diff --git a/.github/workflows/module-keyvault.yml b/.github/workflows/module-keyvault.yml new file mode 100644 index 0000000..ff0555d --- /dev/null +++ b/.github/workflows/module-keyvault.yml @@ -0,0 +1,26 @@ +name: module-keyvault +concurrency: + group: ${{ github.workflow }} + +on: + workflow_dispatch: + push: + branches: + - main + paths: + - "modules/security/keyvault/**" + +permissions: + id-token: write + contents: read + +jobs: + call-shared-workflow: + name: Run + uses: ./.github/workflows/template-module.yml + with: + module_name: keyvault + module_file_path: modules/security/keyvault/main.bicep + module_metadata_file_path: modules/security/keyvault/metadata.json + module_parameters: name=test-keyvault tags={'env':'dev'} location=uksouth workspaceId=1 + secrets: inherit diff --git a/modules/security/keyvault/main.bicep b/modules/security/keyvault/main.bicep index 75040da..99af789 100644 --- a/modules/security/keyvault/main.bicep +++ b/modules/security/keyvault/main.bicep @@ -11,7 +11,8 @@ param location string @description('Required. Tags of the resource.') param tags object - +@description('Required. Provide Log Analytics Workspace Id for diagnostics settings.') +param workspaceId string @description('Optional. Specifies whether soft delete should be enabled for the Key Vault.') param enableSoftDelete bool = true @@ -20,16 +21,16 @@ param enableSoftDelete bool = true param softDeleteRetentionInDays int = 7 @description('Optional. Specify whether purge protection should be enabled for the Key Vault.') -param enablePurgeProtection bool = false +param enablePurgeProtection bool = true @description('Optional. Specify whether the Key Vault will be using RBAC. Default is false - use the access policy.') -param enableRbacAuthorization bool = false +param enableRbacAuthorization bool = true -@allowed(['standard', 'premium']) +@allowed([ 'standard', 'premium' ]) @description('Optional. The SKU name of the Key Vault.') param skuName string = 'standard' -@allowed(['A', 'B']) +@allowed([ 'A', 'B' ]) @description('Optional. The SKU family of the Key Vault.') param skuFamily string = 'A' @@ -38,10 +39,57 @@ param networkAcls networkAclsType = { defaultAction: 'Deny' } +@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.') +@allowed([ + '' + 'Enabled' + 'Disabled' +]) +param publicNetworkAccess string = '' + +@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') +param privateEndpoints privateEndpointType + +@description('Optional. The lock settings of the service.') +param lock lockType + +// for a list with build in rbac for key vault please have a look https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli +// Key Vault Secrets Officer - Perform any action on the secrets of a key vault, except manage permissions. - b86a8fe4-44ce-4948-aee5-eccb2c155cd7 +// Key Vault Secrets User - Read secret contents including secret portion of a certificate with private key - 4633458b-17de-408a-b874-0445c86b69e6 +// +// Key Vault Certificates Officer - Perform any action on the certificates of a key vault, except manage permissions. - a4417e6f-fecd-4de8-b567-7b0420556985 +// Key Vault Certificate User - Read entire certificate contents including secret and key portion - db79e9a7-68ee-4b58-9aeb-b90e7c24fcba +// +// Key Vault Crypto Officer - Perform any action on the keys of a key vault, except manage permissions. - 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 +// Key Vault Crypto User - Perform cryptographic operations using keys. - 12338af0-0e69-4776-bea7-57ae8d297424 +@description('RBAC Role Assignments to apply to each RBAC policy') +param roleAssignments array = [ + 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7' +] + +@description('List of RBAC policies to assign to the Key Vault') +param rbacPolicies array = [] + +var builtInRoleNames = { + Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') + 'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') + 'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395') + 'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') + 'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') + 'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') + 'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2') + 'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') + 'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') + Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} var varNetworkAclsIpRules = [for ip in networkAcls.?ipAllowlist ?? []: { value: ip }] -var varNetworkAclsVirtualNetworkRules = [for subnet in networkAcls.?subnetIds ?? []: { id: subnet }] +var varNetworkAclsVirtualNetworkRules = [for subnet in networkAcls.?subnetIds ?? []: { id: subnet }] var varNetworkAcls = { bypass: networkAcls.?bypass ?? 