baoduy
diff --git a/‎src/aks/ContainerRegistry.ts‎
Lines changed: 6 additions & 1 deletion b/‎src/aks/ContainerRegistry.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎src/apim/Apim.ts‎
Lines changed: 12 additions & 6 deletions b/‎src/apim/Apim.ts‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎src/apim/helpers.ts‎
Lines changed: 1 addition & 1 deletion b/‎src/apim/helpers.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/app/SignalR.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/app/SignalR.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/base/BaseResourceComponent.ts‎
Lines changed: 32 additions & 18 deletions b/‎src/base/BaseResourceComponent.ts‎
Lines changed: 32 additions & 18 deletions
diff --git a/‎src/common/ResourceLocker.ts‎
Lines changed: 0 additions & 24 deletions b/‎src/common/ResourceLocker.ts‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎src/common/RsGroup.ts‎
Lines changed: 0 additions & 3 deletions b/‎src/common/RsGroup.ts‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎src/database/AzSql.ts‎
Lines changed: 5 additions & 7 deletions b/‎src/database/AzSql.ts‎
Lines changed: 5 additions & 7 deletions
diff --git a/‎src/database/MySql.ts‎
Lines changed: 2 additions & 7 deletions b/‎src/database/MySql.ts‎
Lines changed: 2 additions & 7 deletions
diff --git a/‎src/database/Postgres.ts‎
Lines changed: 2 additions & 6 deletions b/‎src/database/Postgres.ts‎
Lines changed: 2 additions & 6 deletions
@@ -106,7 +106,12 @@ export class ContainerRegistry extends BaseResourceComponent<ContainerRegistryAr
               }
             : undefined,
 
-        publicNetworkAccess: network?.publicNetworkAccess ? 'Enabled' : network?.privateLink ? 'Disabled' : 'Enabled',
+        publicNetworkAccess: network?.publicNetworkAccess
+          ? registry.PublicNetworkAccess.Enabled
+          : network?.privateLink
+            ? registry.PublicNetworkAccess.Disabled
+            : registry.PublicNetworkAccess.Enabled,
+
         networkRuleBypassOptions: network?.bypass,
 
         networkRuleSet:
 
@@ -13,10 +13,7 @@ import { PrivateEndpoint } from '../vnet';
 import { vaultHelpers } from '../vault';
 
 export type ApimCertType = certHelpers.CertType | certHelpers.VaultCertType | certHelpers.CertFile;
-export type ApimProductType = Omit<
-  ApimProductArgs,
-  'rsGroup' | 'serviceName' | 'groupRoles' | 'enableDiagnostic'
-> &
+export type ApimProductType = Omit<ApimProductArgs, 'rsGroup' | 'serviceName' | 'groupRoles' | 'enableDiagnostic'> &
   Required<types.WithName>;
 
 export interface ApimArgs
@@ -181,7 +178,12 @@ export class Apim extends BaseResourceComponent<ApimArgs> {
         //Only support when linking to a virtual network
         //publicIpAddressId: this._apimVnet ? this._ipAddressInstances[this.commonProps.name]?.id : undefined,
         //natGatewayState: this._apimVnet?.enableGateway ? 'Enabled' : 'Disabled',
-        publicNetworkAccess: network?.publicNetworkAccess ? 'Enabled' : network?.privateLink ? 'Disabled' : 'Enabled',
+        publicNetworkAccess: network?.publicNetworkAccess
+          ? apim.PublicNetworkAccess.Enabled
+          : network?.privateLink
+            ? apim.PublicNetworkAccess.Disabled
+            : apim.PublicNetworkAccess.Enabled,
+
         //NATGateway
         virtualNetworkType: 'None',
         virtualNetworkConfiguration: network?.vnetRules
@@ -190,7 +192,11 @@ export class Apim extends BaseResourceComponent<ApimArgs> {
             }
           : undefined,
 
