZoneNames.AVDDiscovery
-        virtualNetworkLinks: varVirtualNetworkLinks
-        tags: tags
-    }
+  scope: resourceGroup('${workloadSubsId}', '${networkObjectsRgName}')
+  name: 'Private-DNS-AVD-Discovery-${time}'
+  params: {
+    name: privateDnsZoneNames.AVDDiscovery
+    virtualNetworkLinks: varVirtualNetworkLinks
+    tags: tags
+  }
 }
 // =========== //
 // Outputs //
@@ -645,5 +651,9 @@ output applicationSecurityGroupResourceId string = deployAsg ? applicationSecuri
 output virtualNetworkResourceId string = createVnet ? virtualNetwork.outputs.resourceId : ''
 output azureFilesDnsZoneResourceId string = createPrivateDnsZones ? privateDnsZoneAzureFiles.outputs.resourceId : ''
 output keyVaultDnsZoneResourceId string = createPrivateDnsZones ? privateDnsZoneKeyVault.outputs.resourceId : ''
-output avdDnsConnectionZoneResourceId string = (createPrivateDnsZones && deployAvdPrivateLinkService) ? privateDnsZoneAVDConnection.outputs.resourceId : ''
-output avdDnsDiscoveryZoneResourceId string = (createPrivateDnsZones && deployAvdPrivateLinkService) ? privateDnsZoneAVDDiscovery.outputs.resourceId : ''
+output avdDnsConnectionZoneResourceId string = (createPrivateDnsZones && deployAvdPrivateLinkService)
+  ? privateDnsZoneAVDConnection.outputs.resourceId
+  : ''
+output avdDnsDiscoveryZoneResourceId string = (createPrivateDnsZones && deployAvdPrivateLinkService)
+  ? privateDnsZoneAVDDiscovery.outputs.resourceId
+  : ''