Add keyvault

miekki · Mar 1, 2024 · d4cb137 · d4cb137
1 parent 83be3fb
commit d4cb137
Show file tree

Hide file tree

Showing 8 changed files with 576 additions and 14 deletions.
diff --git a/.github/workflows/module-keyvault.yml b/.github/workflows/module-keyvault.yml
@@ -0,0 +1,26 @@
+name: module-keyvault
+concurrency:
+  group: ${{ github.workflow }}
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "modules/security/keyvault/**"
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  call-shared-workflow:
+    name: Run
+    uses: ./.github/workflows/template-module.yml
+    with:
+      module_name: keyvault
+      module_file_path: modules/security/keyvault/main.bicep
+      module_metadata_file_path: modules/security/keyvault/metadata.json
+      module_parameters: name=test-keyvault tags={'env':'dev'} location=uksouth workspaceId=1
+    secrets: inherit
diff --git a/modules/security/keyvault/main.bicep b/modules/security/keyvault/main.bicep
diff --git a/modules/security/keyvault/roleAssignment.bicep b/modules/security/keyvault/roleAssignment.bicep
@@ -0,0 +1,17 @@
+param keyVaultName string
+param rbacPolicies array
+param rbacRole string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+}
+
+resource rbac_certs_reader 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for rbacPolicy in rbacPolicies: {
+  name: guid(rbacRole, rbacPolicy.objectId)
+  scope: keyVault
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', rbacRole)
+    principalId: rbacPolicy.objectId
+    principalType: 'ServicePrincipal'
+  }
+}]
diff --git a/modules/security/keyvault/test/main.test.bicep b/modules/security/keyvault/test/main.test.bicep
@@ -9,12 +9,64 @@ var my_tags = {
   env: 'dev'
 }
 
+module vNet '../../../network/virtual-network/main.bicep' = {
+  name: '${uniqueString(deployment().name, location)}-vnet'
+  params: {
+    name: 'az-vnet-01'
+    addressPrefixes: [ '10.0.0.0/16' ]
+    location: location
+    tags: my_tags
+    subnets: [
+      {
+        name: 'frontend-subnet-01'
+        addressPrefix: '10.0.1.0/24'
+        networkSecurityGroupId: '/subscriptions/111111-1111-1111-1111-111111111111/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/az-nsg-01'
+      }
+      {
+        name: 'backend-subnet-01'
+        addressPrefix: '10.0.2.0/24'
+        networkSecurityGroupId: '/subscriptions/111111-1111-1111-1111-111111111111/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/az-nsg-01'
+      }
+
+    ]
+  }
+}
+
 // TEST 1 - minimum parameters
 module test1 '../main.bicep' = {
   name: 'kv1'
   params: {
-    location: location 
+    location: location
+    workspaceId: '11'
     name: 'kv1'
     tags: my_tags
   }
 }
+
+// TEST 2 - key vault part of the network
+module test2 '../main.bicep' = {
+  name: 'kv2'
+  params: {
+    location: location
+    workspaceId: '11'
+    name: 'kv2'
+    tags: my_tags
+
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 90
+    enablePurgeProtection: true
+    enableRbacAuthorization: true
+    networkAcls: {
+      defaultAction: 'Deny'
+      bypass: 'AzureServices'
+      ipAllowlist: [
+        '127.0.0.1'
+      ]
+      //subnetIds: vNet.outputs.subnetResourceIds
+      subnetIds: [
+        '/subscriptions/111111-1111-1111-1111-111111111111/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/az-nsg-01'
+      ]
+    }
+
+  }
+}
diff --git a/test-deployment/abbreviations.json b/test-deployment/abbreviations.json
@@ -0,0 +1,136 @@
+{
+  "analysisServicesServers": "as",
+  "apiManagementService": "apim-",
+  "appConfigurationConfigurationStores": "appcs-",
+  "appManagedEnvironments": "cae-",
+  "appContainerApps": "ca-",
+  "authorizationPolicyDefinitions": "policy-",
+  "automationAutomationAccounts": "aa-",
+  "blueprintBlueprints": "bp-",
