Let's get a SOPS key in there

PoshCode · Oct 3, 2023 · 12d4d92 · 12d4d92
1 parent 4767fc8
commit 12d4d92
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 4 deletions.
diff --git a/infrastructure/Cluster.bicep b/infrastructure/Cluster.bicep
@@ -267,24 +267,42 @@ module aks_iam2 'modules/resourceRoleAssignment.bicep' = {
   }
 }
 
-module keyvault_devops_iam 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_akvdvo_iam'
+module keyvault_devops_secrets 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_akvdvo_secrets'
   params: {
     principalIds: [ adminId ]
     resourceId: keyVault.outputs.id
     roleName: 'Key Vault Secrets Officer'
   }
 }
 
-module keyvault_kubelet_iam 'modules/resourceRoleAssignment.bicep' = {
-  name: '${deploymentName}_akv2k8s_iam'
+module keyvault_devops_crypto 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_akvdvo_crypto'
+  params: {
+    principalIds: [ adminId ]
+    resourceId: keyVault.outputs.id
+    roleName: 'Key Vault Crypto User'
+  }
+}
+
+module keyvault_kubelet_secrets 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_akv2k8s_secrets'
   params: {
     principalIds: [ aks.outputs.kubeletIdentityObjectId ]
     resourceId: keyVault.outputs.id
     roleName: 'Key Vault Secrets User'
   }
 }
 
+module keyvault_kubelet_crypto 'modules/resourceRoleAssignment.bicep' = {
+  name: '${deploymentName}_akv2k8s_crypto'
+  params: {
+    principalIds: [ aks.outputs.kubeletIdentityObjectId ]
+    resourceId: keyVault.outputs.id
+    roleName: 'Key Vault Crypto User'
+  }
+}
+
 @description('Flux release namespace')
 output fluxReleaseNamespace string = flux.outputs.fluxReleaseNamespace
 

diff --git a/infrastructure/modules/keyVault.bicep b/infrastructure/modules/keyVault.bicep
@@ -34,8 +34,23 @@ resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
   }
 }
 
+resource sopsKey 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
+  parent: vault
+  name: 'sops-key'
+  properties: {
+    keyOps: [
+      'decrypt'
+      'encrypt'
+    ]
+  }
+}
+
+
 @description('Name of the keyvault')
 output name string = vault.name
 
 @description('Resource Id of the keyvault')
 output id string = vault.id
+
+@description('key for sops')
+output sopsKeyId string = sopsKey.id