Azure · krbar · Oct 1, 2024 · May 16, 2024 · May 16, 2024 · May 16, 2024
@@ -84,7 +84,85 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 </details>
 <p>
 
+<<<<<<< HEAD
+### Example 2: _Deploying with a key vault reference to save secrets_
+
+This instance deploys the module saving admin key secrets in a key vault.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module searchService 'br/public:avm/res/search/search-service:<version>' = {
+  name: 'searchServiceDeployment'
+  params: {
+    // Required parameters
+    name: 'kv-ref'
+    // Non-required parameters
+    authOptions: {
+      aadOrApiKey: {
+        aadAuthFailureMode: 'http401WithBearerChallenge'
+      }
+    }
+    disableLocalAuth: false
+    location: '<location>'
+    secretsKeyVault: {
+      keyVaultName: '<keyVaultName>'
+      primaryAdminKeySecretName: 'Primary-Admin-Key'
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON Parameter file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "name": {
+      "value": "kv-ref"
+    },
+    // Non-required parameters
+    "authOptions": {
+      "value": {
+        "aadOrApiKey": {
+          "aadAuthFailureMode": "http401WithBearerChallenge"
+        }
+      }
+    },
+    "disableLocalAuth": {
+      "value": false
+    },
+    "location": {
+      "value": "<location>"
+    },
+    "secretsKeyVault": {
+      "value": {
+        "keyVaultName": "<keyVaultName>",
+        "primaryAdminKeySecretName": "Primary-Admin-Key"
+      }
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+### Example 3: _Using large parameter set_
+=======
 ### Example 2: _Using large parameter set_
+>>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 
 This instance deploys the module with most of its features enabled.
 
@@ -620,6 +698,10 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method. |
 | [`replicaCount`](#parameter-replicacount) | int | The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
+<<<<<<< HEAD
+| [`secretsKeyVault`](#parameter-secretskeyvault) | object | Key vault reference and secret settings to add the API admin keys generated by the search-service account. |
+=======
+>>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 | [`semanticSearch`](#parameter-semanticsearch) | string | Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations. |
 | [`sharedPrivateLinkResources`](#parameter-sharedprivatelinkresources) | array | The sharedPrivateLinkResources to create as part of the search Service. |
 | [`sku`](#parameter-sku) | string | Defines the SKU of an Azure Cognitive Search Service, which determines price tier and capacity limits. |
@@ -1368,6 +1450,58 @@ The principal type of the assigned principal ID.
   ]
   ```
 
+<<<<<<< HEAD
+### Parameter: `secretsKeyVault`
+
+Key vault reference and secret settings to add the API admin keys generated by the search-service account.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`keyVaultName`](#parameter-secretskeyvaultkeyvaultname) | string | The key vault name where to store the API Admin keys generated by the modules. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`primaryAdminKeySecretName`](#parameter-secretskeyvaultprimaryadminkeysecretname) | string | Default to API Primary admin key . The primary admin key secret name to create. |
+| [`resourceGroupName`](#parameter-secretskeyvaultresourcegroupname) | string | Default to the resource group where this account is. The resource group name where the key vault is. |
+| [`secondaryAdminKeySecretName`](#parameter-secretskeyvaultsecondaryadminkeysecretname) | string | Default to API Secondary admin key . The secondary admin key secret name to create. |
+
+### Parameter: `secretsKeyVault.keyVaultName`
+
+The key vault name where to store the API Admin keys generated by the modules.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `secretsKeyVault.primaryAdminKeySecretName`
+
+Default to API Primary admin key . The primary admin key secret name to create.
+
+- Required: No
+- Type: string
+
+### Parameter: `secretsKeyVault.resourceGroupName`
+
+Default to the resource group where this account is. The resource group name where the key vault is.
+
+- Required: No
+- Type: string
+
+### Parameter: `secretsKeyVault.secondaryAdminKeySecretName`
+
+Default to API Secondary admin key . The secondary admin key secret name to create.
+
+- Required: No
+- Type: string
+
+=======
+>>>>>>> parent of e4e03661 (AISearchService with adminkeys in keyvault)
 ### Parameter: `semanticSearch`
 
 Sets options that control the availability of semantic search. This configuration is only possible for certain search SKUs in certain locations.

@@ -60,6 +60,9 @@ param sharedPrivateLinkResources array = []
 ])
 param publicNetworkAccess string = 'enabled'
 
+@description('Optional. Key vault reference and secret settings to add the API admin keys generated by the search-service account.')
+param secretsKeyVault secretsKeyVaultType?
+
 @description('Optional. The number of replicas in the search service. If specified, it must be a value between 1 and 12 inclusive for standard SKUs or between 1 and 3 inclusive for basic SKU.')
