refactor and improve PrivateEndpointConnectionApproval handling

Author: erwinkramer

Diff for: lib/network.bicep

@@ -68,6 +68,13 @@ Private Endpoint connection names from own and other tenants with either manual
 @export()
 var privateEndpointConnectionNames = _networkVar.privateEndpointConnectionNames
 
+@description('''
+Lookup array to check if the connection is still pending. 
+Some private endpoint connections do not like to be approved twice. This depends on the parent resource type.
+''')
+@export()
+var privateEndpointConnectionNamesPendingLookup = _networkVar.privateEndpointConnectionNamesPendingLookup
+
 /* ----------------------------------------
 
       😎 Bicep# - Public types 😎
@@ -183,9 +190,9 @@ func buildPrivateEndpoint(targetResourceName string, targetResourceId string, gr
 Build a private endpoint connection approval.
 ''')
 @export()
-func buildBuildPrivateEndpointConnectionApproval(connectionName string, additionalInfo string) _resourceType.resourceFormat => {
+func buildPrivateEndpointConnectionApproval(connectionName string, additionalInfo string) _resourceType.resourceFormat => {
   name: connectionName
-  properties: _networkFunction.buildBuildPrivateEndpointConnectionApprovalProperties(connectionName, additionalInfo)
+  properties: _networkFunction.buildPrivateEndpointConnectionApprovalProperties(connectionName, additionalInfo)
 }
 
 @description('''

Diff for: lib/private/functions/network.bicep

@@ -90,13 +90,12 @@ func buildNsgRuleProperties(
 
 @description('''
 Build Private Endpoint Connection Approval properties
-
-Because the approval properties are the same for each resource, we can just pick one resource and get the privateEndpointConnectionProperties for that.
 ''')
 @export()
-func buildBuildPrivateEndpointConnectionApprovalProperties(connectionName string, additionalInfo string) _networkType.privateEndpointConnectionProperties => {
+func buildPrivateEndpointConnectionApprovalProperties(connectionName string, additionalInfo string) _networkType.privateEndpointConnectionApprovalProperties => {
   privateLinkServiceConnectionState: {
     status: 'Approved'
     description: 'Approved by pipeline. For Resource ${split(connectionName, '.')[0]}. Additional info: ${additionalInfo}.'
+    actionRequired: 'None'
   }
 }

Diff for: lib/private/types/network.bicep

@@ -36,7 +36,13 @@ type subnet = resource<'Microsoft.Network/virtualNetworks@2023-09-01'>.propertie
 type vnetProperties = resource<'Microsoft.Network/virtualNetworks@2023-09-01'>.properties
 
 @export()
-type privateEndpointConnectionProperties = resource<'Microsoft.Network/applicationGateways/privateEndpointConnections@2023-09-01'>.properties
+type privateEndpointConnectionApprovalProperties = {
+  privateLinkServiceConnectionState: {
+    status: string
+    description: string
+    actionRequired: string
+  }
+}
 
 @export()
 type serviceTagRegional =

Diff for: lib/private/variables/generated/peConnectionsAutoAppr.json renamed to lib/private/variables/generated/peConApproved.json

@@ -2,5 +2,8 @@
   "peSthellosharpdev001Blob": "sthellosharpdev001.af5357a5-c192-4999-83a7-2ab87e0f2a36",
   "peSthellosharpdev001Dfs": "sthellosharpdev001.22c40a51-bd4e-4895-8687-b749ce63c434",
   "peSthellosharpdev001Queue": "sthellosharpdev001.c6cfcd4c-26b2-455d-b7c5-c2875e26d352",
+  "synGuanchen_MpeMountainArchive001": "sthellosharpdev001.b688df18-92cf-4608-b83f-a202c14d20f2",
+  "synGuanchen_MpeMountainArchive002": "sthellosharpdev001.4267eaf9-71fd-4dd5-8908-bf5e47908ec8",
+  "synGuanchen_MpeMountainArchive003": "sthellosharpdev001.05a5c9b5-e15a-4922-9fc3-029811e0e1a1",
   "synGuanchen_SynapseWsSqlSynGuanchen": "syn-guanchen.synapse-ws-sql--syn-guanchen-b177bad0-434d-4a3f-a1b4-75697f90cfaf"
 }

Diff for: lib/private/variables/generated/peConPending.json

@@ -0,0 +1 @@
+{}

Diff for: lib/private/variables/generated/peConPendingLookup.json

@@ -0,0 +1 @@
+[]

Diff for: lib/private/variables/generated/peConnectionsManual.json

@@ -142,75 +142,69 @@ var nsgRuleServiceTagsInboundAndOutbound = {
 var nsgRuleServiceTagsRegional = loadJsonContent('./generated/serviceTagsRegional.json')
 
