added keyvault role assignments
1 parent 4e94b50 commit 8d8f02d

4 files changed

+110
-29
lines changed


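--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -30,7 +30,7 @@ jobs:
     needs: deploy-infrastructure
     runs-on: ubuntu-latest
     env:
-      KEY_VAULT_NAME_DEV: "dkumlin-demo-kv"
+      KEY_VAULT_NAME_DEV: "dkumlin-demo-keyvault"
       KEY_VAULT_SECRET_ACR_USERNAME: "acr-username"
       KEY_VAULT_SECRET_ACR_PASSWORD: "acr-password"
       CONTAINER_REGISTRY_SERVER_URL_DEV: "dkumlinacrdemo.io"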

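--- a/main.bicep
+++ b/main.bicep
@@ -12,13 +12,26 @@ param containerRegistryImageName string
 param containerRegistryImageVersion string
 @description('The key vault name')
 param keyVaultName string
+@description('Role assignments for the Key Vault')
+param keyVaultRoleAssignments array = []
 
-// Add Key Vault module
+// ACR deployment
+module acr 'modules/acr.bicep' = {
+  name: 'acrDeployment'
+  params: {
+    name: acrName
+    location: location
+    acrAdminUserEnabled: true
+  }
+}
+
+// Initial Key Vault deployment
 module keyVault 'modules/key-vault.bicep' = {
   name: 'keyVault'
   params: {
-    name: keyVaultName
+    roleAssignments: keyVaultRoleAssignments
     location: location
+    keyVaultName: keyVaultName
   }
 }
 
@@ -47,16 +60,6 @@ resource acrUsernameSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
   }
 }
 
-// ACR deployment
-module acr 'modules/acr.bicep' = {
-  name: 'acrDeployment'
-  params: {
-    name: acrName
-    location: location
-    acrAdminUserEnabled: true
-  }
-}
-
 // App Service Plan deployment
 module appServicePlan 'modules/app-service-plan.bicep' = {
   name: 'appServicePlanDeployment'
@@ -98,16 +101,13 @@ module webApp 'modules/web-app.bicep' = {
   ]
 }
 
-resource webAppKeyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(resourceGroup().id, webApp.name, 'Key Vault Secrets User')
+// Add RBAC role assignment for web app to access Key Vault secrets
+resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(keyVaultReference.id, webApp.name, 'Key Vault Secrets User')
   scope: keyVaultReference
   properties: {
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
     principalId: webApp.outputs.principalId
     principalType: 'ServicePrincipal'
   }
-  dependsOn: [
-    webApp
-    keyVault
-  ]
 }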
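Review bot: The file now grants Key Vault roles through two parallel paths — the `keyVaultRoleAssignments` array passed into the module and the inline `keyVaultRoleAssignment` resource at the end of the file — with no statement of which one owns the web app's grant. If the ServicePrincipal object ID listed under `keyVaultRoleAssignments` in main.parameters.json is the web app's managed identity (I cannot tell from here), both paths create a Key Vault Secrets User assignment for the same principal at the same vault scope under two different names, which Azure rejects as a conflicting duplicate rather than merging. I would either drop the inline resource in favour of the module path, or add `// Web app identity is granted here; do not also list it in keyVaultRoleAssignments` above the resource and keep the parameters file to human/group principals. Separately, the relocated ACR module still sets `acrAdminUserEnabled: true`, which is the static shared credential later copied into the vault by `acrUsernameSecret`; granting the web app identity AcrPull on the registry would avoid storing a registry password at all. `keyVaultReference` is declared outside this hunk.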

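--- a/main.parameters.json
+++ b/main.parameters.json
@@ -22,6 +22,20 @@
     },
     "keyVaultName": {
       "value": "dkumlin-demo-keyvault"
+    },
+    "keyVaultRoleAssignments": {
+      "value": [
+        {
+          "principalId": "daa3436a-d1fb-44fe-b34b-053db433cdb7",
+          "roleDefinitionIdOrName": "Key Vault Administrator",
+          "principalType": "Group"
+        },
+        {
+          "principalId": "37841ca3-42b3-4aed-b215-44d6f5dcb57d",
+          "roleDefinitionIdOrName": "Key Vault Secrets User",
+          "principalType": "ServicePrincipal"
+        }
+      ]
     }
   }
 }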
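Review bot: The two principals are bare object IDs with nothing recording who they are, even though the module reads an optional `description` field on each entry; add `"description": "<group name> – vault administrators"` and `"description": "<app name> managed identity – read-only secret access"` so a future reviewer can audit the grants without an Entra lookup. Key Vault Administrator is full data-plane control over keys, certificates and secrets for every member of that group, so if the group only manages application secrets, Key Vault Secrets Officer is the narrower fit. Setting `principalType` explicitly on both entries is correct and avoids the replication race on newly created identities. These object IDs are tenant-specific, so this file should be clearly scoped to the dev environment the workflow's `KEY_VAULT_NAME_DEV` implies.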

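--- a/modules/key-vault.bicep
+++ b/modules/key-vault.bicep
@@ -1,23 +1,90 @@
-@description('The name of the key vault')
-param name string
+param location string = resourceGroup().location
+param keyVaultName string = 'kv${uniqueString(resourceGroup().id)}'
+param enableVaultForDeployment bool = true
+param roleAssignments array = []
 
-@description('The location of the key vault')
-param location string
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Key Vault Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '00482a5a-887f-4fb3-b363-3b7fe8e74483'
+  )
+  'Key Vault Certificates Officer': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'a4417e6f-fecd-4de8-b567-7b0420556985'
+  )
+  'Key Vault Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f25e0fa2-a7c8-4377-a976-54943a77a395'
+  )
+  'Key Vault Crypto Officer': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
+  )
+  'Key Vault Crypto Service Encryption User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'e147488a-f6f5-4113-8e2d-b22465e65bf6'
+  )
+  'Key Vault Crypto User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '12338af0-0e69-4776-bea7-57ae8d297424'
+  )
+  'Key Vault Reader': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '21090545-7ca7-4776-b22c-e363652d74d2'
+  )
+  'Key Vault Secrets Officer': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
+  )
+  'Key Vault Secrets User': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '4633458b-17de-408a-b874-0445c86b69e6'
+  )
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Role Based Access Control Administrator (Preview)': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+  )
+  'User Access Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+  )
+}
 
-resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
-  name: name
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+  name: keyVaultName
   location: location
   properties: {
+    enabledForDeployment: enableVaultForDeployment
+    enableRbacAuthorization: true
+    enableSoftDelete: true
+    enabledForTemplateDeployment: true
     sku: {
       family: 'A'
       name: 'standard'
     }
     tenantId: subscription().tenantId
-    enabledForDeployment: true
-    enabledForTemplateDeployment: true
-    enableRbacAuthorization: true
+    accessPolicies: []
   }
 }
 
+resource keyVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for (roleAssignment, index) in (roleAssignments ?? []): {
+    name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
+    properties: {
+      roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? roleAssignment.roleDefinitionIdOrName
+      principalId: roleAssignment.principalId
+      description: roleAssignment.?description
+      principalType: roleAssignment.?principalType
+      condition: roleAssignment.?condition
+      conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null
+      delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+    }
+    scope: keyVault
+  }
+]
+
 output keyVaultName string = keyVault.name
-output keyVaultUri string = keyVault.properties.vaultUri
+output keyVaultResourceId string = keyVault.id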
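Review bot: The vault turns on `enableSoftDelete: true` but not purge protection, so any principal holding a management-plane role such as Key Vault Contributor or Owner — both of which this module's `builtInRoleNames` map makes assignable at vault scope — can purge a soft-deleted vault or secret immediately, which removes the recovery window soft delete is meant to provide; add `enablePurgeProtection: true` next to it (note this is irreversible once set). The resource API version also moves backwards from `2023-07-01` to `2022-07-01` for no stated reason, and the older version should not be needed for any property used here. The `roleAssignments` parameter lost its `@description`; I would document that `roleDefinitionIdOrName` accepts either a key of `builtInRoleNames` or a full role definition resource ID, and that names like Owner and User Access Administrator are resolved too, so callers understand the blast radius of an entry. The assignment name is seeded from the raw `roleDefinitionIdOrName` string, so the same role passed once by name and once by ID would produce two differently named assignments for one principal, which Azure is likely to reject as a duplicate — worth a one-line comment above `name:` so callers pass roles consistently.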
