From 83be3fb19f93819eeb2687b0bbf017a9f322828d Mon Sep 17 00:00:00 2001
From: miekki
Date: Fri, 23 Feb 2024 20:29:10 +0000
Subject: [PATCH] Added key vault module
---
.../security/keyvault-accesspolicy/README.md | 0
.../security/keyvault-accesspolicy/main.bicep | 49 ++++++++++
.../keyvault-accesspolicy/metadata.json | 5 ++
modules/security/keyvault-secrets/README.md | 0
modules/security/keyvault-secrets/main.bicep | 25 ++++++
.../security/keyvault-secrets/metadata.json | 5 ++
modules/security/keyvault/README.md | 0
modules/security/keyvault/main.bicep | 90 +++++++++++++++++++
modules/security/keyvault/metadata.json | 5 ++
.../security/keyvault/test/main.test.bicep | 20 +++++
10 files changed, 199 insertions(+)
create mode 100644 modules/security/keyvault-accesspolicy/README.md
create mode 100644 modules/security/keyvault-accesspolicy/main.bicep
create mode 100644 modules/security/keyvault-accesspolicy/metadata.json
create mode 100644 modules/security/keyvault-secrets/README.md
create mode 100644 modules/security/keyvault-secrets/main.bicep
create mode 100644 modules/security/keyvault-secrets/metadata.json
create mode 100644 modules/security/keyvault/README.md
create mode 100644 modules/security/keyvault/main.bicep
create mode 100644 modules/security/keyvault/metadata.json
create mode 100644 modules/security/keyvault/test/main.test.bicep
diff --git a/modules/security/keyvault-accesspolicy/README.md b/modules/security/keyvault-accesspolicy/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/modules/security/keyvault-accesspolicy/main.bicep b/modules/security/keyvault-accesspolicy/main.bicep
new file mode 100644
index 0000000..22e3e0b
--- /dev/null
+++ b/modules/security/keyvault-accesspolicy/main.bicep
@@ -0,0 +1,49 @@
+metadata name = 'Azure Key Vault - Access Policy'
+metadata description = 'Bicep module for simplified deployment of KeyVault - Access Policy.'
+metadata owner = 'MM'
+
+@description('Required. Name of Key Vault.')
+param keyVaultName string
+
+@description('Required. Name of Key Vault Access Policy.')
+param policyName string
+
+@description('Required. Object Id of a user, service principal or security group')
+param objectId string
+
+
+@description('Optional. Application id of the client making request')
+param applicationId string = ''
+
+@description('Optional. Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge.')
+param secretsPermissions array = []
+
+@description('Optional. Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge.')
+param keyPermissions array = []
+
+@description('Optional. Specify the permissions to certificates. Valid values are: all, backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update')
+param certificatPermissions array = []
+
+
+resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+ name: keyVaultName
+}
+
+resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
+ name: policyName
+ parent: keyvault
+ properties: {
+ accessPolicies: [
+ {
+ objectId: !empty(objectId) ? objectId : ''
+ applicationId: !empty(applicationId) ? applicationId : null
+ permissions: {
+ secrets: !empty(secretsPermissions) ? secretsPermissions : null
+ keys: !empty(keyPermissions)? keyPermissions : null
+ certificates:!empty(certificatPermissions)? certificatPermissions : null
+ }
+ tenantId: subscription().tenantId
+ }
+ ]
+ }
+}
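Review bot: `policyName` is declared as a free-form required string, but the `Microsoft.KeyVault/vaults/accessPolicies` child resource only accepts the names `add`, `replace` and `remove` (they are operations, not labels), so any other value should be rejected at deployment. Constrain it with `@allowed(['add', 'replace', 'remove'])` above the param and reword the description to `'Required. Operation to apply: add merges this policy into the vault, replace overwrites every existing policy, remove deletes it.'` — the `replace` case deserves that warning because it silently drops every other principal's access. The ternary `objectId: !empty(objectId) ? objectId : ''` can never take a useful empty branch since `objectId` is required; a `@minLength(1)` on the param would fail validation instead of producing a policy bound to an empty id. It is also worth a one-line comment that this module is a no-op against a vault created with `enableRbacAuthorization: true`, which the sibling vault module in this patch exposes.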
diff --git a/modules/security/keyvault-accesspolicy/metadata.json b/modules/security/keyvault-accesspolicy/metadata.json
new file mode 100644
index 0000000..d8142b4
--- /dev/null
+++ b/modules/security/keyvault-accesspolicy/metadata.json
@@ -0,0 +1,5 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": ["./main.bicep", "./metadata.json"]
+}
\ No newline at end of file
diff --git a/modules/security/keyvault-secrets/README.md b/modules/security/keyvault-secrets/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/modules/security/keyvault-secrets/main.bicep b/modules/security/keyvault-secrets/main.bicep
new file mode 100644
index 0000000..90756bc
--- /dev/null
+++ b/modules/security/keyvault-secrets/main.bicep
@@ -0,0 +1,25 @@
+metadata name = 'Azure Key Vault - Secrets'
+metadata description = 'Bicep module for simplified deployment of KeyVault - Secrets.'
+metadata owner = 'MM'
+
+@description('Required. Name of Key Vault.')
+param keyVaultName string
+
+@description('Required. Secret name.')
+param secretName string
+
+@description('Required. Secret value')
+@secure()
+param secretValue string
+
+resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+ name: keyVaultName
+}
+
+resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
+ parent: keyvault
+ name: secretName
+ properties: {
+ value: secretValue
+ }
+}
diff --git a/modules/security/keyvault-secrets/metadata.json b/modules/security/keyvault-secrets/metadata.json
new file mode 100644
index 0000000..d8142b4
--- /dev/null
+++ b/modules/security/keyvault-secrets/metadata.json
@@ -0,0 +1,5 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": ["./main.bicep", "./metadata.json"]
+}
\ No newline at end of file
diff --git a/modules/security/keyvault/README.md b/modules/security/keyvault/README.md
new file mode 100644
index 0000000..e69de29
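Review bot: In `keyvault-secrets/main.bicep` the secret resource sets only `value`, so every secret created through this module is perpetual — no `attributes.exp`/`attributes.nbf` and no `contentType` — which makes rotation deadlines impossible to express from the module that is meant to be the standard creation path. A small, backward-compatible addition is `param expiresOn int = 0` documented as `'Optional. Expiry as Unix epoch seconds; 0 means no expiry.'` and `attributes: expiresOn > 0 ? { exp: expiresOn } : null` inside `properties`, plus an optional `contentType` string passed through. The `existing` vault reference has no `scope`, so the vault must live in the deploying resource group; a comment saying so (or a `vaultResourceGroup` parameter used as `scope: resourceGroup(vaultResourceGroup)`) would turn a confusing not-found failure into a documented constraint. Keeping `@secure()` on `secretValue` with no output of it is right and should stay that way.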
diff --git a/modules/security/keyvault/main.bicep b/modules/security/keyvault/main.bicep
new file mode 100644
index 0000000..75040da
--- /dev/null
+++ b/modules/security/keyvault/main.bicep
@@ -0,0 +1,90 @@
+metadata name = 'Azure Key Vault'
+metadata description = 'Bicep module for simplified deployment of KeyVault; enables VNet integration and offers flexible configuration options.'
+metadata owner = 'MM'
+
+@description('Required. Name of Key Vault.')
+param name string
+
+@description('Required. Location for all resources.')
+param location string
+
+@description('Required. Tags of the resource.')
+param tags object
+
+
+
+@description('Optional. Specifies whether soft delete should be enabled for the Key Vault.')
+param enableSoftDelete bool = true
+
+@description('Optional. The number of days to retain deleted data in the Key Vault.')
+param softDeleteRetentionInDays int = 7
+
+@description('Optional. Specify whether purge protection should be enabled for the Key Vault.')
+param enablePurgeProtection bool = false
+
+@description('Optional. Specify whether the Key Vault will be using RBAC. Default is false - use the access policy.')
+param enableRbacAuthorization bool = false
+
+@allowed(['standard', 'premium'])
+@description('Optional. The SKU name of the Key Vault.')
+param skuName string = 'standard'
+
+@allowed(['A', 'B'])
+@description('Optional. The SKU family of the Key Vault.')
+param skuFamily string = 'A'
+
+@description('Optional. Configuration for network access rules.')
+param networkAcls networkAclsType = {
+ defaultAction: 'Deny'
+}
+
+
+var varNetworkAclsIpRules = [for ip in networkAcls.?ipAllowlist ?? []: { value: ip }]
+
+var varNetworkAclsVirtualNetworkRules = [for subnet in networkAcls.?subnetIds ?? []: { id: subnet }]
+
+var varNetworkAcls = {
+ bypass: networkAcls.?bypass ??
'AzureServices'
+ defaultAction: networkAcls.defaultAction
+ ipRules: varNetworkAclsIpRules
+ virtualNetworkRules: varNetworkAclsVirtualNetworkRules
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
+ name: name
+ location: location
+ tags: tags
+ properties: {
+ enableSoftDelete: enableSoftDelete
+ softDeleteRetentionInDays: softDeleteRetentionInDays
+ enablePurgeProtection: enablePurgeProtection
+ enableRbacAuthorization: enableRbacAuthorization
+ sku: {
+ family: skuFamily
+ name: skuName
+ }
+ tenantId: subscription().tenantId
+ networkAcls:varNetworkAcls
+ }
+}
+
+type networkAclsType = {
+ @description('Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics.')
+ bypass: ('AzureServices' | 'None')?
+
+ @description('Specifies whether all network access is allowed or denied when no other rules match.')
+ defaultAction: ('Allow' | 'Deny')
+
+ @description('Specifies the IP or IP range in CIDR format to be allowed to connect. Only IPV4 address is allowed.')
+ ipAllowlist: string[]?
+
+ @description('Sets the virtual network rules.')
+ subnetIds: string[]?
+}
+
+
+@description('Key vault id')
+output id string = keyVault.id
+
+@description('Key vault name')
+output name string = keyVault.name
diff --git a/modules/security/keyvault/metadata.json b/modules/security/keyvault/metadata.json
new file mode 100644
index 0000000..d8142b4
--- /dev/null
+++ b/modules/security/keyvault/metadata.json
@@ -0,0 +1,5 @@
+{
+ "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+ "version": "0.1",
+ "pathFilters": ["./main.bicep", "./metadata.json"]
+}
\ No newline at end of file
diff --git a/modules/security/keyvault/test/main.test.bicep b/modules/security/keyvault/test/main.test.bicep
new file mode 100644
index 0000000..c90ff0a
--- /dev/null
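Review bot: `enablePurgeProtection` defaults to `false` and is passed straight through as `enablePurgeProtection: enablePurgeProtection`; the Key Vault API documents that property as irreversible and as not accepting `false`, so the module's default path may be rejected outright, and a vault deployed without purge protection can be soft-deleted and then purged inside the retention window by any principal holding `purge` rights (confirm the reject-on-false behaviour against the 2023-07-01 API before relying on it). The usual shape is to default the param to `true`, pass `enablePurgeProtection: enablePurgeProtection ? true : null`, and extend the description to `'... Irreversible once enabled; requires soft delete.'`. `softDeleteRetentionInDays` carries no bounds although the service only accepts 7–90 days, so `@minValue(7)` and `@maxValue(90)` on the param would fail validation instead of deployment. The `bypass` description on `networkAclsType` promises any combination of `Logging,Metrics,AzureServices` while the type only admits `'AzureServices' | 'None'`; change the text to `'Specifies whether trusted Azure services bypass the firewall: AzureServices or None.'` so the documentation matches what the type permits. The default of `enableRbacAuthorization = false` is a legitimate choice, but the description should say that the sibling `keyvault-accesspolicy` module is the only way to grant access in that mode and that switching to RBAC later disables every access policy.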
+++ b/modules/security/keyvault/test/main.test.bicep
@@ -0,0 +1,20 @@
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The location to deploy resources to')
+param location string = resourceGroup().location
+
+var my_tags = {
+ env: 'dev'
+}
+
+// TEST 1 - minimum parameters
+module test1 '../main.bicep' = {
+ name: 'kv1'
+ params: {
+ location: location
+ name: 'kv1'
+ tags: my_tags
+ }
+}
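Review bot: `name: 'kv1'` inside `params` becomes the Key Vault name, and vault names are globally unique DNS labels (`kv1.vault.azure.net`), so this test will collide with whoever already owns that name and fail on conflict rather than exercising the module. Derive it from the deployment scope, e.g. `name: 'kv${uniqueString(resourceGroup().id)}'`, and keep `'kv1'` only for the module deployment `name`. Because the module defaults `networkAcls` to `defaultAction: 'Deny'`, this single test never exercises the `ipAllowlist`/`subnetIds` rule-building `var`s; a second module instance passing `networkAcls: { defaultAction: 'Deny', ipAllowlist: ['203.0.113.0/24'] }` would cover them. The `keyvault-secrets` and `keyvault-accesspolicy` modules added in the same patch ship with no test at all, which is worth a follow-up given the access-policy module can `replace` a vault's entire policy set.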