'AzureServices' @@ -64,17 +112,57 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = { name: skuName } tenantId: subscription().tenantId - networkAcls:varNetworkAcls + networkAcls: varNetworkAcls + publicNetworkAccess: !empty(publicNetworkAccess) ? publicNetworkAccess : ((!empty(privateEndpoints ?? []) && empty(networkAcls ?? {})) ? 'Disabled' : null) } } +module rbacRoleAssignments 'roleAssignment.bicep' = [for rbacRole in roleAssignments: { + name: guid(name, rbacRole) + params: { + keyVaultName: keyVault.name + rbacPolicies: rbacPolicies + rbacRole: rbacRole + } +}] + +resource log 'microsoft.insights/diagnosticSettings@2016-09-01' = { + name: 'service' // '${keyVault.name}-diagnostics' + location: location + scope: keyVault + properties: { + workspaceId: workspaceId + logs: [ + { + category: 'AuditEvent' + enabled: true + } + ] + } +} + +resource keyVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' + properties: { + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' + } + scope: keyVault +} + +@description('Key vault id') +output id string = keyVault.id + +@description('Key vault name') +output name string = keyVault.name + type networkAclsType = { @description('Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Possible values are any combination of Logging,Metrics,AzureServices (For example, "Logging, Metrics"), or None to bypass none of those traffics.') bypass: ('AzureServices' | 'None')? - + @description('Specifies whether all network access is allowed or denied when no other rules match.') defaultAction: ('Allow' | 'Deny') - + @description('Specifies the IP or IP range in CIDR format to be allowed to connect. Only IPV4 address is allowed.') ipAllowlist: string[]? @@ -82,9 +170,166 @@ type networkAclsType = { subnetIds: string[]? } +type privateEndpointType = { -@description('Key vault id') -output id string = keyVault.id + @description('Optional. The name of the private endpoint.') + name: string? -@description('Key vault name') -output name string = keyVault.name + @description('Optional. The location to deploy the private endpoint to.') + location: string? + + @description('Optional. The service (sub-) type to deploy the private endpoint for. For example "vault" or "blob".') + service: string? + + @description('Required. Resource ID of the subnet where the endpoint needs to be created.') + subnetResourceId: string + + @description('Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided.') + privateDnsZoneGroupName: string? + + @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') + privateDnsZoneResourceIds: string[]? + + @description('Optional. Custom DNS configurations.') + customDnsConfigs: { + @description('Required. Fqdn that resolves to private endpoint IP address.') + fqdn: string? + + @description('Required. A list of private IP addresses of the private endpoint.') + ipAddresses: string[] + }[]? + + @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') + ipConfigurations: { + @description('Required. The name of the resource that is unique within a resource group.') + name: string + + @description('Required. Properties of private endpoint IP configurations.') + properties: { + @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') + groupId: string + + @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') + memberName: string + + @description('Required. A private IP address obtained from the private endpoint\'s subnet.') + privateIPAddress: string + } + }[]? + + @description('Optional. Application security groups in which the private endpoint IP configuration is included.') + applicationSecurityGroupResourceIds: string[]? + + @description('Optional. The custom name of the network interface attached to the private endpoint.') + customNetworkInterfaceName: string? + + @description('Optional. Specify the type of lock.') + lock: lockType + + @description('Optional. Array of role assignments to create.') + roleAssignments: roleAssignmentType + + @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') + tags: object? + + @description('Optional. Manual PrivateLink Service Connections.') + manualPrivateLinkServiceConnections: array? + + @description('Optional. Enable/Disable usage telemetry for module.') + enableTelemetry: bool? +}[]? + +type lockType = { + @description('Optional. Specify the name of lock.') + name: string? + + @description('Optional. Specify the type of lock.') + kind: ('CanNotDelete' | 'ReadOnly' | 'None')? +}? + +type accessPoliciesType = { + @description('Optional. The tenant ID that is used for authenticating requests to the