-
Notifications
You must be signed in to change notification settings - Fork 269
/
main.bicep
719 lines (605 loc) · 27.7 KB
/
main.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
metadata name = 'Key Vaults'
metadata description = 'This module deploys a Key Vault.'
metadata owner = 'Azure/module-maintainers'
// ================ //
// Parameters //
// ================ //
@description('Required. Name of the Key Vault. Must be globally unique.')
@maxLength(24)
param name string
@description('Optional. Location for all resources.')
param location string = resourceGroup().location
@description('Optional. All access policies to create.')
param accessPolicies accessPoliciesType
@description('Optional. All secrets to create.')
param secrets secretsType?
@description('Optional. All keys to create.')
param keys keysType?
@description('Optional. Specifies if the vault is enabled for deployment by script or compute.')
param enableVaultForDeployment bool = true
@description('Optional. Specifies if the vault is enabled for a template deployment.')
param enableVaultForTemplateDeployment bool = true
@description('Optional. Specifies if the azure platform has access to the vault for enabling disk encryption scenarios.')
param enableVaultForDiskEncryption bool = true
@description('Optional. Switch to enable/disable Key Vault\'s soft delete feature.')
param enableSoftDelete bool = true
@description('Optional. softDelete data retention days. It accepts >=7 and <=90.')
param softDeleteRetentionInDays int = 90
@description('Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC.')
param enableRbacAuthorization bool = true
@description('Optional. The vault\'s create mode to indicate whether the vault need to be recovered or not. - recover or default.')
param createMode string = 'default'
@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
param enablePurgeProtection bool = true
@description('Optional. Specifies the SKU for the vault.')
@allowed([
'premium'
'standard'
])
param sku string = 'premium'
@description('Optional. Rules governing the accessibility of the resource from specific network locations.')
param networkAcls object?
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
@allowed([
''
'Enabled'
'Disabled'
])
param publicNetworkAccess string = ''
@description('Optional. The lock settings of the service.')
param lock lockType
@description('Optional. Array of role assignments to create.')
param roleAssignments roleAssignmentType
@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
param privateEndpoints privateEndpointType
@description('Optional. Resource tags.')
param tags object?
@description('Optional. The diagnostic settings of the service.')
param diagnosticSettings diagnosticSettingType
@description('Optional. Enable/Disable usage telemetry for module.')
param enableTelemetry bool = true
// =========== //
// Variables //
// =========== //
var builtInRoleNames = {
Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
'Key Vault Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'00482a5a-887f-4fb3-b363-3b7fe8e74483'
)
'Key Vault Certificates Officer': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'a4417e6f-fecd-4de8-b567-7b0420556985'
)
'Key Vault Certificate User': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'db79e9a7-68ee-4b58-9aeb-b90e7c24fcba'
)
'Key Vault Contributor': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'f25e0fa2-a7c8-4377-a976-54943a77a395'
)
'Key Vault Crypto Officer': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
)
'Key Vault Crypto Service Encryption User': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'e147488a-f6f5-4113-8e2d-b22465e65bf6'
)
'Key Vault Crypto User': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'12338af0-0e69-4776-bea7-57ae8d297424'
)
'Key Vault Reader': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'21090545-7ca7-4776-b22c-e363652d74d2'
)
'Key Vault Secrets Officer': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
)
'Key Vault Secrets User': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'4633458b-17de-408a-b874-0445c86b69e6'
)
Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'Role Based Access Control Administrator (Preview)': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
)
'User Access Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
)
}
var formattedAccessPolicies = [
for accessPolicy in (accessPolicies ?? []): {
applicationId: accessPolicy.?applicationId ?? ''
objectId: accessPolicy.objectId
permissions: accessPolicy.permissions
tenantId: accessPolicy.?tenantId ?? tenant().tenantId
}
]
// ============ //
// Dependencies //
// ============ //
#disable-next-line no-deployments-resources
resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
name: '46d3xbcp.res.keyvault-vault.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
outputs: {
telemetry: {
type: 'String'
value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
}
}
}
}
}
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
name: name
location: location
tags: tags
properties: {
enabledForDeployment: enableVaultForDeployment
enabledForTemplateDeployment: enableVaultForTemplateDeployment
enabledForDiskEncryption: enableVaultForDiskEncryption
enableSoftDelete: enableSoftDelete
softDeleteRetentionInDays: softDeleteRetentionInDays
enableRbacAuthorization: enableRbacAuthorization
createMode: createMode
enablePurgeProtection: enablePurgeProtection ? enablePurgeProtection : null
tenantId: subscription().tenantId
accessPolicies: formattedAccessPolicies
sku: {
name: sku
family: 'A'
}
networkAcls: !empty(networkAcls ?? {})
? {
bypass: networkAcls.?bypass
defaultAction: networkAcls.?defaultAction
virtualNetworkRules: networkAcls.?virtualNetworkRules ?? []
ipRules: networkAcls.?ipRules ?? []
}
: null
publicNetworkAccess: !empty(publicNetworkAccess)
? publicNetworkAccess
: ((!empty(privateEndpoints ?? []) && empty(networkAcls ?? {})) ? 'Disabled' : null)
}
}
resource keyVault_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
name: lock.?name ?? 'lock-${name}'
properties: {
level: lock.?kind ?? ''
notes: lock.?kind == 'CanNotDelete'
? 'Cannot delete resource or child resources.'
