diff --git a/bicep/main.bicep b/bicep/main.bicep
index cc6cbe3..9aa1534 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -80,7 +80,6 @@ module KeyVault 'modules/kv.bicep' = {
 location: location
 tags: tags
- getPrincipalIds: ManagedIdentities.outputs.getPrincipalIds
- listPrincipalIds: ManagedIdentities.outputs.listPrincipalIds
+ identities: ManagedIdentities.outputs.identities
 }
 }
diff --git a/bicep/modules/id.bicep b/bicep/modules/id.bicep
index 4d2d19b..91e6b21 100644
--- a/bicep/modules/id.bicep
+++ b/bicep/modules/id.bicep
@@ -2,35 +2,32 @@ param nameFormat string
 param location string
 param tags object
-resource managedIdentityNone 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: format(nameFormat, 'ID', 1)
- location: location
- tags: tags
-}
-
-resource managedIdentityGet 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: format(nameFormat, 'ID', 2)
- location: location
- tags: tags
-}
-
-resource managedIdentityList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: format(nameFormat, 'ID', 3)
- location: location
- tags: tags
-}
-
-resource managedIdentityGetList 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
- name: format(nameFormat, 'ID', 4)
- location: location
- tags: tags
-}
-
-output getPrincipalIds array = [
- managedIdentityGet.properties.principalId
- managedIdentityGetList.properties.principalId
-]
-output listPrincipalIds array = [
- managedIdentityList.properties.principalId
- managedIdentityGetList.properties.principalId
+param identityEnvironments array = [
+ 'none'
+ 'get'
+ 'list'
+ 'getlist'
 ]
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [for (environment, index) in identityEnvironments: {
+ name: format(nameFormat, 'ID', index+1)
+ location: location
+ tags: tags
+}]
+
+resource federatedCredential 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [for (environment, index) in identityEnvironments: {
+ name: environment
+ parent: managedIdentity[index+1]
+ properties: {
+ issuer: 'https://token.actions.githubusercontent.com'
+ subject: 'repo:bartvdbraak/keyweave:environment:${environment}'
+ audiences: [
+ 'api://AzureADTokenExchange'
+ ]
+ }
+}]
+
+output identities array = [for (environment, index) in identityEnvironments: {
+ name: environment
+ id: managedIdentity[index+1].properties.principalId
+}]
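Review bot: `parent: managedIdentity[index+1]` and `id: managedIdentity[index+1].properties.principalId` are off by one against the zero-based resource loop: the `'none'` credential lands on the second identity, each output entry pairs an environment name with the next identity's principalId, and the last iteration (`'getlist'`, index 3) indexes past the four-element array, so the deployment is expected to fail at template evaluation. The `+1` belongs only in the resource name, where `format(nameFormat, 'ID', index+1)` already applies it. Change both to `parent: managedIdentity[index]` and `id: managedIdentity[index].properties.principalId`. Because the output feeds kv.bicep's access policies by name, any mis-pairing here would silently give one identity the secret permissions intended for another environment, so the pairing deserves a comment on the output: `// Pairs each GitHub environment with the principalId of the identity its federated credential is bound to.`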
diff --git a/bicep/modules/kv.bicep b/bicep/modules/kv.bicep
index 52978a2..8a31e5e 100644
--- a/bicep/modules/kv.bicep
+++ b/bicep/modules/kv.bicep
@@ -2,14 +2,13 @@ param nameFormat string
 param location string
 param tags object
-param getPrincipalIds array
-param listPrincipalIds array
+param identities array
-var accessPolicies = [for id in union(getPrincipalIds, listPrincipalIds): {
+var accessPolicies = [for identity in identities: {
 tenantId: tenant().tenantId
- objectId: id
+ objectId: identity.id
 permissions: {
- secrets: contains(getPrincipalIds, id) && contains(listPrincipalIds, id) ? ['Get', 'List'] : contains(listPrincipalIds, id) ? ['List'] : ['Get']
+ secrets: contains(identity.name, 'get') && contains(identity.name, 'list') ? ['Get', 'List'] : contains(identity.name, 'get') ? ['Get'] : ['List']
 }
 }]
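Review bot: The final `: ['List']` branch of the `secrets` ternary grants List to every identity whose name matches neither `'get'` nor `'list'`, which now includes the `'none'` environment that the removed `union(getPrincipalIds, listPrincipalIds)` loop left out entirely, so the identity meant to have no access gets an access policy that can enumerate secrets. Make the no-match case explicit, `secrets: contains(identity.name, 'get') && contains(identity.name, 'list') ? ['Get', 'List'] : contains(identity.name, 'get') ? ['Get'] : contains(identity.name, 'list') ? ['List'] : []`, or better keep such identities out of the policy list altogether by iterating `filter(identities, identity => contains(identity.name, 'get') || contains(identity.name, 'list'))` so no policy object is emitted for them. Deriving permissions from substrings of the environment name is fragile (a future environment whose name happens to contain `get` silently gains read access), so a comment stating that contract above `accessPolicies` would help: `// Permissions are derived from the environment name: 'get' and/or 'list' substrings map to the matching secret permissions; any other name must get none.` `accessPolicies` is consumed outside this hunk.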