added CMS Identity to KV and CMS CA

Physer · Dec 13, 2024 · b2ef5e9 · b2ef5e9
1 parent 6fe7507
commit b2ef5e9
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 1 deletion.
diff --git a/infrastructure/cms.bicep b/infrastructure/cms.bicep
@@ -10,11 +10,31 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-07-01' = {
   location: deployment().location
 }
 
+module cmsIdentity 'modules/identity.bicep' = {
+  scope: resourceGroup
+  name: 'deployCmsIdentity'
+  params: {
+    identityName: 'id-cms'
+  }
+}
+
 module keyVault 'modules/keyVault.bicep' = {
   scope: resourceGroup
   name: 'deployCmsKeyVault'
   params: {
     keyVaultName: 'kv-cms'
+    accessPolicies: [
+      {
+        objectId: cmsIdentity.outputs.cmsIdentityPrincipalId
+        permissions: {
+          secrets: [
+            'list'
+            'get'
+          ]
+        }
+        tenantId: cmsIdentity.outputs.cmsIdentityTenantId
+      }
+    ]
   }
 }
 
@@ -38,6 +58,7 @@ module cmsContainerApp 'modules/containerApp.bicep' = {
     logAnalyicsWorkspaceName: logAnalyticsWorkspace.outputs.resourceName
     keyVaultName: keyVault.outputs.resourceName
     targetPort: 1337
+    cmsIdentityPrincipalId: cmsIdentity.outputs.cmsIdentityPrincipalId
     environmentVariables: [
       {
         name: 'DATABASE_CLIENT'

diff --git a/infrastructure/modules/containerApp.bicep b/infrastructure/modules/containerApp.bicep
@@ -14,6 +14,7 @@ param targetPort int = 80
 param environmentVariables array
 param secrets array
 param keyVaultName string
+param cmsIdentityPrincipalId string
 
 var location = resourceGroup().location
 
@@ -66,6 +67,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-08-02-preview' = {
         for secret in secrets: {
           name: secret.name
           keyVaultUrl: '${keyVault.properties.vaultUri}secrets/${replaceUnderscoresWithDashes(secret.name)}'
+          identity: cmsIdentityPrincipalId
         }
       ]
     }

diff --git a/infrastructure/modules/identity.bicep b/infrastructure/modules/identity.bicep
@@ -0,0 +1,11 @@
+import { appendHash } from '../utilities.bicep'
+
+param identityName string
+
+resource cmsIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
+  name: appendHash(identityName)
+  location: resourceGroup().location
+}
+
+output cmsIdentityPrincipalId string = cmsIdentity.properties.principalId
+output cmsIdentityTenantId string = cmsIdentity.properties.tenantId
diff --git a/infrastructure/modules/keyVault.bicep b/infrastructure/modules/keyVault.bicep
@@ -2,6 +2,7 @@ import { appendHash } from '../utilities.bicep'
 
 param keyVaultName string
 param sku string = 'standard'
+param accessPolicies array = []
 
 resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
   name: appendHash(keyVaultName)
@@ -12,7 +13,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
       family: 'A'
     }
     tenantId: subscription().tenantId
-    accessPolicies: []
+    accessPolicies: accessPolicies
   }
 }