forked from Azure/azure-sdk-for-net
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathazuredeploy.bicep
118 lines (105 loc) · 3.1 KB
/
azuredeploy.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
@description('The base name for resources')
param name string = uniqueString(resourceGroup().id)
@description('The location for resources')
param location string = resourceGroup().location
@description('A secret to use in the web application')
@secure()
param secret string = newGuid()
@description('The web site hosting plan')
param sku string = 'F1'
@description('The App Configuration SKU. Only "standard" supports customer-managed keys from Key Vault')
@allowed([
'free'
'standard'
])
param configSku string = 'standard'
resource config 'Microsoft.AppConfiguration/configurationStores@2020-06-01' = {
name: '${name}config'
location: location
sku: {
name: configSku
}
resource configValue 'keyValues@2020-07-01-preview' = {
// Store non-secrets in App Configuration e.g., client IDs, endpoints without secure tokens, etc.
name: 'APPCONFIG_VALUE'
properties: {
contentType: 'text/plain'
value: 'not a secret'
}
}
resource configSecret 'keyValues@2020-07-01-preview' = {
// Store secrets in Key Vault with a reference to them in App Configuration e.g., client secrets, connection strings, etc.
name: 'KEYVAULT_SECRET'
properties: {
// Most often you will want to reference a secret without the version so the current value is always retrieved.
contentType: 'application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8'
value: '{"uri":"${kvSecret.properties.secretUri}"}'
}
}
}
resource kv 'Microsoft.KeyVault/vaults@2019-09-01' = {
// Make sure the Key Vault name begins with a letter.
name: 'kv${name}'
location: location
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: subscription().tenantId
accessPolicies: [
{
tenantId: subscription().tenantId
objectId: web.identity.principalId
permissions: {
// Secrets are referenced by and enumerated in App Configuration so 'list' is not necessary.
secrets: [
'get'
]
}
}
]
}
}
// Separate resource from parent to reference in configSecret resource.
resource kvSecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {
name: '${kv.name}/${name}secret'
properties: {
contentType: 'text/plain'
value: secret
}
}
resource plan 'Microsoft.Web/serverfarms@2020-12-01' = {
name: '${name}plan'
location: location
sku: {
name: sku
}
kind: 'linux'
properties: {
reserved: true
}
}
resource web 'Microsoft.Web/sites@2020-12-01' = {
name: '${name}web'
location: location
identity: {
type: 'SystemAssigned'
}
properties: {
httpsOnly: true
serverFarmId: plan.id
siteConfig: {
linuxFxVersion: 'DOTNETCORE|3.1'
connectionStrings: [
{
name: 'AppConfig'
connectionString: listKeys(config.id, config.apiVersion).value[0].connectionString
}
]
}
}
}
output appConfigConnectionString string = listKeys(config.id, config.apiVersion).value[0].connectionString
output siteUrl string = 'https://${web.properties.defaultHostName}/'
output vaultUrl string = kv.properties.vaultUri