 @export()
-var nsgRuleServiceTagsInbound = union(
-  nsgRuleServiceTagsInboundAndOutbound,
-  {
-    dataConnectorsForMicrosoftScurityProducts: 'Scuba'
-    azureVPNGatewayAndApplicationGateway: 'GatewayManager'
-    actionGroup: 'ActionGroup'
-    apiManagement: 'ApiManagement'
-    applicationInsightsAvailability: 'ApplicationInsightsAvailability'
-    azureAISearch: 'AzureCognitiveSearch'
-    azureDataExplorerManagement: 'AzureDataExplorerManagement'
-    azureDevOps: 'AzureDevOps'
-    azureDigitalTwins: 'AzureDigitalTwins'
-    azureLoadTestingInstanceManagement: 'AzureLoadTestingInstanceManagement'
-    azureMachineLearningInference: 'AzureMachineLearningInference'
-    microsoftSentinel: 'AzureSentinel'
-    azureTrafficManager: 'AzureTrafficManager'
-    azureHDInsight: 'HDInsight'
-    logicAppsManagement: 'LogicAppsManagement'
-    office365ManagementActivityAPIWebhook: 'M365ManagementActivityApiWebhook'
-    powerPlatformextensionExecution: 'PowerPlatformPlex'
-    serialConsoleService: 'SerialConsole'
-  }
-)
+var nsgRuleServiceTagsInbound = union(nsgRuleServiceTagsInboundAndOutbound, {
+  dataConnectorsForMicrosoftScurityProducts: 'Scuba'
+  azureVPNGatewayAndApplicationGateway: 'GatewayManager'
+  actionGroup: 'ActionGroup'
+  apiManagement: 'ApiManagement'
+  applicationInsightsAvailability: 'ApplicationInsightsAvailability'
+  azureAISearch: 'AzureCognitiveSearch'
+  azureDataExplorerManagement: 'AzureDataExplorerManagement'
+  azureDevOps: 'AzureDevOps'
+  azureDigitalTwins: 'AzureDigitalTwins'
+  azureLoadTestingInstanceManagement: 'AzureLoadTestingInstanceManagement'
+  azureMachineLearningInference: 'AzureMachineLearningInference'
+  microsoftSentinel: 'AzureSentinel'
+  azureTrafficManager: 'AzureTrafficManager'
+  azureHDInsight: 'HDInsight'
+  logicAppsManagement: 'LogicAppsManagement'
+  office365ManagementActivityAPIWebhook: 'M365ManagementActivityApiWebhook'
+  powerPlatformextensionExecution: 'PowerPlatformPlex'
+  serialConsoleService: 'SerialConsole'
+})
 
