keyvault and managed identity

Author: brittneek

infra/main.bicep

@@ -85,7 +85,7 @@ var container_app_deployment container_app_deployment_info_type = {
 var abbrs = loadJsonContent('./abbreviations.json')
 
 // ========== Managed Identity ========== //
-module avmManagedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
+module avmManagedIdentity './modules/managed-identity.bicep' = {
   name: format(deployment_param.resource_name_format_string, abbrs.security.managedIdentity)
   params: {
     name: '${abbrs.security.managedIdentity}${deployment_param.solution_prefix}'
@@ -120,23 +120,36 @@ module bicepOwnerRoleAssignment 'modules/role_assignment.bicep' = {
 // }
 
 // ========== Key Vault Module ========== //
-module avmKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
-  name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
+module avmKeyVault './modules/key-vault.bicep' = {
+  //name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
   params: {
-    name: '${abbrs.security.keyVault}${deployment_param.solution_prefix}'
-    location: deployment_param.resource_group_location
-    tags: {
-      app: deployment_param.solution_prefix
+    name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
+    keyVaultParams:  {
+      name: '${abbrs.security.keyVault}${deployment_param.solution_prefix}'
       location: deployment_param.resource_group_location
-    }
-    roleAssignments: [
-      {
-        principalId: avmManagedIdentity.outputs.principalId
-        roleDefinitionIdOrName: 'Key Vault Administrator'
+      tags: {
+        app: deployment_param.solution_prefix
+        location: deployment_param.resource_group_location
       }
-    ]
-    enablePurgeProtection: false
-    enableSoftDelete: true
+      roleAssignments: [
+        {
+          principalId: avmManagedIdentity.outputs.principalId
+          roleDefinitionIdOrName: 'Key Vault Administrator'
+        }
+      ]
+      enablePurgeProtection: false
+      enableSoftDelete: true
+      publicNetworkAccess: 'Enabled'
+      keyvaultsku: 'standard'
+      // Add missing AVM parameters for parity with classic resource
+      enableRbacAuthorization: true
+      createMode: 'default'
+      enableTelemetry: false
+      // networkAcls, privateEndpoints, diagnosticSettings, keys, secrets, lock can be added if needed
+      enableVaultForDiskEncryption: true
+      enableVaultForTemplateDeployment: true
+      softDeleteRetentionInDays: 7
+    }
   }
   scope: resourceGroup(resourceGroup().name)
 }

infra/modules/key-vault.bicep

@@ -0,0 +1,46 @@
+// ========== Key Vault Module ========== //
+// param name string
+// param location string
+// param tags object
+// param roleAssignments array = []
+// param enablePurgeProtection bool = false
+// param enableSoftDelete bool = true
+// param enableVaultForDiskEncryption  bool =   true
+// param enableVaultForTemplateDeployment bool = true
+// param publicNetworkAccess string = 'Enabled'
+// param vaultsku string = 'standard'
+// param softDeleteRetentionInDays int = 7
+// param enableRbacAuthorization bool = true
+// param createMode string = 'default'
+// param enableTelemetry bool = true
+
+import {
+  key_vault_param_type
+} from './types.bicep'
+
+param keyVaultParams key_vault_param_type
+param name string
+
+module avmKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
+  name: name
+  params: {
+    name: keyVaultParams.name
+    location: keyVaultParams.location
+    tags: keyVaultParams.tags
+    roleAssignments: keyVaultParams.roleAssignments
+    enablePurgeProtection: keyVaultParams.enablePurgeProtection
+    enableSoftDelete: keyVaultParams.enableSoftDelete
+    enableVaultForDiskEncryption : keyVaultParams.enableVaultForDiskEncryption
+    enableVaultForTemplateDeployment: keyVaultParams.enableVaultForTemplateDeployment
+    publicNetworkAccess: keyVaultParams.publicNetworkAccess
+    sku: keyVaultParams.keyvaultsku
+    softDeleteRetentionInDays: keyVaultParams.softDeleteRetentionInDays
+    enableRbacAuthorization: keyVaultParams.enableRbacAuthorization
+    createMode: keyVaultParams.createMode
+    enableTelemetry: keyVaultParams.enableTelemetry
+
+  }
+}
+
+output resourceId string = avmKeyVault.outputs.resourceId
+output vaultUri string = avmKeyVault.outputs.uri

infra/modules/managed-identity.bicep

@@ -0,0 +1,16 @@
+// ========== Managed Identity ========== //
+param name string
+param location string
+param tags object
+
+module avmManagedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
+  name: name
+  params: {
+    name: name
+    location: location
+    tags: tags
+  }
+}
+
+output resourceId string = avmManagedIdentity.outputs.resourceId
+output principalId string = avmManagedIdentity.outputs.principalId

infra/modules/types.bicep

@@ -64,3 +64,39 @@ type container_app_deployment_info_type = {
 
 @export()
 func make_solution_prefix(unique_id string) string => 'cps-${padLeft(take(unique_id, 12), 12, '0')}'
+
+type keyvault_sku_type = 'standard' | 'premium' 
+
+type keyvault_public_network_access_type = 'Disabled' | 'Enabled' 
+
+@export() 
+type key_vault_param_type = {
+  @description('Name of the Key Vault')
+  name: string
+  @description('Location of the Key Vault')
+  location: string
+  @description('Tags for the Key Vault')
+  tags: object
+  @description('Role assignments for the Key Vault')
+  roleAssignments: array
+  @description('Enable purge protection for the Key Vault')
+  enablePurgeProtection: bool
+  @description('Enable soft delete for the Key Vault')
+  enableSoftDelete: bool
+  @description('Enable vault for disk encryption')
+  enableVaultForDiskEncryption: bool
+  @description('Enable vault for template deployment')
+  enableVaultForTemplateDeployment: bool
+  @description('Public network access setting for the Key Vault')
+  publicNetworkAccess: keyvault_public_network_access_type
+  @description('SKU of the Key Vault')
+  keyvaultsku: keyvault_sku_type
+  @description('Soft delete retention period in days')
+  softDeleteRetentionInDays: int
+  @description('Enable RBAC authorization for the Key Vault')
+  enableRbacAuthorization: bool
+  @description('Create mode for the Key Vault')
+  createMode: string
+  @description('Enable telemetry for the Key Vault')
+  enableTelemetry: bool
+}