+  "blueprintBlueprintsArtifacts": "bpa-",
+  "cacheRedis": "redis-",
+  "cdnProfiles": "cdnp-",
+  "cdnProfilesEndpoints": "cdne-",
+  "cognitiveServicesAccounts": "cog-",
+  "cognitiveServicesFormRecognizer": "cog-fr-",
+  "cognitiveServicesTextAnalytics": "cog-ta-",
+  "computeAvailabilitySets": "avail-",
+  "computeCloudServices": "cld-",
+  "computeDiskEncryptionSets": "des",
+  "computeDisks": "disk",
+  "computeDisksOs": "osdisk",
+  "computeGalleries": "gal",
+  "computeSnapshots": "snap-",
+  "computeVirtualMachines": "vm",
+  "computeVirtualMachineScaleSets": "vmss-",
+  "containerInstanceContainerGroups": "ci",
+  "containerRegistryRegistries": "cr",
+  "containerServiceManagedClusters": "aks-",
+  "databricksWorkspaces": "dbw-",
+  "dataFactoryFactories": "adf-",
+  "dataLakeAnalyticsAccounts": "dla",
+  "dataLakeStoreAccounts": "dls",
+  "dataMigrationServices": "dms-",
+  "dBforMySQLServers": "mysql-",
+  "dBforPostgreSQLServers": "psql-",
+  "devicesIotHubs": "iot-",
+  "devicesProvisioningServices": "provs-",
+  "devicesProvisioningServicesCertificates": "pcert-",
+  "documentDBDatabaseAccounts": "cosmos-",
+  "eventGridDomains": "evgd-",
+  "eventGridDomainsTopics": "evgt-",
+  "eventGridEventSubscriptions": "evgs-",
+  "eventHubNamespaces": "evhns-",
+  "eventHubNamespacesEventHubs": "evh-",
+  "hdInsightClustersHadoop": "hadoop-",
+  "hdInsightClustersHbase": "hbase-",
+  "hdInsightClustersKafka": "kafka-",
+  "hdInsightClustersMl": "mls-",
+  "hdInsightClustersSpark": "spark-",
+  "hdInsightClustersStorm": "storm-",
+  "hybridComputeMachines": "arcs-",
+  "insightsActionGroups": "ag-",
+  "insightsComponents": "appi-",
+  "keyVaultVaults": "kv-",
+  "kubernetesConnectedClusters": "arck",
+  "kustoClusters": "dec",
+  "kustoClustersDatabases": "dedb",
+  "loadTesting": "lt-",
+  "logicIntegrationAccounts": "ia-",
+  "logicWorkflows": "logic-",
+  "machineLearningServicesWorkspaces": "mlw-",
+  "managedIdentityUserAssignedIdentities": "id-",
+  "managementManagementGroups": "mg-",
+  "migrateAssessmentProjects": "migr-",
+  "networkApplicationGateways": "agw-",
+  "networkApplicationSecurityGroups": "asg-",
+  "networkAzureFirewalls": "afw-",
+  "networkBastionHosts": "bas-",
+  "networkConnections": "con-",
+  "networkDnsZones": "dnsz-",
+  "networkExpressRouteCircuits": "erc-",
+  "networkFirewallPolicies": "afwp-",
+  "networkFirewallPoliciesWebApplication": "waf",
+  "networkFirewallPoliciesRuleGroups": "wafrg",
+  "networkFrontDoors": "fd-",
+  "networkFrontdoorWebApplicationFirewallPolicies": "fdfp-",
+  "networkLoadBalancersExternal": "lbe-",
+  "networkLoadBalancersInternal": "lbi-",
+  "networkLoadBalancersInboundNatRules": "rule-",
+  "networkLocalNetworkGateways": "lgw-",
+  "networkNatGateways": "ng-",
+  "networkNetworkInterfaces": "nic-",
+  "networkNetworkSecurityGroups": "nsg-",
+  "networkNetworkSecurityGroupsSecurityRules": "nsgsr-",
+  "networkNetworkWatchers": "nw-",
+  "networkPrivateDnsZones": "pdnsz-",
+  "networkPrivateLinkServices": "pl-",
+  "networkPublicIPAddresses": "pip-",
+  "networkPublicIPPrefixes": "ippre-",
+  "networkRouteFilters": "rf-",
+  "networkRouteTables": "rt-",
+  "networkRouteTablesRoutes": "udr-",
+  "networkTrafficManagerProfiles": "traf-",
+  "networkVirtualNetworkGateways": "vgw-",
+  "networkVirtualNetworks": "vnet-",
+  "networkVirtualNetworksSubnets": "snet-",
+  "networkVirtualNetworksVirtualNetworkPeerings": "peer-",
+  "networkVirtualWans": "vwan-",
+  "networkVpnGateways": "vpng-",
+  "networkVpnGatewaysVpnConnections": "vcn-",
+  "networkVpnGatewaysVpnSites": "vst-",
+  "notificationHubsNamespaces": "ntfns-",
+  "notificationHubsNamespacesNotificationHubs": "ntf-",
+  "operationalInsightsWorkspaces": "log-",
