From b2ef5e961fae128fdf900c90c206ddc44510afa8 Mon Sep 17 00:00:00 2001
From: Alex Schouls
Date: Fri, 13 Dec 2024 10:39:46 +0100
Subject: [PATCH] added CMS Identity to KV and CMS CA

---
 infrastructure/cms.bicep | 21 +++++++++++++++++++++
 infrastructure/modules/containerApp.bicep | 2 ++
 infrastructure/modules/identity.bicep | 11 +++++++++++
 infrastructure/modules/keyVault.bicep | 3 ++-
 4 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 infrastructure/modules/identity.bicep

diff --git a/infrastructure/cms.bicep b/infrastructure/cms.bicep
index e1486e0..947ae23 100644
--- a/infrastructure/cms.bicep
+++ b/infrastructure/cms.bicep
@@ -10,11 +10,31 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2024-07-01' = {
 location: deployment().location
 }
 
+module cmsIdentity 'modules/identity.bicep' = {
+ scope: resourceGroup
+ name: 'deployCmsIdentity'
+ params: {
+ identityName: 'id-cms'
+ }
+}
+
 module keyVault 'modules/keyVault.bicep' = {
 scope: resourceGroup
 name: 'deployCmsKeyVault'
 params: {
 keyVaultName: 'kv-cms'
+ accessPolicies: [
+ {
+ objectId: cmsIdentity.outputs.cmsIdentityPrincipalId
+ permissions: {
+ secrets: [
+ 'list'
+ 'get'
+ ]
+ }
+ tenantId: cmsIdentity.outputs.cmsIdentityTenantId
+ }
+ ]
 }
 }
@@ -38,6 +58,7 @@ module cmsContainerApp 'modules/containerApp.bicep' = {
 logAnalyicsWorkspaceName: logAnalyticsWorkspace.outputs.resourceName
 keyVaultName: keyVault.outputs.resourceName
 targetPort: 1337
+ cmsIdentityPrincipalId: cmsIdentity.outputs.cmsIdentityPrincipalId
 environmentVariables: [
 {
 name: 'DATABASE_CLIENT'
diff --git a/infrastructure/modules/containerApp.bicep b/infrastructure/modules/containerApp.bicep
index 9ad43a1..5bde5ce 100644
--- a/infrastructure/modules/containerApp.bicep
+++ b/infrastructure/modules/containerApp.bicep
@@ -14,6 +14,7 @@ param targetPort int = 80
 param environmentVariables array
 param secrets array
 param keyVaultName string
+param cmsIdentityPrincipalId string
 
 var location = resourceGroup().location
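Review bot: The access policy added under `accessPolicies:` grants the CMS identity both `'list'` and `'get'` on secrets, but a Container Apps secret reference resolves a single secret by its `keyVaultUrl` and only needs `get`; `list` additionally lets a compromised app enumerate every secret name in the vault, so drop `'list'` and keep `secrets: [ 'get' ]`. This also wires the vault to the legacy access-policy model; if the key vault module turns on RBAC authorization somewhere not visible in this hunk, these policies are silently ignored and a `Key Vault Secrets User` role assignment on the identity is what actually grants access, so it is worth confirming which model the vault uses before merging.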
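Review bot: The value passed on the new `cmsIdentityPrincipalId:` line is the identity's principal (object) id, which is correct for the Key Vault access policy in the previous hunk but not for what the container app module does with it: a Container Apps Key Vault secret reference names the identity by its ARM resource id (`cmsIdentity.id`), or the literal `'system'`. The identity module in this patch only outputs `principalId` and `tenantId`, so there is no resource id to pass yet; the module needs an `output … = cmsIdentity.id` and this line should forward that instead, e.g. `cmsIdentityResourceId: cmsIdentity.outputs.cmsIdentityResourceId`. The `cmsContainerApp` module block continues past the end of this hunk.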
@@ -66,6 +67,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-08-02-preview' = {
 for secret in secrets: {
 name: secret.name
 keyVaultUrl: '${keyVault.properties.vaultUri}secrets/${replaceUnderscoresWithDashes(secret.name)}'
+ identity: cmsIdentityPrincipalId
 }
 ]
 }
diff --git a/infrastructure/modules/identity.bicep b/infrastructure/modules/identity.bicep
new file mode 100644
index 0000000..0c2c8f2
--- /dev/null
+++ b/infrastructure/modules/identity.bicep
@@ -0,0 +1,11 @@
+import { appendHash } from '../utilities.bicep'
+
+param identityName string
+
+resource cmsIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
+ name: appendHash(identityName)
+ location: resourceGroup().location
+}
+
+output cmsIdentityPrincipalId string = cmsIdentity.properties.principalId
+output cmsIdentityTenantId string = cmsIdentity.properties.tenantId
diff --git a/infrastructure/modules/keyVault.bicep b/infrastructure/modules/keyVault.bicep
index aecc494..4b245d8 100644
--- a/infrastructure/modules/keyVault.bicep
+++ b/infrastructure/modules/keyVault.bicep
@@ -2,6 +2,7 @@ import { appendHash } from '../utilities.bicep'
 
 param keyVaultName string
 param sku string = 'standard'
+param accessPolicies array = []
 
 resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
 name: appendHash(keyVaultName)
@@ -12,7 +13,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
 family: 'A'
 }
 tenantId: subscription().tenantId
- accessPolicies: []
+ accessPolicies: accessPolicies
 }
 }
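Review bot: `identity: cmsIdentityPrincipalId` sets the secret's `identity` to a principal (object) id, but for a Key Vault-backed Container Apps secret that property must be the resource id of a user-assigned managed identity (or `'system'`), so as written the secret reference will not resolve at deployment time. Nothing in this patch attaches the identity to the app either: the `resource containerApp` block, whose header is above this hunk, also needs a top-level `identity` block listing the same user-assigned identity, otherwise the platform has no identity to call the vault with. If the app's `identity` block already exists elsewhere in the file it is simply not visible here; either way the module param should carry the identity's resource id rather than its principal id, which is what the excerpt below does.
```bicep
param cmsIdentityResourceId string

resource containerApp 'Microsoft.App/containerApps@2024-08-02-preview' = {
  // … unchanged: existing resource properties …
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${cmsIdentityResourceId}': {}
    }
  }
  // … unchanged: properties / configuration up to the secrets loop …
          keyVaultUrl: '${keyVault.properties.vaultUri}secrets/${replaceUnderscoresWithDashes(secret.name)}'
          identity: cmsIdentityResourceId
  // … unchanged: rest of the secrets loop …
```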
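Review bot: The new module outputs `principalId` and `tenantId` but not the identity's resource id, which is what a consumer needs both to attach the identity to a resource (`userAssignedIdentities`) and to name it in a Container Apps Key Vault secret reference; add `output cmsIdentityResourceId string = cmsIdentity.id`. The resource also pins a preview API version, `2023-07-31-preview`, for a long-GA resource type; unless a preview-only property is needed, a stable version such as `2023-01-31` avoids surprise schema changes. A `@description('Base name of the user-assigned identity; appendHash adds a suffix')` on `identityName` would tell callers that the deployed name is not the one they pass in.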
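Review bot: `param accessPolicies array = []` is undocumented, and its default has a sharp edge worth stating: the vault's `accessPolicies` property is replaced wholesale on every deployment, so any caller that omits the parameter removes every access policy currently on the vault (the hard-coded `[]` it replaces behaved the same way, but now it is a parameter the caller can forget). Suggest `@description('Key Vault access policies; replaces all existing policies on every deployment, so an empty array removes them all')` above the param. If the vault resource enables RBAC authorization further down, outside this hunk, the description should also say the policies are then ignored.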