From 3ed4444422d75404778494a0a10b66eb2bf07870 Mon Sep 17 00:00:00 2001
From: Bart van der Braak
Date: Tue, 21 Nov 2023 13:15:33 +0100
Subject: [PATCH] feat: bicep templates for azure resources

---
 bicep/main.bicep | 86 ++++++++++++++++++++++++++++++++++++++
 bicep/main.test.bicepparam | 3 ++
 bicep/modules/id.bicep | 36 ++++++++++++++++
 bicep/modules/kv.bicep | 72 +++++++++++++++++++++++++++++++
 bicep/modules/law.bicep | 24 +++++++++++
 5 files changed, 221 insertions(+)
 create mode 100644 bicep/main.bicep
 create mode 100644 bicep/main.test.bicepparam
 create mode 100644 bicep/modules/id.bicep
 create mode 100644 bicep/modules/kv.bicep
 create mode 100644 bicep/modules/law.bicep

diff --git a/bicep/main.bicep b/bicep/main.bicep
new file mode 100644
index 0000000..b6c1eca
--- /dev/null
+++ b/bicep/main.bicep
@@ -0,0 +1,86 @@
+targetScope = 'subscription'
+
+/*
+ Parameters
+*/
+
+@allowed([
+ 'D' // Development
+ 'T' // Test
+ 'A' // Acceptance
+ 'P' // Production
+])
+param environment string
+param location string = 'westeurope'
+param name object = {
+ tenantId: 'BVDB'
+ projectId: 'KEYWEAVE'
+ region: 'WEU'
+}
+
+/*
+ Variables
+*/
+
+var tags = {
+ project: 'keyweave'
+}
+var nameFormat = '${name.tenantId}-${name.projectId}-${environment}-${name.region}-{0}-{1:N0}'
+
+/*
+ Resource Group
+*/
+
+resource ResourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+ name: format(nameFormat, 'RG', 1)
+ location: location
+ tags: tags
+}
+
+/*
+ Module for Log Analytics Workspace
+*/
+
+module LogAnalyticsWorkspace 'modules/law.bicep' = {
+ name: 'LogAnalyticsWorkspace'
+ scope: ResourceGroup
+ params: {
+ nameFormat: nameFormat
+ location: location
+ tags: tags
+ }
+}
+
+/*
+ Module for Managed Identities
+*/
+
+module ManagedIdentities 'modules/id.bicep' = {
+ name: 'ManagedIdentities'
+ scope: ResourceGroup
+ params: {
+ nameFormat: nameFormat
+ location: location
+ tags: tags
+ }
+}
+
+/*
+ Module for KeyVault
+*/
+
+module KeyVault 'modules/kv.bicep' = {
+ name: 'KeyVault'
+ scope: ResourceGroup
+ dependsOn: [
+ LogAnalyticsWorkspace
+ ]
+ params: {
+ nameFormat: nameFormat
+ location: location
+ tags: tags
+
+ getPrincipalIds: ManagedIdentities.outputs.getPrincipalIds
+ listPrincipalIds: ManagedIdentities.outputs.listPrincipalIds
+ }
+}
diff --git a/bicep/main.test.bicepparam b/bicep/main.test.bicepparam
new file mode 100644
index 0000000..5c7b6fa
--- /dev/null
+++ b/bicep/main.test.bicepparam
@@ -0,0 +1,3 @@
+using 'main.bicep'
+
+param environment = 'T'
diff --git a/bicep/modules/id.bicep b/bicep/modules/id.bicep
new file mode 100644
index 0000000..4d2d19b
--- /dev/null
+++ b/bicep/modules/id.bicep
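Review bot: The KeyVault module block wires the workspace in only through the manual `dependsOn: [ LogAnalyticsWorkspace ]`, because kv.bicep rediscovers the workspace by recomputing `format(nameFormat, 'LAW', 1)` as an `existing` resource; if the naming in law.bicep ever drifts, the failure surfaces at deploy time rather than at compile time. Exporting `output id string = logAnalyticsWorkspace.id` from law.bicep and passing `workspaceId: LogAnalyticsWorkspace.outputs.id` as a module parameter would give Bicep the dependency implicitly and let the `dependsOn` list be removed. The `name` object parameter is untyped, so nothing documents that `tenantId`, `projectId` and `region` are required keys; a `@description()` on the parameter listing them, or a user-defined object type if the toolchain supports one, would make the template self-describing. The main.test.bicepparam hunk is a one-value parameter file and needs no change.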
@@ -0,0 +1,36 @@
+param nameFormat string
+param location string
+param tags object
+
+resource managedIdentityNone 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: format(nameFormat, 'ID', 1)
+ location: location
+ tags: tags
+}
+
+resource managedIdentityGet 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: format(nameFormat, 'ID', 2)
+ location: location
+ tags: tags
+}
+
+resource managedIdentityList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: format(nameFormat, 'ID', 3)
+ location: location
+ tags: tags
+}
+
+resource managedIdentityGetList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+ name: format(nameFormat, 'ID', 4)
+ location: location
+ tags: tags
+}
+
+output getPrincipalIds array = [
+ managedIdentityGet.properties.principalId
+ managedIdentityGetList.properties.principalId
+]
+output listPrincipalIds array = [
+ managedIdentityList.properties.principalId
+ managedIdentityGetList.properties.principalId
+]
diff --git a/bicep/modules/kv.bicep b/bicep/modules/kv.bicep
new file mode 100644
index 0000000..52978a2
--- /dev/null
+++ b/bicep/modules/kv.bicep
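Review bot: The four identities are declared without a comment on their purpose, and `managedIdentityNone` is not surfaced in either output, so a reader cannot tell whether it is an intentional negative case or leftover. The names suggest one identity per Key Vault secret-permission combination (none, get, list, get+list); if that is the intent, a header comment such as `// One identity per secret-permission combination used by kv.bicep; 'None' deliberately receives no access policy` would make it explicit. If the toolchain is on a Bicep version with typed arrays, declaring the outputs as `string[]` instead of the untyped `array` would give the consuming module compile-time checking of the principal-ID lists.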
@@ -0,0 +1,72 @@
+param nameFormat string
+param location string
+param tags object
+
+param getPrincipalIds array
+param listPrincipalIds array
+
+var accessPolicies = [for id in union(getPrincipalIds, listPrincipalIds): {
+ tenantId: tenant().tenantId
+ objectId: id
+ permissions: {
+ secrets: contains(getPrincipalIds, id) && contains(listPrincipalIds, id) ? ['Get', 'List'] : contains(listPrincipalIds, id) ? ['List'] : ['Get']
+ }
+}]
+
+/*
+ Log Analytics Workspace (existing)
+*/
+
+resource _logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
+ name: format(nameFormat, 'LAW', 1)
+}
+
+/*
+ Key Vault
+*/
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
+ name: replace(toLower(format(nameFormat, 'KVT', 1)), '-', '')
+ location: location
+ tags: tags
+ properties: {
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ tenantId: tenant().tenantId
+ enableSoftDelete: true
+ enablePurgeProtection: true
+ accessPolicies: accessPolicies
+ }
+ resource testSecret 'secrets' = {
+ name: 'testSecret'
+ properties: {
+ value: 'testSecretValue'
+ }
+ }
+ resource filterTestSecret 'secrets' = {
+ name: 'filterTestSecret'
+ properties: {
+ value: 'filterTestSecretValue'
+ }
+ }
+}
+
+/*
+ Diagnostic Settings for Key Vault
+*/
+
+resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+ name: 'keyVaultLogging'
+ scope: keyVault
+ properties: {
+ workspaceId: _logAnalyticsWorkspace.id
+ logs: [
+ {
+ category: 'AuditEvent'
+ enabled: true
+ }
+ ]
+ }
+}
diff --git a/bicep/modules/law.bicep b/bicep/modules/law.bicep
new file mode 100644
index 0000000..451519c
--- /dev/null
+++ b/bicep/modules/law.bicep
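Review bot: The nested `testSecret` and `filterTestSecret` resources carry literal secret values (`'testSecretValue'`, `'filterTestSecretValue'`), so the values sit in source control and in the template payload stored with the resource group's deployment history. Even for test fixtures it is cleaner to take them as `@secure() param testSecretValue string` and `@secure() param filterTestSecretValue string` and set `value: testSecretValue` (and the filter counterpart), which keeps them out of the history and lets the bicepparam file or the pipeline supply them. Two caveats on the `properties` block deserve a comment: `enablePurgeProtection: true` cannot be turned off once set and keeps a soft-deleted vault and its name reserved for the retention period, which matters for a test environment that is torn down and recreated, and the vault stays on access-policy authorization with default public network access, whereas `enableRbacAuthorization: true` plus role assignments is the model now recommended and would replace the `accessPolicies` array. The diagnostic setting forwards only `AuditEvent`; `AzurePolicyEvaluationDetails` is the other log category available on vaults if policy-evaluation visibility is wanted.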
@@ -0,0 +1,24 @@
+param nameFormat string
+param location string
+param tags object
+
+/*
+ Log Analytics Workspace
+*/
+
+resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
+ name: format(nameFormat, 'LAW', 1)
+ location: location
+ tags: tags
+ properties: {
+ sku: {
+ name: 'PerGB2018'
+ }
+ features: {
+ enableLogAccessUsingOnlyResourcePermissions: true
+ }
+ workspaceCapping: {
+ dailyQuotaGb: json('0.025')
+ }
+ }
+}
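Review bot: `dailyQuotaGb: json('0.025')` caps ingestion at roughly 25 MB per day, and once the cap is reached the workspace stops collecting for the rest of the day, which includes the Key Vault `AuditEvent` records that kv.bicep routes here, so the audit trail for a test run can end silently mid-day. That is a sensible cost control for a test workspace, but the trade-off deserves a comment on the `workspaceCapping` block, e.g. `// Tiny daily cap for test cost control; Key Vault audit logs are dropped once it is hit`. `retentionInDays` is also left at the service default; setting it explicitly in `properties` documents how long the audit data is kept.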