keyVault.bicep
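// Parameters

@description('Specifies the name of the Key Vault resource.')
param name string

@description('Specifies the location.')
param location string = resourceGroup().location

@description('Specifies the sku name of the Key Vault resource.')
@allowed([
  'premium'
  'standard'
])
param skuName string = 'standard'

@description('Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.')
param tenantId string = subscription().tenantId

// Network exposure. With the defaults below (public access disabled, default
// action Deny) the vault is reachable only via the trusted-services bypass set
// on the resource, or via a private endpoint declared outside this module.
@description('Specifies whether to allow public network access for Key Vault.')
@allowed([
  'Disabled'
  'Enabled'
])
param publicNetworkAccess string = 'Disabled'

@description('The default action of allow or deny when no other rules match. Allowed values: Allow or Deny')
@allowed([
  'Allow'
  'Deny'
])
param networkAclsDefaultAction string = 'Deny'

// The three enabledFor* flags let Azure platform services (VM deployment, disk
// encryption, ARM template deployment) retrieve vault contents without holding a
// data-plane role. They default to true here; enable only the ones the workload
// actually needs.
@description('Specifies whether the Azure Key Vault resource is enabled for deployment.')
param enabledForDeployment bool = true

@description('Specifies whether the Azure Key Vault resource is enabled for disk encryption.')
param enabledForDiskEncryption bool = true

@description('Specifies whether the Azure Key Vault resource is enabled for template deployment.')
param enabledForTemplateDeployment bool = true

// Purge protection blocks permanent deletion of the vault and its objects during
// the soft-delete retention window and cannot be switched off once enabled.
@description('Specifies whether purge protection is enabled for this Azure Key Vault resource.')
param enablePurgeProtection bool = true

// true = Azure RBAC role assignments govern data-plane access (the role
// assignment below relies on this); false = legacy vault access policies.
@description('Specifies whether to enable RBAC authorization for the Azure Key Vault resource.')
param enableRbacAuthorization bool = true

@description('Specifies whether soft delete is enabled for this Azure Key Vault resource.')
param enableSoftDelete bool = true

// Key Vault accepts 7-90 days; validating here fails fast at compile / what-if
// time instead of mid-deployment.
@description('Specifies the soft delete retention in days.')
@minValue(7)
@maxValue(90)
param softDeleteRetentionInDays int = 7

@description('Specifies the resource id of the Log Analytics workspace.')
param workspaceId string

// Optional. When supplied, this principal is granted the Key Vault Administrator
// role on the vault (full data-plane rights), so it should be a specific admin
// object id rather than a shared or service identity.
@description('Specifies the object id of a Microsoft Entra ID user. In general, this is the object id of the system administrator who deploys the Azure resources.')
param userId string = ''

@description('Specifies the resource tags.')
param tags object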
// Variables

var diagnosticSettingsName = 'diagnosticSettings'

// Retention policy shared by every log and metric category below.
// days: 0 means no retention limit is set on the diagnostic setting itself.
var defaultRetentionPolicy = {
  enabled: true
  days: 0
}

// AuditEvent is the data-plane audit trail (every key/secret/certificate
// request); AzurePolicyEvaluationDetails records policy compliance checks.
var logCategories = [
  'AuditEvent'
  'AzurePolicyEvaluationDetails'
]

var metricCategories = [
  'AllMetrics'
]

// One enabled entry per category, all using the shared retention policy.
var logs = [for logCategory in logCategories: {
  category: logCategory
  enabled: true
  retentionPolicy: defaultRetentionPolicy
}]

var metrics = [for metricCategory in metricCategories: {
  category: metricCategory
  enabled: true
  retentionPolicy: defaultRetentionPolicy
}]
// Resources

// The vault. Every network- and data-plane-level control is driven by the
// parameters; the only hard-coded value is the trusted-services bypass.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    tenantId: tenantId
    createMode: 'default'
    sku: {
      family: 'A'
      name: skuName
    }

    // Data-plane authorization model: true = Azure RBAC, false = access policies.
    enableRbacAuthorization: enableRbacAuthorization

    // Recovery controls.
    enableSoftDelete: enableSoftDelete
    softDeleteRetentionInDays: softDeleteRetentionInDays
    // Only ever sent as true: when the parameter is false the property is
    // omitted (null), because the API does not accept turning purge protection
    // back off once it has been enabled.
    enablePurgeProtection: enablePurgeProtection ? true : null

    // Platform-service integrations (see the parameter comments).
    enabledForDeployment: enabledForDeployment
    enabledForDiskEncryption: enabledForDiskEncryption
    enabledForTemplateDeployment: enabledForTemplateDeployment

    // Network exposure. No ipRules / virtualNetworkRules are declared, so with
    // defaultAction Deny only trusted Azure services (bypass) reach the vault
    // over the public endpoint.
    publicNetworkAccess: publicNetworkAccess
    networkAcls: {
      bypass: 'AzureServices'
      defaultAction: networkAclsDefaultAction
    }
  }
}
// Role Definitions

// Built-in 'Key Vault Administrator' role, referenced by its well-known id.
// Built-in role definitions live at subscription scope, hence the explicit scope.
resource keyVaultAdministratorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: '00482a5a-887f-4fb3-b363-3b7fe8e74483'
}
// Role Assignments

// Grants the deploying user full data-plane rights on this vault and every
// object in it (certificates, keys, secrets). Created only when userId is
// supplied; the guid() name derived from vault, role and principal keeps
// redeployments idempotent. The assignment only governs access when
// enableRbacAuthorization is true.
resource keyVaultAdministratorUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(userId)) {
  scope: keyVault
  name: guid(keyVault.id, keyVaultAdministratorRoleDefinition.id, userId)
  properties: {
    principalId: userId
    principalType: 'User'
    roleDefinitionId: keyVaultAdministratorRoleDefinition.id
  }
}
// Streams the vault's log categories (AuditEvent, AzurePolicyEvaluationDetails)
// and metrics to the Log Analytics workspace. The audit log is the primary
// detection source for who read or changed which secret, key or certificate.
resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: keyVault
  name: diagnosticSettingsName
  properties: {
    workspaceId: workspaceId
    logs: logs
    metrics: metrics
  }
}
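// Outputs

@description('The resource id of the Key Vault.')
output id string = keyVault.id

@description('The name of the Key Vault.')
output name string = keyVault.name

@description('The data-plane URI of the Key Vault, used by clients to access keys, secrets and certificates.')
output vaultUri string = keyVault.properties.vaultUri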