Merge pull request #85 from wviriya/refresh-functions-v4

wviriya · web-flow · commit a153d38a9f3c · 2022-06-14T10:12:44.000+12:00
Fix Key Vault dependency issue, split create and update Key Vault int…
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -18,6 +18,9 @@ param sqlAdminLogin string
 @secure()
 param sqlAdminPassword string
 
+@description('Service principal Id used for deployment.')
+param objectId string
+
 @description('The resource tags that will be applied to the deployed resources.')
 param resourceTags object = {
   ProjectType: 'Azure Serverless Microservices'
@@ -36,24 +39,27 @@ var apimName = '${applicationName}Apim'
 var sqlServerName = '${applicationName}-db'
 var staticWebAppName = '${applicationName}Web'
 var storageAccountName = take(toLower(replace('${applicationName}func', '-', '')), 24)
-var functionsApps = [
-  'Trips'
-  'Drivers'
-  'Passengers'
-  'TripArchiver'
-  'Orchestrators'
- ]
 var functionRuntime = 'dotnet'
 var functionVersion = '~4'
 
+module keyVault 'modules/keyvault.bicep' = {
+  name: keyVaultName
+  params: {
+    keyVaultName: keyVaultName
+    objectId: objectId
+    resourceTags: resourceTags
+    location: location
+  }
+}
+
 module cosmos 'modules/cosmosdb.bicep' = {
   name: cosmosdbName
   params: {
     accountName: cosmosdbName
     location: location
     databaseName: applicationName
     resourceTags: resourceTags
-    keyVaultName: keyVaultName
+    keyVaultName: keyVault.name
   }
 }
 
@@ -66,7 +72,7 @@ module sqlDb 'modules/sqldb.bicep' = {
     administratorPassword: sqlAdminPassword
     location: location
     resourceTags: resourceTags
-    keyVaultName: keyVaultName
+    keyVaultName: keyVault.name
   }
 }
 
@@ -76,7 +82,7 @@ module eventGrid 'modules/eventgrid.bicep' = {
     eventGridTopicName: eventGridName
     location: location
     resourceTags: resourceTags
-    keyVaultName: keyVaultName
+    keyVaultName: keyVault.name
   } 
 }
 
@@ -86,7 +92,7 @@ module signalR 'modules/signalr.bicep' = {
     signalRName: signalRName
     location: location
     resourceTags: resourceTags
-    keyVaultName: keyVaultName
+    keyVaultName: keyVault.name
   } 
 }
 
@@ -187,11 +193,11 @@ resource tripFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'DocDbApiKey'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
         }
         {
           name: 'DocDbEndpointUri'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
         }
         {
           name: 'DocDbRideShareDatabaseName'
@@ -227,27 +233,27 @@ resource tripFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'AuthorityUrl'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'
         }
         {
           name: 'ApiApplicationId'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'
         }
         {
           name: 'ApiScopeName'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'
         }
         {
           name: 'EnableAuth'
           value: 'true'
         }
         {
           name: 'SqlConnectionString'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/SqlConnectionString)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/SqlConnectionString)'
         }
         {
           name: 'AzureSignalRConnectionString'
-          value:'@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AzureSignalRConnectionString)'
+          value:'@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AzureSignalRConnectionString)'
         }
       ]
       cors: {
@@ -297,11 +303,11 @@ resource driverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'DocDbApiKey'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
         }
         {
           name: 'DocDbEndpointUri'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
         }
         {
           name: 'DocDbRideShareDatabaseName'
@@ -321,15 +327,15 @@ resource driverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'AuthorityUrl'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'
         }
         {
           name: 'ApiApplicationId'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'
         }
         {
           name: 'ApiScopeName'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'
         }
         {
           name: 'EnableAuth'
@@ -383,11 +389,11 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'DocDbApiKey'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
         }
         {
           name: 'DocDbEndpointUri'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
         }
         {
           name: 'DocDbRideShareDatabaseName'
@@ -407,31 +413,31 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'AuthorityUrl'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'
         }
         {
           name: 'ApiApplicationId'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'
         }
         {
           name: 'ApiScopeName'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'
         }
         {
           name: 'EnableAuth'
           value: 'true'
         }
         {
           name: 'GraphTenantId'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphTenantId)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphTenantId)'
         }
         {
           name: 'GraphClientId'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphClientId)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphClientId)'
         }
         {
           name: 'GraphClientSecret'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphClientSecret)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphClientSecret)'
         }
       ]
       cors: {
@@ -441,6 +447,9 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
       }
     }
   }
+  identity: {
+    type: 'SystemAssigned'
+  }
 }
 
 resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
@@ -477,11 +486,11 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'DocDbApiKey'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
         }
         {
           name: 'DocDbEndpointUri'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
         }
         {
           name: 'DocDbRideShareDatabaseName'
@@ -541,7 +550,7 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'TripExternalizationsEventGridTopicApiKey'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/TripExternalizationsEventGridTopicApiKey)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/TripExternalizationsEventGridTopicApiKey)'
         }
       ]
       cors: {
@@ -551,6 +560,9 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
       }
     }
   }
+  identity: {
+    type: 'SystemAssigned'
+  }
 }
 
 resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
@@ -566,7 +578,7 @@ resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
         }
         {
           name: 'DocDbConnectionString'
-          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbConnectionString)'
+          value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbConnectionString)'
         }
       ]
       cors: {
@@ -576,23 +588,23 @@ resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
       }
     }
   }
+  identity: {
+    type: 'SystemAssigned'
+  }
 }
 
-module keyVault 'modules/keyvault.bicep' = {
-  name: keyVaultName
+module keyVaultPolicies 'modules/keyvaultPolicies.bicep' = {
+  name: '${keyVaultName}polices'
   params: {
     keyVaultName: keyVaultName
-    functionAppPrefix: applicationName
-    functionApps: functionsApps
-    resourceTags: resourceTags
-    location: location
+    functionAppPrincipalIds: [
+      tripFunctionApp.identity.principalId
+      driverFunctionApp.identity.principalId
+      passengerFunctionApp.identity.principalId
+      tripArchiverFunctionApp.identity.principalId
+      orchestratorsFunctionApp.identity.principalId
+    ]
   }
-  dependsOn: [
-    tripFunctionApp
-    driverFunctionApp
-    passengerFunctionApp
-    tripArchiverFunctionApp
-    orchestratorsFunctionApp
-  ]
 }
 
+output principalId string = orchestratorsFunctionApp.identity.principalId
diff --git a/bicep/modules/keyvault.bicep b/bicep/modules/keyvault.bicep
@@ -1,22 +1,15 @@
 @description('The name of the Key Vault resource that will be deployed.')
 param keyVaultName string
 
-@description('The prefix for the function apps.')
-param functionAppPrefix string
-
-@description('The list of function apps that will have access to this Key Vault.')
-param functionApps array
+@description('Service principal Id used for deployment.')
+param objectId string
 
 @description('The resource tags that will be applied to this Key Vault.')
 param resourceTags object
 
 @description('The location that this Key Vault will be deployed to.')
 param location string
 
