feat: Import changes from Azure#1123 for Key Vault - `avm/res/key-vault/vault` (Azure#1986)

## Description

I have migrated changes from 1123 into my own feature branch to close and complete the related tasks for 1123.
Closes #1122
- adds tests for ec and rsa kty key parameters
- adds checks for dependencies between keySize and curveName key parameters
- Expanded UDT for Secrets
- Expanded UDT for Keys
- added support for releasePolicy for key
- resolves the conflicts from Azure#1123

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes Azure#123
Fixes Azure#456
Closes Azure#123
Closes Azure#456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| [![avm.res.key-vault.vault](https://github.com/ChrisSidebotham/bicep-registry-modules/actions/workflows/avm.res.key-vault.vault.yml/badge.svg?branch=fblix-kv-updates-port)](https://github.com/ChrisSidebotham/bicep-registry-modules/actions/workflows/avm.res.key-vault.vault.yml) |

## Type of Change

<!-- Use the check-boxes [x] on the options that are relevant. -->

- [x] Update to CI Environment or utilities (Non-module affecting changes)
- [ ] Azure Verified Module updates:
  - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [x] Breaking changes and I have bumped the MAJOR version in `version.json`.
- [ ] Update to documentation

## Checklist

- [ ] I'm sure there are no other open Pull Requests for the same update/change (Azure#1123 IS OPEN AND SHOULD BE DISCARDED)
- [x] I have run `Set-AVMModule` locally to generate the supporting module files.
- [x] My corresponding pipelines / checks run clean and green without any errors or warnings

<!-- Please keep up to date with the contribution guide at https://aka.ms/avm/contribute/bicep -->
ChrisSidebotham authored and hundredacres committed Jun 19, 2024
1 parent 36d942f commit 37dbe28
Showing 13 changed files with 1,749 additions and 367 deletions.
1,216 changes: 990 additions & 226 deletions avm/res/key-vault/vault/README.md

4 changes: 2 additions & 2 deletions avm/res/key-vault/vault/access-policy/main.json
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "10878813547461142217"
"version": "0.27.1.19265",
"templateHash": "13379419349517171769"
},
"name": "Key Vault Access Policies",
"description": "This module deploys a Key Vault Access Policy.",
8 changes: 8 additions & 0 deletions avm/res/key-vault/vault/key/README.md
@@ -42,6 +42,7 @@ This module deploys a Key Vault Key.
| [`keyOps`](#parameter-keyops) | array | Array of JsonWebKeyOperation. |
| [`keySize`](#parameter-keysize) | int | The key size in bits. For example: 2048, 3072, or 4096 for RSA. |
| [`kty`](#parameter-kty) | string | The type of the key. |
| [`releasePolicy`](#parameter-releasepolicy) | object | Key release policy. |
| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
| [`rotationPolicy`](#parameter-rotationpolicy) | object | Key rotation policy properties object. |
| [`tags`](#parameter-tags) | object | Resource tags. |
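Review bot: the new `releasePolicy` row's description ("Key release policy.") tells the reader nothing about the shape of the object, while the neighbouring `keySize` row shows the level of detail this table otherwise gives ("For example: 2048, 3072, or 4096 for RSA."). Since the parameter is handed straight to the resource's `release_policy` property without validation, the table should at least say so and point at the properties that resource expects. Also, the PR description claims a dependency check between `keySize` and `curveName` was added, but the `keySize` row in this hunk is unchanged; if that check exists, its description should mention when `keySize` applies.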
@@ -142,6 +143,13 @@ The type of the key.
]
```

### Parameter: `releasePolicy`

Key release policy.

- Required: No
- Type: object

### Parameter: `roleAssignments`

Array of role assignments to create.
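Review bot: the new `### Parameter: `releasePolicy`` section carries only "Required: No" and "Type: object", whereas the `kty` section just above it lists allowed values in a fenced block. Add an example object and state the effective default, because the accompanying `main.bicep` change sends `{}` when the parameter is omitted rather than leaving the property unset.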
91 changes: 67 additions & 24 deletions avm/res/key-vault/vault/key/main.bicep
@@ -53,6 +53,9 @@ param keySize int?
])
param kty string = 'EC'

@description('Optional. Key release policy.')
param releasePolicy object?

@description('Optional. Array of role assignments to create.')
param roleAssignments roleAssignmentType

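Review bot: `param releasePolicy object?` is an untyped pass-through, which is at odds with the `@allowed` list on `kty` two lines above it and with the PR description's claim that the key UDTs were expanded. A user-defined type for the policy (or, failing that, a `@metadata` example in the description) would reject a malformed object at compile time instead of letting it reach the resource provider.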
@@ -61,19 +64,52 @@ param rotationPolicy object?

var builtInRoleNames = {
Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Key Vault Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
'Key Vault Certificates Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
'Key Vault Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
'Key Vault Crypto Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
'Key Vault Crypto Service Encryption User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6')
'Key Vault Crypto User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
'Key Vault Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21090545-7ca7-4776-b22c-e363652d74d2')
'Key Vault Secrets Officer': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
'Key Vault Secrets User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
'Key Vault Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'00482a5a-887f-4fb3-b363-3b7fe8e74483'
)
'Key Vault Certificates Officer': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'a4417e6f-fecd-4de8-b567-7b0420556985'
)
'Key Vault Contributor': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'f25e0fa2-a7c8-4377-a976-54943a77a395'
)
'Key Vault Crypto Officer': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
)
'Key Vault Crypto Service Encryption User': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'e147488a-f6f5-4113-8e2d-b22465e65bf6'
)
'Key Vault Crypto User': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'12338af0-0e69-4776-bea7-57ae8d297424'
)
'Key Vault Reader': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'21090545-7ca7-4776-b22c-e363652d74d2'
)
'Key Vault Secrets Officer': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
)
'Key Vault Secrets User': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'4633458b-17de-408a-b874-0445c86b69e6'
)
Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
'Role Based Access Control Administrator (Preview)': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
)
'User Access Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
)
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
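Review bot: this hunk is formatter churn only; every role definition GUID in `builtInRoleNames` is carried over unchanged and the single-line entries (`Contributor`, `Owner`, `Reader`) stay single-line. It is safe, but mixing the 0.27 formatter reflow into the same commit as the `releasePolicy` feature makes the functional change harder to spot; consider a separate formatting commit next time.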
@@ -94,23 +130,30 @@ resource key 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
keyOps: keyOps
keySize: keySize
kty: kty
rotationPolicy: rotationPolicy
rotationPolicy: rotationPolicy ?? {}
release_policy: releasePolicy ?? {}
}
}

resource key_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): {
name: guid(key.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
properties: {
roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
principalId: roleAssignment.principalId
description: roleAssignment.?description
principalType: roleAssignment.?principalType
condition: roleAssignment.?condition
conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
resource key_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
for (roleAssignment, index) in (roleAssignments ?? []): {
name: guid(key.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
properties: {
roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName)
? builtInRoleNames[roleAssignment.roleDefinitionIdOrName]
: contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')
? roleAssignment.roleDefinitionIdOrName
: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
principalId: roleAssignment.principalId
description: roleAssignment.?description
principalType: roleAssignment.?principalType
condition: roleAssignment.?condition
conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
}
scope: key
}
scope: key
}]
]

@description('The name of the key.')
output name string = key.name
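Review bot: `rotationPolicy: rotationPolicy ?? {}` changes behaviour beyond the stated scope of the PR. Before this hunk a null `rotationPolicy` was passed through as null (property omitted); now an empty object is always sent, and the same holds for the new `release_policy: releasePolicy ?? {}`. Confirm that the `Microsoft.KeyVault/vaults/keys@2022-07-01` provider accepts `{}` for both properties and, more importantly, that redeploying an existing key without a `rotationPolicy` no longer wipes a policy that was set earlier; if an empty policy is the intended default, say so in the parameter description. Unrelated: the comment `// Must only be set if condtion is set` keeps its typo through the reformat ("condition").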
14 changes: 11 additions & 3 deletions avm/res/key-vault/vault/key/main.json
@@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "5903918450419813264"
"version": "0.27.1.19265",
"templateHash": "8655662111651470037"
},
"name": "Key Vault Keys",
"description": "This module deploys a Key Vault Key.",
@@ -170,6 +170,13 @@
"description": "Optional. The type of the key."
}
},
"releasePolicy": {
"type": "object",
"nullable": true,
"metadata": {
"description": "Optional. Key release policy."
}
},
"roleAssignments": {
"$ref": "#/definitions/roleAssignmentType",
"metadata": {
@@ -224,7 +231,8 @@
"keyOps": "[parameters('keyOps')]",
"keySize": "[parameters('keySize')]",
"kty": "[parameters('kty')]",
"rotationPolicy": "[parameters('rotationPolicy')]"
"rotationPolicy": "[coalesce(parameters('rotationPolicy'), createObject())]",
"release_policy": "[coalesce(parameters('releasePolicy'), createObject())]"
},
"dependsOn": [
"keyVault"
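Review bot: `"rotationPolicy": "[coalesce(parameters('rotationPolicy'), createObject())]"` is the compiled form of the `?? {}` change in `main.bicep`, so whatever is decided about sending an empty object by default has to come back through `Set-AVMModule` rather than a hand edit here. Worth checking that the test cases added in this PR include a key deployed with neither `rotationPolicy` nor `releasePolicy`, so the provider's handling of `createObject()` is actually exercised by the pipeline.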

0 comments on commit 37dbe28