feat(azure): copy from keyvault to app config #593

Merged
merged 6 commits into from
Apr 9, 2024
37 changes: 21 additions & 16 deletions .azure/infrastructure/main.bicep
Expand Up @@ -19,22 +19,22 @@ param sourceKeyVaultResourceGroup string
@minLength(3)
param sourceKeyVaultName string

import {Sku as KeyVaultSku} from '../modules/keyvault/create.bicep'
import { Sku as KeyVaultSku } from '../modules/keyvault/create.bicep'
param keyVaultSku KeyVaultSku

import {Sku as AppConfigurationSku} from '../modules/appConfiguration/create.bicep'
import { Sku as AppConfigurationSku } from '../modules/appConfiguration/create.bicep'
param appConfigurationSku AppConfigurationSku

import {Sku as AppInsightsSku} from '../modules/applicationInsights/create.bicep'
import { Sku as AppInsightsSku } from '../modules/applicationInsights/create.bicep'
param appInsightsSku AppInsightsSku

import {Sku as SlackNotifierSku} from '../modules/functionApp/slackNotifier.bicep'
import { Sku as SlackNotifierSku } from '../modules/functionApp/slackNotifier.bicep'
param slackNotifierSku SlackNotifierSku

import {Sku as PostgresSku} from '../modules/postgreSql/create.bicep'
import { Sku as PostgresSku } from '../modules/postgreSql/create.bicep'
param postgresSku PostgresSku

import {Sku as RedisSku} from '../modules/redis/main.bicep'
import { Sku as RedisSku } from '../modules/redis/main.bicep'
param redisSku RedisSku
@minLength(1)
param redisVersion string
Expand Down Expand Up @@ -112,7 +112,9 @@ module postgresql '../modules/postgreSql/create.bicep' = {
environmentKeyVaultName: environmentKeyVault.outputs.name
srcKeyVault: srcKeyVault
srcSecretName: 'dialogportenPgAdminPassword${environment}'
administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword
administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}')
? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}')
: secrets.dialogportenPgAdminPassword
sku: postgresSku
}
}
Expand All @@ -129,28 +131,31 @@ module redis '../modules/redis/main.bicep' = {
}
}

module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
module copyCrossEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
scope: resourceGroup
name: 'copyEnvironmentSecrets'
name: 'copyCrossEnvironmentSecrets'
params: {
appConfigurationName: appConfiguration.outputs.name
srcKeyVaultKeys: keyVaultSourceKeys
srcKeyVaultName: secrets.sourceKeyVaultName
srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
destKeyVaultName: environmentKeyVault.outputs.name
secretPrefix: 'dialogporten--${environment}--'
secretPrefix: 'dialogporten--any--'
}
}

module copyCrossEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
scope: resourceGroup
name: 'copyCrossEnvironmentSecrets'
params: { srcKeyVaultKeys: keyVaultSourceKeys
name: 'copyEnvironmentSecrets'
params: {
appConfigurationName: appConfiguration.outputs.name
srcKeyVaultKeys: keyVaultSourceKeys
srcKeyVaultName: secrets.sourceKeyVaultName
srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
destKeyVaultName: environmentKeyVault.outputs.name
secretPrefix: 'dialogporten--any--'
secretPrefix: 'dialogporten--${environment}--'
}
}

Expand Down Expand Up @@ -181,7 +186,7 @@ module appInsightsReaderAccessPolicy '../modules/applicationInsights/addReaderRo
name: 'appInsightsReaderAccessPolicy'
params: {
appInsightsName: appInsights.outputs.appInsightsName
principalIds: [ slackNotifier.outputs.functionAppPrincipalId ]
principalIds: [slackNotifier.outputs.functionAppPrincipalId]
}
}

Expand Down Expand Up @@ -212,7 +217,7 @@ module keyVaultReaderAccessPolicy '../modules/keyvault/addReaderRoles.bicep' = {
name: 'keyVaultReaderAccessPolicyFunctions'
params: {
keyvaultName: environmentKeyVault.outputs.name
principalIds: [ slackNotifier.outputs.functionAppPrincipalId ]
principalIds: [slackNotifier.outputs.functionAppPrincipalId]
}
}

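Review bot: `copyCrossEnvironmentSecrets` and `copyEnvironmentSecrets` (L82–L114) have no dependency between them, yet both strip their prefix and write into the same environment vault and the same App Configuration store, so a secret defined under both `dialogporten--any--` and `dialogporten--${environment}--` ends up under one destination name and the surviving value is whichever nested deployment finishes last. For a secret-distribution path that is an integrity problem: an environment-specific credential can be silently replaced by the shared one, and the outcome can differ between runs. If environment-specific values are intended to win, make the ordering explicit by adding `dependsOn: [copyCrossEnvironmentSecrets]` to the `copyEnvironmentSecrets` module (L99–L114) and a comment such as `// environment-specific secrets are applied after the shared ('any') set so they take precedence`; if overlap is never expected, the same comment should say so, since nothing in the template rejects it. The `secrets`/`keyVaultSourceKeys` inputs the two modules read are declared above this hunk and are not visible here.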
56 changes: 41 additions & 15 deletions .azure/modules/keyvault/copySecrets.bicep
@@ -1,5 +1,5 @@
// Source
param srcKeyVaultKeys array
param srcKeyVaultKeys array
param srcKeyVaultName string
param srcKeyVaultRGNName string = resourceGroup().name
param srcKeyVaultSubId string = subscription().subscriptionId
Expand All @@ -9,28 +9,54 @@ param destKeyVaultName string
param destKeyVaultRGName string = resourceGroup().name
param destKeyVaultSubId string = subscription().subscriptionId

// App configuration
param appConfigurationName string

// Secret
#disable-next-line secure-secrets-in-params
param secretPrefix string
param removeSecretPrefix bool = true

var environmentKeys = [for key in srcKeyVaultKeys: {
isEnvironmentKey: startsWith(key, secretPrefix)
value: removeSecretPrefix ? replace(key, secretPrefix, '') : key
fullName: key
}]
var filteredKeysBySecretPrefix = filter(srcKeyVaultKeys, key => startsWith(key, secretPrefix))

var keys = map(
filteredKeysBySecretPrefix,
key => {
secretNameWithoutPrefix: replace(key, secretPrefix, '')
secretName: key
appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':')
}
)

resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
name: srcKeyVaultName
scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName)
name: srcKeyVaultName
scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName)
}

resource appConfigurationResource 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
name: appConfigurationName
}

module secrets 'upsertSecret.bicep' = [for key in environmentKeys: if (key.isEnvironmentKey) {
name: '${take(key.value, 57)}-${take(uniqueString(key.value), 6)}'
module secrets 'upsertSecret.bicep' = [
for key in keys: {
name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}'
scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName)
params: {
destKeyVaultName: destKeyVaultName
secretName: key.secretNameWithoutPrefix
secretValue: srcKeyVaultResource.getSecret(key.secretName)
}
}
]

module appConfiguration '../appConfiguration/upsertKeyValue.bicep' = [
for key in keys: {
name: '${take(key.secretNameWithoutPrefix, 57)}-${take(uniqueString(key.secretNameWithoutPrefix), 6)}'
scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName)
params: {
destKeyVaultName: destKeyVaultName
secretName: key.value
secretValue: srcKeyVaultResource.getSecret(key.fullName)
configStoreName: appConfigurationResource.name
key: key.appConfigKey
value: 'https://${destKeyVaultName}${az.environment().suffixes.keyvaultDns}/secrets/${key.secretNameWithoutPrefix}'
keyValueType: 'keyVaultReference'
}
}]
}
]
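Review bot: The `appConfiguration` module name on L199 is derived from `key.secretNameWithoutPrefix`, whereas the sibling `secrets` module on L187 was changed in this hunk to use the full `key.secretName`; because main.bicep instantiates this module twice in the same resource group with different prefixes, a secret present under both prefixes yields two nested deployments with the same name and two writes to the same App Configuration key, with no defined winner. Use the full secret name with a distinct marker so the name stays unique across both invocations and does not clash with the `secrets` module: `name: 'ac-${take(key.secretName, 54)}-${take(uniqueString(key.secretName), 6)}'`. Separately, the upsert on L200 is scoped to the destination Key Vault's subscription/resource group while `appConfigurationResource` (L179–L181) is resolved in the deployment's own resource group; with the defaults on L145–L146 these coincide, but if `destKeyVaultRGName` or `destKeyVaultSubId` is ever overridden the App Configuration lookup would presumably target the wrong group, so it is worth a comment like `// assumes the App Configuration store lives in the deployment's resource group` or a dedicated scope parameter.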