bartvdbraak/keyweave
1
0
Fork 0
mirror of https://github.com/bartvdbraak/keyweave.git synced 2025-04-28 07:11:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

feat: bicep templates for azure resources

Browse source
This commit is contained in:
Bart van der Braak 2023-11-21 13:15:33 +01:00
parent cdb62b86e0
commit 3ed4444422
5 changed files with 221 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

86
bicep/main.bicep Normal file
View file

@ -0,0 +1,86 @@
targetScope = 'subscription'
/*
Parameters
*/
@allowed([
'D' // Development
'T' // Test
'A' // Acceptance
'P' // Production
])
param environment string
param location string = 'westeurope'
param name object = {
tenantId: 'BVDB'
projectId: 'KEYWEAVE'
region: 'WEU'
}
/*
Variables
*/
var tags = {
project: 'keyweave'
}
var nameFormat = '${name.tenantId}-${name.projectId}-${environment}-${name.region}-{0}-{1:N0}'
/*
Resource Group
*/
resource ResourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
name: format(nameFormat, 'RG', 1)
location: location
tags: tags
}
/*
Module for Log Analytics Workspace
*/
module LogAnalyticsWorkspace 'modules/law.bicep' = {
name: 'LogAnalyticsWorkspace'
scope: ResourceGroup
params: {
nameFormat: nameFormat
location: location
tags: tags
}
}
/*
Module for Managed Identities
*/
module ManagedIdentities 'modules/id.bicep' = {
name: 'ManagedIdentities'
scope: ResourceGroup
params: {
nameFormat: nameFormat
location: location
tags: tags
}
}
/*
Module for KeyVault
*/
module KeyVault 'modules/kv.bicep' = {
name: 'KeyVault'
scope: ResourceGroup
dependsOn: [
LogAnalyticsWorkspace
]
params: {
nameFormat: nameFormat
location: location
tags: tags
getPrincipalIds: ManagedIdentities.outputs.getPrincipalIds
listPrincipalIds: ManagedIdentities.outputs.listPrincipalIds
}
}

3
bicep/main.test.bicepparam Normal file
View file

@ -0,0 +1,3 @@
using 'main.bicep'
param environment = 'T'

36
bicep/modules/id.bicep Normal file
View file

@ -0,0 +1,36 @@
param nameFormat string
param location string
param tags object
resource managedIdentityNone 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: format(nameFormat, 'ID', 1)
location: location
tags: tags
}
resource managedIdentityGet 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: format(nameFormat, 'ID', 2)
location: location
tags: tags
}
resource managedIdentityList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: format(nameFormat, 'ID', 3)
location: location
tags: tags
}
resource managedIdentityGetList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
name: format(nameFormat, 'ID', 4)
location: location
tags: tags
}
output getPrincipalIds array = [
managedIdentityGet.properties.principalId
managedIdentityGetList.properties.principalId
]
output listPrincipalIds array = [
managedIdentityList.properties.principalId
managedIdentityGetList.properties.principalId
]

72
bicep/modules/kv.bicep Normal file
View file

@ -0,0 +1,72 @@
param nameFormat string
param location string
param tags object
param getPrincipalIds array
param listPrincipalIds array
var accessPolicies = [for id in union(getPrincipalIds, listPrincipalIds): {
tenantId: tenant().tenantId
objectId: id
permissions: {
secrets: contains(getPrincipalIds, id) && contains(listPrincipalIds, id) ? ['Get', 'List'] : contains(listPrincipalIds, id) ? ['List'] : ['Get']
}
}]
/*
Log Analytics Workspace (existing)
*/
resource _logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
name: format(nameFormat, 'LAW', 1)
}
/*
Key Vault
*/
resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
name: replace(toLower(format(nameFormat, 'KVT', 1)), '-', '')
location: location
tags: tags
properties: {
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenant().tenantId
enableSoftDelete: true
enablePurgeProtection: true
accessPolicies: accessPolicies
}
resource testSecret 'secrets' = {
name: 'testSecret'
properties: {
value: 'testSecretValue'
}
}
resource filterTestSecret 'secrets' = {
name: 'filterTestSecret'
properties: {
value: 'filterTestSecretValue'
}
}
}
/*
Diagnostic Settings for Key Vault
*/
resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'keyVaultLogging'
scope: keyVault
properties: {
workspaceId: _logAnalyticsWorkspace.id
logs: [
{
category: 'AuditEvent'
enabled: true
}
]
}
}

24
bicep/modules/law.bicep Normal file
View file

@ -0,0 +1,24 @@
param nameFormat string
param location string
param tags object
/*
Log Analytics Workspace
*/
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
name: format(nameFormat, 'LAW', 1)
location: location
tags: tags
properties: {
sku: {
name: 'PerGB2018'
}
features: {
enableLogAccessUsingOnlyResourcePermissions: true
}
workspaceCapping: {
dailyQuotaGb: json('0.025')
}
}
}