
Commit eb1f78c

Moved CMK resources to HUB (#842)
1 parent 3b93e15 commit eb1f78c

3 files changed

+99
-49
lines changed

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
/*
2+
Copyright (c) Microsoft Corporation.
3+
Licensed under the MIT License.
4+
*/
5+
6+
param diskEncryptionSetName string
7+
param deploymentNameSuffix string
8+
param keyVaultName string
9+
param keyVaultPrivateDnsZoneResourceId string
10+
param location string
11+
param resourcePrefix string
12+
param subnetResourceId string
13+
param tags object
14+
param userAssignedIdentityName string
15+
16+
module keyVault '../modules/key-vault.bicep' = {
17+
name: 'deploy-key-vault-${deploymentNameSuffix}'
18+
params: {
19+
keyVaultName: keyVaultName
20+
keyVaultPrivateDnsZoneResourceId: keyVaultPrivateDnsZoneResourceId
21+
location: location
22+
resourcePrefix: resourcePrefix
23+
subnetResourceId: subnetResourceId
24+
tags: tags
25+
}
26+
}
27+
28+
module diskEncryptionSet '../modules/disk-encryption-set.bicep' = {
29+
name: 'deploy-disk-encryption-set_${deploymentNameSuffix}'
30+
params: {
31+
deploymentNameSuffix: deploymentNameSuffix
32+
diskEncryptionSetName: diskEncryptionSetName
33+
keyUrl: keyVault.outputs.keyUriWithVersion
34+
keyVaultResourceId: keyVault.outputs.keyVaultResourceId
35+
location: location
36+
tags: contains(tags, 'Microsoft.Compute/diskEncryptionSets') ? tags['Microsoft.Compute/diskEncryptionSets'] : {}
37+
}
38+
}
39+
40+
module userAssignedIdentity '../modules/user-assigned-identity.bicep' = {
41+
name: 'deploy-user-assigned-identity-${deploymentNameSuffix}'
42+
params: {
43+
location: location
44+
name: userAssignedIdentityName
45+
tags: tags
46+
}
47+
}
48+
49+
output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId
50+
output keyVaultUri string = keyVault.outputs.keyVaultUri
51+
output storageKeyName string = keyVault.outputs.storageKeyName
52+
output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId

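--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -564,6 +564,10 @@ var virtualNetworkNamingConvention = replace(namingConvention, resourceToken, 'v
 
 var hubName = 'hub'
 var hubShortName = 'hub'
+var hubDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, hubName)
+var hubKeyVaultName = take(hubKeyVaultUniqueName, 24)
+var hubKeyVaultShortName = replace(keyVaultNamingConvention, nameToken, hubShortName)
+var hubKeyVaultUniqueName = replace(hubKeyVaultShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId))
 var hubLogStorageAccountName = take(hubLogStorageAccountUniqueName, 24)
 var hubLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, hubShortName)
 var hubLogStorageAccountUniqueName = replace(hubLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, hubSubscriptionId))
@@ -572,6 +576,7 @@ var hubNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention,
 var hubResourceGroupName = replace(resourceGroupNamingConvention, nameToken, hubName)
 var hubRouteTableName = replace(routeTableNamingConvention, nameToken, hubName)
 var hubSubnetName = replace(subnetNamingConvention, nameToken, hubName)
+var hubUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, hubName)
 var hubVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, hubName)
 
 // IDENTITY NAMES
@@ -591,18 +596,14 @@ var identityVirtualNetworkName = replace(virtualNetworkNamingConvention, nameTok
 
 var operationsName = 'operations'
 var operationsShortName = 'ops'
-var operationsDiskEncryptionSetName = replace(diskEncryptionSetNamingConvention, nameToken, operationsName)
-var operationsKeyVaultName = take(operationsKeyVaultUniqueName, 24)
-var operationsKeyVaultShortName = replace(keyVaultNamingConvention, nameToken, operationsShortName)
-var operationsKeyVaultUniqueName = replace(operationsKeyVaultShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId))
 var operationsLogStorageAccountName = take(operationsLogStorageAccountUniqueName, 24)
 var operationsLogStorageAccountShortName = replace(storageAccountNamingConvention, nameToken, operationsShortName)
 var operationsLogStorageAccountUniqueName = replace(operationsLogStorageAccountShortName, 'unique_token', uniqueString(resourcePrefix, resourceSuffix, operationsSubscriptionId))
 var operationsNetworkSecurityGroupName = replace(networkSecurityGroupNamingConvention, nameToken, operationsName)
 var operationsResourceGroupName = replace(resourceGroupNamingConvention, nameToken, operationsName)
 var operationsRouteTableName = replace(routeTableNamingConvention, nameToken, operationsName)
 var operationsSubnetName = replace(subnetNamingConvention, nameToken, operationsName)
-var operationsUserAssignedIdentityName = replace(userAssignedIdentityNamingConvention, nameToken, operationsName)
+
 var operationsVirtualNetworkName = replace(virtualNetworkNamingConvention, nameToken, operationsName)
 
 // SHARED SERVICES NAMES
@@ -904,25 +905,22 @@ module privateDnsZones './modules/private-dns.bicep' = {
 ]
 }
 
-// OPERATIONS CMK DEPENDANCIES
+// CUSTOMER MANAGED KEYS
 
-module operationsCustomerManagedKeys './core/operations-customer-managed-keys.bicep' = {
-name: 'deploy-cmk-ops-${deploymentNameSuffix}'
-scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
+module customerManagedKeys './core/hub-customer-managed-keys.bicep' = {
+name: 'deploy-cmk-hub-${deploymentNameSuffix}'
+scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
 params: {
 deploymentNameSuffix: deploymentNameSuffix
-diskEncryptionSetName: operationsDiskEncryptionSetName
-keyVaultName: operationsKeyVaultName
+diskEncryptionSetName: hubDiskEncryptionSetName
+keyVaultName: hubKeyVaultName
 keyVaultPrivateDnsZoneResourceId: privateDnsZones.outputs.keyvaultDnsPrivateDnsZoneId
 location: location
 resourcePrefix: resourcePrefix
-subnetResourceId: spokeNetworks[0].outputs.subnetResourceId
+subnetResourceId: hubNetwork.outputs.subnetResourceId
 tags: calculatedTags
-userAssignedIdentityName: operationsUserAssignedIdentityName
+userAssignedIdentityName: hubUserAssignedIdentityName
 }
-dependsOn: [
-spokeNetworks
-]
 }
 
 // AZURE MONITOR
@@ -994,7 +992,7 @@ module remoteAccess './core/remote-access.bicep' = if (deployRemoteAccess) {
 windowsVmSku: windowsVmSku
 windowsVmStorageAccountType: windowsVmStorageAccountType
 windowsVmVersion: windowsVmVersion
-diskEncryptionSetResourceId: operationsCustomerManagedKeys.outputs.diskEncryptionSetResourceId
+diskEncryptionSetResourceId: customerManagedKeys.outputs.diskEncryptionSetResourceId
 hybridUseBenefit: hybridUseBenefit
 linuxDiskName: linuxDiskName
 windowsDiskName: windowsDiskName
@@ -1011,16 +1009,16 @@ module hubStorage './core/hub-storage.bicep' = {
 scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
 params: {
 blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId
-keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri
+keyVaultUri: customerManagedKeys.outputs.keyVaultUri
 location: location
 logStorageAccountName: hubLogStorageAccountName
 logStorageSkuName: logStorageSkuName
 resourcePrefix: resourcePrefix
-storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName
+storageEncryptionKeyName: customerManagedKeys.outputs.storageKeyName
 subnetResourceId: hubNetwork.outputs.subnetResourceId
 tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId
 tags: calculatedTags
-userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId
+userAssignedIdentityResourceId: customerManagedKeys.outputs.userAssignedIdentityResourceId
 }
 dependsOn: [
 remoteAccess
@@ -1034,16 +1032,16 @@ module spokeStorage './core/spoke-storage.bicep' = [for (spoke, i) in spokes: {
 scope: resourceGroup(spoke.subscriptionId, spoke.resourceGroupName)
 params: {
 blobsPrivateDnsZoneResourceId: privateDnsZones.outputs.blobPrivateDnsZoneId
-keyVaultUri: operationsCustomerManagedKeys.outputs.keyVaultUri
+keyVaultUri: customerManagedKeys.outputs.keyVaultUri
 location: location
 logStorageAccountName: spoke.logStorageAccountName
 logStorageSkuName: logStorageSkuName
 resourcePrefix: resourcePrefix
-storageEncryptionKeyName: operationsCustomerManagedKeys.outputs.storageKeyName
+storageEncryptionKeyName: customerManagedKeys.outputs.storageKeyName
 subnetResourceId: spokeNetworks[i].outputs.subnetResourceId
 tablesPrivateDnsZoneResourceId: privateDnsZones.outputs.tablePrivateDnsZoneId
 tags: tags
-userAssignedIdentityResourceId: operationsCustomerManagedKeys.outputs.userAssignedIdentityResourceId
+userAssignedIdentityResourceId: customerManagedKeys.outputs.userAssignedIdentityResourceId
 }
 dependsOn: [
 remoteAccess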
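Review bot: The new `// CUSTOMER MANAGED KEYS` comment in the fourth hunk does not record that this single hub-scoped key vault, disk encryption set and user-assigned identity are now consumed across subscriptions — by hubStorage, by every spokeStorage entry (keyVaultUri, storageEncryptionKeyName and userAssignedIdentityResourceId in the last two hunks, scoped to spoke.subscriptionId) and by remoteAccess's diskEncryptionSetResourceId — so losing access to, or purging, this one vault breaks encryption for all of them; I would extend it to `// CUSTOMER MANAGED KEYS — single hub key vault, DES and identity shared by hub and all spoke storage accounts and the remote-access disks; confirm the key-vault module keeps soft-delete and purge protection enabled`. Whether the key-vault module enables purge protection is not visible in this commit. The carried-over `var hubKeyVaultName = take(hubKeyVaultUniqueName, 24)` in the first hunk can truncate the uniqueString suffix if keyVaultNamingConvention leaves fewer than 13 characters for it and, depending on the convention, leave a trailing hyphen, which Key Vault naming rejects; a comment stating the length budget, or a guard, would make that explicit. In the third hunk the removed operationsUserAssignedIdentityName line is replaced by an empty added line (new line 606), leaving a stray blank line between operationsSubnetName and operationsVirtualNetworkName.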