 @export()
-var nsgRuleServiceTagsOutbound = union(
-  nsgRuleServiceTagsInboundAndOutbound,
-  {
-    appConfiguration: 'AppConfiguration'
-    azureAppService: 'AppService'
-    microsoftEntraID: 'AzureActiveDirectory'
-    azureAdvancedThreatProtection: 'AzureAdvancedThreatProtection'
-    azureArcInfrastructure: 'AzureArcInfrastructure'
-    azureAttestation: 'AzureAttestation'
-    azureBackup: 'AzureBackup'
-    azureContainerRegistry: 'AzureContainerRegistry'
-    azureCosmosDB: 'AzureCosmosDB'
-    azureDataLakeStorageGen1: 'AzureDataLake'
-    azureDevSpaces: 'AzureDevSpaces'
-    azureInformationProtection: 'AzureInformationProtection'
-    azureIoTHub: 'AzureIoTHub'
-    azureKeyVault: 'AzureKeyVault'
-    azureManagedGrafana: 'AzureManagedGrafana'
-    azureMonitor: 'AzureMonitor'
-    azureOpenDatasets: 'AzureOpenDatasets'
-    azureResourceManager: 'AzureResourceManager'
-    azureSignalR: 'AzureSignalR'
-    azureSiteRecovery: 'AzureSiteRecovery'
-    azureSpringApps: 'AzureSpringCloud'
-    azureStackBridgeServices: 'AzureStack'
-    azureUpdateDelivery: 'AzureUpdateDelivery'
-    azureDataFactoryManagement: 'DataFactoryManagement'
-    azureEventHubs: 'EventHub'
-    azureAutomationAndGuestConfiguration: 'GuestAndHybridManagement'
-    office365ManagementActivityAPI: 'M365ManagementActivityApi'
-    azureMicrosoftFluidRelayServer: 'MicrosoftAzureFluidRelay'
-    microsoftDefenderForCloudApps: 'MicrosoftCloudAppSecurity'
-    microsoftContainerRegistry: 'MicrosoftContainerRegistry'
-    azureServiceBus: 'ServiceBus'
-    azureSql: 'Sql'
-    azureStorage: 'Storage'
-    storageMover: 'StorageMover'
-    windowsAdminCenter: 'WindowsAdminCenter'
-    azurePlatformDNS: 'AzurePlatformDNS'
-    azurePlatformAzureInstanceMetadataServiceIMDS: 'AzurePlatformIMDS'
-    azurePlatformlicensingOrKeyManagementServiceLKM: 'AzurePlatformLKM'
-    microsoftPurviewPolicyDistribution: 'MicrosoftPurviewPolicyDistribution'
-  }
-)
+var nsgRuleServiceTagsOutbound = union(nsgRuleServiceTagsInboundAndOutbound, {
+  appConfiguration: 'AppConfiguration'
+  azureAppService: 'AppService'
+  microsoftEntraID: 'AzureActiveDirectory'
+  azureAdvancedThreatProtection: 'AzureAdvancedThreatProtection'
+  azureArcInfrastructure: 'AzureArcInfrastructure'
+  azureAttestation: 'AzureAttestation'
+  azureBackup: 'AzureBackup'
+  azureContainerRegistry: 'AzureContainerRegistry'
+  azureCosmosDB: 'AzureCosmosDB'
+  azureDataLakeStorageGen1: 'AzureDataLake'
+  azureDevSpaces: 'AzureDevSpaces'
+  azureInformationProtection: 'AzureInformationProtection'
+  azureIoTHub: 'AzureIoTHub'
+  azureKeyVault: 'AzureKeyVault'
+  azureManagedGrafana: 'AzureManagedGrafana'
+  azureMonitor: 'AzureMonitor'
+  azureOpenDatasets: 'AzureOpenDatasets'
+  azureResourceManager: 'AzureResourceManager'
+  azureSignalR: 'AzureSignalR'
+  azureSiteRecovery: 'AzureSiteRecovery'
+  azureSpringApps: 'AzureSpringCloud'
+  azureStackBridgeServices: 'AzureStack'
+  azureUpdateDelivery: 'AzureUpdateDelivery'
+  azureDataFactoryManagement: 'DataFactoryManagement'
+  azureEventHubs: 'EventHub'
+  azureAutomationAndGuestConfiguration: 'GuestAndHybridManagement'
+  office365ManagementActivityAPI: 'M365ManagementActivityApi'
+  azureMicrosoftFluidRelayServer: 'MicrosoftAzureFluidRelay'
+  microsoftDefenderForCloudApps: 'MicrosoftCloudAppSecurity'
+  microsoftContainerRegistry: 'MicrosoftContainerRegistry'
+  azureServiceBus: 'ServiceBus'
+  azureSql: 'Sql'
+  azureStorage: 'Storage'
+  storageMover: 'StorageMover'
+  windowsAdminCenter: 'WindowsAdminCenter'
+  azurePlatformDNS: 'AzurePlatformDNS'
+  azurePlatformAzureInstanceMetadataServiceIMDS: 'AzurePlatformIMDS'
+  azurePlatformlicensingOrKeyManagementServiceLKM: 'AzurePlatformLKM'
+  microsoftPurviewPolicyDistribution: 'MicrosoftPurviewPolicyDistribution'
+})
 
 @export()
 var nsgRuleDestinationServices = {
@@ -251,9 +245,15 @@ var nsgRuleDestinationServices = {
   dynamicPorts: { portRange: '49152-65535', protocol: 'TCP' }
 }
 
-var privateEndpointConnectionNamesAutoApproved = loadJsonContent('./generated/peConnectionsAutoAppr.json')
+var privateEndpointConnectionNamesApproved = loadJsonContent('./generated/peConApproved.json')
 
-var privateEndpointConnectionNamesManual = loadJsonContent('./generated/peConnectionsManual.json')
+var privateEndpointConnectionNamesPending = loadJsonContent('./generated/peConPending.json')
+
+@export()
+var privateEndpointConnectionNames = union(
+  privateEndpointConnectionNamesApproved,
+  privateEndpointConnectionNamesPending
+)
 
 @export()
-var privateEndpointConnectionNames = union(privateEndpointConnectionNamesAutoApproved, privateEndpointConnectionNamesManual)
+var privateEndpointConnectionNamesPendingLookup = loadJsonContent('./generated/peConPendingLookup.json')

Diff for: lib/private/variables/network.bicep

@@ -36,7 +36,9 @@ param groupIds array = [
 ]
 
 param privateEndpointConnectionApprovalNames array = [
-  sharpNetwork.privateEndpointConnectionNames.synGuanchen_MpeMountainArchive
+  sharpNetwork.privateEndpointConnectionNames.synGuanchen_MpeMountainArchive001
+  sharpNetwork.privateEndpointConnectionNames.synGuanchen_MpeMountainArchive002
+  sharpNetwork.privateEndpointConnectionNames.synGuanchen_MpeMountainArchive003
 ]
 