: 'Cannot delete or modify the resource or child resources.'
}
scope: keyVault
}
resource keyVault_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [
for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
properties: {
storageAccountId: diagnosticSetting.?storageAccountResourceId
workspaceId: diagnosticSetting.?workspaceResourceId
eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
eventHubName: diagnosticSetting.?eventHubName
metrics: [
for group in (diagnosticSetting.?metricCategories ?? [{ category: 'AllMetrics' }]): {
category: group.category
enabled: group.?enabled ?? true
timeGrain: null
}
]
logs: [
for group in (diagnosticSetting.?logCategoriesAndGroups ?? [{ categoryGroup: 'allLogs' }]): {
categoryGroup: group.?categoryGroup
category: group.?category
enabled: group.?enabled ?? true
}
]
marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
}
scope: keyVault
}
]
module keyVault_accessPolicies 'access-policy/main.bicep' = if (!empty(accessPolicies)) {
name: '${uniqueString(deployment().name, location)}-KeyVault-AccessPolicies'
params: {
keyVaultName: keyVault.name
accessPolicies: accessPolicies
}
}
module keyVault_secrets 'secret/main.bicep' = [
for (secret, index) in (secrets ?? []): {
name: '${uniqueString(deployment().name, location)}-KeyVault-Secret-${index}'
params: {
name: secret.name
value: secret.value
keyVaultName: keyVault.name
attributesEnabled: secret.?attributesEnabled
attributesExp: secret.?attributesExp
attributesNbf: secret.?attributesNbf
contentType: secret.?contentType
tags: secret.?tags ?? tags
roleAssignments: secret.?roleAssignments
}
}
]
module keyVault_keys 'key/main.bicep' = [
for (key, index) in (keys ?? []): {
name: '${uniqueString(deployment().name, location)}-KeyVault-Key-${index}'
params: {
name: key.name
keyVaultName: keyVault.name
attributesEnabled: key.?attributesEnabled
attributesExp: key.?attributesExp
attributesNbf: key.?attributesNbf
curveName: (key.?kty != 'RSA' && key.?kty != 'RSA-HSM') ? (key.?curveName ?? 'P-256') : null
keyOps: key.?keyOps
keySize: (key.?kty == 'RSA' || key.?kty == 'RSA-HSM') ? (key.?keySize ?? 4096) : null
releasePolicy: key.?releasePolicy ?? {}
kty: key.?kty ?? 'EC'
tags: key.?tags ?? tags
roleAssignments: key.?roleAssignments
rotationPolicy: key.?rotationPolicy
}
}
]
module keyVault_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.4.1' = [
for (privateEndpoint, index) in (privateEndpoints ?? []): {
name: '${uniqueString(deployment().name, location)}-keyVault-PrivateEndpoint-${index}'
scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
params: {
name: privateEndpoint.?name ?? 'pep-${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}'
privateLinkServiceConnections: privateEndpoint.?isManualConnection != true
? [
{
name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}'
properties: {
privateLinkServiceId: keyVault.id
groupIds: [
privateEndpoint.?service ?? 'vault'
]
}
}
]
: null
manualPrivateLinkServiceConnections: privateEndpoint.?isManualConnection == true
? [
{
name: privateEndpoint.?privateLinkServiceConnectionName ?? '${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}'
properties: {
privateLinkServiceId: keyVault.id
groupIds: [
privateEndpoint.?service ?? 'vault'
]
requestMessage: privateEndpoint.?manualConnectionRequestMessage ?? 'Manual approval required.'
}
}
]
: null
subnetResourceId: privateEndpoint.subnetResourceId
enableTelemetry: privateEndpoint.?enableTelemetry ?? enableTelemetry
location: privateEndpoint.?location ?? reference(
split(privateEndpoint.subnetResourceId, '/subnets/')[0],
'2020-06-01',
'Full'
).location
lock: privateEndpoint.?lock ?? lock
privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName
privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds
roleAssignments: privateEndpoint.?roleAssignments
tags: privateEndpoint.?tags ?? tags
customDnsConfigs: privateEndpoint.?customDnsConfigs
ipConfigurations: privateEndpoint.?ipConfigurations
applicationSecurityGroupResourceIds: privateEndpoint.?applicationSecurityGroupResourceIds
customNetworkInterfaceName: privateEndpoint.?customNetworkInterfaceName
}
}
]
resource keyVault_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
for (roleAssignment, index) in (roleAssignments ?? []): {
name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName)
properties: {
roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName)
? builtInRoleNames[roleAssignment.roleDefinitionIdOrName]
: contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/')
? roleAssignment.roleDefinitionIdOrName
: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)
principalId: roleAssignment.principalId
description: roleAssignment.?description
principalType: roleAssignment.?principalType
condition: roleAssignment.?condition
conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
}
scope: keyVault
}
]
// =========== //
// Outputs //
// =========== //
@description('The resource ID of the key vault.')
