Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
264 lines (263 sloc) 14.6 KB
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"secretValue": {
"type": "string",
"defaultValue": "The secret is 42",
"minLength": 1,
"metadata": {
"description": "Value of the secret to store in Key Vault"
}
}
},
"variables": {
"API Management Sku": "Developer",
"Service Name": "[concat('api-kv-demo-', uniqueString(subscription().id, resourceGroup().id))]",
"Admin Email": "noone@nowhere.com",
"Secret Manager API": "secret-manager",
"Get Secret Operation": "get-secret",
"Get Cached Secret Operation": "get-cached-secret",
"Vault Name": "[concat('kv-', uniqueString(subscription().id, resourceGroup().id), '-demo')]",
"Secret Name": "my-secret"
},
"resources": [
{
"type": "Microsoft.ApiManagement/service",
"apiVersion": "2019-01-01",
"name": "[variables('Service Name')]",
"location": "[resourceGroup().location]",
"tags": {
},
"dependsOn": [
],
"properties": {
"notificationSenderEmail": "apimgmt-noreply@mail.windowsazure.com",
"hostnameConfigurations": [
],
"additionalLocations": [
],
"customProperties": {
},
"certificates": [
],
"enableClientCertificate": true,
"virtualNetworkType": "External",
"publisherEmail": "[variables('Admin Email')]",
"publisherName": "api-admin"
},
"sku": {
"name": "[variables('API Management Sku')]"
},
"identity": {
"type": "SystemAssigned"
},
"resources": [
{
"type": "properties",
"apiVersion": "2019-01-01",
"name": "vault-name",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service', variables('Service Name'))]"
],
"properties": {
"displayName": "vault-name",
"value": "[variables('Vault Name')]",
"tags": [
],
"secret": false
}
},
{
"type": "properties",
"apiVersion": "2019-01-01",
"name": "secret-name",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service', variables('Service Name'))]"
],
"properties": {
"displayName": "secret-name",
"value": "[variables('Secret Name')]",
"tags": [
],
"secret": false
}
},
{
"type": "apis",
"apiVersion": "2019-01-01",
"name": "[variables('Secret Manager API')]",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service', variables('Service Name'))]"
],
"properties": {
"displayName": "secret-manager",
"apiRevision": "1",
"path": "",
"protocols": [
"https"
],
"isCurrent": true
},
"resources": [
{
"type": "operations",
"apiVersion": "2019-01-01",
"name": "[variables('Get Secret Operation')]",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service/apis', variables('Service Name'), variables('Secret Manager API'))]"
],
"properties": {
"displayName": "[variables('Get Secret Operation')]",
"method": "GET",
"urlTemplate": "[variables('Get Secret Operation')]",
"templateParameters": [
],
"request": {
"queryParameters": [
],
"headers": [
],
"representations": [
]
},
"responses": [
{
"statusCode": 200,
"representations": [
{
"contentType": "text/plain",
"sample": "Mocked response"
}
],
"headers": [
]
}
]
},
"resources": [
{
"type": "policies",
"apiVersion": "2019-01-01",
"name": "policy",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service/apis/operations', variables('Service Name'), variables('Secret Manager API'), variables('Get Secret Operation'))]",
"[resourceId('Microsoft.ApiManagement/service/properties', variables('Service Name'), 'vault-name')]",
"[resourceId('Microsoft.ApiManagement/service/properties', variables('Service Name'), 'secret-name')]"
],
"properties": {
"value": "<!-- This operation fetches a secret from Key Vault and returns it as payload -->\r\n<policies>\r\n <inbound>\r\n <base />\r\n <!-- Retrieve secret from Key Vault -->\r\n <send-request mode=\"new\" response-variable-name=\"vault-secret\" timeout=\"20\" ignore-error=\"false\">\r\n <set-url>https://{{vault-name}}.vault.azure.net/secrets/{{secret-name}}/?api-version=7.0</set-url>\r\n <set-method>GET</set-method>\r\n <authentication-managed-identity resource=\"https://vault.azure.net\" />\r\n </send-request>\r\n </inbound>\r\n <backend>\r\n <!-- Return secret (no back-end service call) -->\r\n <return-response response-variable-name=\"existing context variable\">\r\n <set-status code=\"200\" />\r\n <set-body>@(((IResponse)context.Variables[\"vault-secret\"]).Body.As&lt;string&gt;())</set-body>\r\n </return-response>\r\n </backend>\r\n <outbound>\r\n <base />\r\n </outbound>\r\n <on-error>\r\n <base />\r\n </on-error>\r\n</policies>",