+  "portalDashboards": "dash-",
+  "powerBIDedicatedCapacities": "pbi-",
+  "purviewAccounts": "pview-",
+  "recoveryServicesVaults": "rsv-",
+  "resourcesResourceGroups": "rg-",
+  "searchSearchServices": "srch-",
+  "serviceBusNamespaces": "sb-",
+  "serviceBusNamespacesQueues": "sbq-",
+  "serviceBusNamespacesTopics": "sbt-",
+  "serviceEndPointPolicies": "se-",
+  "serviceFabricClusters": "sf-",
+  "signalRServiceSignalR": "sigr",
+  "sqlManagedInstances": "sqlmi-",
+  "sqlServers": "sql-",
+  "sqlServersDataWarehouse": "sqldw-",
+  "sqlServersDatabases": "sqldb-",
+  "sqlServersDatabasesStretch": "sqlstrdb-",
+  "storageStorageAccounts": "st",
+  "storageStorageAccountsVm": "stvm",
+  "storSimpleManagers": "ssimp",
+  "streamAnalyticsCluster": "asa-",
+  "synapseWorkspaces": "syn",
+  "synapseWorkspacesAnalyticsWorkspaces": "synw",
+  "synapseWorkspacesSqlPoolsDedicated": "syndp",
+  "synapseWorkspacesSqlPoolsSpark": "synsp",
+  "timeSeriesInsightsEnvironments": "tsi-",
+  "webServerFarms": "plan-",
+  "webSitesAppService": "app-",
+  "webSitesAppServiceEnvironment": "ase-",
+  "webSitesFunctions": "func-",
+  "webStaticSites": "stapp-"
+}
diff --git a/test-deployment/deployment-test.azcli b/test-deployment/deployment-test.azcli
@@ -0,0 +1,30 @@
+# if you need to login to azure use the command below
+# az login
+
+# to see if you are logged in to the correct subscription use below command
+# az account show
+
+# to change the current subscription use the below command
+# az account set --subscription "Your Subscription Name"
+
+export rg_name="bicep-module-tmp-test-rg"
+export location="uksouth"
+
+# create a rg 
+az group create --resource-group $rg_name --location $location
+
+# create deployment in rg with the content from main.bicep file and params
+az deployment group create --resource-group $rg_name --name module-testing --mode Complete --template-file main.bicep --parameters main.parameters.json
+
+
+
+# ################### #
+# Destroy commands #
+# ################### #
+
+# delete deployment with the specify name
+az deployment group delete --resource-group $rg_name --name module-testing
+
+# delete the whole rg 
+az group delete --resource-group $rg_name --yes
+
diff --git a/test-deployment/main.bicep b/test-deployment/main.bicep
@@ -0,0 +1,47 @@
+// targetScope = 'subscription'
+targetScope = 'resourceGroup'
+
+@description('Name of the environment eg. dev, prod')
+param environmentName string = 'dev'
+
+@description('Location for all resources')
+param location string = 'uksouth'
+
+var abbrs = loadJsonContent('abbreviations.json')
+var resourceToken = toLower(uniqueString(subscription().id, environmentName, location))
+var tags = { environment: environmentName }
+
+// resource rg 'Microsoft.Resources/resourceGroups@2023-07-01' existing = {
+//   name: 'bicep-module-tmp-test-rg'
+// }
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
+  // scope: rg
+  name: take('log-${uniqueString(resourceGroup().id, subscription().id)}', 63)
+  location: location
+  tags: tags
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+    retentionInDays: 30
+    workspaceCapping: {
+      dailyQuotaGb: 1
+    }
+  }
+}
+
+module kv '../modules/security/keyvault/main.bicep' = {
+  // scope: rg
+  name: 'deploy-kv-test'
+  params: {
+    location: location
+    name: '${abbrs.keyVaultVaults}${resourceToken}'
+    tags: tags
+    workspaceId: logAnalyticsWorkspace.id
+    networkAcls: {
+      defaultAction: 'Allow'
+    }
+    rbacPolicies: [ 'c5c1dcd6-c181-466e-a606-cd67d0532eb9' ]
+  }
+}
diff --git a/test-deployment/main.parameters.json b/test-deployment/main.parameters.json
@@ -0,0 +1,9 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "location": {
+      "value": "uksouth"
+    }
+  }
+}