From 74677dd5b4f4ac32162182666a06af2551b3a919 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Thu, 4 Apr 2024 15:56:42 +0100 Subject: [PATCH 1/5] feat(azure): copy from keyvault to app config --- .azure/infrastructure/main.bicep | 5 +++- .azure/modules/keyvault/copySecrets.bicep | 29 ++++++++++++++++++----- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep index 4db077777..8f60ed5ba 100644 --- a/.azure/infrastructure/main.bicep +++ b/.azure/infrastructure/main.bicep @@ -133,6 +133,7 @@ module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { scope: resourceGroup name: 'copyEnvironmentSecrets' params: { + appConfigurationName: appConfiguration.outputs.name srcKeyVaultKeys: keyVaultSourceKeys srcKeyVaultName: secrets.sourceKeyVaultName srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup @@ -145,7 +146,9 @@ module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { module copyCrossEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { scope: resourceGroup name: 'copyCrossEnvironmentSecrets' - params: { srcKeyVaultKeys: keyVaultSourceKeys + params: { + appConfigurationName: appConfiguration.outputs.name + srcKeyVaultKeys: keyVaultSourceKeys srcKeyVaultName: secrets.sourceKeyVaultName srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId diff --git a/.azure/modules/keyvault/copySecrets.bicep b/.azure/modules/keyvault/copySecrets.bicep index ca4251b9c..6a5ca9d73 100644 --- a/.azure/modules/keyvault/copySecrets.bicep +++ b/.azure/modules/keyvault/copySecrets.bicep 
@@ -9,15 +9,17 @@ param destKeyVaultName string param destKeyVaultRGName string = resourceGroup().name param destKeyVaultSubId string = subscription().subscriptionId +// App configuration +param appConfigurationName string + // Secret #disable-next-line secure-secrets-in-params param secretPrefix string -param removeSecretPrefix bool = true var environmentKeys = [for key in srcKeyVaultKeys: { isEnvironmentKey: startsWith(key, secretPrefix) - value: removeSecretPrefix ? replace(key, secretPrefix, '') : key - fullName: key + secretName: key + appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':') }] resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { 
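Review bot: `replace(key, secretPrefix, '')` on the new `appConfigKey` line strips every occurrence of the prefix rather than only the leading one that `startsWith` checked; `substring(key, length(secretPrefix))` states the intent exactly, e.g. `appConfigKey: replace(substring(key, length(secretPrefix)), '--', ':')`, but it would then have to be guarded by `isEnvironmentKey`, since the hunk still computes this field for keys that do not carry the prefix. Dropping `param removeSecretPrefix` also narrows the module's interface; the two callers visible in main.bicep in this patch do not pass it, so that looks safe as far as this series shows. A one-line comment above the `var` saying that `appConfigKey` maps the Key Vault `--` separator to the App Configuration `:` hierarchy separator would spare the next reader the double `replace`.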
@@ -25,12 +27,27 @@ resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName) } +resource appConfigurationResource 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { + name: appConfigurationName +} + module secrets 'upsertSecret.bicep' = [for key in environmentKeys: if (key.isEnvironmentKey) { - name: '${take(key.value, 57)}-${take(uniqueString(key.value), 6)}' + name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}' scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName) params: { destKeyVaultName: destKeyVaultName - secretName: key.value - secretValue: srcKeyVaultResource.getSecret(key.fullName) + secretName: key.secretName + secretValue: srcKeyVaultResource.getSecret(key.secretName) + } +}] + +module appConfiguration '../appConfiguration/upsertKeyValue.bicep' = [for key in environmentKeys: if (!key.isEnvironmentKey) { + name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}' + scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName) + params: { + configStoreName: appConfigurationResource.name + key: key.appConfigKey + value: 'https://${destKeyVaultName}${az.environment().suffixes.keyvaultDns}/secrets/${key.secretName}' + keyValueType: 'keyVaultReference' } }] From 543cfd8fb4ac995d1f0fb9e5f5bb05ecedc9ff89 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Fri, 5 Apr 2024 13:17:08 +0100 Subject: [PATCH 2/5] fix weirdness --- .azure/infrastructure/main.bicep | 34 ++++++++++--------- .azure/modules/keyvault/copySecrets.bicep | 41 +++++++++++++---------- 2 files changed, 42 insertions(+), 33 deletions(-) diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep index 8f60ed5ba..5830dea2a 100644 --- a/.azure/infrastructure/main.bicep +++ b/.azure/infrastructure/main.bicep 
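Review bot: The new `appConfiguration` loop runs for `!key.isEnvironmentKey`, i.e. for every source key that does not match `secretPrefix`, so each of the two callers in main.bicep writes App Configuration entries for the other caller's keys and for every other environment's secrets, and each entry's Key Vault reference points at `${destKeyVaultName}/secrets/${key.secretName}`, a secret this module only copies when `isEnvironmentKey` is true, so those references would dangle. The condition should match the `secrets` loop, `if (key.isEnvironmentKey)`; PATCH 3/5 in this series does move both loops onto a prefix-filtered list. Note that the two loops use the identical `name:` expression in the same `resourceGroup(destKeyVaultSubId, destKeyVaultRGName)` scope, and only the mutually exclusive conditions currently keep the deployment names distinct.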
@@ -19,22 +19,22 @@ param sourceKeyVaultResourceGroup string @minLength(3) param sourceKeyVaultName string -import {Sku as KeyVaultSku} from '../modules/keyvault/create.bicep' +import { Sku as KeyVaultSku } from '../modules/keyvault/create.bicep' param keyVaultSku KeyVaultSku -import {Sku as AppConfigurationSku} from '../modules/appConfiguration/create.bicep' +import { Sku as AppConfigurationSku } from '../modules/appConfiguration/create.bicep' param appConfigurationSku AppConfigurationSku -import {Sku as AppInsightsSku} from '../modules/applicationInsights/create.bicep' +import { Sku as AppInsightsSku } from '../modules/applicationInsights/create.bicep' param appInsightsSku AppInsightsSku -import {Sku as SlackNotifierSku} from '../modules/functionApp/slackNotifier.bicep' +import { Sku as SlackNotifierSku } from '../modules/functionApp/slackNotifier.bicep' param slackNotifierSku SlackNotifierSku -import {Sku as PostgresSku} from '../modules/postgreSql/create.bicep' +import { Sku as PostgresSku } from '../modules/postgreSql/create.bicep' param postgresSku PostgresSku -import {Sku as RedisSku} from '../modules/redis/main.bicep' +import { Sku as RedisSku } from '../modules/redis/main.bicep' param redisSku RedisSku @minLength(1) param redisVersion string @@ -112,7 +112,9 @@ module postgresql '../modules/postgreSql/create.bicep' = { environmentKeyVaultName: environmentKeyVault.outputs.name srcKeyVault: srcKeyVault srcSecretName: 'dialogportenPgAdminPassword${environment}' - administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword + administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}') + ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') + : secrets.dialogportenPgAdminPassword sku: postgresSku } } 
@@ -129,9 +131,9 @@ module redis '../modules/redis/main.bicep' = { } } -module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { +module copyCrossEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { scope: resourceGroup - name: 'copyEnvironmentSecrets' + name: 'copyCrossEnvironmentSecrets' params: { appConfigurationName: appConfiguration.outputs.name srcKeyVaultKeys: keyVaultSourceKeys @@ -139,21 +141,21 @@ module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId destKeyVaultName: environmentKeyVault.outputs.name - secretPrefix: 'dialogporten--${environment}--' + secretPrefix: 'dialogporten--any--' } } -module copyCrossEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { +module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = { scope: resourceGroup - name: 'copyCrossEnvironmentSecrets' - params: { + name: 'copyEnvironmentSecrets' + params: { appConfigurationName: appConfiguration.outputs.name srcKeyVaultKeys: keyVaultSourceKeys srcKeyVaultName: secrets.sourceKeyVaultName srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId destKeyVaultName: environmentKeyVault.outputs.name - secretPrefix: 'dialogporten--any--' + secretPrefix: 'dialogporten--${environment}--' } } @@ -184,7 +186,7 @@ module appInsightsReaderAccessPolicy '../modules/applicationInsights/addReaderRo name: 'appInsightsReaderAccessPolicy' params: { appInsightsName: appInsights.outputs.appInsightsName - principalIds: [ slackNotifier.outputs.functionAppPrincipalId ] + principalIds: [slackNotifier.outputs.functionAppPrincipalId] } } 
@@ -215,7 +217,7 @@ module keyVaultReaderAccessPolicy '../modules/keyvault/addReaderRoles.bicep' = { name: 'keyVaultReaderAccessPolicyFunctions' params: { keyvaultName: environmentKeyVault.outputs.name - principalIds: [ slackNotifier.outputs.functionAppPrincipalId ] + principalIds: [slackNotifier.outputs.functionAppPrincipalId] } } diff --git a/.azure/modules/keyvault/copySecrets.bicep b/.azure/modules/keyvault/copySecrets.bicep index 6a5ca9d73..e585833dd 100644 --- a/.azure/modules/keyvault/copySecrets.bicep +++ b/.azure/modules/keyvault/copySecrets.bicep @@ -1,5 +1,5 @@ // Source -param srcKeyVaultKeys array +param srcKeyVaultKeys array param srcKeyVaultName string param srcKeyVaultRGNName string = resourceGroup().name param srcKeyVaultSubId string = subscription().subscriptionId 
@@ -16,38 +16,45 @@ param appConfigurationName string #disable-next-line secure-secrets-in-params param secretPrefix string -var environmentKeys = [for key in srcKeyVaultKeys: { +var environmentKeys = [ + for key in srcKeyVaultKeys: { isEnvironmentKey: startsWith(key, secretPrefix) + secretNameWithoutPrefix: replace(key, secretPrefix, '') secretName: key appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':') -}] + } +] resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { - name: srcKeyVaultName - scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName) + name: srcKeyVaultName + scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName) } resource appConfigurationResource 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = { - name: appConfigurationName + name: appConfigurationName } -module secrets 'upsertSecret.bicep' = [for key in environmentKeys: if (key.isEnvironmentKey) { +module secrets 'upsertSecret.bicep' = [ + for key in environmentKeys: if (key.isEnvironmentKey) { name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}' scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName) params: { - destKeyVaultName: destKeyVaultName - secretName: key.secretName - secretValue: srcKeyVaultResource.getSecret(key.secretName) + destKeyVaultName: destKeyVaultName + secretName: key.secretNameWithoutPrefix + secretValue: srcKeyVaultResource.getSecret(key.secretName) } -}] + } +] -module appConfiguration '../appConfiguration/upsertKeyValue.bicep' = [for key in environmentKeys: if (!key.isEnvironmentKey) { +module appConfiguration '../appConfiguration/upsertKeyValue.bicep' = [ + for key in environmentKeys: if (!key.isEnvironmentKey) { name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}' scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName) params: { - configStoreName: appConfigurationResource.name - key: key.appConfigKey - value: 
'https://${destKeyVaultName}${az.environment().suffixes.keyvaultDns}/secrets/${key.secretName}' - keyValueType: 'keyVaultReference' + configStoreName: appConfigurationResource.name + key: key.appConfigKey + value: 'https://${destKeyVaultName}${az.environment().suffixes.keyvaultDns}/secrets/${key.secretNameWithoutPrefix}' + keyValueType: 'keyVaultReference' } -}] + } +] From 17d623034e5fc639ea0693f5c61b3dbdd887c4cd Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Fri, 5 Apr 2024 13:29:08 +0100 Subject: [PATCH 3/5] cleanup --- .azure/modules/keyvault/copySecrets.bicep | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.azure/modules/keyvault/copySecrets.bicep b/.azure/modules/keyvault/copySecrets.bicep index e585833dd..c37f8f232 100644 --- a/.azure/modules/keyvault/copySecrets.bicep +++ b/.azure/modules/keyvault/copySecrets.bicep @@ -16,14 +16,13 @@ param appConfigurationName string #disable-next-line secure-secrets-in-params param secretPrefix string -var environmentKeys = [ - for key in srcKeyVaultKeys: { - isEnvironmentKey: startsWith(key, secretPrefix) - secretNameWithoutPrefix: replace(key, secretPrefix, '') - secretName: key - appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':') - } -] +var filteredKeysBySecrePrefix = filter(srcKeyVaultKeys, key => startsWith(key, secretPrefix)) + +var keys = map(filteredKeysBySecrePrefix, key => { + secretNameWithoutPrefix: replace(key, secretPrefix, '') + secretName: key + appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':') +}) resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: srcKeyVaultName 
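Review bot: With the destination secret name and the App Configuration key now both stripped of the prefix (`secretName: key.secretNameWithoutPrefix` and the reference URL's `/secrets/${key.secretNameWithoutPrefix}`), the two callers in main.bicep (`dialogporten--any--` and `dialogporten--${environment}--`) map a shared suffix to the same destination secret and the same configuration key, and since nothing orders the two module deployments the surviving value is whichever finishes last. If the environment-specific value is meant to win, `copyEnvironmentSecrets` in main.bicep needs `dependsOn: [copyCrossEnvironmentSecrets]` (or the cross-environment copy should skip keys the environment copy also provides); either way a comment on `secretNameWithoutPrefix` should state the precedence. The App Configuration value is only a vault URI rather than secret material, which is the right shape, but whatever reads the store still needs secret-get access on `destKeyVaultName`; I do not see that granted in this series beyond the function-app reader policies in main.bicep, so it presumably lives elsewhere and is worth a comment next to `keyValueType: 'keyVaultReference'`.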
@@ -35,7 +34,7 @@ resource appConfigurationResource 'Microsoft.AppConfiguration/configurationStore } module secrets 'upsertSecret.bicep' = [ - for key in environmentKeys: if (key.isEnvironmentKey) { + for key in keys: { name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}' scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName) params: { @@ -47,7 +46,7 @@ module secrets 'upsertSecret.bicep' = [ ] module appConfiguration '../appConfiguration/upsertKeyValue.bicep' = [ - for key in environmentKeys: if (!key.isEnvironmentKey) { + for key in keys: { name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}' scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName) params: { From bea7b48155ed9dc389973b4433d0287890d62537 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Fri, 5 Apr 2024 13:37:56 +0100 Subject: [PATCH 4/5] cleanup --- .azure/modules/keyvault/copySecrets.bicep | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/.azure/modules/keyvault/copySecrets.bicep b/.azure/modules/keyvault/copySecrets.bicep index c37f8f232..f906d784b 100644 --- a/.azure/modules/keyvault/copySecrets.bicep +++ b/.azure/modules/keyvault/copySecrets.bicep @@ -18,11 +18,14 @@ param secretPrefix string var filteredKeysBySecrePrefix = filter(srcKeyVaultKeys, key => startsWith(key, secretPrefix)) -var keys = map(filteredKeysBySecrePrefix, key => { - secretNameWithoutPrefix: replace(key, secretPrefix, '') - secretName: key - appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':') -}) +var keys = map( + filteredKeysBySecrePrefix, + key => { + secretNameWithoutPrefix: replace(key, secretPrefix, '') + secretName: key + appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':') + } +) resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: srcKeyVaultName 
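Review bot: With both loops now iterating `keys` unconditionally, the `secrets` and `appConfiguration` modules produce the same deployment `name` (`'${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}'`) in the same `resourceGroup(destKeyVaultSubId, destKeyVaultRGName)` scope for every key, which will very likely be rejected at deployment time as duplicate nested deployment names; the second hunk of this patch (`@@ -47,7 +46,7 @@`) has the same problem. PATCH 4/5 later renames the `appConfiguration` deployments via `secretNameWithoutPrefix`, but a fixed literal discriminator in one of the two `name:` expressions would not depend on the prefix being non-empty. `filteredKeysBySecrePrefix` is misspelled; PATCH 5/5 corrects it.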
@@ -47,7 +50,7 @@ module secrets 'upsertSecret.bicep' = [ module appConfiguration '../appConfiguration/upsertKeyValue.bicep' = [ for key in keys: { - name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}' + name: '${take(key.secretNameWithoutPrefix, 57)}-${take(uniqueString(key.secretNameWithoutPrefix), 6)}' scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName) params: { configStoreName: appConfigurationResource.name From e8e7a5a2c212e7b0ebed3b63b0a1b243a19de905 Mon Sep 17 00:00:00 2001 From: Are Almaas Date: Fri, 5 Apr 2024 13:41:38 +0100 Subject: [PATCH 5/5] hello doctor --- .azure/modules/keyvault/copySecrets.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.azure/modules/keyvault/copySecrets.bicep b/.azure/modules/keyvault/copySecrets.bicep index f906d784b..c95028f7d 100644 --- a/.azure/modules/keyvault/copySecrets.bicep +++ b/.azure/modules/keyvault/copySecrets.bicep @@ -16,10 +16,10 @@ param appConfigurationName string #disable-next-line secure-secrets-in-params param secretPrefix string -var filteredKeysBySecrePrefix = filter(srcKeyVaultKeys, key => startsWith(key, secretPrefix)) +var filteredKeysBySecretPrefix = filter(srcKeyVaultKeys, key => startsWith(key, secretPrefix)) var keys = map( - filteredKeysBySecrePrefix, + filteredKeysBySecretPrefix, key => { secretNameWithoutPrefix: replace(key, secretPrefix, '') secretName: key
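Review bot: The new `name` separates the `appConfiguration` deployments from the `secrets` ones (which still use `key.secretName`) only while `secretPrefix` is non-empty; with an empty prefix `secretNameWithoutPrefix` equals `secretName` and the two loops collide again. A literal discriminator does not depend on the prefix, e.g. `name: 'appcfg-${take(key.secretNameWithoutPrefix, 50)}-${take(uniqueString(key.secretNameWithoutPrefix), 6)}'` (7 + 50 + 1 + 6 stays within the 64-character deployment-name limit the existing `take(…, 57)` is sized for), and `@minLength(1)` on `param secretPrefix` would make the assumption explicit. The module's `params` block continues outside the hunk.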