-resource functions 'Microsoft.Web/sites@2021-01-15' existing = [for functionApp in functionApps :{
-  name: '${functionAppPrefix}${functionApp}'
-}]
-
 resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
   name: keyVaultName
   location: location
@@ -25,19 +18,21 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
       name: 'standard'
       family: 'A'
     }
+    accessPolicies: [
+      {
+        tenantId: subscription().tenantId
+        objectId: objectId
+        permissions: {
+          secrets: [
+            'all'
+          ]
+        }
+      }
+    ]
     enableSoftDelete: true
     softDeleteRetentionInDays: 7
     enabledForTemplateDeployment: true
     tenantId: subscription().tenantId
-    accessPolicies: [for i in range(0, length(functionApps)) : {
-      tenantId: functions[i].identity.tenantId
-      objectId: functions[i].identity.principalId
-      permissions: {
-        secrets: [
-          'get'
-        ]
-      }
-    }]
   }
   tags: resourceTags
 }
diff --git a/bicep/modules/keyvaultPolicies.bicep b/bicep/modules/keyvaultPolicies.bicep
@@ -0,0 +1,25 @@
+@description('The name of the Key Vault resource that will be deployed.')
+param keyVaultName string
+
+@description('The list of function app principal Id that will have access to this Key Vault.')
+param functionAppPrincipalIds array
+
+resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+  name: keyVaultName
+}
+
+resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
+  name: 'add'
+  parent: keyVault
+  properties: {
+    accessPolicies: [for i in range(0, length(functionAppPrincipalIds)) : {
+      tenantId: subscription().tenantId
+      objectId: functionAppPrincipalIds[i]
+      permissions: {
+        secrets: [
+          'get'
+        ]
+      }
+    }]
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@ param sqlAdminLogin string`
`18`	`18`	`@secure()`
`19`	`19`	`param sqlAdminPassword string`
`20`	`20`
	`21`	`+@description('Service principal Id used for deployment.')`
	`22`	`+param objectId string`
	`23`	`+`
`21`	`24`	`@description('The resource tags that will be applied to the deployed resources.')`
`22`	`25`	`param resourceTags object = {`
`23`	`26`	`ProjectType: 'Azure Serverless Microservices'`
`@@ -36,24 +39,27 @@ var apimName = '${applicationName}Apim'`
`36`	`39`	`var sqlServerName = '${applicationName}-db'`
`37`	`40`	`var staticWebAppName = '${applicationName}Web'`
`38`	`41`	`var storageAccountName = take(toLower(replace('${applicationName}func', '-', '')), 24)`
`39`		`-var functionsApps = [`
`40`		`- 'Trips'`
`41`		`- 'Drivers'`
`42`		`- 'Passengers'`
`43`		`- 'TripArchiver'`
`44`		`- 'Orchestrators'`
`45`		`- ]`
`46`	`42`	`var functionRuntime = 'dotnet'`
`47`	`43`	`var functionVersion = '~4'`
`48`	`44`
	`45`	`+module keyVault 'modules/keyvault.bicep' = {`
	`46`	`+ name: keyVaultName`
	`47`	`+ params: {`
	`48`	`+ keyVaultName: keyVaultName`
	`49`	`+ objectId: objectId`
	`50`	`+ resourceTags: resourceTags`
	`51`	`+ location: location`
	`52`	`+ }`
	`53`	`+}`
	`54`	`+`
`49`	`55`	`module cosmos 'modules/cosmosdb.bicep' = {`
`50`	`56`	`name: cosmosdbName`
`51`	`57`	`params: {`
`52`	`58`	`accountName: cosmosdbName`
`53`	`59`	`location: location`
`54`	`60`	`databaseName: applicationName`
`55`	`61`	`resourceTags: resourceTags`
`56`		`- keyVaultName: keyVaultName`
	`62`	`+ keyVaultName: keyVault.name`
`57`	`63`	`}`
`58`	`64`	`}`
`59`	`65`
`@@ -66,7 +72,7 @@ module sqlDb 'modules/sqldb.bicep' = {`
`66`	`72`	`administratorPassword: sqlAdminPassword`
`67`	`73`	`location: location`
`68`	`74`	`resourceTags: resourceTags`
`69`		`- keyVaultName: keyVaultName`
	`75`	`+ keyVaultName: keyVault.name`
`70`	`76`	`}`
`71`	`77`	`}`
`72`	`78`
`@@ -76,7 +82,7 @@ module eventGrid 'modules/eventgrid.bicep' = {`
`76`	`82`	`eventGridTopicName: eventGridName`
`77`	`83`	`location: location`
`78`	`84`	`resourceTags: resourceTags`
`79`		`- keyVaultName: keyVaultName`
	`85`	`+ keyVaultName: keyVault.name`
`80`	`86`	`}`
`81`	`87`	`}`
`82`	`88`
`@@ -86,7 +92,7 @@ module signalR 'modules/signalr.bicep' = {`
`86`	`92`	`signalRName: signalRName`
`87`	`93`	`location: location`
`88`	`94`	`resourceTags: resourceTags`
`89`		`- keyVaultName: keyVaultName`
