Added key vault module

miekki · Feb 23, 2024 · 83be3fb · 83be3fb
1 parent 0753bd9
commit 83be3fb
Show file tree

Hide file tree

Showing 10 changed files with 199 additions and 0 deletions.
diff --git a/modules/security/keyvault-accesspolicy/README.md b/modules/security/keyvault-accesspolicy/README.md
diff --git a/modules/security/keyvault-accesspolicy/main.bicep b/modules/security/keyvault-accesspolicy/main.bicep
@@ -0,0 +1,49 @@
+metadata name = 'Azure Key Vault - Access Policy'
+metadata description = 'Bicep module for simplified deployment of KeyVault - Access Policy.'
+metadata owner = 'MM'
+
+@description('Required. Name of Key Vault.')
+param keyVaultName string
+
+@description('Required. Name of Key Vault Access Policy.')
+param policyName string
+
+@description('Required. Object Id of a user, service principal or security group')
+param objectId string 
+
+
+@description('Optional. Application id of the client making request')
+param applicationId string = ''
+
+@description('Optional. Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge.')
+param secretsPermissions array = []
+
+@description('Optional. Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge.')
+param keyPermissions array = []
+
+@description('Optional. Specify the permissions to certificates. Valid values are: all, backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update')
+param certificatPermissions array = []
+
+
+resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+}
+
+resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
+  name: policyName
+  parent: keyvault
+  properties: {
+    accessPolicies: [
+      {
+        objectId: !empty(objectId) ? objectId : ''
+        applicationId:  !empty(applicationId) ? applicationId : null
+        permissions: {
+          secrets: !empty(secretsPermissions) ? secretsPermissions : null
+          keys: !empty(keyPermissions)? keyPermissions : null
+          certificates:!empty(certificatPermissions)? certificatPermissions : null
+        }
+        tenantId: subscription().tenantId
+      }
+    ] 
+  }
+}
diff --git a/modules/security/keyvault-accesspolicy/metadata.json b/modules/security/keyvault-accesspolicy/metadata.json
@@ -0,0 +1,5 @@
+{
+    "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+    "version": "0.1",
+    "pathFilters": ["./main.bicep", "./metadata.json"]
+}
diff --git a/modules/security/keyvault-secrets/README.md b/modules/security/keyvault-secrets/README.md
diff --git a/modules/security/keyvault-secrets/main.bicep b/modules/security/keyvault-secrets/main.bicep
@@ -0,0 +1,25 @@
+metadata name = 'Azure Key Vault - Secrets'
+metadata description = 'Bicep module for simplified deployment of KeyVault - Secrets.'
+metadata owner = 'MM'
+
+@description('Required. Name of Key Vault.')
+param keyVaultName string
+
+@description('Required. Secret name.')
+param secretName string
+
+@description('Required. Secret value')
+@secure()
+param secretValue string
+
+resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+}
+
+resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
+  parent: keyvault
+  name: secretName
+  properties: {
+    value: secretValue
+  }
+}
diff --git a/modules/security/keyvault-secrets/metadata.json b/modules/security/keyvault-secrets/metadata.json
@@ -0,0 +1,5 @@
+{
+    "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+    "version": "0.1",
+    "pathFilters": ["./main.bicep", "./metadata.json"]
+}
diff --git a/modules/security/keyvault/README.md b/modules/security/keyvault/README.md
diff --git a/modules/security/keyvault/main.bicep b/modules/security/keyvault/main.bicep
@@ -0,0 +1,90 @@
+metadata name = 'Azure Key Vault'
+metadata description = 'Bicep module for simplified deployment of KeyVault; enables VNet integration and offers flexible configuration options.'
+metadata owner = 'MM'
+
+@description('Required. Name of Key Vault.')
+param name string
+
+@description('Required. Location for all resources.')
+param location string
+
+@description('Required. Tags of the resource.')
+param tags object
+
+
+
+@description('Optional. Specifies whether soft delete should be enabled for the Key Vault.')
+param enableSoftDelete bool = true
+
+@description('Optional. The number of days to retain deleted data in the Key Vault.')
+param softDeleteRetentionInDays int = 7
+
+@description('Optional. Specify whether purge protection should be enabled for the Key Vault.')
+param enablePurgeProtection bool = false
+
+@description('Optional. Specify whether the Key Vault will be using RBAC. Default is false - use the access policy.')
+param enableRbacAuthorization bool = false
+
+@allowed(['standard', 'premium'])
+@description('Optional. The SKU name of the Key Vault.')
+param skuName string = 'standard'
+
+@allowed(['A', 'B'])
+@description('Optional. The SKU family of the Key Vault.')
+param skuFamily string = 'A'
+
+@description('Optional. Configuration for network access rules.')
+param networkAcls networkAclsType = {
+  defaultAction: 'Deny'
+}
+
+
+var varNetworkAclsIpRules = [for ip in networkAcls.?ipAllowlist ?? []: { value: ip }]
+
+var varNetworkAclsVirtualNetworkRules = [for subnet in networkAcls.?subnetIds ?? []: {  id: subnet }]
+
+var varNetworkAcls = {
+  bypass: networkAcls.?bypass ?? 'AzureServices'
+  defaultAction: networkAcls.defaultAction
+  ipRules: varNetworkAclsIpRules
+  virtualNetworkRules: varNetworkAclsVirtualNetworkRules
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    enableSoftDelete: enableSoftDelete
+    softDeleteRetentionInDays: softDeleteRetentionInDays
+    enablePurgeProtection: enablePurgeProtection
+    enableRbacAuthorization: enableRbacAuthorization
+    sku: {
+      family: skuFamily
+      name: skuName
+    }
+    tenantId: subscription().tenantId
+    networkAcls:varNetworkAcls
+  }
+}
+
+type networkAclsType = {
+  @description('Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics.')
+  bypass: ('AzureServices' | 'None')?
+
+  @description('Specifies whether all network access is allowed or denied when no other rules match.')
+  defaultAction: ('Allow' | 'Deny')
+
+  @description('Specifies the IP or IP range in CIDR format to be allowed to connect. Only IPV4 address is allowed.')
+  ipAllowlist: string[]?
+
+  @description('Sets the virtual network rules.')
+  subnetIds: string[]?
+}
+
+
+@description('Key vault id')
+output id string = keyVault.id
+
+@description('Key vault name')
+output name string = keyVault.name
diff --git a/modules/security/keyvault/metadata.json b/modules/security/keyvault/metadata.json
@@ -0,0 +1,5 @@
+{
+    "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
+    "version": "0.1",
+    "pathFilters": ["./main.bicep", "./metadata.json"]
+}
diff --git a/modules/security/keyvault/test/main.test.bicep b/modules/security/keyvault/test/main.test.bicep
@@ -0,0 +1,20 @@
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The location to deploy resources to')
+param location string = resourceGroup().location
+
+var my_tags = {
+  env: 'dev'
+}
+
+// TEST 1 - minimum parameters
+module test1 '../main.bicep' = {
+  name: 'kv1'
+  params: {
+    location: location 
+    name: 'kv1'
+    tags: my_tags
+  }
+}