@description('Azure region for every regional resource in this template.')
param location string

@description('Object id of the identity granted get/list on secrets through the vault access policy.')
param objectId string

@description('Resource id of the subnet that hosts the Key Vault private endpoint.')
param subnetId string

@description('Resource id of the virtual network linked to the privatelink DNS zone.')
param vnetId string

@description('Seed for the vault name. Defaults to the deployment timestamp, so every deployment that does not pass a stable value creates a NEW vault (and leaves the previous one behind).')
param salt string = utcNow()

// Vault names must be globally unique and at most 24 characters; uniqueString()
// returns a 13-character hash, so 'kv' + hash is well within the limit.
var kvName = 'kv${uniqueString(salt)}'
var vaultNamePE = '${kvName}-pe'
// Azure's privatelink zone for Key Vault, plus a dot-free label used for the
// zone-group config entry (config names cannot contain dots).
var kvPrivateDnsName = 'privatelink.vaultcore.azure.net'
var dnsZoneName = 'privatelink-vaultcore-azure-net'
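// Main Resource
// Key Vault that is reachable only through the private endpoint declared below:
// the firewall denies all public traffic and does not exempt "trusted Azure
// services". Data-plane access is a single access policy limited to reading
// secrets; no key or certificate permissions are handed out.
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
  name: kvName
  location: location
  tags: {}
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // Soft delete keeps a deleted vault and its secrets recoverable; purge
    // protection blocks permanent deletion until the retention window expires,
    // which limits the damage of a compromised or mistaken delete.
    // NOTE: purge protection cannot be disabled once enabled, and because the
    // vault name is derived from utcNow() by default, every deployment leaves a
    // vault that can only age out of the soft-deleted state.
    enableSoftDelete: true
    enablePurgeProtection: true
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: objectId
        // Least privilege: read-only on secrets. No set/delete, no keys, no
        // certificates. (Azure RBAC on the vault is the newer alternative to
        // access policies; switching would change how objectId is granted.)
        permissions: {
          secrets: [
            'get'
            'list'
          ]
        }
      }
    ]
    networkAcls: {
      defaultAction: 'Deny'
      // Explicit: when bypass is omitted the service default is 'AzureServices',
      // which lets trusted Microsoft services through the firewall. Nothing in
      // this template relies on that exemption (ARM-deployed secrets go through
      // the control plane and are not subject to these rules).
      bypass: 'None'
    }
  }
}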
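// TestSecret
@description('Value to store in the sample secret "somekey". Supply it at deployment time; when left empty the secret is not created.')
@secure()
param secretValue string = ''

// The secret value was previously the literal 'somevalue' committed in this
// file. Secret material must not live in source control: it now arrives as a
// @secure() parameter, which is not recorded in deployment history. The empty
// default (the only default a secure parameter should carry) skips the resource
// entirely, so a known placeholder value is never written into the vault.
// The nested name '<vault>/<secret>' references keyVault.name, which also
// orders creation after the vault without an explicit dependsOn.
resource kvSecret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = if (!empty(secretValue)) {
  name: '${keyVault.name}/somekey'
  tags: {}
  properties: {
    value: secretValue
    contentType: 'string'
  }
}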
// Private Endpoint for Resource
// Private endpoint in the supplied subnet, targeting the vault's 'vault' group
// id, so clients on the VNet reach the vault without leaving the network.
resource vaultPE 'Microsoft.Network/privateEndpoints@2020-07-01' = {
  name: vaultNamePE
  location: location
  tags: {}
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: vaultNamePE
        properties: {
          // Referencing keyVault.id makes the vault an implicit dependency.
          privateLinkServiceId: keyVault.id
          groupIds: [
            'vault'
          ]
          requestMessage: 'bicep'
        }
      }
    ]
  }
}
// Private DNS Entry for resource
// Privatelink zone in which the endpoint's A record is registered, so the
// vault's FQDN resolves to the private IP inside linked VNets.
resource kv_private_dns 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: kvPrivateDnsName
  // Private DNS zones are not regional resources.
  location: 'global'
  tags: {}
  properties: {}
}
// Linking Private DNS and VNET
// Attaches the privatelink zone to the caller's VNet so resolvers in that
// network use the zone.
resource kv_private_dns_virtualNetworkLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  // Child of the zone; the symbolic reference orders it after the zone.
  name: '${kv_private_dns.name}/vnl'
  location: 'global'
  tags: {}
  properties: {
    virtualNetwork: {
      id: vnetId
    }
    // Resolution only: VMs in the VNet do not auto-register records here.
    registrationEnabled: false
  }
}
// Linking Private Endpoint with Private DNS
// Zone group that makes the endpoint write its A record into the zone above.
resource kv_private_endpoint_dns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-07-01' = {
  // Child of the endpoint; the symbolic reference orders it after the endpoint.
  name: '${vaultPE.name}/default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: dnsZoneName
        properties: {
          // Referencing the zone's id also orders this after the zone.
          privateDnsZoneId: kv_private_dns.id
        }
      }
    ]
  }
}
@description('Name of the deployed Key Vault (needed by callers because the name is derived from the salt).')
output kv_name string = keyVault.name