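// ---------------------------------------------------------------------------
// Inputs
// ---------------------------------------------------------------------------

// Key Vault names are globally unique DNS labels of 3-24 characters; the length
// decorators fail validation up front instead of at deployment time.
@description('KeyVault Name (globally unique, 3-24 characters, alphanumerics and hyphens)')
@minLength(3)
@maxLength(24)
param keyVaultName string

@description('Deployment Location')
param location string = resourceGroup().location

@description('Managed Identity ClientId (an identifier, not a credential; written to the vault as IDENTITY-ID)')
param identityClientId string

@description('AzureAD TenantId')
param tenantId string = subscription().tenantId

@description('IPAM-UI App Registration Client/App ID')
param uiAppId string

@description('IPAM-Engine App Registration Client/App ID')
param engineAppId string

// The only genuinely sensitive input in this module. @secure() keeps it out of
// deployment history, logs and portal views; parameter files and pipeline
// variables that carry it need the same care.
@secure()
@description('IPAM-Engine App Registration Client Secret')
param engineAppSecret string

@description('Log Analytics Workspace resource ID (sink for the vault diagnostic logs)')
param workspaceId string

@description('Array of role assignments to create.')
param roleAssignments roleAssignmentType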
// The vault. Data-plane access is governed by Azure RBAC (not access policies),
// so this module grants nothing by itself; see keyVaultRoleAssignments below.
resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: tenantId
    sku: { family: 'A', name: 'standard' }
    // Azure RBAC on the data plane instead of vault access policies.
    enableRbacAuthorization: true
    // Irreversible once set: a deleted vault/secret cannot be purged before the
    // soft-delete retention elapses, which also blocks reusing the vault name
    // during that window. enableSoftDelete is not set here, so the service
    // default for this API version applies (documented as enabled) — verify if
    // a different retention is required.
    enablePurgeProtection: true
    // Allows ARM/Bicep deployments to read secrets from this vault (e.g. via
    // getSecret()). Anyone permitted to run a deployment against the resource
    // group can therefore read them; scope deployment permissions accordingly.
    enabledForTemplateDeployment: true
    // NOTE(review): defaultAction 'Allow' leaves the data plane reachable from
    // any network; only Entra ID authentication + RBAC gate access. Hardening is
    // defaultAction 'Deny' plus ipRules/virtualNetworkRules or a private endpoint
    // for the IPAM engine/UI, none of which this module provisions — flipping the
    // switch here alone would break those callers, so the value is left as-is.
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: 'Allow'
    }
  }
}
// Client ID of the managed identity. An identifier, not a credential — kept in
// the vault presumably so the apps read all their settings from one place.
resource identityId 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  name: 'IDENTITY-ID'
  parent: keyVault
  properties: {
    value: identityClientId
  }
}
// Client (application) ID of the IPAM-UI app registration. Identifier only;
// disclosing it does not grant anything.
resource uiId 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  name: 'UI-ID'
  parent: keyVault
  properties: {
    value: uiAppId
  }
}
// Client (application) ID of the IPAM-Engine app registration. Identifier only;
// the credential that pairs with it is ENGINE-SECRET.
resource engineId 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  name: 'ENGINE-ID'
  parent: keyVault
  properties: {
    value: engineAppId
  }
}
// The one genuinely sensitive value in this vault: the IPAM-Engine app
// registration client secret, written from the @secure() parameter. Rotation is
// "redeploy with a new value" (a changed value creates a new secret version).
// No expiry (attributes.exp) is set, so an unrotated secret will not surface in
// Key Vault's expiry alerts — worth adding if secret hygiene is monitored.
resource engineSecret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  name: 'ENGINE-SECRET'
  parent: keyVault
  properties: {
    value: engineAppSecret
  }
}
// Entra ID tenant the app registrations belong to (defaults to the deploying
// subscription's tenant). Identifier, not a secret.
resource appTenant 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  name: 'TENANT-ID'
  parent: keyVault
  properties: {
    value: tenantId
  }
}
// Stream every Key Vault log category (the 'allLogs' group includes AuditEvent)
// and all metrics to Log Analytics. The audit stream is what detection and
// incident response will rely on: which principal read or wrote which secret,
// from which address, and every authorization failure.
resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: keyVault
  name: 'diagSettings'
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        enabled: true
        categoryGroup: 'allLogs'
        // For a workspace destination retention is governed by the workspace's
        // table-level settings; this disabled policy is inert and kept as-is.
        retentionPolicy: { enabled: false, days: 0 }
      }
    ]
    metrics: [
      {
        enabled: true
        category: 'AllMetrics'
        retentionPolicy: { enabled: false, days: 0 }
      }
    ]
  }
}
// Data-plane RBAC on the vault. With enableRbacAuthorization on, these are the
// only grants this module makes that let a principal read the secrets above, so
// prefer the narrowest built-in role that fits (e.g. Key Vault Secrets User for
// readers). roleDefinitionId is resolved at subscription scope, so built-in and
// subscription-level custom roles both work. Set principalType
// ('ServicePrincipal' for managed identities and app registrations) when the
// principal is created in the same deployment; without it the assignment can
// fail on directory replication lag.
resource keyVaultRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
  for roleAssignment in (roleAssignments ?? []): {
    // Deterministic name keyed on (vault, principal, role) keeps redeploys idempotent.
    name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
    scope: keyVault
    properties: {
      principalId: roleAssignment.principalId
      roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionId)
      principalType: roleAssignment.?principalType
      description: roleAssignment.?description
    }
  }
]
// Non-sensitive outputs only: the vault name and its data-plane URI. Secret
// values are deliberately not output — outputs land in deployment history in
// clear text.
output keyVaultName string = keyVault.name
output keyVaultUri string = keyVault.properties.vaultUri
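// Shape of one entry of the roleAssignments parameter (the whole parameter is an
// optional array of these). principalId must be the principal's object ID — a
// client/application ID is a frequent mistake that fails at deployment time.
type roleAssignmentType = {
  @description('Required. The role definition GUID to assign (built-in, or a custom role defined at subscription scope).')
  roleDefinitionId: string
  @description('Required. The object ID (not the client/app ID) of the principal (user/group/identity) to assign the role to.')
  principalId: string
  @description('Optional. The principal type of the assigned principal ID. Recommended when the principal is created in the same deployment.')
  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
  @description('Optional. The description of the role assignment.')
  description: string?
}[]?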