-        zones: sku.name == 'Basic' || sku.name == 'Consumption' ? undefined : zoneHelper.getDefaultZones(zones),
+        zones:
+          sku.name == apim.SkuType.Basic || sku.name == apim.SkuType.Consumption
+            ? undefined
+            : zoneHelper.getDefaultZones(zones),
+
         //Only available for Premium
         additionalLocations:
           sku.name === 'Premium'
 
@@ -14,7 +14,7 @@ export const createProxyApi = ({
     ...props,
     //Dummy serviceUrl for proxy api this will be overwritten by api management during runtime
     serviceUrl: `https://${props.name}-hook-delivery.local`,
-    operations: [{ name: 'POST', method: 'POST', urlTemplate: '/' }],
+    operations: [{ name: 'POST', method: 'POST', urlTemplate: '/', responses: [{ statusCode: 200 }] }],
     subscriptionRequired: Boolean(subscriptionKeyParameterNames),
     subscriptionKeyParameterNames,
     policyBuilder: (p: ApimPolicyBuilder) =>
 
@@ -57,7 +57,9 @@ export class SignalR extends BaseResourceComponent<SignalRArgs> {
         ...props,
         ...rsGroup,
         sku,
+
         publicNetworkAccess: network?.publicNetworkAccess ? 'Enabled' : network?.privateLink ? 'Disabled' : 'Enabled',
+
         networkACLs: isFreeTier
           ? undefined
           : network?.privateLink
 
@@ -4,14 +4,14 @@ import * as types from '../types';
 
 import { RandomPassword, RandomPasswordArgs } from '../common/RandomPassword';
 import { RandomString, RandomStringArgs } from '../common/RandomString';
-import { VaultSecretResult, VaultSecrets } from '../vault/VaultSecrets';
+import { VaultSecrets } from '../vault/VaultSecrets';
 
 import { BaseComponent } from './BaseComponent';
 import { EncryptionKey } from '../vault/EncryptionKey';
-import { ResourceLocker } from '../common/ResourceLocker';
 import { RoleAssignment } from '../azAd/RoleAssignment';
 import { SecretItemArgs } from '../vault/VaultSecret';
 import { getComponentResourceType } from './helpers';
+import * as authorization from '@pulumi/azure-native/authorization';
 
 /**
  * Base interface for resource component arguments that combines vault information
@@ -48,7 +48,7 @@ export interface CommonBaseArgs
  * @template TArgs - Type parameter extending BaseArgs to define required component arguments
  */
 export abstract class BaseResourceComponent<TArgs extends BaseArgs> extends BaseComponent<TArgs> {
-  public vaultSecrets?: { [key: string]: VaultSecretResult };
+  public vaultSecrets?: pulumi.Output<string>[];
   private _secrets: { [key: string]: pulumi.Input<string> } = {};
   private _vaultSecretsCreated: boolean = false;
 
@@ -220,22 +220,27 @@ export abstract class BaseResourceComponent<TArgs extends BaseArgs> extends Base
     return new RandomString(props.name ?? this.name, props, { parent: this });
   }
 
-  protected lockFromDeleting(resource: pulumi.CustomResource) {
-    return new ResourceLocker(
-      `${this.name}-lock`,
-      {
-        resource,
-        level: 'CanNotDelete',
-      },
-      { dependsOn: resource, parent: this },
-    );
+  private lockFromDeleting() {
+    const { protect } = this.opts ?? { protect: false };
+    if (!protect) return undefined;
+
+    pulumi.output(this.getOutputs()).apply((o) => {
+      const id = o?.id;
+      if (!id) return undefined;
+
+      new authorization.ManagementLockByScope(
+        `${this.name}-lock`,
+        {
+          level: 'CanNotDelete',
+          scope: id,
+          notes: `Lock ${this.name} from DELETE`,
+        },
+        { dependsOn: this, parent: this, retainOnDelete: true },
+      );
+    });
   }
 
