Merge pull request #320 from Azure/gb-kvrefactor

KeyVault refactor
Azure · Jul 20, 2022 · 247ba23 · 247ba23
2 parents 8ead24a + 7fdf0b8
commit 247ba23
Show file tree

Hide file tree

Showing 23 changed files with 257 additions and 165 deletions.
diff --git a/.github/workflows/ByoVnetCI.yml b/.github/workflows/ByoVnetCI.yml
@@ -203,7 +203,7 @@ jobs:
             } else { Write-Output "-- Looks like $feature is registered properly" }
           }
 
-          if($params.parameters.azureKeyvaultSecretsProvider.value -eq $true) {
+          if($params.parameters.keyVaultAksCSI.value -eq $true) {
             $feature='AKS-AzureKeyVaultSecretsProvider'
             write-output "-- $feature"
             $featureCsi = $aksfeatures |  Where-Object {$_.name -like "*$feature"}
@@ -336,7 +336,7 @@ jobs:
               $paramFileContent=Get-Content $paramFilePath
               $params=$paramFileContent|ConvertFrom-Json
 
-              if($params.parameters.createKV.value -eq $true) {
+              if($params.parameters.keyVaultCreate.value -eq $true) {
                 Write-Output "Checking for already existing soft deleted KV"
 
                 #lets do this properly and interrogate the whatif file for the KVNAME
@@ -641,7 +641,7 @@ jobs:
           }
 
           Write-Output "Checking for CSI Secrets driver"
-          if($params.parameters.azureKeyvaultSecretsProvider.value -eq $true) {
+          if($params.parameters.keyVaultAksCSI.value -eq $true) {
             $csiEnabled=az aks show -n $AKSNAME -g $RG --query "addonProfiles.omsagent.enabled" -o tsv
             write-output $csiEnabled
 

diff --git a/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json b/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json
@@ -65,10 +65,10 @@
         "SystemPoolType" : {
             "value" : "Standard"
         },
-        "createKV" : {
+        "keyVaultCreate" : {
             "value" : true
         },
-        "azureKeyvaultSecretsProvider" : {
+        "keyVaultAksCSI" : {
             "value" : true
         },
         "appgwKVIntegration" : {
@@ -87,10 +87,10 @@
               "guard"
             ]
         },
-        "KeyVaultSoftDelete" : {
+        "keyVaultSoftDelete" : {
             "value" : false
         },
-        "KeyVaultPurgeProtection" : {
+        "keyVaultPurgeProtection" : {
             "value" : false
         },
         "dnsZoneId" : {

diff --git a/.github/workflows_dep/AksDeploy-Private.parameters.json b/.github/workflows_dep/AksDeploy-Private.parameters.json
@@ -74,10 +74,10 @@
           "appgwKVIntegration": {
             "value": true
           },
-          "azureKeyvaultSecretsProvider": {
+          "keyVaultAksCSI": {
             "value": true
           },
-          "createKV": {
+          "keyVaultCreate": {
             "value": true
           },
           "upgradeChannel": {

diff --git a/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json b/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json
@@ -44,10 +44,10 @@
 		"networkPlugin": {
 			"value": "azure"
 		},
-        "KeyVaultSoftDelete" : {
+        "keyVaultSoftDelete" : {
             "value" : false
         },
-        "KeyVaultPurgeProtection" : {
+        "keyVaultPurgeProtection" : {
             "value" : false
         }
 	}

diff --git a/.github/workflows_dep/regressionparams/key-vault.json b/.github/workflows_dep/regressionparams/key-vault.json
@@ -32,13 +32,13 @@
     "appgwKVIntegration": {
       "value": true
     },
-    "azureKeyvaultSecretsProvider": {
+    "keyVaultAksCSI": {
       "value": true
     },
-    "createKV": {
+    "keyVaultCreate": {
       "value": true
     },
-    "kvIPAllowlist": {
+    "keyVaultIPAllowlist": {
       "value": [
         "1.2.3.4/32"
       ]

diff --git a/.github/workflows_dep/regressionparams/managed-private-privatelink.json b/.github/workflows_dep/regressionparams/managed-private-privatelink.json
@@ -74,10 +74,10 @@
     "appgwKVIntegration": {
       "value": true
     },
-    "azureKeyvaultSecretsProvider": {
+    "keyVaultAksCSI": {
       "value": true
     },
-    "createKV": {
+    "keyVaultCreate": {
       "value": true
     },
     "upgradeChannel": {

diff --git a/.github/workflows_dep/regressionparams/managed-private.json b/.github/workflows_dep/regressionparams/managed-private.json
@@ -59,10 +59,10 @@
     "appgwKVIntegration": {
       "value": true
     },
-    "createKV": {
+    "keyVaultCreate": {
       "value": true
     },
-    "azureKeyvaultSecretsProvider": {
+    "keyVaultAksCSI": {
       "value": true
     },
     "upgradeChannel": {

diff --git a/.github/workflows_dep/regressionparams/managed-public.json b/.github/workflows_dep/regressionparams/managed-public.json
@@ -53,10 +53,10 @@
     "appgwKVIntegration": {
       "value": true
     },
-    "createKV": {
+    "keyVaultCreate": {
       "value": true
     },
-    "azureKeyvaultSecretsProvider": {
+    "keyVaultAksCSI": {
       "value": true
     },
     "upgradeChannel": {