"format": "xml"
}
}
]
},
{
"type": "operations",
"apiVersion": "2019-01-01",
"name": "[variables('Get Cached Secret Operation')]",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service/apis', variables('Service Name'), variables('Secret Manager API'))]"
],
"properties": {
"displayName": "[variables('Get Cached Secret Operation')]",
"method": "GET",
"urlTemplate": "[variables('Get Cached Secret Operation')]",
"templateParameters": [
],
"request": {
"queryParameters": [
],
"headers": [
],
"representations": [
]
},
"responses": [
{
"statusCode": 200,
"representations": [
{
"contentType": "text/plain",
"sample": "Mocked response"
}
],
"headers": [
]
}
]
},
"resources": [
{
"type": "policies",
"apiVersion": "2019-01-01",
"name": "policy",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service/apis/operations', variables('Service Name'), variables('Secret Manager API'), variables('Get Cached Secret Operation'))]",
"[resourceId('Microsoft.ApiManagement/service/properties', variables('Service Name'), 'vault-name')]",
"[resourceId('Microsoft.ApiManagement/service/properties', variables('Service Name'), 'secret-name')]"
],
"properties": {
"value": "<!-- This operation caches the secret -->\r\n<policies>\r\n <inbound>\r\n <base />\r\n <!--Look for secret in the cache -->\r\n <cache-lookup-value key=\"cached-secret\" variable-name=\"cached-secret\" />\r\n <!-- If API Management doesn’t find it in the cache, fetch it from Key Vault -->\r\n <choose>\r\n <when condition=\"@(!context.Variables.ContainsKey(&quot;cached-secret&quot;))\">\r\n <!-- Retrieve secret from Key Vault -->\r\n <send-request mode=\"new\" response-variable-name=\"cached-secret\" timeout=\"20\" ignore-error=\"false\">\r\n <set-url>https://{{vault-name}}.vault.azure.net/secrets/{{secret-name}}/?api-version=7.0</set-url>\r\n <set-method>GET</set-method>\r\n <authentication-managed-identity resource=\"https://vault.azure.net\" />\r\n </send-request>\r\n <!-- Store response body in context variable as a string -->\r\n <set-variable name=\"cached-secret\" value=\"@(((IResponse)context.Variables[&quot;cached-secret&quot;]).Body.As&lt;string&gt;())\" />\r\n <!-- Store result in cache -->\r\n <cache-store-value key=\"cached-secret\" value=\"@((string)context.Variables[&quot;cached-secret&quot;])\" duration=\"5\" />\r\n </when>\r\n </choose>\r\n </inbound>\r\n <backend>\r\n <!-- Return secret (no back-end service call) -->\r\n <return-response response-variable-name=\"existing context variable\">\r\n <set-status code=\"200\" />\r\n <set-body>@((string)context.Variables[\"cached-secret\"])</set-body>\r\n </return-response>\r\n </backend>\r\n <outbound>\r\n <base />\r\n </outbound>\r\n <on-error>\r\n <base />\r\n </on-error>\r\n</policies>",
"format": "xml"
}
}
]
}
]
}
]
},
{
"type": "Microsoft.KeyVault/vaults",
"name": "[variables('Vault Name')]",
"apiVersion": "2018-02-14",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.ApiManagement/service', variables('Service Name'))]"
],
"tags": {
},
"properties": {
"tenantId": "[subscription().tenantId]",
"accessPolicies": [
{
"tenantId": "[reference(resourceId('Microsoft.ApiManagement/service', variables('Service Name')), '2019-01-01', 'Full').identity.tenantId]",
"objectId": "[reference(resourceId('Microsoft.ApiManagement/service', variables('Service Name')), '2019-01-01', 'Full').identity.principalId]",
"permissions": {
"secrets": [
"get"
]
}
}
],
"sku": {
"family": "A",
"name": "standard"
}
},
"resources": [
{
"type": "secrets",
"name": "[variables('Secret Name')]",
"apiVersion": "2018-02-14",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('Vault Name'))]"
],
"tags": {
},
"properties": {
"value": "[parameters('secretValue')]",
"contentType": "string"
}
}
]
}
],
"outputs": {
"public-ip": {
"type": "string",
"value": "[reference(resourceId('Microsoft.ApiManagement/service', variables('Service Name'))).publicIPAddresses[0]]"
}
}
}
You can’t perform that action at this time.