-  /**
-   * Internal method to handle post-creation secret management
-   * Creates vault secrets if any secrets were added during component creation
-   */
-  private postCreated() {
+  private createVaultSecrets() {
     const { vaultInfo } = this.args;
     if (this._vaultSecretsCreated || Object.keys(this._secrets).length <= 0 || !vaultInfo) return;
 
@@ -259,6 +264,15 @@ export abstract class BaseResourceComponent<TArgs extends BaseArgs> extends Base
       { dependsOn: this.opts?.dependsOn, parent: this },
     );
 
-    this.vaultSecrets = rs.results;
+    this.vaultSecrets = Object.keys(rs.results).map((k) => pulumi.output(k));
+  }
+
+  /**
+   * Internal method to handle post-creation secret management
+   * Creates vault secrets if any secrets were added during component creation
+   */
+  private postCreated() {
+    this.createVaultSecrets();
+    this.lockFromDeleting();
   }
 }
@@ -7,7 +7,6 @@ import * as types from '../types';
 export interface RsGroupArgs extends BaseArgs, Omit<resources.ResourceGroupArgs, 'managedBy' | 'location'> {
   /** if the role definition is not provided the readonly role will be added to this group by default  */
   roleAssignments?: RsRoleDefinitionType[];
-  lock?: boolean;
 }
 
 export class RsGroup extends BaseResourceComponent<RsGroupArgs> {
@@ -28,8 +27,6 @@ export class RsGroup extends BaseResourceComponent<RsGroupArgs> {
     this.id = group.id;
 
     this.createRoleAssignment();
-    if (args.lock) this.lockFromDeleting(group);
-
     this.registerOutputs();
   }
 
 
@@ -84,7 +84,6 @@ export interface AzSqlArgs
     alertEmails: pulumi.Input<string[]>;
     retentionDays?: number;
   };
-  lock?: boolean;
   databases?: Record<string, AzSqlDbType>;
 }
 
@@ -101,7 +100,6 @@ export class AzSql extends BaseResourceComponent<AzSqlArgs> {
     this.createVulnerabilityAssessment(server);
     this.createNetwork(server);
     this.createDatabases(server, password, elastic);
-    if (args.lock) this.lockFromDeleting(server);
 
     this.id = server.id;
     this.resourceName = server.name;
@@ -141,7 +139,6 @@ export class AzSql extends BaseResourceComponent<AzSqlArgs> {
       defaultUAssignedId,
       administrators,
       network,
-      lock,
       administratorLogin,
       ...props
     } = this.args;
@@ -187,13 +184,14 @@ export class AzSql extends BaseResourceComponent<AzSqlArgs> {
             }
           : undefined,
 
-        publicNetworkAccess: network?.privateLink
-          ? sql.ServerNetworkAccessFlag.Disabled
-          : sql.ServerNetworkAccessFlag.Enabled,
+        publicNetworkAccess: network?.publicNetworkAccess
+          ? sql.ServerNetworkAccessFlag.Enabled
+          : network?.privateLink
+            ? sql.ServerNetworkAccessFlag.Disabled
+            : sql.ServerNetworkAccessFlag.Enabled,
       },
       {
         ...this.opts,
-        protect: lock ?? this.opts?.protect,
         parent: this,
       },
     );
 
@@ -31,7 +31,6 @@ export interface MySqlArgs
   };
   enableAzureADAdmin: boolean;
   databases?: Array<{ name: string }>;
-  lock?: boolean;
 }
 
 export class MySql extends BaseResourceComponent<MySqlArgs> {
@@ -47,8 +46,6 @@ export class MySql extends BaseResourceComponent<MySqlArgs> {
     this.enableADAdmin(server, uAssignedId);
     this.createDatabases(server, credentials);
 
-    if (args.lock) this.lockFromDeleting(server);
-
     this.id = server.id;
     this.resourceName = server.name;
 
