/*
If you need to purge KV: https://docs.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal
The user will need the following permissions (at subscription level) to perform operations on soft-deleted vaults:
Microsoft.KeyVault/locations/deletedVaults/purge/action
*/
// https://argonsys.com/microsoft-cloud/library/dealing-with-deployment-blockers-with-bicep/
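// Base name from which the vault name is derived. The default appends a hash of the
// resource group and subscription ids so the derived vault name stays unique, and the
// 21-character cap keeps 'kv-' + appName within the 24-character vault name limit.
@description('A UNIQUE name')
@maxLength(21)
param appName string = 'petcli${uniqueString(resourceGroup().id, subscription().id)}'

// Key Vault names are 3-24 characters; both bounds are enforced here so an invalid name
// fails template validation instead of failing later at the resource provider.
@minLength(3)
@maxLength(24)
@description('The name of the KV, must be UNIQUE. A vault name must be between 3-24 alphanumeric characters.')
param kvName string = 'kv-${appName}'

@description('The KV location')
param location string = resourceGroup().location

// Even with 'enabled', the vault's networkAcls (defaultAction 'Deny') still limits callers to the
// listed ipRules / vNetRules plus the 'AzureServices' bypass.
@description('Is KV Network access public ?')
@allowed([
  'enabled'
  'disabled'
])
param publicNetworkAccess string = 'enabled'

@description('The KV SKU name')
@allowed([
  'premium'
  'standard'
])
param skuName string = 'standard'

@description('The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault.')
param tenantId string = subscription().tenantId

// Each element is passed as networkAcls.ipRules[].value, i.e. one IPv4 address or CIDR range.
@description('The KV ipRules')
param ipRules array = []

// Each element becomes a networkAcls.virtualNetworkRules entry and must carry at least the
// subnet resource id, e.g.:
// [
//   {
//     id: vnet.outputs.appSubnetSubnetId
//     ignoreMissingVnetServiceEndpoint: true
//   }
// ]
@description('The KV vNetRules')
param vNetRules array = []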
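// Key Vault with RBAC data-plane authorization, soft delete plus purge protection, and a
// default-deny network ACL that admits only the listed IPs / subnets and trusted Azure services.
resource kv 'Microsoft.KeyVault/vaults@2022-11-01' = {
  name: kvName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: skuName
    }
    tenantId: tenantId
    publicNetworkAccess: publicNetworkAccess
    // Whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the vault.
    enabledForDeployment: false
    // When enabledForDiskEncryption or enabledForDeployment is true, networkAcls.bypass must include "AzureServices".
    enabledForDiskEncryption: true
    enabledForTemplateDeployment: true
    // Purge protection cannot be switched off once enabled; see the header note on purging soft-deleted vaults.
    enablePurgeProtection: true
    enableSoftDelete: true
    // /!\ When true, the vault uses RBAC for authorization of data actions and any access policies
    // specified in vault properties are ignored (which is why accessPolicies is not set here).
    enableRbacAuthorization: true
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Deny'
      ipRules: [for ipRule in ipRules: {
        value: ipRule
      }]
      // ignoreMissingVnetServiceEndpoint is forwarded when the caller supplies it (treated as false when
      // omitted) instead of being silently dropped, so callers can opt in for subnets that do not yet
      // have the Microsoft.KeyVault service endpoint.
      virtualNetworkRules: [for vNetRule in vNetRules: {
        id: vNetRule.id
        ignoreMissingVnetServiceEndpoint: contains(vNetRule, 'ignoreMissingVnetServiceEndpoint') ? vNetRule.ignoreMissingVnetServiceEndpoint : false
      }]
    }
    // Must be between 7 and 90 inclusive; 7 is the minimum retention for soft-deleted objects.
    softDeleteRetentionInDays: 7
  }
}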
// The whole vault resource object (vault metadata such as tenantId and vaultUri;
// secrets are separate resources and are not part of it).
output keyVault object = kv
output keyVaultId string = kv.id
output keyVaultName string = kv.name
// Data-plane endpoint of the vault.
output keyVaultURI string = kv.properties.vaultUri
output keyVaultPublicNetworkAccess string = kv.properties.publicNetworkAccess
// Effective IP allow-list; empty when no ipRules were supplied.
output keyVaultPublicNetworkAclsIpRules array = kv.properties.networkAcls.ipRules
// /!\ In the GHA Workflow, the KV must be created first, then 'az keyvault network-rule add' must be completed;
// only then can './kv/kv_sec_key.bicep' be called to create the secrets
// https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets
/*
module kvSecrets '../kv/kv_sec_key.bicep' = {
name: 'aca-petclinic-kv-sec'
params: {
appName: appName
kvName: kvName
secretsObject: secretsObject
secretExpiryDate: secretExpiryDate
}
}
*/