Add key vault

miekki · Mar 1, 2024 · 6544e17 · 6544e17
1 parent baba5dd
commit 6544e17
Show file tree

Hide file tree

Showing 8 changed files with 174 additions and 161 deletions.
diff --git a/modules/security/keyvault-accesspolicy/README.md b/modules/security/keyvault-accesspolicy/README.md
@@ -0,0 +1,7 @@
+# Key Vaults - Access policy
+
+This module deploy Key Vaults Access Policy.
+
+## Details
+
+Use this module within other Bicep template to simplify the usage of a Key Vault Access Policy.
diff --git a/modules/security/keyvault-accesspolicy/main.bicep b/modules/security/keyvault-accesspolicy/main.bicep
@@ -6,11 +6,10 @@ metadata owner = 'MM'
 param keyVaultName string
 
 @description('Required. Name of Key Vault Access Policy.')
-param policyName string
+param policyName string = 'add'
 
 @description('Required. Object Id of a user, service principal or security group')
-param objectId string 
-
+param objectId string
 
 @description('Optional. Application id of the client making request')
 param applicationId string = ''
@@ -24,7 +23,6 @@ param keyPermissions array = []
 @description('Optional. Specify the permissions to certificates. Valid values are: all, backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update')
 param certificatPermissions array = []
 
-
 resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
   name: keyVaultName
 }
@@ -36,14 +34,14 @@ resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
     accessPolicies: [
       {
         objectId: !empty(objectId) ? objectId : ''
-        applicationId:  !empty(applicationId) ? applicationId : null
+        applicationId: !empty(applicationId) ? applicationId : null
         permissions: {
-          secrets: !empty(secretsPermissions) ? secretsPermissions : null
-          keys: !empty(keyPermissions)? keyPermissions : null
-          certificates:!empty(certificatPermissions)? certificatPermissions : null
+          secrets: !empty(secretsPermissions) ? secretsPermissions : []
+          keys: !empty(keyPermissions) ? keyPermissions : []
+          certificates: !empty(certificatPermissions) ? certificatPermissions : []
         }
         tenantId: subscription().tenantId
       }
-    ] 
+    ]
   }
 }
diff --git a/modules/security/keyvault-secrets/README.md b/modules/security/keyvault-secrets/README.md
@@ -0,0 +1,7 @@
+# Key Vaults - Secrets
+
+This module deploy Key Vaults Secrets.
+
+## Details
+
+Use this module within other Bicep template to simplify the usage of a Key Vault Secrets.
diff --git a/modules/security/keyvault/README.md b/modules/security/keyvault/README.md
@@ -0,0 +1,7 @@
+# Key Vaults
+
+This module deploy Key Vaults.
+
+## Details
+
+Use this module within other Bicep template to simplify the usage of a Key Vault.
diff --git a/modules/security/keyvault/main.bicep b/modules/security/keyvault/main.bicep
diff --git a/modules/web/appservice/main.bicep b/modules/web/appservice/main.bicep
@@ -14,6 +14,7 @@ param tags object
 // Reference Properties
 @description('Optional. Provide Application Insight Name.')
 param applicationInsightsName string = ''
+
 @description('Optional. Provide Key Vault Name.')
 param keyVaultName string = ''
 //@description('Optional. Set to managed Identity if Key Vault Name is provided.')

diff --git a/test-deployment/deployment-test.azcli b/test-deployment/deployment-test.azcli
@@ -14,6 +14,7 @@ export location="uksouth"
 az group create --resource-group $rg_name --location $location
 
 # create deployment in rg with the content from main.bicep file and params
+
 az deployment group create --resource-group $rg_name --name module-testing --mode Complete --template-file main.bicep --parameters main.parameters.json
 
 

diff --git a/test-deployment/main.bicep b/test-deployment/main.bicep
@@ -2,7 +2,7 @@
 targetScope = 'resourceGroup'
 
 @description('Name of the environment eg. dev, prod')
-param environmentName string = 'dev'
+param environmentName string = 'dev_1'
 
 @description('Location for all resources')
 param location string = 'uksouth'
@@ -31,6 +31,13 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09
   }
 }
 
+var varNetworkAcls = {
+  bypass: 'AzureServices'
+  defaultAction: 'Deny'
+  ipAllowlist: [ '81.106.66.0/24' ]
+  // subnetIds ['']
+}
+
 module kv '../modules/security/keyvault/main.bicep' = {
   // scope: rg
   name: 'deploy-kv-test'
@@ -39,9 +46,26 @@ module kv '../modules/security/keyvault/main.bicep' = {
     name: '${abbrs.keyVaultVaults}${resourceToken}'
     tags: tags
     workspaceId: logAnalyticsWorkspace.id
-    networkAcls: {
-      defaultAction: 'Allow'
-    }
-    rbacPolicies: [ 'c5c1dcd6-c181-466e-a606-cd67d0532eb9' ]
+    networkAcls: varNetworkAcls
+    principalId: 'c5c1dcd6-c181-466e-a606-cd67d0532eb9' // me
+
+  }
+}
+
+module kv_secret '../modules/security/keyvault-secrets/main.bicep' = {
+  name: 'deploy-kv-secret-test'
+  params: {
+    keyVaultName: kv.outputs.name
+    secretName: 'ConnectionStrings--DefaultConnection'
+    secretValue: 'my pass'
+  }
+}
+
+module kv_access_policy '../modules/security/keyvault-accesspolicy/main.bicep' = {
+  name: 'deploy-kv-access-policy-test'
+  params: {
+    keyVaultName: kv.outputs.name
+    objectId: '47689dc0-8e50-4474-970a-b913a75b5b0e' // for magicsoftware-Calculator-8e88c488-1596-4d79-8d3f-f9d16aa345ad
+    secretsPermissions: [ 'get', 'list', 'set', 'delete' ]
   }
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,6 +14,7 @@ export location="uksouth"
		az group create --resource-group $rg_name --location $location

		# create deployment in rg with the content from main.bicep file and params

		az deployment group create --resource-group $rg_name --name module-testing --mode Complete --template-file main.bicep --parameters main.parameters.json


Expand Down