 @minValue(1)
 @maxValue(12)
@@ -137,24 +140,23 @@ var builtInRoleNames = {
   )
 }
 
-resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
-  if (enableTelemetry) {
-    name: '46d3xbcp.search-searchservice.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
-    properties: {
-      mode: 'Incremental'
-      template: {
-        '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
-        contentVersion: '1.0.0.0'
-        resources: []
-        outputs: {
-          telemetry: {
-            type: 'String'
-            value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
-          }
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
+  name: '46d3xbcp.search-searchservice.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+      outputs: {
+        telemetry: {
+          type: 'String'
+          value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
         }
       }
     }
   }
+}
 
 resource searchService 'Microsoft.Search/searchServices@2023-11-01' = {
   location: location
@@ -208,17 +210,16 @@ resource searchService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings
   }
 ]
 
-resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' =
-  if (!empty(lock ?? {}) && lock.?kind != 'None') {
-    name: lock.?name ?? 'lock-${name}'
-    properties: {
-      level: lock.?kind ?? ''
-      notes: lock.?kind == 'CanNotDelete'
-        ? 'Cannot delete resource or child resources.'
-        : 'Cannot delete or modify the resource or child resources.'
-    }
-    scope: searchService
+resource searchService_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
+  properties: {
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete'
+      ? 'Cannot delete resource or child resources.'
+      : 'Cannot delete or modify the resource or child resources.'
   }
+  scope: searchService
+}
 
 resource searchService_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for (roleAssignment, index) in (roleAssignments ?? []): {
@@ -313,6 +314,25 @@ module searchService_sharedPrivateLinkResources 'shared-private-link-resource/ma
   }
 ]
 
+module keyVault 'modules/secrets-key-vault.bicep' = if (secretsKeyVault != null) {
+  name: '${uniqueString(deployment().name, location)}-secrets-kv'
+  scope: resourceGroup(secretsKeyVault.?resourceGroupName ?? resourceGroup().name)
+  params: {
+    keyVaultName: secretsKeyVault!.keyVaultName
+
+    keySecrets: [
+      {
+        secretName: secretsKeyVault.?primaryAdminKeySecretName ?? 'Primary-Admin-Key'
+        secretValue: searchService.listAdminKeys().primaryKey
+      }
+      {
+        secretName: secretsKeyVault.?secondaryAdminKeySecretName ?? 'Secondary-Admin-Key'
+        secretValue: searchService.listAdminKeys().secondaryKey
+      }
+    ]
+  }
+}
+
 // =========== //
 //   Outputs   //
 // =========== //
@@ -493,3 +513,17 @@ type diagnosticSettingType = {
   @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
   marketplacePartnerResourceId: string?
 }[]?
+
+type secretsKeyVaultType = {
+  @description('Required. The key vault name where to store the API Admin keys generated by the modules.')
+  keyVaultName: string
+
+  @description('Optional. Default to the resource group where this account is. The resource group name where the key vault is.')
+  resourceGroupName: string?
+
+  @description('Optional. Default to API Primary admin key . The primary admin key secret name to create.')
+  primaryAdminKeySecretName: string?
+
+  @description('Optional. Default to API Secondary admin key . The secondary admin key secret name to create.')
+  secondaryAdminKeySecretName: string?
+}
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "13069544635575133650"
+      "version": "0.27.1.19265",
+      "templateHash": "3771642557846929937"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -433,6 +433,38 @@
         }
       },
       "nullable": true
+    },
+    "secretsKeyVaultType": {
+      "type": "object",
+      "properties": {
+        "keyVaultName": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. The key vault name where to store the API Admin keys generated by the modules."
+          }
+        },
+        "resourceGroupName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Default to the resource group where this account is. The resource group name where the key vault is."
+          }
+        },
+        "primaryAdminKeySecretName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Default to API Primary admin key . The primary admin key secret name to create."
+          }
+        },
+        "secondaryAdminKeySecretName": {
+          "type": "string",
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Default to API Secondary admin key . The secondary admin key secret name to create."
+          }
+        }
+      }
     }
   },
   "parameters": {
@@ -539,6 +571,13 @@
         "description": "Optional. This value can be set to 'enabled' to avoid breaking changes on existing customer resources and templates. If set to 'disabled', traffic over public interface is not allowed, and private endpoint connections would be the exclusive access method."
       }
     },
+    "secretsKeyVault": {
+      "$ref": "#/definitions/secretsKeyVaultType",
+      "nullable": true,
+      "metadata": {
+        "description": "Optional. Key vault reference and secret settings to add the API admin keys generated by the search-service account."
+      }
+    },
     "replicaCount": {
       "type": "int",
       "defaultValue": 3,
@@ -1574,4 +1613,4 @@
       "value": "[reference('searchService', '2023-11-01', 'full').location]"
     }
   }
-}
+}
diff --git a/avm/res/search/search-service/modules/secrets-key-vault.bicep b/avm/res/search/search-service/modules/secrets-key-vault.bicep
@@ -0,0 +1,23 @@
+param keyVaultName string
+param keySecrets keySecret[]
+
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}
+
+resource keySecretsSecrets 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = [
+  for secret in keySecrets: {
+    name: secret.secretName
+    parent: kv
+    properties: {
+      value: secret.secretValue
+    }
+  }
+]
+
+type keySecret = {
+  secretName: string
+
+  @secure()
+  secretValue: string
+}
@@ -0,0 +1,21 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param keyVaultName string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
+  name: keyVaultName
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    enableRbacAuthorization: true
+    tenantId: subscription().tenantId
+  }
+}
+
+@description('The name of the Key Vault created.')
+output keyVaultName string = keyVaultName