From 53f02d343ba0d9b85f6e72229565374555fbb425 Mon Sep 17 00:00:00 2001
From: bkeller108 <149533143+brittneek@users.noreply.github.com>
Date: Wed, 28 May 2025 16:26:54 -0500
Subject: [PATCH 1/2] keyvault and managed identity
---
 infra/main.bicep | 43 +++++++++++++++++---------
 infra/modules/key-vault.bicep | 46 ++++++++++++++++++++++++++++
 infra/modules/managed-identity.bicep | 16 ++++++++++
 infra/modules/types.bicep | 36 ++++++++++++++++++++++
 4 files changed, 126 insertions(+), 15 deletions(-)
 create mode 100644 infra/modules/key-vault.bicep
 create mode 100644 infra/modules/managed-identity.bicep
diff --git a/infra/main.bicep b/infra/main.bicep
index fdb02604..8724069c 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -85,7 +85,7 @@ var container_app_deployment container_app_deployment_info_type = {
 var abbrs = loadJsonContent('./abbreviations.json')

 // ========== Managed Identity ========== //
-module avmManagedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
+module avmManagedIdentity './modules/managed-identity.bicep' = {
 name: format(deployment_param.resource_name_format_string, abbrs.security.managedIdentity)
 params: {
 name: '${abbrs.security.managedIdentity}${deployment_param.solution_prefix}'
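Review bot: Any reference elsewhere in main.bicep to an `avmManagedIdentity` output other than `resourceId` or `principalId` (for example `avmManagedIdentity.outputs.clientId`, which the AVM user-assigned-identity module exposes) stops compiling after this line, because the new `./modules/managed-identity.bicep` wrapper declares only those two outputs. I cannot see the rest of main.bicep from this hunk, so this is worth a grep before merge, or the wrapper should forward `clientId` as well. The `avmManagedIdentity` module body continues past the end of the hunk.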
@@ -120,23 +120,36 @@ module bicepOwnerRoleAssignment 'modules/role_assignment.bicep' = {
 // }

 // ========== Key Vault Module ========== //
-module avmKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
- name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
+module avmKeyVault './modules/key-vault.bicep' = {
+ //name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
 params: {
- name: '${abbrs.security.keyVault}${deployment_param.solution_prefix}'
- location: deployment_param.resource_group_location
- tags: {
- app: deployment_param.solution_prefix
+ name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
+ keyVaultParams: {
+ name: '${abbrs.security.keyVault}${deployment_param.solution_prefix}'
 location: deployment_param.resource_group_location
- }
- roleAssignments: [
- {
- principalId: avmManagedIdentity.outputs.principalId
- roleDefinitionIdOrName: 'Key Vault Administrator'
+ tags: {
+ app: deployment_param.solution_prefix
+ location: deployment_param.resource_group_location
 }
- ]
- enablePurgeProtection: false
- enableSoftDelete: true
+ roleAssignments: [
+ {
+ principalId: avmManagedIdentity.outputs.principalId
+ roleDefinitionIdOrName: 'Key Vault Administrator'
+ }
+ ]
+ enablePurgeProtection: false
+ enableSoftDelete: true
+ publicNetworkAccess: 'Enabled'
+ keyvaultsku: 'standard'
+ // Add missing AVM parameters for parity with classic resource
+ enableRbacAuthorization: true
+ createMode: 'default'
+ enableTelemetry: false
+ // networkAcls, privateEndpoints, diagnosticSettings, keys, secrets, lock can be added if needed
+ enableVaultForDiskEncryption: true
+ enableVaultForTemplateDeployment: true
+ softDeleteRetentionInDays: 7
+ }
 }
 scope: resourceGroup(resourceGroup().name)
 }
diff --git a/infra/modules/key-vault.bicep b/infra/modules/key-vault.bicep
new file mode 100644
index 00000000..16860ba1
--- /dev/null
+++ b/infra/modules/key-vault.bicep
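Review bot: `publicNetworkAccess: 'Enabled'` together with the newly added `enableVaultForTemplateDeployment: true` and `enableVaultForDiskEncryption: true` opens three access paths into the vault that nothing in this hunk uses, and the only justification given is the "parity with classic resource" comment; each should either be needed by a visible consumer or set to the restrictive value (`publicNetworkAccess: 'Disabled'` once private connectivity exists, and the two `enableVaultFor*` flags false until a deployment or disk encryption set actually reads from this vault). `roleDefinitionIdOrName: 'Key Vault Administrator'` gives the workload identity full data-plane control of the vault; if the application only reads secrets, `'Key Vault Secrets User'` is the least-privilege assignment. With `enablePurgeProtection: false` and `softDeleteRetentionInDays: 7` a deleted vault and its secrets are unrecoverable after one week, which is the minimum Azure allows; a longer retention costs nothing and purge protection is the usual expectation for a vault that backs disk encryption.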
@@ -0,0 +1,46 @@
+// ========== Key Vault Module ========== //
+// param name string
+// param location string
+// param tags object
+// param roleAssignments array = []
+// param enablePurgeProtection bool = false
+// param enableSoftDelete bool = true
+// param enableVaultForDiskEncryption bool = true
+// param enableVaultForTemplateDeployment bool = true
+// param publicNetworkAccess string = 'Enabled'
+// param vaultsku string = 'standard'
+// param softDeleteRetentionInDays int = 7
+// param enableRbacAuthorization bool = true
+// param createMode string = 'default'
+// param enableTelemetry bool = true
+
+import {
+ key_vault_param_type
+} from './types.bicep'
+
+param keyVaultParams key_vault_param_type
+param name string
+
+module avmKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
+ name: name
+ params: {
+ name: keyVaultParams.name
+ location: keyVaultParams.location
+ tags: keyVaultParams.tags
+ roleAssignments: keyVaultParams.roleAssignments
+ enablePurgeProtection: keyVaultParams.enablePurgeProtection
+ enableSoftDelete: keyVaultParams.enableSoftDelete
+ enableVaultForDiskEncryption : keyVaultParams.enableVaultForDiskEncryption
+ enableVaultForTemplateDeployment: keyVaultParams.enableVaultForTemplateDeployment
+ publicNetworkAccess: keyVaultParams.publicNetworkAccess
+ sku: keyVaultParams.keyvaultsku
+ softDeleteRetentionInDays: keyVaultParams.softDeleteRetentionInDays
+ enableRbacAuthorization: keyVaultParams.enableRbacAuthorization
+ createMode: keyVaultParams.createMode
+ enableTelemetry: keyVaultParams.enableTelemetry
+
+ }
+}
+
+output resourceId string = avmKeyVault.outputs.resourceId
+output vaultUri string = avmKeyVault.outputs.uri
diff --git a/infra/modules/managed-identity.bicep b/infra/modules/managed-identity.bicep
new file mode 100644
index 00000000..6d4cc7d1
--- /dev/null
+++ b/infra/modules/managed-identity.bicep
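Review bot: The fourteen `// param ...` comment lines at the top of the new file are dead text that already disagrees with the real contract: they list `vaultsku` where the type property is `keyvaultsku`, `enableTelemetry bool = true` where main.bicep passes false, and defaults that cannot apply because every property of `key_vault_param_type` is required. Either delete the block or replace it with documentation the compiler sees, for example `@description('Deployment name for the nested AVM Key Vault module')` on `param name string` and `@description('Key Vault settings; see key_vault_param_type in types.bicep')` on `keyVaultParams`. The `name` parameter names only the nested deployment, not the vault, so a description is the one place a caller learns that distinction.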
@@ -0,0 +1,16 @@
+// ========== Managed Identity ========== //
+param name string
+param location string
+param tags object
+
+module avmManagedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
+ name: name
+ params: {
+ name: name
+ location: location
+ tags: tags
+ }
+}
+
+output resourceId string = avmManagedIdentity.outputs.resourceId
+output principalId string = avmManagedIdentity.outputs.principalId
diff --git a/infra/modules/types.bicep b/infra/modules/types.bicep
index 4c961812..3a36bf62 100644
--- a/infra/modules/types.bicep
+++ b/infra/modules/types.bicep
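Review bot: `name` is used both as the nested AVM deployment name (`name: name` on the module) and as the identity's resource name (`params: { name: name }`), which ties two unrelated things together and is inconsistent with the sibling key-vault.bicep, where the deployment name and the resource name are separate inputs. The effect is that the nested deployment this wrapper creates is named after the identity rather than after main.bicep's `resource_name_format_string` convention; a separate `param deploymentName string` (or a typed params object like `keyVaultParams`) would keep the two apart. The wrapper also drops the AVM module's `clientId` output, which a consumer may need to configure a workload's identity; adding `output clientId string = avmManagedIdentity.outputs.clientId` keeps parity with the module being replaced.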
@@ -64,3 +64,39 @@ type container_app_deployment_info_type = {
 @export() func make_solution_prefix(unique_id string) string => 'cps-${padLeft(take(unique_id, 12), 12, '0')}'
+
+type keyvault_sku_type = 'standard' | 'premium'
+
+type keyvault_public_network_access_type = 'Disabled' | 'Enabled'
+
+@export()
+type key_vault_param_type = {
+ @description('Name of the Key Vault')
+ name: string
+ @description('Location of the Key Vault')
+ location: string
+ @description('Tags for the Key Vault')
+ tags: object
+ @description('Role assignments for the Key Vault')
+ roleAssignments: array
+ @description('Enable purge protection for the Key Vault')
+ enablePurgeProtection: bool
+ @description('Enable soft delete for the Key Vault')
+ enableSoftDelete: bool
+ @description('Enable vault for disk encryption')
+ enableVaultForDiskEncryption: bool
+ @description('Enable vault for template deployment')
+ enableVaultForTemplateDeployment: bool
+ @description('Public network access setting for the Key Vault')
+ publicNetworkAccess: keyvault_public_network_access_type
+ @description('SKU of the Key Vault')
+ keyvaultsku: keyvault_sku_type
+ @description('Soft delete retention period in days')
+ softDeleteRetentionInDays: int
+ @description('Enable RBAC authorization for the Key Vault')
+ enableRbacAuthorization: bool
+ @description('Create mode for the Key Vault')
+ createMode: string
+ @description('Enable telemetry for the Key Vault')
+ enableTelemetry: bool
+}
From 092b30a893df396ada3ef4d68a978b9b9185e4c9 Mon Sep 17 00:00:00 2001
From: DB Lee
Date: Wed, 28 May 2025 15:50:24 -0700
Subject: [PATCH 2/2] add name to module as a meta data
---
 infra/main.bicep | 4 ++--
 infra/modules/key-vault.bicep | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/infra/main.bicep b/infra/main.bicep
index 8724069c..c89c140a 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
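Review bot: `softDeleteRetentionInDays: int` accepts any integer although Key Vault only allows 7 through 90, and `createMode: string` accepts any string although only `'default'` and `'recover'` are valid, so bad values surface at deployment time instead of at compile time; the literal-union pattern already used for `keyvault_sku_type` fits both. Proposed: `@minValue(7)` and `@maxValue(90)` decorators above `softDeleteRetentionInDays: int`, and `createMode: 'default' | 'recover'` (or a named `keyvault_create_mode_type` next to the other two unions). Every property is also required, so the defaults listed in the comment block of key-vault.bicep can never take effect; if they are intended, mark those properties optional with `?` and let the module supply the fallback. `roleAssignments: array` and `tags: object` are untyped, which loses the shape check that the rest of this type provides.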
@@ -121,10 +121,10 @@ module bicepOwnerRoleAssignment 'modules/role_assignment.bicep' = {

 // ========== Key Vault Module ========== //
 module avmKeyVault './modules/key-vault.bicep' = {
- //name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
+ name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
 params: {
 name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)
- keyVaultParams: {
+ keyVaultParams: {
 name: '${abbrs.security.keyVault}${deployment_param.solution_prefix}'
 location: deployment_param.resource_group_location
 tags: {
diff --git a/infra/modules/key-vault.bicep b/infra/modules/key-vault.bicep
index 16860ba1..e628e8b9 100644
--- a/infra/modules/key-vault.bicep
+++ b/infra/modules/key-vault.bicep
@@ -1,3 +1,4 @@
+metadata name = 'Key Vault Module'
 // ========== Key Vault Module ========== //
 // param name string
 // param location string
@@ -30,7 +31,7 @@ module avmKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
 roleAssignments: keyVaultParams.roleAssignments
 enablePurgeProtection: keyVaultParams.enablePurgeProtection
 enableSoftDelete: keyVaultParams.enableSoftDelete
- enableVaultForDiskEncryption : keyVaultParams.enableVaultForDiskEncryption
+ enableVaultForDiskEncryption: keyVaultParams.enableVaultForDiskEncryption
 enableVaultForTemplateDeployment: keyVaultParams.enableVaultForTemplateDeployment
 publicNetworkAccess: keyVaultParams.publicNetworkAccess
 sku: keyVaultParams.keyvaultsku
@@ -38,7 +39,6 @@ module avmKeyVault 'br/public:avm/res/key-vault/vault:0.12.1' = {
 enableRbacAuthorization: keyVaultParams.enableRbacAuthorization
 createMode: keyVaultParams.createMode
 enableTelemetry: keyVaultParams.enableTelemetry
-
 }
 }
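Review bot: Once `name: format(deployment_param.resource_name_format_string, abbrs.security.keyVault)` is restored on the module, the identical expression is still passed as `params.name` on the next context line, and key-vault.bicep uses that parameter as the name of its nested AVM deployment, so the outer module deployment and the nested deployment it contains would carry the same Microsoft.Resources/deployments name in the same resource group. Deployment names have to be unique within a scope while active, so I would expect this to fail or at least to be fragile; deriving the inner name in key-vault.bicep (for example `name: '${name}-avm'`) or passing a distinct value for `params.name` avoids the overlap. The managed-identity wrapper does not have this problem because its inner deployment is named after the identity resource rather than after the outer deployment. The `avmKeyVault` module body continues past the hunk.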