keyvault.bicep
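@description('Specifies the Azure location where the resources should be created.')
param location string = resourceGroup().location

@description('The name for the user-assigned managed identity')
param uamiName string

// Key Vault names must be 3-24 characters; failing early in validation is
// clearer than a deployment-time error from the resource provider.
@description('The hostname for the Key Vault')
@minLength(3)
@maxLength(24)
param keyvaultName string

@description('The name for the Key Vault secret')
param secretName string

// Marked @secure() so the value is not echoed in deployment history or logs.
@description('The value for the secret to be used by GitHub')
@secure()
param secretValue string

@description('The GitHub user or organization name')
param githubOrgOrUser string

@description('The GitHub repo name')
param githubRepo string

@description('The GitHub repository\'s branch name')
param githubBranch string = 'main'

@description('Audience the federated credential accepts on the GitHub OIDC token; the workflow must request the same value.')
param defaultAudience string = 'api://AzureADTokenExchange'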
// Built-in role definition GUIDs keyed by display name. Only the data-plane
// secrets-read role is used by this template.
var keyVaultRoleID = {
  'Key Vault Secrets User': '4633458b-17de-408a-b874-0445c86b69e6'
}

// Claims the federated credential checks on the GitHub OIDC token: the GitHub
// issuer, a subject pinned to exactly one repo and one branch, and the
// audience the workflow requests.
var github = {
  issuer: 'https://token.actions.githubusercontent.com'
  subject: format('repo:{0}/{1}:ref:refs/heads/{2}', githubOrgOrUser, githubRepo, githubBranch)
  audience: defaultAudience
}
// User-assigned identity the GitHub workflow signs in as.
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  location: location
  name: uamiName
}

// Federated credential on that identity: a GitHub OIDC token is exchanged for
// this identity only when its issuer, subject and audience match the `github`
// values above (so only the configured repo and branch can sign in).
resource federatedCred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
  parent: uami
  name: 'github'
  properties: {
    audiences: [ github.audience ]
    issuer: github.issuer
    subject: github.subject
    // description: 'The GitHub repo will sign in via a federated credential'
  }
}
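// Key Vault that stores the GitHub secret. Authorization is RBAC (no access
// policies), so data-plane read access comes solely from the role assignment
// further down.
resource keyvault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
  name: keyvaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { name: 'standard', family: 'A' }
    enableRbacAuthorization: true
    // State the recovery posture explicitly rather than relying on the API
    // default. enablePurgeProtection is deliberately not set here: once
    // enabled it cannot be turned off, so that is a per-environment decision.
    enableSoftDelete: true
    networkAcls: {
      // 'Allow' keeps the data plane reachable from any network. Presumably
      // needed because GitHub-hosted runners are not Azure services and are
      // not covered by the 'AzureServices' bypass — confirm before tightening
      // to 'Deny' with explicit ipRules/virtualNetworkRules.
      defaultAction: 'Allow'
      bypass: 'AzureServices'
    }
  }
}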
// The secret the workflow reads. Its value comes only from the @secure()
// secretValue parameter; `parent` gives the implicit dependency on the vault.
resource secret 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  name: secretName
  parent: keyvault
  properties: { value: secretValue }
}
// Grants the identity data-plane read on secrets in this vault only (no keys
// or certificates, no management-plane rights). The deterministic guid()
// name keeps redeployments idempotent instead of creating duplicates.
resource managedIdentityCanReadSecrets 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: keyvault
  name: guid(keyVaultRoleID['Key Vault Secrets User'], uami.id, keyvault.id)
  properties: {
    principalId: uami.properties.principalId
    // Explicit principal type avoids lookup failures while a freshly created
    // identity is still replicating in Entra ID.
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultRoleID['Key Vault Secrets User'])
  }
}
// Identifiers the GitHub workflow needs to sign in. Both are non-secret; the
// identity is bound by the federated credential, not by any emitted secret.
output uami object = {
  client_id: uami.properties.clientId
  tenant_id: subscription().tenantId
}