	`95`	`+ keyVaultName: keyVault.name`
`90`	`96`	`}`
`91`	`97`	`}`
`92`	`98`
`@@ -187,11 +193,11 @@ resource tripFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`187`	`193`	`}`
`188`	`194`	`{`
`189`	`195`	`name: 'DocDbApiKey'`
`190`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
	`196`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
`191`	`197`	`}`
`192`	`198`	`{`
`193`	`199`	`name: 'DocDbEndpointUri'`
`194`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'`
	`200`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'`
`195`	`201`	`}`
`196`	`202`	`{`
`197`	`203`	`name: 'DocDbRideShareDatabaseName'`
`@@ -227,27 +233,27 @@ resource tripFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`227`	`233`	`}`
`228`	`234`	`{`
`229`	`235`	`name: 'AuthorityUrl'`
`230`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'`
	`236`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'`
`231`	`237`	`}`
`232`	`238`	`{`
`233`	`239`	`name: 'ApiApplicationId'`
`234`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'`
	`240`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'`
`235`	`241`	`}`
`236`	`242`	`{`
`237`	`243`	`name: 'ApiScopeName'`
`238`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'`
	`244`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'`
`239`	`245`	`}`
`240`	`246`	`{`
`241`	`247`	`name: 'EnableAuth'`
`242`	`248`	`value: 'true'`
`243`	`249`	`}`
`244`	`250`	`{`
`245`	`251`	`name: 'SqlConnectionString'`
`246`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/SqlConnectionString)'`
	`252`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/SqlConnectionString)'`
`247`	`253`	`}`
`248`	`254`	`{`
`249`	`255`	`name: 'AzureSignalRConnectionString'`
`250`		`- value:'@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AzureSignalRConnectionString)'`
	`256`	`+ value:'@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AzureSignalRConnectionString)'`
`251`	`257`	`}`
`252`	`258`	`]`
`253`	`259`	`cors: {`
`@@ -297,11 +303,11 @@ resource driverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`297`	`303`	`}`
`298`	`304`	`{`
`299`	`305`	`name: 'DocDbApiKey'`
`300`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
	`306`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
`301`	`307`	`}`
`302`	`308`	`{`
`303`	`309`	`name: 'DocDbEndpointUri'`
`304`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'`
	`310`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'`
`305`	`311`	`}`
`306`	`312`	`{`
`307`	`313`	`name: 'DocDbRideShareDatabaseName'`
`@@ -321,15 +327,15 @@ resource driverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`321`	`327`	`}`
`322`	`328`	`{`
`323`	`329`	`name: 'AuthorityUrl'`
`324`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'`
	`330`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'`
`325`	`331`	`}`
`326`	`332`	`{`
`327`	`333`	`name: 'ApiApplicationId'`
`328`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'`
	`334`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'`
`329`	`335`	`}`
`330`	`336`	`{`
`331`	`337`	`name: 'ApiScopeName'`
`332`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'`
	`338`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'`
`333`	`339`	`}`
`334`	`340`	`{`
`335`	`341`	`name: 'EnableAuth'`
`@@ -383,11 +389,11 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`383`	`389`	`}`
`384`	`390`	`{`
`385`	`391`	`name: 'DocDbApiKey'`
`386`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
	`392`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
`387`	`393`	`}`
`388`	`394`	`{`
`389`	`395`	`name: 'DocDbEndpointUri'`
`390`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'`
	`396`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'`
`391`	`397`	`}`
`392`	`398`	`{`
`393`	`399`	`name: 'DocDbRideShareDatabaseName'`
`@@ -407,31 +413,31 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`407`	`413`	`}`
`408`	`414`	`{`
`409`	`415`	`name: 'AuthorityUrl'`
`410`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'`
	`416`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'`
`411`	`417`	`}`
`412`	`418`	`{`
`413`	`419`	`name: 'ApiApplicationId'`
`414`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'`
	`420`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'`