output resourceId string = keyVault.id
@description('The name of the resource group the key vault was created in.')
output resourceGroupName string = resourceGroup().name
@description('The name of the key vault.')
output name string = keyVault.name
@description('The URI of the key vault.')
output uri string = keyVault.properties.vaultUri
@description('The location the resource was deployed into.')
output location string = keyVault.location
// ================ //
// Definitions //
// ================ //
type diagnosticSettingType = {
@description('Optional. The name of diagnostic setting.')
name: string?
@description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection.')
logCategoriesAndGroups: {
@description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.')
category: string?
@description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs.')
categoryGroup: string?
@description('Optional. Enable or disable the category explicitly. Default is `true`.')
enabled: bool?
}[]?
@description('Optional. The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection.')
metricCategories: {
@description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics.')
category: string
@description('Optional. Enable or disable the category explicitly. Default is `true`.')
enabled: bool?
}[]?
@description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?
@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
workspaceResourceId: string?
@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
storageAccountResourceId: string?
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
eventHubAuthorizationRuleResourceId: string?
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
eventHubName: string?
@description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
marketplacePartnerResourceId: string?
}[]?
type roleAssignmentType = {
@description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
roleDefinitionIdOrName: string
@description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
principalId: string
@description('Optional. The principal type of the assigned principal ID.')
principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
@description('Optional. The description of the role assignment.')
description: string?
@description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
condition: string?
@description('Optional. Version of the condition.')
conditionVersion: '2.0'?
@description('Optional. The Resource Id of the delegated managed identity resource.')
delegatedManagedIdentityResourceId: string?
}[]?
type privateEndpointType = {
@description('Optional. The name of the private endpoint.')
name: string?
@description('Optional. The location to deploy the private endpoint to.')
location: string?
@description('Optional. The name of the private link connection to create.')
privateLinkServiceConnectionName: string?
@description('Optional. The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".')
service: string?
@description('Required. Resource ID of the subnet where the endpoint needs to be created.')
subnetResourceId: string
@description('Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided.')
privateDnsZoneGroupName: string?
@description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.')
privateDnsZoneResourceIds: string[]?
@description('Optional. If Manual Private Link Connection is required.')
isManualConnection: bool?
@description('Optional. A message passed to the owner of the remote resource with the manual connection request.')
@maxLength(140)
manualConnectionRequestMessage: string?
@description('Optional. Custom DNS configurations.')
customDnsConfigs: {
@description('Required. Fqdn that resolves to private endpoint IP address.')
fqdn: string?
@description('Required. A list of private IP addresses of the private endpoint.')
ipAddresses: string[]
}[]?
@description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.')
ipConfigurations: {
@description('Required. The name of the resource that is unique within a resource group.')
name: string
@description('Required. Properties of private endpoint IP configurations.')
properties: {
@description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.')
groupId: string
@description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.')
memberName: string
@description('Required. A private IP address obtained from the private endpoint\'s subnet.')
privateIPAddress: string
}
}[]?
@description('Optional. Application security groups in which the private endpoint IP configuration is included.')
applicationSecurityGroupResourceIds: string[]?
@description('Optional. The custom name of the network interface attached to the private endpoint.')
customNetworkInterfaceName: string?
@description('Optional. Specify the type of lock.')
lock: lockType
@description('Optional. Array of role assignments to create.')
roleAssignments: roleAssignmentType
@description('Optional. Tags to be applied on all resources/resource groups in this deployment.')
tags: object?
@description('Optional. Enable/Disable usage telemetry for module.')
enableTelemetry: bool?
@description('Optional. Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.')
resourceGroupName: string?
}[]?
type lockType = {
@description('Optional. Specify the name of lock.')
name: string?
@description('Optional. Specify the type of lock.')
kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
}?
type accessPoliciesType = {
@description('Optional. The tenant ID that is used for authenticating requests to the key vault.')
tenantId: string?
@description('Required. The object ID of a user, service principal or security group in the tenant for the vault.')
objectId: string
@description('Optional. Application ID of the client making request on behalf of a principal.')
applicationId: string?