@@ -64,7 +61,7 @@ export class MySql extends BaseResourceComponent<MySqlArgs> {
   }
 
   private createMySql(uid: types.UserAssignedIdentityInputs) {
-    const { rsGroup, enableResourceIdentity, enableEncryption, administratorLogin, lock } = this.args;
+    const { rsGroup, enableResourceIdentity, enableEncryption, administratorLogin, network } = this.args;
 
     const adminLogin = administratorLogin ?? pulumi.interpolate`${this.name}-admin-${this.createRandomString().value}`;
     const password = this.createPassword();
@@ -121,13 +118,11 @@ export class MySql extends BaseResourceComponent<MySqlArgs> {
         availabilityZone: (this.args.availabilityZone ?? azureEnv.isPrd) ? '3' : '1',
 
         network: {
-          publicNetworkAccess:
-            (this.args.network?.publicNetworkAccess ?? this.args.network?.privateLink) ? 'Disabled' : 'Enabled',
+          publicNetworkAccess: network?.publicNetworkAccess ? 'Enabled' : network?.privateLink ? 'Disabled' : 'Enabled',
         },
       },
       {
         ...this.opts,
-        protect: lock ?? this.opts?.protect,
         parent: this,
       },
     );
 
@@ -30,7 +30,6 @@ export interface PostgresArgs
   enableAzureADAdmin: boolean;
   enablePasswordAuth?: boolean;
   databases?: Array<{ name: string }>;
-  lock?: boolean;
 }
 
 export class Postgres extends BaseResourceComponent<PostgresArgs> {
@@ -43,7 +42,6 @@ export class Postgres extends BaseResourceComponent<PostgresArgs> {
     const { server, credentials } = this.createPostgres();
     this.createNetwork(server);
     this.createDatabases(server, credentials);
-    if (args.lock) this.lockFromDeleting(server);
 
     this.id = server.id;
     this.resourceName = server.name;
@@ -67,7 +65,7 @@ export class Postgres extends BaseResourceComponent<PostgresArgs> {
       administratorLogin,
       enableAzureADAdmin,
       enablePasswordAuth,
-      lock,
+      network,
     } = this.args;
 
     const adminLogin = administratorLogin ?? pulumi.interpolate`${this.name}-admin-${this.createRandomString().value}`;
@@ -130,13 +128,11 @@ export class Postgres extends BaseResourceComponent<PostgresArgs> {
         availabilityZone: (this.args.availabilityZone ?? azureEnv.isPrd) ? '3' : '1',
 
         network: {
-          publicNetworkAccess:
-            (this.args.network?.publicNetworkAccess ?? this.args.network?.privateLink) ? 'Disabled' : 'Enabled',
+          publicNetworkAccess: network?.publicNetworkAccess ? 'Enabled' : network?.privateLink ? 'Disabled' : 'Enabled',
         },
       },
       {
         ...this.opts,
-        protect: lock ?? this.opts?.protect,
         parent: this,
       },
     );
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,6 @@ import * as types from '../types';`
`7`	`7`	`export interface RsGroupArgs extends BaseArgs, Omit<resources.ResourceGroupArgs, 'managedBy' \| 'location'> {`
`8`	`8`	`/** if the role definition is not provided the readonly role will be added to this group by default */`
`9`	`9`	`roleAssignments?: RsRoleDefinitionType[];`
`10`		`- lock?: boolean;`
`11`	`10`	`}`
`12`	`11`
`13`	`12`	`export class RsGroup extends BaseResourceComponent<RsGroupArgs> {`
`@@ -28,8 +27,6 @@ export class RsGroup extends BaseResourceComponent<RsGroupArgs> {`
`28`	`27`	`this.id = group.id;`
`29`	`28`
`30`	`29`	`this.createRoleAssignment();`
`31`		`- if (args.lock) this.lockFromDeleting(group);`
`32`		`-`
`33`	`30`	`this.registerOutputs();`
`34`	`31`	`}`
`35`	`32`