key vault.') + tenantId: string? + + @description('Required. The object ID of a user, service principal or security group in the tenant for the vault.') + objectId: string + + @description('Optional. Application ID of the client making request on behalf of a principal.') + applicationId: string? + + @description('Required. Permissions the identity has for keys, secrets and certificates.') + permissions: { + @description('Optional. Permissions to keys.') + keys: ('all' | 'backup' | 'create' | 'decrypt' | 'delete' | 'encrypt' | 'get' | 'getrotationpolicy' | 'import' | 'list' | 'purge' | 'recover' | 'release' | 'restore' | 'rotate' | 'setrotationpolicy' | 'sign' | 'unwrapKey' | 'update' | 'verify' | 'wrapKey')[]? + + @description('Optional. Permissions to secrets.') + secrets: ('all' | 'backup' | 'delete' | 'get' | 'list' | 'purge' | 'recover' | 'restore' | 'set')[]? + + @description('Optional. Permissions to certificates.') + certificates: ('all' | 'backup' | 'create' | 'delete' | 'deleteissuers' | 'get' | 'getissuers' | 'import' | 'list' | 'listissuers' | 'managecontacts' | 'manageissuers' | 'purge' | 'recover' | 'restore' | 'setissuers' | 'update')[]? + + @description('Optional. Permissions to storage accounts.') + storage: ('all' | 'backup' | 'delete' | 'deletesas' | 'get' | 'getsas' | 'list' | 'listsas' | 'purge' | 'recover' | 'regeneratekey' | 'restore' | 'set' | 'setsas' | 'update')[]? + } +}[]? + +type roleAssignmentType = { + @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') + roleDefinitionIdOrName: string + + @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') + principalId: string + + @description('Optional. The principal type of the assigned principal ID.') + principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? + + @description('Optional. The description of the role assignment.') + description: string? + + @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') + condition: string? + + @description('Optional. Version of the condition.') + conditionVersion: '2.0'? + + @description('Optional. The Resource Id of the delegated managed identity resource.') + delegatedManagedIdentityResourceId: string? +}[]? + +type diagnosticSettingType = { + @description('Optional. The name of diagnostic setting.') + name: string? + + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to \'\' to disable log collection.') + logCategoriesAndGroups: { + @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') + category: string? + + @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs.') + categoryGroup: string? + }[]? + + @description('Optional. The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to \'\' to disable metric collection.') + metricCategories: { + @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics.') + category: string + }[]? + + @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') + logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? + + @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + workspaceResourceId: string? + + @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + storageAccountResourceId: string? + + @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') + eventHubAuthorizationRuleResourceId: string? + + @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') + eventHubName: string? + + @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') + marketplacePartnerResourceId: string? +}[]? diff --git a/modules/security/keyvault/roleAssignment.bicep b/modules/security/keyvault/roleAssignment.bicep new file mode 100644 index 0000000..6905f21 --- /dev/null +++ b/modules/security/keyvault/roleAssignment.bicep @@ -0,0 +1,17 @@ +param keyVaultName string +param rbacPolicies array +param rbacRole string + +resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = { + name: keyVaultName +} + +resource rbac_certs_reader 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for rbacPolicy in rbacPolicies: { + name: guid(rbacRole, rbacPolicy.objectId) + scope: keyVault + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', rbacRole) + principalId: rbacPolicy.objectId + principalType: 'ServicePrincipal' + } +}] diff --git a/modules/security/keyvault/test/main.test.bicep b/modules/security/keyvault/test/main.test.bicep index c90ff0a..00054be 100644 --- a/modules/security/keyvault/test/main.test.bicep +++ b/modules/security/keyvault/test/main.test.bicep @@ -9,12 +9,64 @@ var my_tags = { env: 'dev' } +module vNet '../../../network/virtual-network/main.bicep' = { + name: '${uniqueString(deployment().name, location)}-vnet' + params: { + name: 'az-vnet-01' + addressPrefixes: [ '10.0.0.0/16' ] + location: location + tags: my_tags + subnets: [ + { + name: 'frontend-subnet-01' + addressPrefix: '10.0.1.0/24' + networkSecurityGroupId: '/subscriptions/111111-1111-1111-1111-111111111111/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/az-nsg-01' + } + { + name: 'backend-subnet-01' + addressPrefix: '10.0.2.0/24' + networkSecurityGroupId: '/subscriptions/111111-1111-1111-1111-111111111111/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/az-nsg-01' + } + + ] + } +} + // TEST 1 - minimum parameters module test1 '../main.bicep' = { name: 'kv1' params: { - location: location + location: location + workspaceId: '11' name: 'kv1' tags: my_tags } } + +// TEST 2 - key vault part of the network +module test2 '../main.bicep' = { + name: 'kv2' + params: { + location: location + workspaceId: '11' + name: 'kv2' + tags: my_tags + + enableSoftDelete: true + softDeleteRetentionInDays: 90 + enablePurgeProtection: true + enableRbacAuthorization: true + networkAcls: { + defaultAction: 'Deny' + bypass: 'AzureServices' + ipAllowlist: [ + '127.0.0.1' + ] + //subnetIds: vNet.outputs.subnetResourceIds + subnetIds: [ + '/subscriptions/111111-1111-1111-1111-111111111111/resourceGroups/validation-rg/providers/Microsoft.Network/networkSecurityGroups/az-nsg-01' + ] + } + + } +} diff --git a/test-deployment/abbreviations.json b/test-deployment/abbreviations.json new file mode 100644 index 0000000..3cb408c --- /dev/null +++ b/test-deployment/abbreviations.json @@ -0,0 +1,136 @@ +{ + "analysisServicesServers": "as", + "apiManagementService": "apim-", + "appConfigurationConfigurationStores": "appcs-", + "appManagedEnvironments": "cae-", + "appContainerApps": "ca-", + "authorizationPolicyDefinitions": "policy-", + "automationAutomationAccounts": "aa-", + "blueprintBlueprints": "bp-", + "blueprintBlueprintsArtifacts": "bpa-", + "cacheRedis": "redis-", + "cdnProfiles": "cdnp-", + "cdnProfilesEndpoints": "cdne-", + "cognitiveServicesAccounts": "cog-", + "cognitiveServicesFormRecognizer": "cog-fr-", + "cognitiveServicesTextAnalytics": "cog-ta-", + "computeAvailabilitySets": "avail-", + "computeCloudServices": "cld-", + "computeDiskEncryptionSets": "des", + "computeDisks": "disk", + "computeDisksOs": "osdisk", + "computeGalleries": "gal", + "computeSnapshots": "snap-", + "computeVirtualMachines": "vm", + "computeVirtualMachineScaleSets": "vmss-", + "containerInstanceContainerGroups": "ci", + "containerRegistryRegistries": "cr", + "containerServiceManagedClusters": "aks-", + "databricksWorkspaces": "dbw-", + "dataFactoryFactories": "adf-", + "dataLakeAnalyticsAccounts": "dla", + "dataLakeStoreAccounts": "dls", + "dataMigrationServices": "dms-", + "dBforMySQLServers": "mysql-", + "dBforPostgreSQLServers": "psql-", + "devicesIotHubs": "iot-", + "devicesProvisioningServices": "provs-", + "devicesProvisioningServicesCertificates": "pcert-", + "documentDBDatabaseAccounts": "cosmos-", + "eventGridDomains": "evgd-", + "eventGridDomainsTopics": "evgt-", + "eventGridEventSubscriptions": "evgs-", + "eventHubNamespaces": "evhns-", + "eventHubNamespacesEventHubs": "evh-", + "hdInsightClustersHadoop": "hadoop-", + "hdInsightClustersHbase": "hbase-", + "hdInsightClustersKafka": "kafka-", + "hdInsightClustersMl": "mls-", + "hdInsightClustersSpark": "spark-", + "hdInsightClustersStorm": "storm-", + "hybridComputeMachines": "arcs-", + "insightsActionGroups": "ag-", + "insightsComponents": "appi-", + "keyVaultVaults": "kv-", + "kubernetesConnectedClusters": "arck", + "kustoClusters": "dec", + "kustoClustersDatabases": "dedb", + "loadTesting": "lt-", + "logicIntegrationAccounts": "ia-", + "logicWorkflows": "logic-", + "machineLearningServicesWorkspaces": "mlw-", + "managedIdentityUserAssignedIdentities": "id-", + "managementManagementGroups": "mg-", + "migrateAssessmentProjects": "migr-", + "networkApplicationGateways": "agw-", + "networkApplicationSecurityGroups": "asg-", + "networkAzureFirewalls": "afw-", + "networkBastionHosts": "bas-", + "networkConnections": "con-", + "networkDnsZones": "dnsz-", + "networkExpressRouteCircuits": "erc-", + "networkFirewallPolicies": "afwp-", + "networkFirewallPoliciesWebApplication": "waf", + "networkFirewallPoliciesRuleGroups": "wafrg", + "networkFrontDoors": "fd-", + "networkFrontdoorWebApplicationFirewallPolicies": "fdfp-", + "networkLoadBalancersExternal": "lbe-", + "networkLoadBalancersInternal": "lbi-", + "networkLoadBalancersInboundNatRules": "rule-", + "networkLocalNetworkGateways": "lgw-", + "networkNatGateways": "ng-", + "networkNetworkInterfaces": "nic-", + "networkNetworkSecurityGroups": "nsg-", + "networkNetworkSecurityGroupsSecurityRules": "nsgsr-", + "networkNetworkWatchers": "nw-", + "networkPrivateDnsZones": "pdnsz