Fix Key Vault dependency issue, split create and update Key Vault int… #85

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 60 additions & 48 deletions bicep/main.bicep
Expand Up @@ -18,6 +18,9 @@ param sqlAdminLogin string
@secure()
param sqlAdminPassword string

@description('Service principal Id used for deployment.')
param objectId string

@description('The resource tags that will be applied to the deployed resources.')
param resourceTags object = {
ProjectType: 'Azure Serverless Microservices'
Expand All @@ -36,24 +39,27 @@ var apimName = '${applicationName}Apim'
var sqlServerName = '${applicationName}-db'
var staticWebAppName = '${applicationName}Web'
var storageAccountName = take(toLower(replace('${applicationName}func', '-', '')), 24)
var functionsApps = [
'Trips'
'Drivers'
'Passengers'
'TripArchiver'
'Orchestrators'
]
var functionRuntime = 'dotnet'
var functionVersion = '~4'

module keyVault 'modules/keyvault.bicep' = {
name: keyVaultName
params: {
keyVaultName: keyVaultName
objectId: objectId
resourceTags: resourceTags
location: location
}
}

module cosmos 'modules/cosmosdb.bicep' = {
name: cosmosdbName
params: {
accountName: cosmosdbName
location: location
databaseName: applicationName
resourceTags: resourceTags
keyVaultName: keyVaultName
keyVaultName: keyVault.name
}
}

Expand All @@ -66,7 +72,7 @@ module sqlDb 'modules/sqldb.bicep' = {
administratorPassword: sqlAdminPassword
location: location
resourceTags: resourceTags
keyVaultName: keyVaultName
keyVaultName: keyVault.name
}
}

Expand All @@ -76,7 +82,7 @@ module eventGrid 'modules/eventgrid.bicep' = {
eventGridTopicName: eventGridName
location: location
resourceTags: resourceTags
keyVaultName: keyVaultName
keyVaultName: keyVault.name
}
}

Expand All @@ -86,7 +92,7 @@ module signalR 'modules/signalr.bicep' = {
signalRName: signalRName
location: location
resourceTags: resourceTags
keyVaultName: keyVaultName
keyVaultName: keyVault.name
}
}

Expand Down Expand Up @@ -187,11 +193,11 @@ resource tripFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'DocDbApiKey'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
}
{
name: 'DocDbEndpointUri'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
}
{
name: 'DocDbRideShareDatabaseName'
Expand Down Expand Up @@ -227,27 +233,27 @@ resource tripFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'AuthorityUrl'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'
}
{
name: 'ApiApplicationId'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'
}
{
name: 'ApiScopeName'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'
}
{
name: 'EnableAuth'
value: 'true'
}
{
name: 'SqlConnectionString'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/SqlConnectionString)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/SqlConnectionString)'
}
{
name: 'AzureSignalRConnectionString'
value:'@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AzureSignalRConnectionString)'
value:'@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AzureSignalRConnectionString)'
}
]
cors: {
Expand Down Expand Up @@ -297,11 +303,11 @@ resource driverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'DocDbApiKey'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
}
{
name: 'DocDbEndpointUri'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
}
{
name: 'DocDbRideShareDatabaseName'
Expand All @@ -321,15 +327,15 @@ resource driverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'AuthorityUrl'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'
}
{
name: 'ApiApplicationId'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'
}
{
name: 'ApiScopeName'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'
}
{
name: 'EnableAuth'
Expand Down Expand Up @@ -383,11 +389,11 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'DocDbApiKey'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
}
{
name: 'DocDbEndpointUri'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
}
{
name: 'DocDbRideShareDatabaseName'
Expand All @@ -407,31 +413,31 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'AuthorityUrl'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/AuthorityUrl)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/AuthorityUrl)'
}
{
name: 'ApiApplicationId'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiApplicationId)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiApplicationId)'
}
{
name: 'ApiScopeName'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/ApiScopeName)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/ApiScopeName)'
}
{
name: 'EnableAuth'
value: 'true'
}
{
name: 'GraphTenantId'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphTenantId)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphTenantId)'
}
{
name: 'GraphClientId'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphClientId)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphClientId)'
}
{
name: 'GraphClientSecret'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/GraphClientSecret)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/GraphClientSecret)'
}
]
cors: {
Expand All @@ -441,6 +447,9 @@ resource passengerFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
}
}
identity: {
type: 'SystemAssigned'
}
}

resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
Expand Down Expand Up @@ -477,11 +486,11 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'DocDbApiKey'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'
}
{
name: 'DocDbEndpointUri'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbEndpoint)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbEndpoint)'
}
{
name: 'DocDbRideShareDatabaseName'
Expand Down Expand Up @@ -541,7 +550,7 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'TripExternalizationsEventGridTopicApiKey'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/TripExternalizationsEventGridTopicApiKey)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/TripExternalizationsEventGridTopicApiKey)'
}
]
cors: {
Expand All @@ -551,6 +560,9 @@ resource orchestratorsFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
}
}
identity: {
type: 'SystemAssigned'
}
}

resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
Expand All @@ -566,7 +578,7 @@ resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
{
name: 'DocDbConnectionString'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVaultName}.vault.azure.net/secrets/CosmosDbConnectionString)'
value: '@Microsoft.KeyVault(SecretUri=https:://${keyVault.name}.vault.azure.net/secrets/CosmosDbConnectionString)'
}
]
cors: {
Expand All @@ -576,23 +588,23 @@ resource tripArchiverFunctionApp 'Microsoft.Web/sites@2021-03-01' = {
}
}
}
identity: {
type: 'SystemAssigned'
}
}

module keyVault 'modules/keyvault.bicep' = {
name: keyVaultName
module keyVaultPolicies 'modules/keyvaultPolicies.bicep' = {
name: '${keyVaultName}polices'
params: {
keyVaultName: keyVaultName
functionAppPrefix: applicationName
functionApps: functionsApps
resourceTags: resourceTags
location: location
functionAppPrincipalIds: [
tripFunctionApp.identity.principalId
driverFunctionApp.identity.principalId
passengerFunctionApp.identity.principalId
tripArchiverFunctionApp.identity.principalId
orchestratorsFunctionApp.identity.principalId
]
}
dependsOn: [
tripFunctionApp
driverFunctionApp
passengerFunctionApp
tripArchiverFunctionApp
orchestratorsFunctionApp
]
}

output principalId string = orchestratorsFunctionApp.identity.principalId
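Review bot: Every rewritten `@Microsoft.KeyVault(...)` app setting in this file (the `DocDbApiKey` entry and its siblings in the trip, driver, passenger, orchestrators and tripArchiver function apps) still builds the secret URI with `https:://`, so unless this is a rendering artifact the reference cannot resolve and each app starts without the secret. These lines were already touched to use `keyVault.name` and are the place to fix it: `value: '@Microsoft.KeyVault(SecretUri=https://${keyVault.name}.vault.azure.net/secrets/CosmosDbPrimaryKey)'`. In the new `keyVaultPolicies` module the `dependsOn` list duplicates the dependency Bicep already infers from the `functionAppPrincipalIds` expressions and can be dropped, and the deployment name `'${keyVaultName}polices'` is misspelled. The function app resources whose settings are shown here start and end outside the visible hunks.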
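--- a/bicep/modules/keyvault.bicep
+++ b/bicep/modules/keyvault.bicep
@@ -1,22 +1,15 @@
 @description('The name of the Key Vault resource that will be deployed.')
 param keyVaultName string
 
-@description('The prefix for the function apps.')
-param functionAppPrefix string
-
-@description('The list of function apps that will have access to this Key Vault.')
-param functionApps array
+@description('Service principal Id used for deployment.')
+param objectId string
 
 @description('The resource tags that will be applied to this Key Vault.')
 param resourceTags object
 
 @description('The location that this Key Vault will be deployed to.')
 param location string
 
-resource functions 'Microsoft.Web/sites@2021-01-15' existing = [for functionApp in functionApps :{
-name: '${functionAppPrefix}${functionApp}'
-}]
-
 resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
 name: keyVaultName
 location: location
@@ -25,19 +18,21 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
 name: 'standard'
 family: 'A'
 }
+accessPolicies: [
+{
+tenantId: subscription().tenantId
+objectId: objectId
+permissions: {
+secrets: [
+'all'
+]
+}
+}
+]
 enableSoftDelete: true
 softDeleteRetentionInDays: 7
 enabledForTemplateDeployment: true
 tenantId: subscription().tenantId
-accessPolicies: [for i in range(0, length(functionApps)) : {
-tenantId: functions[i].identity.tenantId
-objectId: functions[i].identity.principalId
-permissions: {
-secrets: [
-'get'
-]
-}
-}]
 }
 tags: resourceTags
 }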
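Review bot: The access policy added in the new `accessPolicies` block grants the deployment principal `'all'` secret permissions, which includes delete, backup, restore and purge, far more than writing secrets during deployment requires. The modules in main.bicep that now receive `keyVault.name` presumably write secrets (confirm in those modules), which needs `set`, plus `get`/`list` only if they read values back; `secrets: [ 'get' 'list' 'set' ]` is a safer starting point, widened only if a deployment step fails. The vault keeps `enableSoftDelete: true` with a 7-day retention but sets no `enablePurgeProtection`, so a principal holding `purge` can destroy secrets irrecoverably; that property is unchanged here but matters more now that a principal with `'all'` is bound. The new `objectId` parameter description is ambiguous about which ID is meant; `@description('Object (principal) ID of the identity running the deployment; it is granted an access policy on this Key Vault.')` would prevent the common application-ID mix-up.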
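--- /dev/null
+++ b/bicep/modules/keyvaultPolicies.bicep
@@ -0,0 +1,25 @@
+@description('The name of the Key Vault resource that will be deployed.')
+param keyVaultName string
+
+@description('The list of function app principal Id that will have access to this Key Vault.')
+param functionAppPrincipalIds array
+
+resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+name: keyVaultName
+}
+
+resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
+name: 'add'
+parent: keyVault
+properties: {
+accessPolicies: [for i in range(0, length(functionAppPrincipalIds)) : {
+tenantId: subscription().tenantId
+objectId: functionAppPrincipalIds[i]
+permissions: {
+secrets: [
+'get'
+]
+}
+}]
+}
+}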
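Review bot: The `existing` vault reference uses API version `2021-11-01-preview` while the vault in modules/keyvault.bicep and the `accessPolicies` child resource in this file use `2021-06-01-preview`; mixing preview versions for a parent and child of the same type is a needless inconsistency, so `resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {` keeps them aligned. The index loop can iterate the array directly, `accessPolicies: [for principalId in functionAppPrincipalIds: {` with `objectId: principalId`, which reads more clearly than `range(0, length(...))`. The parameter description should be plural and say what is granted, e.g. `@description('Object IDs of the function app managed identities that are granted get access to secrets in this Key Vault.')`. A comment above the `policies` resource should also state that the `add` operation only appends: as far as I can tell, principals later removed from the list are not revoked on redeploy, which is a detail an operator rotating identities needs to know.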