From cde1d2207c7a2fdd2292a2ca367693a15a73f9bf Mon Sep 17 00:00:00 2001 From: Bart van der Braak Date: Wed, 22 Nov 2023 02:18:20 +0100 Subject: [PATCH] feat: e2e test for firewalled kv --- .github/workflows/e2e.yml | 25 ++++++++++--------- bicep/modules/kv.bicep | 52 ++++++++++++++++++++++++++++++++++++++- 2 files changed, 65 insertions(+), 12 deletions(-) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index b9b3e9d..762b80c 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -5,7 +5,7 @@ permissions: contents: read env: - VAULT_NAME: bvdbkeyweavetweukvt1 + VAULT_NAME: bvdbkeyweavetweukvt{0} on: push: @@ -63,7 +63,7 @@ jobs: - name: Use Keyweave with No Access Policies run: | chmod +x ./artifact/keyweave - ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} + ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} get-test: name: Tests with Get access @@ -80,7 +80,7 @@ jobs: - name: Use Keyweave with Only Get Access Policy run: | chmod +x ./artifact/keyweave - ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} + ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} list-test: name: Tests with List access @@ -97,7 +97,7 @@ jobs: - name: Use Keyweave with Only List Access Policy run: | chmod +x ./artifact/keyweave - ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} + ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} get-list-test: name: Tests with Get and List access 
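Review bot: `VAULT_NAME` at the `env:` line now holds a `format()` template (`bvdbkeyweavetweukvt{0}`) rather than a vault name, so any step that expands `${{ env.VAULT_NAME }}` or `$VAULT_NAME` directly would hand the tool a literal `{0}`, and every call site in this hunk and in the @@ -63, @@ -80, @@ -97, @@ -114, @@ -139 and @@ -147 hunks has to repeat `format(env.VAULT_NAME, '1')`. Two plain variables read more clearly and remove the indirection: `VAULT_NAME: bvdbkeyweavetweukvt1` and `VAULT_NAME_FIREWALLED: bvdbkeyweavetweukvt2`, with only the firewalled step using the second and the other steps left as they were before this commit. If the template is kept, name it for what it is (`VAULT_NAME_FORMAT`) and document the suffix contract above it, `# format() template: '1' = open test vault, '2' = firewalled vault; suffixes must match format(nameFormat, 'KVT', n) in bicep/modules/kv.bicep`.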
@@ -114,24 +114,27 @@ jobs: - name: Use Keyweave with both Get and List Access Policies run: | chmod +x ./artifact/keyweave - ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} + ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} - name: Use Keyweave with a filter run: | - ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --filter "filter" + ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --filter "filter" - name: Use Keyweave with a complex file path run: | mkdir -p "user/projects/project 1/src/lib" - ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --output "user/projects/project 1/src/lib/.env" + ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "user/projects/project 1/src/lib/.env" - name: Use Keyweave with a non-existent Key Vault - run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }}1234 + run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}1234 + + - name: Use Keyweave with a firewalled Key Vault + run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '2') }} - name: Use Keyweave with a no permissions run: | mkdir -p "user/projects/project 1/src/lib" - ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} --output "/.env" + ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "/.env" - uses: azure/login@v1 with: @@ -139,7 +142,7 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.OTHER_SUBSCRIPTION_ID }} - name: Use Keyweave while logged into other Subscription - run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} + run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} # - uses: azure/login@v1 # with: 
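Review bot: The new `Use Keyweave with a firewalled Key Vault` step does not assert the outcome it exists to test: as a bare `run:`, a non-zero exit from keyweave fails the job, while a zero exit passes without checking that the firewalled vault actually refused the runner. Presumably the intent (given `defaultAction: 'Deny'` in kv.bicep) is that access is denied, so the step should pass only when the call fails, e.g. `run: "! ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '2') }}"` (double-quoted because a leading `!` is a YAML tag indicator), ideally also matching the output against the expected network-denied message so an unrelated error does not satisfy the test. The neighbouring non-existent-vault and no-permissions steps predate this commit and share the ambiguity; if the convention is that keyweave exits zero on handled errors, a comment on the step stating that would help the next reader.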
@@ -147,4 +150,4 @@ jobs: # tenant-id: ${{ secrets.OTHER_TENANT_ID }} # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} # - name: Use Keyweave while logged into other Azure Tenant - # run: ./artifact/keyweave --vault-name ${{ env.VAULT_NAME }} \ No newline at end of file + # run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} \ No newline at end of file diff --git a/bicep/modules/kv.bicep b/bicep/modules/kv.bicep index 8a31e5e..a0bd707 100644 --- a/bicep/modules/kv.bicep +++ b/bicep/modules/kv.bicep @@ -53,7 +53,43 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = { } /* - Diagnostic Settings for Key Vault + Key Vault +*/ + +resource keyVaultWithFirewall 'Microsoft.KeyVault/vaults@2023-02-01' = { + name: replace(toLower(format(nameFormat, 'KVT', 2)), '-', '') + location: location + tags: tags + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enableSoftDelete: true + enablePurgeProtection: true + accessPolicies: accessPolicies + networkAcls: { + defaultAction: 'Deny' + ipRules: [] + } + } + resource testSecret 'secrets' = { + name: 'testSecret' + properties: { + value: 'testSecretValue' + } + } + resource filterTestSecret 'secrets' = { + name: 'filterTestSecret' + properties: { + value: 'filterTestSecretValue' + } + } +} + +/* + Diagnostic Settings for Key Vaults */ resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = { @@ -69,3 +105,17 @@ resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021- ] } } + +resource keyVaultWithFirewallDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = { + name: 'keyVaultLogging' + scope: keyVaultWithFirewall + properties: { + workspaceId: _logAnalyticsWorkspace.id + logs: [ + { + category: 'AuditEvent' + enabled: true + } + ] + } +}
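Review bot: `networkAcls` on `keyVaultWithFirewall` sets `defaultAction: 'Deny'` with `ipRules: []` but leaves `bypass` and `virtualNetworkRules` unset, so whether anything can still reach this vault depends on the API default for `bypass` (which, as I recall, is `'AzureServices'`); since the vault exists to exercise the denied path, state the posture explicitly with `bypass: 'None'` and `virtualNetworkRules: []` next to `ipRules: []`. The comment block above the resource was reduced to `Key Vault` and no longer says what distinguishes it; something like `Key Vault with network ACL default Deny — target of the firewalled e2e test (name suffix 2, see VAULT_NAME in .github/workflows/e2e.yml)` would tie the two halves of this commit together. The resource body appears to duplicate `keyVault` (defined before this hunk) apart from the name suffix and `networkAcls`, and `keyVaultWithFirewallDiagnosticSettings` in the @@ -69 hunk duplicates the existing diagnostic settings apart from `scope`; a `for` loop over a small array of `{suffix, networkAcls}` entries would keep the two vaults from drifting, though the earlier resource is outside this hunk so I cannot confirm the overlap. `enablePurgeProtection: true` cannot be turned off once set and keeps the deterministic name reserved for the retention period after a delete, which is worth confirming as intentional for a test vault that is redeployed under the same name.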