`415`	`421`	`}`
`416`	`422`	`{`
`417`	`423`	`name: 'ApiScopeName'`
`418`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'`
	`424`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'`
`419`	`425`	`}`
`420`	`426`	`{`
`421`	`427`	`name: 'EnableAuth'`
`422`	`428`	`value: 'true'`
`423`	`429`	`}`
`424`	`430`	`{`
`425`	`431`	`name: 'GraphTenantId'`
`426`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphTenantId)'`
	`432`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphTenantId)'`
`427`	`433`	`}`
`428`	`434`	`{`
`429`	`435`	`name: 'GraphClientId'`
`430`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphClientId)'`
	`436`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphClientId)'`
`431`	`437`	`}`
`432`	`438`	`{`
`433`	`439`	`name: 'GraphClientSecret'`
`434`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphClientSecret)'`
	`440`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphClientSecret)'`
`435`	`441`	`}`
`436`	`442`	`]`
`437`	`443`	`cors: {`
`@@ -441,6 +447,9 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`441`	`447`	`}`
`442`	`448`	`}`
`443`	`449`	`}`
	`450`	`+ identity: {`
	`451`	`+ type: 'SystemAssigned'`
	`452`	`+ }`
`444`	`453`	`}`
`445`	`454`
`446`	`455`	`resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`@@ -477,11 +486,11 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`477`	`486`	`}`
`478`	`487`	`{`
`479`	`488`	`name: 'DocDbApiKey'`
`480`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
	`489`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`
`481`	`490`	`}`
`482`	`491`	`{`
`483`	`492`	`name: 'DocDbEndpointUri'`
`484`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'`
	`493`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'`
`485`	`494`	`}`
`486`	`495`	`{`
`487`	`496`	`name: 'DocDbRideShareDatabaseName'`
`@@ -541,7 +550,7 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`541`	`550`	`}`
`542`	`551`	`{`
`543`	`552`	`name: 'TripExternalizationsEventGridTopicApiKey'`
`544`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/TripExternalizationsEventGridTopicApiKey)'`
	`553`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/TripExternalizationsEventGridTopicApiKey)'`
`545`	`554`	`}`
`546`	`555`	`]`
`547`	`556`	`cors: {`
`@@ -551,6 +560,9 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`551`	`560`	`}`
`552`	`561`	`}`
`553`	`562`	`}`
	`563`	`+ identity: {`
	`564`	`+ type: 'SystemAssigned'`
	`565`	`+ }`
`554`	`566`	`}`
`555`	`567`
`556`	`568`	`resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`@@ -566,7 +578,7 @@ resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`566`	`578`	`}`
`567`	`579`	`{`
`568`	`580`	`name: 'DocDbConnectionString'`
`569`		`- value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbConnectionString)'`
	`581`	`+ value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbConnectionString)'`
`570`	`582`	`}`
`571`	`583`	`]`
`572`	`584`	`cors: {`
`@@ -576,23 +588,23 @@ resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {`
`576`	`588`	`}`
`577`	`589`	`}`
`578`	`590`	`}`
	`591`	`+ identity: {`
	`592`	`+ type: 'SystemAssigned'`
	`593`	`+ }`
`579`	`594`	`}`
`580`	`595`
`581`		`-module keyVault 'modules/keyvault.bicep' = {`
`582`		`- name: keyVaultName`
	`596`	`+module keyVaultPolicies 'modules/keyvaultPolicies.bicep' = {`
	`597`	`+ name: '${keyVaultName}polices'`
`583`	`598`	`params: {`
`584`	`599`	`keyVaultName: keyVaultName`
`585`		`- functionAppPrefix: applicationName`
`586`		`- functionApps: functionsApps`
`587`		`- resourceTags: resourceTags`
`588`		`- location: location`
	`600`	`+ functionAppPrincipalIds: [`
	`601`	`+ tripFunctionApp.identity.principalId`
	`602`	`+ driverFunctionApp.identity.principalId`
	`603`	`+ passengerFunctionApp.identity.principalId`
	`604`	`+ tripArchiverFunctionApp.identity.principalId`
	`605`	`+ orchestratorsFunctionApp.identity.principalId`
	`606`	`+ ]`
`589`	`607`	`}`
`590`		`- dependsOn: [`
`591`		`- tripFunctionApp`
`592`		`- driverFunctionApp`
`593`		`- passengerFunctionApp`
`594`		`- tripArchiverFunctionApp`
`595`		`- orchestratorsFunctionApp`
`596`		`- ]`
`597`	`608`	`}`
`598`	`609`
	`610`	`+output principalId string = orchestratorsFunctionApp.identity.principalId`