// Module metadata (surfaced in the generated README / registry listing).
metadata name = 'Key Vault Access Policies'
metadata description = 'This module deploys a Key Vault Access Policy.'
metadata owner = 'Azure/module-maintainers'
// NOTE(review): access policies are the vault's legacy authorization model. On a
// vault that has RBAC authorization enabled the policies written by this module
// are not consulted — confirm the target vault's setting before relying on this
// module for access control.
@description('Conditional. The name of the parent key vault. Required if the template is used in a standalone deployment.')
param keyVaultName string
// Nullable: a null/omitted value deploys an empty policy list (see
// `formattedAccessPolicies`). Each entry must reference a principal by its
// Entra *object ID*, per `accessPoliciesType` below.
@description('Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault\'s tenant ID.')
param accessPolicies accessPoliciesType
// Normalises the optional `accessPolicies` input into the exact object shape the
// vaults/accessPolicies resource accepts:
//  * a null/omitted input yields an empty list (the deployment becomes a no-op),
//  * an omitted `applicationId` is sent as '' (no compound identity),
//  * an omitted `tenantId` falls back to the *deploying* tenant via `tenant()`.
// NOTE(review): the param contract says every policy must carry the vault's own
// tenant ID; `tenant()` only equals that when the deployment runs in the vault's
// tenant. Reading `keyVault.properties.tenantId` instead would pin the default to
// the vault — worth confirming before a cross-tenant use of this module.
var formattedAccessPolicies = [
  for entry in (accessPolicies ?? []): {
    objectId: entry.objectId
    tenantId: entry.?tenantId ?? tenant().tenantId
    applicationId: entry.?applicationId ?? ''
    permissions: entry.permissions
  }
]
// Existing parent vault, resolved by name. No `scope` is given, so the lookup is
// in the deployment's own resource group — the module must be deployed into the
// vault's resource group.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}
// Applies the normalised policies to the parent vault.
// NOTE(review): the child-resource name `add` selects the merge operation —
// entries for object IDs already on the vault are overwritten with the
// permissions given here and every other existing policy is left in place. This
// module therefore cannot revoke access; removal needs the `remove` operation or
// an authoritative `accessPolicies` list on the vault itself — confirm against
// the vaults/accessPolicies API before relying on that.
resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
  parent: keyVault
  name: 'add'
  properties: {
    accessPolicies: formattedAccessPolicies
  }
}
// Outputs. `name` is always the operation name ('add') rather than a
// vault-unique identifier, so it is not useful for correlating policies.
@description('The name of the access policies assignment.')
output name string = policies.name
@description('The resource ID of the access policies assignment.')
output resourceId string = policies.id
@description('The name of the resource group the access policies assignment was created in.')
output resourceGroupName string = resourceGroup().name
// ================ //
// Definitions //
// ================ //
// Shape of one access-policy entry. The permission lists mirror the Key Vault
// accessPolicies API enumerations; each list is optional, and an omitted list
// grants nothing in that category.
type accessPoliciesType = {
  // Defaults to the deploying tenant when omitted (see `formattedAccessPolicies`).
  @description('Optional. The tenant ID that is used for authenticating requests to the key vault.')
  tenantId: string?
  // NOTE(review): this must be the principal's Entra object ID. For a service
  // principal that is the service principal's object ID, not the application
  // (client) ID — a policy written against the wrong GUID grants nobody, or the
  // wrong principal, and the deployment does not fail. Verify the value's origin.
  @description('Required. The object ID of a user, service principal or security group in the tenant for the vault.')
  objectId: string
  // Only meaningful for compound (on-behalf-of) identities; an omitted value is
  // sent as '' by `formattedAccessPolicies`.
  @description('Optional. Application ID of the client making request on behalf of a principal.')
  applicationId: string?
  // Least privilege: `all` and `purge` are the broadest grants in every category.
  // `all` covers the destructive verbs, and `purge` permanently destroys
  // soft-deleted objects, defeating the recovery window. Prefer listing the
  // specific verbs a workload needs. Note the object also carries a `storage`
  // list (managed storage-account / SAS permissions) that the description below
  // does not mention.
  @description('Required. Permissions the identity has for keys, secrets and certificates.')
  permissions: {
    // `decrypt`/`sign`/`unwrapKey` are the key-use verbs; `purge`, `delete`,
    // `import` and `restore` change key material or its lifecycle.
    @description('Optional. Permissions to keys.')
    keys: (
      | 'all'
      | 'backup'
      | 'create'
      | 'decrypt'
      | 'delete'
      | 'encrypt'
      | 'get'
      | 'getrotationpolicy'
      | 'import'
      | 'list'
      | 'purge'
      | 'recover'
      | 'release'
      | 'restore'
      | 'rotate'
      | 'setrotationpolicy'
      | 'sign'
      | 'unwrapKey'
      | 'update'
      | 'verify'
      | 'wrapKey')[]?
    // `get` returns secret values; `list` exposes only names/metadata.
    @description('Optional. Permissions to secrets.')
    secrets: ('all' | 'backup' | 'delete' | 'get' | 'list' | 'purge' | 'recover' | 'restore' | 'set')[]?
    @description('Optional. Permissions to certificates.')
    certificates: (
      | 'all'
      | 'backup'
      | 'create'
      | 'delete'
      | 'deleteissuers'
      | 'get'
      | 'getissuers'
      | 'import'
      | 'list'
      | 'listissuers'
      | 'managecontacts'
      | 'manageissuers'
      | 'purge'
      | 'recover'
      | 'restore'
      | 'setissuers'
      | 'update')[]?
    // `regeneratekey` rotates the managed storage account's keys; `setsas`/
    // `getsas`/`listsas` manage SAS definitions.
    @description('Optional. Permissions to storage accounts.')
    storage: (
      | 'all'
      | 'backup'
      | 'delete'
      | 'deletesas'
      | 'get'
      | 'getsas'
      | 'list'
      | 'listsas'
      | 'purge'
      | 'recover'
      | 'regeneratekey'
      | 'restore'
      | 'set'
      | 'setsas'
      | 'update')[]?
  }
}[]?