diff --git a/.github/workflows_dep/regressionparams/open-secure.json b/.github/workflows_dep/regressionparams/open-secure.json
@@ -23,10 +23,10 @@
     "azurepolicy": {
       "value": "audit"
     },
-    "azureKeyvaultSecretsProvider": {
+    "keyVaultAksCSI": {
       "value": true
     },
-    "createKV": {
+    "keyVaultCreate": {
       "value": true
     }
   }

diff --git a/.github/workflows_dep/regressionparams/optimised-for-well-architected.json b/.github/workflows_dep/regressionparams/optimised-for-well-architected.json
@@ -73,10 +73,10 @@
           "appgwKVIntegration": {
             "value": true
           },
-          "azureKeyvaultSecretsProvider": {
+          "keyVaultAksCSI": {
             "value": true
           },
-          "createKV": {
+          "keyVaultCreate": {
             "value": true
           },
           "upgradeChannel": {

diff --git a/bicep/keyvault.bicep b/bicep/keyvault.bicep
@@ -0,0 +1,80 @@
+@minLength(2)
+@description('The location to use for the deployment. defaults to Resource Groups location.')
+param location string = resourceGroup().location
+
+@minLength(3)
+@maxLength(20)
+@description('Used to name all resources')
+param resourceName string
+
+@description('Enable support for private links')
+param privateLinks bool = false
+
+@description('If soft delete protection is enabled')
+param keyVaultSoftDelete bool = true
+
+@description('If purge protection is enabled')
+param keyVaultPurgeProtection bool = true
+
+@description('Add IP to KV firewall allow-list')
+param keyVaultIPAllowlist array = []
+
+param logAnalyticsWorkspaceId string = ''
+
+var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
+var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName
+
+var kvIPRules = [for kvIp in keyVaultIPAllowlist: {
+  value: kvIp
+}]
+
+resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
+  name: akvName
+  location: location
+  properties: {
+    tenantId: subscription().tenantId
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    // publicNetworkAccess:  whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked.
+    publicNetworkAccess: privateLinks && empty(keyVaultIPAllowlist) ? 'disabled' : 'enabled'
+
+    networkAcls: privateLinks && !empty(keyVaultIPAllowlist) ? {
+      bypass: 'AzureServices'
+      defaultAction: 'Deny'
+      ipRules: kvIPRules
+      virtualNetworkRules: []
+    } : {}
+
+    enableRbacAuthorization: true
+    enabledForDeployment: false
+    enabledForDiskEncryption: false
+    enabledForTemplateDeployment: false
+    enableSoftDelete: keyVaultSoftDelete
+    enablePurgeProtection: keyVaultPurgeProtection ? true : json('null')
+  }
+}
+
+resource kvDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceId)) {
+  name: 'kvDiags'
+  scope: kv
+  properties: {
+    workspaceId: logAnalyticsWorkspaceId
+    logs: [
+      {
+        category: 'AuditEvent'
+        enabled: true
+      }
+    ]
+    metrics: [
+      {
+        category: 'AllMetrics'
+        enabled: true
+      }
+    ]
+  }
+}
+
+output keyVaultName string = kv.name
+output keyVaultId string = kv.id
diff --git a/bicep/keyvaultrbac.bicep b/bicep/keyvaultrbac.bicep
@@ -0,0 +1,74 @@
+param keyVaultName string
+
+@description('An array of Service Principal IDs')
+param rbacSecretUserSps array = []
+
+@description('An array of Service Principal IDs')
+param rbacSecretOfficerSps array = []
+
+@description('An array of Service Principal IDs')
+param rbacCertOfficerSps array = []
+
+@description('An array of User IDs')
+param rbacSecretOfficerUsers array = []
+
+@description('An array of User IDs')
+param rbacCertOfficerUsers array = []
+
+var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
+var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
+var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
+
+resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+  name: keyVaultName
+}
+
+resource rbacSecretUserSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretUserSps : if(!empty(rbacSp)) {
+  scope: kv
+  name: guid(kv.id, rbacSp, keyVaultSecretsUserRole)
+  properties: {
+    roleDefinitionId: keyVaultSecretsUserRole
+    principalType: 'ServicePrincipal'
+    principalId: rbacSp
+  }
+}]
+
+resource rbacSecretOfficerSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretOfficerSps : if(!empty(rbacSp)) {
+  scope: kv
+  name: guid(kv.id, rbacSp, keyVaultSecretsOfficerRole)
+  properties: {
+    roleDefinitionId: keyVaultSecretsOfficerRole
+    principalType: 'ServicePrincipal'
+    principalId: rbacSp
+  }
+}]
+
+resource rbacCertsOfficerSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacCertOfficerSps : if(!empty(rbacSp)) {
+  scope: kv
+  name: guid(kv.id, rbacSp, keyVaultCertsOfficerRole)
+  properties: {
+    roleDefinitionId: keyVaultCertsOfficerRole
+    principalType: 'ServicePrincipal'
+    principalId: rbacSp
+  }
+}]
+
+resource rbacSecretOfficerUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretOfficerUsers : if(!empty(rbacSp)) {
+  scope: kv
+  name: guid(kv.id, rbacSp, keyVaultSecretsOfficerRole)
+  properties: {
+    roleDefinitionId: keyVaultSecretsOfficerRole
+    principalType: 'User'
+    principalId: rbacSp
+  }
+}]
+
+resource rbacCertsOfficerUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacCertOfficerUsers : if(!empty(rbacSp)) {
+  scope: kv
+  name: guid(kv.id, rbacSp, keyVaultCertsOfficerRole)
+  properties: {
+    roleDefinitionId: keyVaultCertsOfficerRole
+    principalType: 'User'
+    principalId: rbacSp
+  }
+}]