feat: added azure key vault

Author: RestartDK

.github/workflows/workflow.yaml

@@ -2,48 +2,49 @@ name: Deploy Infrastructure and Application
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   workflow_dispatch:
 
 env:
   IMAGE_NAME: demo-image
-  RESOURCE_GROUP: BCSAI2024-DEVOPS-STUDENTS-B-DEV 
+  RESOURCE_GROUP: BCSAI2024-DEVOPS-STUDENTS-B-DEV
+  ACR_NAME: demo-acr
 
 jobs:
   deploy-infrastructure:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      
+
       - name: Azure Login
         uses: azure/login@v1
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
-          
+
       - name: Deploy Bicep
         uses: azure/arm-deploy@v1
+        id: bicep
         with:
           subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
           resourceGroupName: ${{ env.RESOURCE_GROUP }}
           template: ./main.bicep
           parameters: ./main.parameters.json
-        id: bicep
 
   build-and-push:
     needs: deploy-infrastructure
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      
+
       - name: Azure Login
         uses: azure/login@v1
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
-      
+
       - name: ACR Login
         run: |
           az acr login --name ${{ secrets.ACR_NAME }}
-      
+
       - name: Build and Push
         run: |
           docker build -t ${{ secrets.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ github.sha }} ./backend
@@ -57,9 +58,10 @@ jobs:
         uses: azure/login@v1
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
-          
+
       - name: Deploy to Azure Web App
         uses: azure/webapps-deploy@v2
         with:
           app-name: ${{ secrets.WEBAPP_NAME }}
-          images: ${{ secrets.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          images: ${{ secrets.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ github.sha }}
+

main.bicep

@@ -19,6 +19,42 @@ param containerRegistryImageName string
 @description('The version/tag of the container image')
 param containerRegistryImageVersion string
 
+// Add these parameters
+@description('The key vault name')
+param keyVaultName string
+
+// Add Key Vault module
+module keyVault 'modules/key-vault.bicep' = {
+  name: 'keyVaultDeployment'
+  params: {
+    name: keyVaultName
+    location: location
+  }
+}
+
+// Reference the deployed Key Vault
+resource keyVaultReference 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+  scope: resourceGroup()
+}
+
+// Add Key Vault secrets for ACR credentials
+resource acrPasswordSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
+  parent: keyVaultReference
+  name: 'acrPassword'
+  properties: {
+    value: acr.outputs.adminPassword
+  }
+}
+
+resource acrUsernameSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
+  parent: keyVaultReference
+  name: 'acrUsername'
+  properties: {
+    value: acr.outputs.adminUsername
+  }
+}
+
 // ACR deployment
 module acr 'modules/acr.bicep' = {
   name: 'acrDeployment'
@@ -59,11 +95,12 @@ module webApp 'modules/web-app.bicep' = {
       linuxFxVersion: 'DOCKER|${acr.outputs.loginServer}/${containerRegistryImageName}:${containerRegistryImageVersion}'
       appCommandLine: ''
     }
+    // In the web app module parameters
     appSettingsKeyValuePairs: {
       WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false'
       DOCKER_REGISTRY_SERVER_URL: 'https://${acr.outputs.loginServer}'
-      DOCKER_REGISTRY_SERVER_USERNAME: acr.outputs.adminUsername
-      DOCKER_REGISTRY_SERVER_PASSWORD: acr.outputs.adminPassword
+      DOCKER_REGISTRY_SERVER_USERNAME: '@Microsoft.KeyVault(SecretUri=${keyVault.outputs.keyVaultUri}secrets/acrUsername)'
+      DOCKER_REGISTRY_SERVER_PASSWORD: '@Microsoft.KeyVault(SecretUri=${keyVault.outputs.keyVaultUri}secrets/acrPassword)'
     }
   }
   dependsOn: [

main.parameters.json

@@ -1,24 +1,28 @@
 {
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "location": {
-            "value": "westeurope"
-        },
-        "acrName": {
-            "value": "demo-acr"
-        },
-        "appServicePlanName": {
-            "value": "demo-service-plan"
-        },
-        "webAppName": {
-            "value": "demo-web-app"
-        },
-        "containerRegistryImageName": {
-            "value": "demo-image"
-        },
-        "containerRegistryImageVersion": {
-            "value": "latest"
-        }
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "location": {
+      "value": "westeurope"
+    },
+    "acrName": {
+      "value": "demo-acr"
+    },
+    "appServicePlanName": {
+      "value": "demo-service-plan"
+    },
+    "webAppName": {
+      "value": "demo-web-app"
+    },
+    "containerRegistryImageName": {
+      "value": "demo-image"
+    },
+    "containerRegistryImageVersion": {
+      "value": "latest"
+    },
+    "keyVaultName": {
+      "value": "demo-kv"
     }
-}
+  }
+}
+

modules/acr.bicep

@@ -21,5 +21,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
 
 // Outputs needed by the web app
 output loginServer string = acr.properties.loginServer
+#disable-next-line outputs-should-not-contain-secrets
 output adminUsername string = acrAdminUserEnabled ? acr.listCredentials().username : ''
+#disable-next-line outputs-should-not-contain-secrets
 output adminPassword string = acrAdminUserEnabled ? acr.listCredentials().passwords[0].value : ''

modules/key-vault.bicep

@@ -0,0 +1,24 @@
+@description('The name of the key vault')
+param name string
+
+@description('The location of the key vault')
+param location string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
+  name: name
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    tenantId: subscription().tenantId
+    accessPolicies: []
+    enabledForDeployment: true
+    enabledForTemplateDeployment: true
+    enableRbacAuthorization: true
+  }
+}
+
+output keyVaultName string = keyVault.name
+output keyVaultUri string = keyVault.properties.vaultUri