 @description('Id of the subnet to attach the private endpoints to')
@@ -46,7 +48,7 @@ var sharpPrivateEndpoints = [
   for groupId in groupIds: sharpNetwork.buildPrivateEndpoint(sa.name, sa.id, groupId, subnetId)
 ]
 var sharpPrivateEndpointConnectionApprovals = [
-  for privateEndpointConnectionApprovalName in privateEndpointConnectionApprovalNames: sharpNetwork.buildBuildPrivateEndpointConnectionApproval(
+  for privateEndpointConnectionApprovalName in privateEndpointConnectionApprovalNames: sharpNetwork.buildPrivateEndpointConnectionApproval(
     privateEndpointConnectionApprovalName,
     'For [email protected]'
   )
@@ -115,7 +117,10 @@ resource privateEndpoints 'Microsoft.Network/privateEndpoints@2023-09-01' = [
 ]
 
 resource privateEndpointConnectionApprovals 'Microsoft.Storage/storageAccounts/privateEndpointConnections@2023-04-01' = [
-  for sharpPrivateEndpointConnectionApproval in sharpPrivateEndpointConnectionApprovals: {
+  for sharpPrivateEndpointConnectionApproval in sharpPrivateEndpointConnectionApprovals: if (contains(
+    sharpNetwork.privateEndpointConnectionNamesPendingLookup,
+    sharpPrivateEndpointConnectionApproval.name
+  )) {
     parent: sa
     name: sharpPrivateEndpointConnectionApproval.name
     properties: sharpPrivateEndpointConnectionApproval.properties

Diff for: samples/modules/storage-account.bicep

@@ -13,17 +13,18 @@ resources
 | where array_length(properties.privateEndpointConnections) > 0
 | mv-expand properties.privateEndpointConnections
 | extend id2 = properties_privateEndpointConnections.id
-| mv-expand properties_privateEndpointConnections.properties.privateLinkServiceConnectionState.description
+| mv-expand properties_privateEndpointConnections.properties.privateLinkServiceConnectionState.status
 | mv-expand properties_privateEndpointConnections.properties.privateEndpoint.id
-| extend state = properties_privateEndpointConnections_properties_privateLinkServiceConnectionState_description
+| extend state = properties_privateEndpointConnections_properties_privateLinkServiceConnectionState_status
 | extend peName = split(properties_privateEndpointConnections_properties_privateEndpoint_id, '`/')[-1]
 | extend name2 = split(id2, '`/')
 | extend connectionName = name2[-1]
 | project name, connectionName, state, peName
 "@
 
-$connectionNamesAutoApproved = [System.Collections.SortedList]::new()
-$connectionNamesManual = [System.Collections.SortedList]::new()
+$connectionNamesApproved = [System.Collections.SortedList]::new()
+$connectionNamesPending = [System.Collections.SortedList]::new()
+$connectionNamesPendingLookup = [System.Collections.Generic.SortedSet[string]]::new()
 
 foreach ($privateEndpoint in $privateEndpoints) {
 
@@ -32,13 +33,17 @@ foreach ($privateEndpoint in $privateEndpoints) {
     $First, $Rest = $privateEndpoint.peName -Replace '[^0-9A-Z.]', ' ' -Split ' ', 2
     $nameLowerCamelCase = $First.Tolower() + (Get-Culture).TextInfo.ToTitleCase($Rest) -Replace ' ' -Replace '\.', '_'
 
-    if ($privateEndpoint.state -eq "Auto-Approved") {
-        $connectionNamesAutoApproved.Add($nameLowerCamelCase, $privateEndpoint.connectionName )
+    if ($privateEndpoint.state -eq "Approved") {
+        $connectionNamesApproved.Add($nameLowerCamelCase, $privateEndpoint.connectionName )
     }
     else {
-        $connectionNamesManual.Add($nameLowerCamelCase, $privateEndpoint.connectionName )
+        $connectionNamesPending.Add($nameLowerCamelCase, $privateEndpoint.connectionName )
+        $connectionNamesPendingLookup.Add($privateEndpoint.connectionName) | Out-Null
     }
 }
 
-$connectionNamesAutoApproved    | ConvertTo-Json | Out-File "./lib/private/variables/generated/peConnectionsAutoAppr.json"
-$connectionNamesManual          | ConvertTo-Json | Out-File "./lib/private/variables/generated/peConnectionsManual.json"
+$connectionNamesApproved    | ConvertTo-Json | Out-File "./lib/private/variables/generated/peConApproved.json"
+$connectionNamesPending     | ConvertTo-Json | Out-File "./lib/private/variables/generated/peConPending.json"
+
+# Don't use a pipeline operator or else it does not handle empty arrays nicely
+ConvertTo-Json -InputObject $connectionNamesPendingLookup | Out-File "./lib/private/variables/generated/peConPendingLookup.json"