diff --git a/deploy/main.bicep b/deploy/main.bicep
index fa29bb9..6b8458d 100644
--- a/deploy/main.bicep
+++ b/deploy/main.bicep
@@ -33,6 +33,9 @@ param engineAppId string
 @description('IPAM-Engine App Registration Client Secret')
 param engineAppSecret string
+@description('Array of additional role assignments to create on the Key Vault')
+param additionalKeyVaultRoleAssignments object[] = []
+
 @description('Tags')
 param tags object = {}
@@ -88,12 +91,20 @@ module keyVault './modules/keyVault.bicep' = {
 params: {
 location: location
 keyVaultName: resourceNames.keyVaultName
- identityPrincipalId: managedIdentity.outputs.principalId
 identityClientId: managedIdentity.outputs.clientId
 uiAppId: uiAppId
 engineAppId: engineAppId
 engineAppSecret: engineAppSecret
 workspaceId: logAnalyticsWorkspace.outputs.workspaceId
+ roleAssignments: union(
+ [{
+ roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
+ principalId: managedIdentity.outputs.principalId
+ principalType: 'ServicePrincipal'
+ description: 'Required: Managed Identity for IPAM'
+ }],
+ additionalKeyVaultRoleAssignments
+ )
 }
 }
diff --git a/deploy/main.parameters.example.bicepparam b/deploy/main.parameters.example.bicepparam
new file mode 100644
index 0000000..8dcd312
--- /dev/null
+++ b/deploy/main.parameters.example.bicepparam
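Review bot: `union()` in the `roleAssignments` argument only drops identical entries, so an element of `additionalKeyVaultRoleAssignments` that repeats the managed identity's Key Vault Secrets User assignment with a different `description` or without `principalType` survives as a second item, and keyVault.bicep then names both with the same `guid(keyVault.id, principalId, roleDefinitionId)`, which fails the deployment on a duplicate resource name. The parameter description in the first hunk should state what an entry grants and this constraint, e.g. `@description('Additional role assignments on the Key Vault. Each entry grants its principal the given role on the vault that stores engineAppSecret; do not repeat the managed identity / Key Vault Secrets User pair.')`. The parameter is also typed `object[]` while the module parameter it feeds is the structured `roleAssignmentType` in keyVault.bicep, so a malformed entry is not reported where it is declared; declaring the same shape here would catch it earlier.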
@@ -0,0 +1,30 @@
+using './main.bicep'
+
+param guid = sys.guid('')
+param location = 'eastus'
+param namePrefix = 'ipam'
+param azureCloud = 'AZURE_PUBLIC'
+param privateAcr = false
+param deployAsFunc = false
+param deployAsContainer = true
+param uiAppId = ''
+param engineAppId = ''
+param engineAppSecret = sys.readEnvironmentVariable('ENGINE_APP_SECRET') // recommended to change use az.getSecret() instead after the initial deployment
+// param engineAppSecret = az.getSecret('', '', '', '', '')
+param additionalKeyVaultRoleAssignments = []
+param tags = {}
+param resourceNames = {
+ functionName: '${namePrefix}-${uniqueString(guid)}'
+ appServiceName: '${namePrefix}-${uniqueString(guid)}'
+ functionPlanName: '${namePrefix}-asp-${uniqueString(guid)}'
+ appServicePlanName: '${namePrefix}-asp-${uniqueString(guid)}'
+ cosmosAccountName: '${namePrefix}-dbacct-${uniqueString(guid)}'
+ cosmosContainerName: '${namePrefix}-ctr'
+ cosmosDatabaseName: '${namePrefix}-db'
+ keyVaultName: '${namePrefix}-kv-${uniqueString(guid)}'
+ workspaceName: '${namePrefix}-law-${uniqueString(guid)}'
+ managedIdentityName: '${namePrefix}-mi-${uniqueString(guid)}'
+ resourceGroupName: '${namePrefix}-rg-${uniqueString(guid)}'
+ storageAccountName: '${namePrefix}stg${uniqueString(guid)}'
+ containerRegistryName: '${namePrefix}acr${uniqueString(guid)}'
+}
diff --git a/deploy/modules/keyVault.bicep b/deploy/modules/keyVault.bicep
index caba133..982fbae 100644
--- a/deploy/modules/keyVault.bicep
+++ b/deploy/modules/keyVault.bicep
@@ -4,9 +4,6 @@ param keyVaultName string
 @description('Deployment Location')
 param location string = resourceGroup().location
-@description('Managed Identity PrincipalId')
-param identityPrincipalId string
-
 @description('Managed Identity ClientId')
 param identityClientId string
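Review bot: `param guid = sys.guid('')` is a constant, because `guid()` is a deterministic hash of its arguments; every deployment built from this example therefore derives the same `uniqueString(guid)` suffix, and the globally unique names under `resourceNames` (`storageAccountName`, `keyVaultName`, `containerRegistryName`) collide between environments. Seed it per environment, e.g. `param guid = sys.guid(sys.readEnvironmentVariable('IPAM_ENV_NAME'))` (the variable name is illustrative), or say in a comment that the value must be replaced. Separately, `engineAppSecret` is read from an environment variable at build time and embedded in the compiled parameters, and unless the target parameter in main.bicep is declared `@secure()` (the decorator is not visible in this diff) that value is kept in plaintext in the deployment history; the trailing comment on that line should say so rather than only recommending `az.getSecret()`.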
@@ -26,9 +23,8 @@ param engineAppSecret string
 @description('Log Analytics Worskpace ID')
 param workspaceId string
-var keyVaultUser = '4633458b-17de-408a-b874-0445c86b69e6'
-var keyVaultUserId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultUser)
-var keyVaultUserRoleAssignmentId = guid(keyVaultUser, identityPrincipalId, keyVault.id)
+@description('Array of role assignments to create.')
+param roleAssignments roleAssignmentType
 resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
 name: keyVaultName
@@ -36,6 +32,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
 properties: {
 enablePurgeProtection: true
 enableRbacAuthorization: true
+ enabledForTemplateDeployment: true
 tenantId: tenantId
 sku: {
 name: 'standard'
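Review bot: `enabledForTemplateDeployment: true` is added to the vault properties without a comment, and it widens who can read secrets: any principal holding `Microsoft.KeyVault/vaults/deploy/action` on the vault (which the built-in Contributor role includes) can retrieve a secret by referencing it from a deployment's parameters, independently of the data-plane RBAC that the new `roleAssignments` parameter manages. It appears to exist for the `az.getSecret()` path suggested in the new .bicepparam example, so the reason and the consequence belong next to the flag, e.g. `enabledForTemplateDeployment: true // needed for az.getSecret() in .bicepparam; vaults/deploy/action (e.g. Contributor) then suffices to read secrets via deployments`. The `keyVault` resource body continues outside the hunk.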
@@ -116,15 +113,30 @@ resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-pr
 }
 }
-resource keyVaultUserAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
- name: keyVaultUserRoleAssignmentId
+resource keyVaultRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ for (roleAssignment, index) in (roleAssignments ?? []): {
+ name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
 scope: keyVault
 properties: {
- principalType: 'ServicePrincipal'
- roleDefinitionId: keyVaultUserId
- principalId: identityPrincipalId
+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionId)
+ principalId: roleAssignment.principalId
+ description: roleAssignment.?description
+ principalType: roleAssignment.?principalType
 }
-}
+}]
 output keyVaultName string = keyVault.name
 output keyVaultUri string = keyVault.properties.vaultUri
+
+type roleAssignmentType = {
+ @description('Required. The role definition GUID to assign.')
+ roleDefinitionId: string
+
+ @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+ principalId: string
+
+ @description('Optional. The principal type of the assigned principal ID.')
+ principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
+
+ @description('Optional. The description of the role assignment.')
+ description: string?
+}[]?
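Review bot: The assignment name changes from `guid(keyVaultUser, identityPrincipalId, keyVault.id)` to `guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)`, so on an existing environment an incremental deployment leaves the old Secrets User assignment in place and creates a second one for the same principal, role and scope under a different name, which Azure RBAC is expected to reject as RoleAssignmentExists. Keeping the previous argument order, `name: guid(roleAssignment.roleDefinitionId, roleAssignment.principalId, keyVault.id)`, keeps the managed identity's existing assignment stable; otherwise the upgrade note should say the old `keyVaultUserAssignment` must be removed first. The `roleAssignmentType` descriptions also omit what the loop does with the fields: `roleDefinitionId` is resolved with `subscriptionResourceId()` in the deployment subscription, and an omitted `principalType` for a freshly created identity can fail with PrincipalNotFound during replication, so e.g. `@description('Optional. Principal type; set ServicePrincipal for newly created identities to avoid PrincipalNotFound during replication.')`. The loop variable `index` is unused; `for roleAssignment in (roleAssignments ?? [])` suffices.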