-", + "networkPrivateLinkServices": "pl-", + "networkPublicIPAddresses": "pip-", + "networkPublicIPPrefixes": "ippre-", + "networkRouteFilters": "rf-", + "networkRouteTables": "rt-", + "networkRouteTablesRoutes": "udr-", + "networkTrafficManagerProfiles": "traf-", + "networkVirtualNetworkGateways": "vgw-", + "networkVirtualNetworks": "vnet-", + "networkVirtualNetworksSubnets": "snet-", + "networkVirtualNetworksVirtualNetworkPeerings": "peer-", + "networkVirtualWans": "vwan-", + "networkVpnGateways": "vpng-", + "networkVpnGatewaysVpnConnections": "vcn-", + "networkVpnGatewaysVpnSites": "vst-", + "notificationHubsNamespaces": "ntfns-", + "notificationHubsNamespacesNotificationHubs": "ntf-", + "operationalInsightsWorkspaces": "log-", + "portalDashboards": "dash-", + "powerBIDedicatedCapacities": "pbi-", + "purviewAccounts": "pview-", + "recoveryServicesVaults": "rsv-", + "resourcesResourceGroups": "rg-", + "searchSearchServices": "srch-", + "serviceBusNamespaces": "sb-", + "serviceBusNamespacesQueues": "sbq-", + "serviceBusNamespacesTopics": "sbt-", + "serviceEndPointPolicies": "se-", + "serviceFabricClusters": "sf-", + "signalRServiceSignalR": "sigr", + "sqlManagedInstances": "sqlmi-", + "sqlServers": "sql-", + "sqlServersDataWarehouse": "sqldw-", + "sqlServersDatabases": "sqldb-", + "sqlServersDatabasesStretch": "sqlstrdb-", + "storageStorageAccounts": "st", + "storageStorageAccountsVm": "stvm", + "storSimpleManagers": "ssimp", + "streamAnalyticsCluster": "asa-", + "synapseWorkspaces": "syn", + "synapseWorkspacesAnalyticsWorkspaces": "synw", + "synapseWorkspacesSqlPoolsDedicated": "syndp", + "synapseWorkspacesSqlPoolsSpark": "synsp", + "timeSeriesInsightsEnvironments": "tsi-", + "webServerFarms": "plan-", + "webSitesAppService": "app-", + "webSitesAppServiceEnvironment": "ase-", + "webSitesFunctions": "func-", + "webStaticSites": "stapp-" +} diff --git a/test-deployment/deployment-test.azcli b/test-deployment/deployment-test.azcli new file mode 100644 index 0000000..febfdf5 --- /dev/null +++ b/test-deployment/deployment-test.azcli @@ -0,0 +1,30 @@ +# if you need to login to azure use the command below +# az login + +# to see if you are logged in to the correct subscription use below command +# az account show + +# to change the current subscription use the below command +# az account set --subscription "Your Subscription Name" + +export rg_name="bicep-module-tmp-test-rg" +export location="uksouth" + +# create a rg +az group create --resource-group $rg_name --location $location + +# create deployment in rg with the content from main.bicep file and params +az deployment group create --resource-group $rg_name --name module-testing --mode Complete --template-file main.bicep --parameters main.parameters.json + + + +# ################### # +# Destroy commands # +# ################### # + +# delete deployment with the specify name +az deployment group delete --resource-group $rg_name --name module-testing + +# delete the whole rg +az group delete --resource-group $rg_name --yes + diff --git a/test-deployment/main.bicep b/test-deployment/main.bicep new file mode 100644 index 0000000..3cf371f --- /dev/null +++ b/test-deployment/main.bicep @@ -0,0 +1,47 @@ +// targetScope = 'subscription' +targetScope = 'resourceGroup' + +@description('Name of the environment eg. dev, prod') +param environmentName string = 'dev' + +@description('Location for all resources') +param location string = 'uksouth' + +var abbrs = loadJsonContent('abbreviations.json') +var resourceToken = toLower(uniqueString(subscription().id, environmentName, location)) +var tags = { environment: environmentName } + +// resource rg 'Microsoft.Resources/resourceGroups@2023-07-01' existing = { +// name: 'bicep-module-tmp-test-rg' +// } + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = { + // scope: rg + name: take('log-${uniqueString(resourceGroup().id, subscription().id)}', 63) + location: location + tags: tags + properties: { + sku: { + name: 'PerGB2018' + } + retentionInDays: 30 + workspaceCapping: { + dailyQuotaGb: 1 + } + } +} + +module kv '../modules/security/keyvault/main.bicep' = { + // scope: rg + name: 'deploy-kv-test' + params: { + location: location + name: '${abbrs.keyVaultVaults}${resourceToken}' + tags: tags + workspaceId: logAnalyticsWorkspace.id + networkAcls: { + defaultAction: 'Allow' + } + rbacPolicies: [ 'c5c1dcd6-c181-466e-a606-cd67d0532eb9' ] + } +} diff --git a/test-deployment/main.parameters.json b/test-deployment/main.parameters.json new file mode 100644 index 0000000..3c919cd --- /dev/null +++ b/test-deployment/main.parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "value": "uksouth" + } + } +}