Add access policy in the ida kv for the ida enterprise application #69

4 changes: 3 additions & 1 deletion scripts/automation/infrastructure-dev.bicepparam
Expand Up @@ -5,6 +5,8 @@ param resourceGroupName = 'IDA${environment}'
param location = 'northeurope'
param objectIdFgRobots = '5ac08731-48dd-4499-9151-7bf6b8ab8eac'

param objectIdEnterpriseApplication = 'f6676dc8-6b13-4ee9-88bb-416b7a0cbd34' // ObjectID enterprise application ida-dev

param managedIdentityName = 'IDAdevMI'

param keyVaultName = 'idakv-${environment}'
Expand All @@ -22,7 +24,7 @@ param storageAccountNameRaw = 'storageraw1${environment}'
param storageAccountNameVis = 'storagevis1${environment}'

param principalId = '80b30892-2768-4b33-92a6-bec41a7f4e2c' //aurora-aks-kubelet-shared dev environment
param roleDefinitionId = 'f1a07417-d97a-45cb-824c-7a7467783830' // azure built-in role for managed identity operator
param roleDefinitionId = 'f1a07417-d97a-45cb-824c-7a7467783830' // azure built-in role for managed identity operator

// Grant Flotilla (FlotillaBackendAuthDev) role assignment as "Storage Blob Data Reader" to storageanon account
param roleDefinitionIDFlotillaApp = '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
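Review bot: The new objectIdEnterpriseApplication value (here, and the matching values in infrastructure-prod.bicepparam and infrastructure-staging.bicepparam) has to be the object ID of the enterprise application's service principal, not the object ID of the app registration, because a Key Vault access policy only resolves the former; the trailing comment says "enterprise application", which suggests it is right, but that distinction is the usual source of a silently non-working policy, so record it where the value lives, e.g. `// Object ID of the service principal (Entra "Enterprise applications" blade), not the App registration object ID`. The second hunk shows the roleDefinitionId line in old and new form with identical visible text, so it appears to be a whitespace-only change; if so it is noise in a PR about an access policy and could be dropped or moved to a formatting commit.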
2 changes: 2 additions & 0 deletions scripts/automation/infrastructure-prod.bicepparam
Expand Up @@ -5,6 +5,8 @@ param resourceGroupName = 'IDA${environment}'
param location = 'northeurope'
param objectIdFgRobots = '5ac08731-48dd-4499-9151-7bf6b8ab8eac'

param objectIdEnterpriseApplication = '56f5f63f-d18a-47b6-97d7-779994f489bf' // ObjectID enterprise application ida-prod

param managedIdentityName = 'IDAprodMI'

param keyVaultName = 'idakv-${environment}'
2 changes: 2 additions & 0 deletions scripts/automation/infrastructure-staging.bicepparam
Expand Up @@ -5,6 +5,8 @@ param resourceGroupName = 'IDA${environment}'
param location = 'northeurope'
param objectIdFgRobots = '5ac08731-48dd-4499-9151-7bf6b8ab8eac'

param objectIdEnterpriseApplication = 'a72f2337-fa85-40c8-95db-6ccfe4765f7c' // ObjectID enterprise application ida-staging

param managedIdentityName = 'IDAstagingMI'

param keyVaultName = 'idakv-${environment}'
3 changes: 3 additions & 0 deletions scripts/automation/infrastructure.bicep
Expand Up @@ -13,6 +13,8 @@ param storageAccountNameVis string
param keyVaultName string
param objectIdFgRobots string

param objectIdEnterpriseApplication string

param administratorLogin string
@secure()
param administratorLoginPassword string
Expand Down Expand Up @@ -78,6 +80,7 @@ module keyVault 'modules/key-vault.bicep' = {
location: location
keyVaultName: keyVaultName
objectIdFgRobots: objectIdFgRobots
objectIdEnterpriseApplication: objectIdEnterpriseApplication
principalId: principalId
managedIdentityName: managedIdentityName
roleDefinitionID: roleDefinitionId
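Review bot: The new `param objectIdEnterpriseApplication string` in the first hunk carries no `@description()`, so the identity it is meant to hold (and the fact that it is granted Key Vault access) is only recoverable from comments in the .bicepparam files; the file already uses decorators (`@secure()` two lines below), so add `@description('Object ID of the IDA enterprise application (service principal) granted read access to Key Vault secrets')`. The same applies to the identical param added at the top of modules/key-vault.bicep. Passing the value into the keyVault module in the second hunk is consistent with how the neighbouring inputs are wired.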
14 changes: 12 additions & 2 deletions scripts/automation/modules/key-vault.bicep
@@ -1,6 +1,7 @@
param location string
param keyVaultName string
param objectIdFgRobots string
param objectIdEnterpriseApplication string
param secrets array
param managedIdentityName string
param principalId string
Expand Down Expand Up @@ -63,12 +64,21 @@ resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2024-04-
]
}
}
{
tenantId: keyVault.properties.tenantId
objectId: objectIdEnterpriseApplication
permissions: {
keys: []
secrets: [
'get'
'list'
]
}
}
]
}
}

//TODO: Add policy ida client id

resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = [
for secret in secrets: {
name: secret.name
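Review bot: The new access-policy entry grants `'list'` as well as `'get'` on secrets to objectIdEnterpriseApplication; `list` lets the principal enumerate every secret name in the vault, so if the application only reads secrets whose names it already knows, `secrets: [ 'get' ]` is the least-privilege grant, and if enumeration is genuinely needed a one-line comment stating why would help the next reviewer. The entry sets `keys: []` but no `certificates` list; the sibling entries above are outside the hunk, so match whatever they declare for consistency. Access policies are also ignored when the vault has `enableRbacAuthorization` set, so confirm in the vault resource (not visible here) that the policy model is the one in effect. The enclosing keyVaultAccessPolicy resource starts before this hunk.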