Bicep Module Documentation

| Property | Value | Description |
|---|---|---|
| general (required) | general | |
| identity | identity | |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
| sharedPrivateLink | sharedPrivateLink[] | Settings for the shared private link for this resource |
| authOptions | authOptions | |
| dataExfiltrationProtections | Array containing any of: 'All' | A list of data exfiltration scenarios that are explicitly disallowed for the search service. Currently, the only supported value is 'All' to disable all possible data export scenarios with more fine grained controls planned for the future. |
| disableLocalAuth | bool | When set to true, calls to the search service will not be permitted to utilize API keys for authentication. This cannot be set to true if dataPlaneAuthOptions are defined. |
| encryptionWithCmk | encryptionWithCmk | |
| hostingMode | 'default' 'highDensity' | Applicable only for the standard3 SKU. You can set this property to enable up to 3 high density partitions that allow up to 1000 indexes, which is much higher than the maximum indexes allowed for any other SKU. For the standard3 SKU, the value is either default or highDensity. For all other SKUs, this value must be default. |
| networkRuleSet (required) | networkRuleset | Network specific rules that determine how the Azure AI Search service may be reached. |
| partitionCount | int | The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For standard3 services with hostingMode set to highDensity, the allowed values are between 1 and 3. |
| publicNetworkAccess | 'disabled' 'enabled' | Allow public access to the search service (default: Enabled) |
| replicaCount | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. |
| semanticSearch | 'disabled' 'free' 'standard' | Sets options that control the availability of semantic search. This configuration is only possible for certain Azure AI Search SKUs in certain locations. |
| sku (required) | sku | The SKU of the search service, which determines price tier and capacity limits. This property is required when creating a new search service. |

| Property | Value | Description |
|---|---|---|
| type | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | The types of identities associated with this resource. (default: none) |
| userAssignedIdentities | string[] | Resource IDs of User Assigned Identities to associate with this resource |

| Property | Value | Description |
|---|---|---|
| naming | naming | Shared private link Naming |
| groupId (required) | string | The group ID from the provider of resource the shared private link resource is for. |
| privateLinkResourceId (required) | string | The resource ID of the resource the shared private link resource is for. |
| requestMessage (required) | string | The message for requesting approval of the shared private link resource. |
| resourceRegion | string | Optional. Can be used to specify the Azure Resource Manager location of the resource for which a shared private link is being created. This is only required for those resources whose DNS configuration is regional (such as Azure Kubernetes Service). |

| Property | Value | Description |
|---|---|---|
| aadAuthFailureMode (required) | 'http401WithBearerChallenge' 'http403' | Describes what response the data plane API of a search service would send for requests that failed authentication. |

| Property | Value | Description |
|---|---|---|
| aadOrApiKey (required) | aadOrApiKey | |

| Property | Value | Description |
|---|---|---|
| enforcement (required) | 'Disabled' 'Enabled' 'Unspecified' | Describes how a search service should enforce compliance if it finds objects that aren't encrypted with the customer-managed key. |

| Property | Value | Description |
|---|---|---|
| name (required) | 'basic' 'free' 'standard' 'standard2' 'standard3' 'storage_optimized_l1' 'storage_optimized_l2' | The SKU of the search service. Valid values include: free: Shared service. basic: Dedicated service with up to 3 replicas. standard: Dedicated service with up to 12 partitions and 12 replicas. standard2: Similar to standard, but with more capacity per search unit. standard3: The largest Standard offering with up to 12 partitions and 12 replicas (or up to 3 partitions with more indexes if you also set the hostingMode property to highDensity). storage_optimized_l1: Supports 1TB per partition, up to 12 partitions. storage_optimized_l2: Supports 2TB per partition, up to 12 partitions. |

| Property | Value | Description |
|---|---|---|
| bypass | 'AzurePortal' 'AzureServices' 'None' | Possible origins of inbound traffic that can bypass the rules defined in the ipRules section. |
| ipRules | ipRules[] | Allow rules for the search service [Array of IP rules] |

| Property | Value | Description |
|---|---|---|
| value (required) | string | Value corresponding to a single IPv4 address (e.g., 123.1.2.3) or an IP range in CIDR format (e.g., 123.1.2.3/24) to be allowed. |

| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: Alphanumerics, periods, underscores, hyphens, and parentheses. Can't end in period. |
| level (required) | 'CanNotDelete' 'ReadOnly' | The level of the lock. Possible values are: CanNotDelete and ReadOnly. CanNotDelete means authorized users are able to read and modify the resources, but not delete. ReadOnly means authorized users can only read from a resource, but they can't modify or delete it. Read-Only locks must be commented out to be able to deploy again. |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |

| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID, data file can be used for this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |

| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |

| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between resources (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' | The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource; if empty, none will be appended, otherwise it will be added to the end [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |

| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Name of the private endpoint |
| nicNaming | naming | Name of the network interface of the private endpoint |
| privateLinkNaming | naming | Name of the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resourcegroup in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of DNS zone ids that need to be linked |

| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resourcegroup (default: resourcegroup defined here => resourceGroup of pep resource => resourceGroup of subnet) |
| id (required) | string | Id of the subnet |
| location | string | Location if Vnet is in different location |
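
The constraints stated in the tables above for hostingMode, partitionCount, replicaCount, disableLocalAuth and ipRules can be checked before deployment. The following is an added example, not part of this module: the function name `validate_search_config` and the dictionary layout (property names used as keys) are assumptions, and the sample values are constructed.

```python
import ipaddress

PARTITIONS = {1, 2, 3, 4, 6, 12}
STANDARD = {"standard", "standard2", "standard3"}

def validate_search_config(cfg):
    """Return violations of the constraints stated in the property tables."""
    errors = []
    sku = cfg["sku"]["name"]
    high_density = cfg.get("hostingMode", "default") == "highDensity"
    if high_density and sku != "standard3":
        errors.append("hostingMode: highDensity requires the standard3 SKU")

    parts = cfg.get("partitionCount")
    if parts is not None:
        if parts not in PARTITIONS:
            errors.append("partitionCount: must be 1, 2, 3, 4, 6 or 12")
        elif high_density and parts > 3:
            errors.append("partitionCount: highDensity allows 1 to 3")
        # Assumption: the sku table lists up to 12 partitions for the
        # storage_optimized SKUs too, so only free and basic are rejected.
        elif parts > 1 and sku in ("free", "basic"):
            errors.append(f"partitionCount: {sku} allows only 1")

    replicas = cfg.get("replicaCount")
    limit = 12 if sku in STANDARD else 3 if sku == "basic" else None
    if replicas is not None and limit and not 1 <= replicas <= limit:
        errors.append(f"replicaCount: {sku} allows 1 to {limit}")

    # Assumption: authOptions is this module's name for dataPlaneAuthOptions.
    if cfg.get("disableLocalAuth") and cfg.get("authOptions"):
        errors.append("disableLocalAuth: cannot be true with authOptions set")

    for rule in cfg["networkRuleSet"].get("ipRules", []):
        try:
            # strict=False accepts host bits, as in the page's 123.1.2.3/24.
            ipaddress.IPv4Network(rule["value"], strict=False)
        except ValueError:
            errors.append(f"ipRules: {rule['value']!r} is not IPv4 or CIDR")
    return errors

# Constructed sample parameters, not taken from a real deployment.
SAMPLE = {
    "sku": {"name": "basic"}, "hostingMode": "highDensity",
    "partitionCount": 5, "replicaCount": 4, "disableLocalAuth": True,
    "authOptions": {"aadOrApiKey": {"aadAuthFailureMode": "http403"}},
    "networkRuleSet": {"bypass": "None", "ipRules": [
        {"value": "123.1.2.3/24"}, {"value": "10.0.0.0/33"}]},
}

if __name__ == "__main__":
    print("\n".join(validate_search_config(SAMPLE)))
```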