feat: bicep templates for azure resources

2025-04-28 07:11:21 +00:00 · 2023-11-21 13:15:33 +01:00 · 2023-11-21 13:15:33 +01:00 · 3ed4444422
commit 3ed4444422
parent cdb62b86e0
5 changed files with 221 additions and 0 deletions
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@ -0,0 +1,86 @@
+targetScope = 'subscription'
+
+/*
+  Parameters
+*/
+
+@allowed([
+  'D' // Development
+  'T' // Test
+  'A' // Acceptance
+  'P' // Production
+])
+param environment string
+param location string = 'westeurope'
+param name object = {
+  tenantId: 'BVDB'
+  projectId: 'KEYWEAVE'
+  region: 'WEU'
+}
+
+/*
+  Variables
+*/
+
+var tags = {
+  project: 'keyweave'
+}
+var nameFormat = '${name.tenantId}-${name.projectId}-${environment}-${name.region}-{0}-{1:N0}'
+
+/*
+  Resource Group
+*/
+
+resource ResourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+  name: format(nameFormat, 'RG', 1)
+  location: location
+  tags: tags
+}
+
+/*
+  Module for Log Analytics Workspace
+*/
+
+module LogAnalyticsWorkspace 'modules/law.bicep' = {
+  name: 'LogAnalyticsWorkspace'
+  scope: ResourceGroup
+  params: {
+    nameFormat: nameFormat
+    location: location
+    tags: tags
+  }
+}
+
+/*
+  Module for Managed Identities
+*/
+
+module ManagedIdentities 'modules/id.bicep' = {
+  name: 'ManagedIdentities'
+  scope: ResourceGroup
+  params: {
+    nameFormat: nameFormat
+    location: location
+    tags: tags
+  }
+}
+
+/*
+  Module for KeyVault
+*/
+
+module KeyVault 'modules/kv.bicep' = {
+  name: 'KeyVault'
+  scope: ResourceGroup
+  dependsOn: [
+    LogAnalyticsWorkspace
+  ]
+  params: {
+    nameFormat: nameFormat
+    location: location
+    tags: tags
+
+    getPrincipalIds: ManagedIdentities.outputs.getPrincipalIds
+    listPrincipalIds: ManagedIdentities.outputs.listPrincipalIds
+  }
+}
--- a/bicep/main.test.bicepparam
+++ b/bicep/main.test.bicepparam
@ -0,0 +1,3 @@
+using 'main.bicep'
+
+param environment = 'T'
--- a/bicep/modules/id.bicep
+++ b/bicep/modules/id.bicep
@ -0,0 +1,36 @@
+param nameFormat string
+param location string
+param tags object
+
+resource managedIdentityNone 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: format(nameFormat, 'ID', 1)
+  location: location
+  tags: tags
+}
+
+resource managedIdentityGet 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: format(nameFormat, 'ID', 2)
+  location: location
+  tags: tags
+}
+
+resource managedIdentityList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: format(nameFormat, 'ID', 3)
+  location: location
+  tags: tags
+}
+
+resource managedIdentityGetList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  name: format(nameFormat, 'ID', 4)
+  location: location
+  tags: tags
+}
+
+output getPrincipalIds array = [
+  managedIdentityGet.properties.principalId
+  managedIdentityGetList.properties.principalId
+]
+output listPrincipalIds array = [
+  managedIdentityList.properties.principalId
+  managedIdentityGetList.properties.principalId
+]
--- a/bicep/modules/kv.bicep
+++ b/bicep/modules/kv.bicep
@ -0,0 +1,72 @@
+param nameFormat string
+param location string
+param tags object
+
+param getPrincipalIds array
+param listPrincipalIds array
+
+var accessPolicies = [for id in union(getPrincipalIds, listPrincipalIds): {
+  tenantId: tenant().tenantId
+  objectId: id
+  permissions: {
+    secrets: contains(getPrincipalIds, id) && contains(listPrincipalIds, id) ? ['Get', 'List'] : contains(listPrincipalIds, id) ? ['List'] : ['Get']
+  }
+}]
+
+/*
+  Log Analytics Workspace (existing)
+*/
+
+resource _logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
+  name: format(nameFormat, 'LAW', 1)
+}
+
+/*
+  Key Vault
+*/
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
+  name: replace(toLower(format(nameFormat, 'KVT', 1)), '-', '')
+  location: location
+  tags: tags
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    tenantId: tenant().tenantId
+    enableSoftDelete: true
+    enablePurgeProtection: true
+    accessPolicies: accessPolicies
+  }
+  resource testSecret 'secrets' = {
+    name: 'testSecret'
+    properties: {
+      value: 'testSecretValue'
+    }
+  }
+  resource filterTestSecret 'secrets' = {
+    name: 'filterTestSecret'
+    properties: {
+      value: 'filterTestSecretValue'
+    }
+  }
+}
+
+/*
+  Diagnostic Settings for Key Vault
+*/
+
+resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: 'keyVaultLogging'
+  scope: keyVault
+  properties: {
+    workspaceId: _logAnalyticsWorkspace.id
+    logs: [
+      {
+        category: 'AuditEvent'
+        enabled: true
+      }
+    ]
+  }
+}
--- a/bicep/modules/law.bicep
+++ b/bicep/modules/law.bicep
@ -0,0 +1,24 @@
+param nameFormat string
+param location string
+param tags object
+
+/*
+  Log Analytics Workspace
+*/
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+  name: format(nameFormat, 'LAW', 1)
+  location: location
+  tags: tags
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+    features: {
+      enableLogAccessUsingOnlyResourcePermissions: true
+    }
+    workspaceCapping: {
+      dailyQuotaGb: json('0.025')
+    }
+  }
+}