@description('Required. Permissions the identity has for keys, secrets and certificates.')
permissions: {
@description('Optional. Permissions to keys.')
keys: (
| 'all'
| 'backup'
| 'create'
| 'decrypt'
| 'delete'
| 'encrypt'
| 'get'
| 'getrotationpolicy'
| 'import'
| 'list'
| 'purge'
| 'recover'
| 'release'
| 'restore'
| 'rotate'
| 'setrotationpolicy'
| 'sign'
| 'unwrapKey'
| 'update'
| 'verify'
| 'wrapKey')[]?
@description('Optional. Permissions to secrets.')
secrets: ('all' | 'backup' | 'delete' | 'get' | 'list' | 'purge' | 'recover' | 'restore' | 'set')[]?
@description('Optional. Permissions to certificates.')
certificates: (
| 'all'
| 'backup'
| 'create'
| 'delete'
| 'deleteissuers'
| 'get'
| 'getissuers'
| 'import'
| 'list'
| 'listissuers'
| 'managecontacts'
| 'manageissuers'
| 'purge'
| 'recover'
| 'restore'
| 'setissuers'
| 'update')[]?
@description('Optional. Permissions to storage accounts.')
storage: (
| 'all'
| 'backup'
| 'delete'
| 'deletesas'
| 'get'
| 'getsas'
| 'list'
| 'listsas'
| 'purge'
| 'recover'
| 'regeneratekey'
| 'restore'
| 'set'
| 'setsas'
| 'update')[]?
}
}[]?
type secretsType = {
@description('Required. The name of the secret.')
name: string
@description('Optional. Resource tags.')
tags: object?
@description('Optional. Contains attributes of the secret.')
attributes: {
@description('Optional. Defines whether the secret is enabled or disabled.')
enabled: bool?
@description('Optional. Defines when the secret will become invalid. Defined in seconds since 1970-01-01T00:00:00Z.')
exp: int?
@description('Optional. If set, defines the date from which onwards the secret becomes valid. Defined in seconds since 1970-01-01T00:00:00Z.')
nbf: int?
}?
@description('Optional. The content type of the secret.')
contentType: string?
@description('Required. The value of the secret. NOTE: "value" will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets.')
@secure()
value: string
@description('Optional. Array of role assignments to create.')
roleAssignments: roleAssignmentType?
}[]?
type keysType = {
@description('Required. The name of the key.')
name: string
@description('Optional. Resource tags.')
tags: object?
@description('Optional. Contains attributes of the key.')
attributes: {
@description('Optional. Defines whether the key is enabled or disabled.')
enabled: bool?
@description('Optional. Defines when the key will become invalid. Defined in seconds since 1970-01-01T00:00:00Z.')
exp: int?
@description('Optional. If set, defines the date from which onwards the key becomes valid. Defined in seconds since 1970-01-01T00:00:00Z.')
nbf: int?
}?
@description('Optional. The elliptic curve name. Only works if "keySize" equals "EC" or "EC-HSM". Default is "P-256".')
curveName: ('P-256' | 'P-256K' | 'P-384' | 'P-521')?
@description('Optional. The allowed operations on this key.')
keyOps: ('decrypt' | 'encrypt' | 'import' | 'release' | 'sign' | 'unwrapKey' | 'verify' | 'wrapKey')[]?
@description('Optional. The key size in bits. Only works if "keySize" equals "RSA" or "RSA-HSM". Default is "4096".')
keySize: (2048 | 3072 | 4096)?
@description('Optional. The type of the key. Default is "EC".')
kty: ('EC' | 'EC-HSM' | 'RSA' | 'RSA-HSM')?
@description('Optional. Key release policy.')
releasePolicy: {
@description('Optional. Content type and version of key release policy.')
contentType: string?
@description('Optional. Blob encoding the policy rules under which the key can be released.')
data: string?
}?
@description('Optional. Key rotation policy.')
rotationPolicy: rotationPoliciesType?
@description('Optional. Array of role assignments to create.')
roleAssignments: roleAssignmentType?
}[]?
type rotationPoliciesType = {
@description('Optional. The attributes of key rotation policy.')
attributes: {
@description('Optional. The expiration time for the new key version. It should be in ISO8601 format. Eg: "P90D", "P1Y".')
expiryTime: string?
}?
@description('Optional. The lifetimeActions for key rotation action.')
lifetimeActions: {
@description('Optional. The action of key rotation policy lifetimeAction.')
action: {
@description('Optional. The type of action.')
type: ('Notify' | 'Rotate')?
}?
@description('Optional. The trigger of key rotation policy lifetimeAction.')
trigger: {
@description('Optional. The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format. Eg: "P90D", "P1Y".')
timeAfterCreate: string?
@description('Optional. The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: "P90D", "P1Y".')
timeBeforeExpiry: string?
}?
}[]?
}?