-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathkey-vault.bicep
100 lines (93 loc) · 3.36 KB
/
key-vault.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
import { roleAssignmentInfo } from '../security/managed-identity.bicep'
import { diagnosticSettingsInfo } from '../management_governance/log-analytics-workspace.bicep'
@description('Name of the resource.')
param name string
@description('Location to deploy the resource. Defaults to the location of the resource group.')
param location string = resourceGroup().location
@description('Tags for the resource.')
param tags object = {}
@description('Key Vault SKU name. Defaults to standard.')
@allowed([
'standard'
'premium'
])
param skuName string = 'standard'
@description('Whether soft deletion is enabled. Defaults to true.')
param enableSoftDelete bool = true
@description('Number of days to retain soft-deleted keys, secrets, and certificates. Defaults to 90.')
param retentionInDays int = 90
@description('Whether purge protection is enabled. Defaults to true.')
param enablePurgeProtection bool = true
@description('Role assignments to create for the Key Vault.')
param roleAssignments roleAssignmentInfo[] = []
@description('Name of the Log Analytics Workspace to use for diagnostic settings.')
param logAnalyticsWorkspaceName string?
@description('Diagnostic settings to configure for the Key Vault instance. Defaults to all logs and metrics.')
param diagnosticSettings diagnosticSettingsInfo = {
logs: [
{
categoryGroup: 'allLogs'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
name: name
location: location
tags: tags
properties: {
sku: {
family: 'A'
name: skuName
}
tenantId: subscription().tenantId
networkAcls: {
defaultAction: 'Allow'
bypass: 'AzureServices'
ipRules: []
virtualNetworkRules: []
}
enableSoftDelete: enableSoftDelete
enabledForTemplateDeployment: true
enableRbacAuthorization: true
enablePurgeProtection: enablePurgeProtection
softDeleteRetentionInDays: retentionInDays
}
}
resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
for roleAssignment in roleAssignments: {
name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
scope: keyVault
properties: {
principalId: roleAssignment.principalId
roleDefinitionId: roleAssignment.roleDefinitionId
principalType: roleAssignment.principalType
}
}
]
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = if (logAnalyticsWorkspaceName != null) {
name: logAnalyticsWorkspaceName!
}
resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (logAnalyticsWorkspaceName != null) {
name: '${keyVault.name}-diagnostic-settings'
scope: keyVault
properties: {
workspaceId: logAnalyticsWorkspace.id
logs: diagnosticSettings!.logs
metrics: diagnosticSettings!.metrics
}
}
@description('The deployed Key Vault resource.')
output resource resource = keyVault
@description('ID for the deployed Key Vault resource.')
output id string = keyVault.id
@description('Name for the deployed Key Vault resource.')
output name string = keyVault.name
@description('URI for the deployed Key Vault resource.')
output uri string = keyVault.properties.vaultUri