From 0e61a5cbe0edb2845889e085745fac2195e738aa Mon Sep 17 00:00:00 2001 
From: John Date: Thu, 16 Nov 2023 17:16:17 +0100 Subject: [PATCH] feat: Added user defined type for Key Vault Access Policies (#622) ## Description This pull request introduces the type `accessPoliciesType` so the author experience is enhanced when using this parameter to set access policies. I have added the `accessPoliciesType` to `key-vault/vault/main.bicep` and `key-vault/vault/access-policy`. Besides the addition of the type I have removed `formattedAccessPolicies` because the user-defined type has taken over the task to enforce required properties. This makes it simpler for the user to read and use the key vault main.bicep. I have tested the modules by deploying to my Azure environment: 1. **With** access policies configured in bicepparam: ```bicepparam using './main.bicep' param name = 'br-kv-john-test-no-ap' param enableRbacAuthorization = false param accessPolicies = [ { objectId: '' permissions: { certificates: [ 'all' ] keys: [ 'all' ] secrets: [ 'all' ] storage: [ 'all' ] } tenantId: '' } ] ``` **Successful deployment** image 2. **Without** access policies configured in bicepparam to showcase it is optional: ```bicepparam using './main.bicep' param name = 'br-kv-john-test-no-ap' ``` **Successful deployment** image ## Updating an existing module - [ ] I have run `brm validate` locally to verify the module files. - [x] I have run deployment tests locally to ensure the module is deployable. - [x] I have read the [Updating an existing module](https://github.com/Azure/bicep-registry-modules/blob/main/CONTRIBUTING.md#updating-an-existing-module) section in the contributing guide and updated the `version.json` file properly: - [ ] The PR contains backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`. - [x] The PR contains backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] The PR contains breaking changes, and I have bumped the MAJOR version in `version.json`. 
- [ ] I have updated the examples in README with the latest module version number.
---
 CONTRIBUTING.md | 9 +-
 avm/res/key-vault/vault/README.md | 73 +++++
 .../key-vault/vault/access-policy/README.md | 73 +++++
 .../key-vault/vault/access-policy/main.bicep | 36 ++-
 .../key-vault/vault/access-policy/main.json | 147 ++++++++-
 avm/res/key-vault/vault/key/main.json | 4 +-
 avm/res/key-vault/vault/main.bicep | 35 +-
 avm/res/key-vault/vault/main.json | 302 ++++++++++++++++--
 avm/res/key-vault/vault/secret/main.json | 4 +-
 avm/res/key-vault/vault/version.json | 2 +-
 10 files changed, 640 insertions(+), 45 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 1b2b781385..65151cb56a 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -310,19 +310,18 @@ The `brm validate` command mentioned in the above step does not deploy the `test Once the module files are validated locally, you can commit your changes and open a pull request. You must link the new module proposal in the pull request description if you are trying to add a new module. Adding or updating multiple modules is not supported and will cause a failure in the pull request validation CI, so please only add or change one module at a time. -## Prefix the PR TItle based on the type of change. +## Prefix the pull request title based on the type of change -The modules in the repository follow Semantic Versioning. -A GitHub action checks that PRs include a prefix. This acts as a stepping stone to automating the version incrementing, this action requires each PR have a semantic prefix. +The modules in the repository follow Semantic Versioning. A GitHub action checks that pull requests include a prefix. This acts as a stepping stone to automating the version incrementing, this GitHub action requires each pull request to have a semantic prefix. -Example PR Tiles: +Example pull request titles: - Creating a new module: `feat(new): Storage Account Module` - Add a bug fix to existing module: `fix: Storage Account does not properly format output` - Add a feature to existing module `feat: Add input parameter to deploy storage into vnet` - Add a breaking change to a module due to refactoring: `refactor!: Use custom types in storage account` -More details can be found [here] about each prefix(https://www.conventionalcommits.org/en/v1.0.0/). +More details on prefixes can be found [here](https://www.conventionalcommits.org/en/v1.0.0/). Recommend prefixes include: diff --git a/avm/res/key-vault/vault/README.md b/avm/res/key-vault/vault/README.md index 41d4f8ec4d..c87d3bb406 100644 --- a/avm/res/key-vault/vault/README.md +++ b/avm/res/key-vault/vault/README.md 
@@ -886,6 +886,79 @@ All access policies to create. - Required: No - Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationId`](#parameter-accesspoliciesapplicationid) | No | string | Optional. Application ID of the client making request on behalf of a principal. | +| [`objectId`](#parameter-accesspoliciesobjectid) | Yes | string | Required. The object ID of a user, service principal or security group in the tenant for the vault. | +| [`permissions`](#parameter-accesspoliciespermissions) | Yes | object | | +| [`tenantId`](#parameter-accesspoliciestenantid) | No | string | Optional. The tenant ID that is used for authenticating requests to the key vault. | + +### Parameter: `accessPolicies.applicationId` + +Optional. Application ID of the client making request on behalf of a principal. + +- Required: No +- Type: string + +### Parameter: `accessPolicies.objectId` + +Required. The object ID of a user, service principal or security group in the tenant for the vault. + +- Required: Yes +- Type: string + +### Parameter: `accessPolicies.permissions` +- Required: Yes +- Type: object + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`certificates`](#parameter-accesspoliciespermissionscertificates) | No | array | Optional. Permissions to certificates. | +| [`keys`](#parameter-accesspoliciespermissionskeys) | No | array | Optional. Permissions to keys. | +| [`secrets`](#parameter-accesspoliciespermissionssecrets) | No | array | Optional. Permissions to secrets. | +| [`storage`](#parameter-accesspoliciespermissionsstorage) | No | array | Optional. Permissions to storage accounts. | + +### Parameter: `accessPolicies.permissions.certificates` + +Optional. Permissions to certificates. 
+ +- Required: No +- Type: array +- Allowed: `[all, backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update]` + +### Parameter: `accessPolicies.permissions.keys` + +Optional. Permissions to keys. + +- Required: No +- Type: array +- Allowed: `[all, backup, create, decrypt, delete, encrypt, get, getrotationpolicy, import, list, purge, recover, release, restore, rotate, setrotationpolicy, sign, unwrapKey, update, verify, wrapKey]` + +### Parameter: `accessPolicies.permissions.secrets` + +Optional. Permissions to secrets. + +- Required: No +- Type: array +- Allowed: `[all, backup, delete, get, list, purge, recover, restore, set]` + +### Parameter: `accessPolicies.permissions.storage` + +Optional. Permissions to storage accounts. + +- Required: No +- Type: array +- Allowed: `[all, backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas, update]` + + +### Parameter: `accessPolicies.tenantId` + +Optional. The tenant ID that is used for authenticating requests to the key vault. + +- Required: No +- Type: string + ### Parameter: `createMode` The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. diff --git a/avm/res/key-vault/vault/access-policy/README.md b/avm/res/key-vault/vault/access-policy/README.md index f3fbb5be3b..8bec047b9f 100644 --- a/avm/res/key-vault/vault/access-policy/README.md +++ b/avm/res/key-vault/vault/access-policy/README.md 
@@ -35,6 +35,79 @@ An array of 0 to 16 identities that have access to the key vault. All identities - Required: No - Type: array + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`applicationId`](#parameter-accesspoliciesapplicationid) | No | string | Optional. Application ID of the client making request on behalf of a principal. | +| [`objectId`](#parameter-accesspoliciesobjectid) | Yes | string | Required. The object ID of a user, service principal or security group in the tenant for the vault. | +| [`permissions`](#parameter-accesspoliciespermissions) | Yes | object | | +| [`tenantId`](#parameter-accesspoliciestenantid) | No | string | Optional. The tenant ID that is used for authenticating requests to the key vault. | + +### Parameter: `accessPolicies.applicationId` + +Optional. Application ID of the client making request on behalf of a principal. + +- Required: No +- Type: string + +### Parameter: `accessPolicies.objectId` + +Required. The object ID of a user, service principal or security group in the tenant for the vault. + +- Required: Yes +- Type: string + +### Parameter: `accessPolicies.permissions` +- Required: Yes +- Type: object + +| Name | Required | Type | Description | +| :-- | :-- | :--| :-- | +| [`certificates`](#parameter-accesspoliciespermissionscertificates) | No | array | Optional. Permissions to certificates. | +| [`keys`](#parameter-accesspoliciespermissionskeys) | No | array | Optional. Permissions to keys. | +| [`secrets`](#parameter-accesspoliciespermissionssecrets) | No | array | Optional. Permissions to secrets. | +| [`storage`](#parameter-accesspoliciespermissionsstorage) | No | array | Optional. Permissions to storage accounts. | + +### Parameter: `accessPolicies.permissions.certificates` + +Optional. Permissions to certificates. 
+ +- Required: No +- Type: array +- Allowed: `[all, backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update]` + +### Parameter: `accessPolicies.permissions.keys` + +Optional. Permissions to keys. + +- Required: No +- Type: array +- Allowed: `[all, backup, create, decrypt, delete, encrypt, get, getrotationpolicy, import, list, purge, recover, release, restore, rotate, setrotationpolicy, sign, unwrapKey, update, verify, wrapKey]` + +### Parameter: `accessPolicies.permissions.secrets` + +Optional. Permissions to secrets. + +- Required: No +- Type: array +- Allowed: `[all, backup, delete, get, list, purge, recover, restore, set]` + +### Parameter: `accessPolicies.permissions.storage` + +Optional. Permissions to storage accounts. + +- Required: No +- Type: array +- Allowed: `[all, backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas, update]` + + +### Parameter: `accessPolicies.tenantId` + +Optional. The tenant ID that is used for authenticating requests to the key vault. + +- Required: No +- Type: string + ### Parameter: `keyVaultName` The name of the parent key vault. Required if the template is used in a standalone deployment. diff --git a/avm/res/key-vault/vault/access-policy/main.bicep b/avm/res/key-vault/vault/access-policy/main.bicep index d037981e0c..5968e0f28c 100644 --- a/avm/res/key-vault/vault/access-policy/main.bicep +++ b/avm/res/key-vault/vault/access-policy/main.bicep 
@@ -6,13 +6,13 @@ metadata owner = 'Azure/module-maintainers'
 param keyVaultName string
 
 @description('Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault\'s tenant ID.')
-param accessPolicies array?
+param accessPolicies accessPoliciesType
 
 var formattedAccessPolicies = [for accessPolicy in (accessPolicies ?? []): {
-  applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : ''
-  objectId: contains(accessPolicy, 'objectId') ? accessPolicy.objectId : ''
+  applicationId: accessPolicy.?applicationId ?? ''
+  objectId: accessPolicy.objectId
   permissions: accessPolicy.permissions
-  tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId
+  tenantId: accessPolicy.?tenantId ?? tenant().tenantId
 }]
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
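Review bot: The parameter description kept on the context line still promises "an array of 0 to 16 identities", but the new `accessPoliciesType` constrains only the shape of each element, not the array length, so an oversized list would presumably be rejected by the service at deployment time rather than at compile time. If the compiler accepts a length decorator on the nullable array type, adding `@maxLength(16)` directly above `param accessPolicies accessPoliciesType` would make the documented limit enforceable; if it does not, the description should say that the limit is checked by the service. With `objectId` now required by the type, the old `'' ` fallback for a missing object ID is gone, which is the right direction since an empty principal never matched anything meaningful.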
@@ -35,3 +35,31 @@ output name string = policies.name
 
 @description('The resource ID of the access policies assignment.')
 output resourceId string = policies.id
+
+// ================ //
+// Definitions //
+// ================ //
+type accessPoliciesType = {
+  @description('Optional. The tenant ID that is used for authenticating requests to the key vault.')
+  tenantId: string?
+
+  @description('Required. The object ID of a user, service principal or security group in the tenant for the vault.')
+  objectId: string
+
+  @description('Optional. Application ID of the client making request on behalf of a principal.')
+  applicationId: string?
+
+  permissions: {
+    @description('Optional. Permissions to keys.')
+    keys: ('all' | 'backup' | 'create' | 'decrypt' | 'delete' | 'encrypt' | 'get' | 'getrotationpolicy' | 'import' | 'list' | 'purge' | 'recover' | 'release' | 'restore' | 'rotate' | 'setrotationpolicy' | 'sign' | 'unwrapKey' | 'update' | 'verify' | 'wrapKey')[]?
+
+    @description('Optional. Permissions to secrets.')
+    secrets: ('all' | 'backup' | 'delete' | 'get' | 'list' | 'purge' | 'recover' | 'restore' | 'set')[]?
+
+    @description('Optional. Permissions to certificates.')
+    certificates: ('all' | 'backup' | 'create' | 'delete' | 'deleteissuers' | 'get' | 'getissuers' | 'import' | 'list' | 'listissuers' | 'managecontacts' | 'manageissuers' | 'purge' | 'recover' | 'restore' | 'setissuers' | 'update')[]?
+
+    @description('Optional. Permissions to storage accounts.')
+    storage: ('all' | 'backup' | 'delete' | 'deletesas' | 'get' | 'getsas' | 'list' | 'listsas' | 'purge' | 'recover' | 'regeneratekey' | 'restore' | 'set' | 'setsas' | 'update')[]?
+  }
+}[]?
diff --git a/avm/res/key-vault/vault/access-policy/main.json b/avm/res/key-vault/vault/access-policy/main.json
index 8aa7ea483d..afeab4a10b 100644
--- a/avm/res/key-vault/vault/access-policy/main.json
+++ b/avm/res/key-vault/vault/access-policy/main.json
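Review bot: `permissions` is the only member of the new type without an `@description`, which is why the generated README rows for `accessPolicies.permissions` in both README hunks above have an empty Description cell; add `@description('Required. Permissions to keys, secrets, certificates and storage accounts.')` above `permissions: {`. The same definition is repeated verbatim in vault/main.bicep (the hunk following `type lockType`), so the two copies are kept in sync by hand; a one-line comment on each copy, e.g. `// Keep in sync with the accessPoliciesType in ../main.bicep`, would make drift easier to catch in review. Since all four permission lists are optional, a policy whose `permissions` is `{}` passes type checking, which is the safe direction for an access-control input but worth stating in the description so authors do not assume a default grant.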
@@ -5,13 +5,147 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4111939022872407830" + "version": "0.21.1.54444", + "templateHash": "16565480734433924198" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", "owner": "Azure/module-maintainers" }, + "definitions": { + "accessPoliciesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "tenantId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The tenant ID that is used for authenticating requests to the key vault." + } + }, + "objectId": { + "type": "string", + "metadata": { + "description": "Required. The object ID of a user, service principal or security group in the tenant for the vault." + } + }, + "applicationId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Application ID of the client making request on behalf of a principal." + } + }, + "permissions": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "decrypt", + "delete", + "encrypt", + "get", + "getrotationpolicy", + "import", + "list", + "purge", + "recover", + "release", + "restore", + "rotate", + "setrotationpolicy", + "sign", + "unwrapKey", + "update", + "verify", + "wrapKey" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to keys." + } + }, + "secrets": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "get", + "list", + "purge", + "recover", + "restore", + "set" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to secrets." 
+ } + }, + "certificates": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "delete", + "deleteissuers", + "get", + "getissuers", + "import", + "list", + "listissuers", + "managecontacts", + "manageissuers", + "purge", + "recover", + "restore", + "setissuers", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to certificates." + } + }, + "storage": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "deletesas", + "get", + "getsas", + "list", + "listsas", + "purge", + "recover", + "regeneratekey", + "restore", + "set", + "setsas", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to storage accounts." + } + } + } + } + } + }, + "nullable": true + } + }, "parameters": { "keyVaultName": { "type": "string", @@ -20,8 +154,7 @@ } }, "accessPolicies": { - "type": "array", - "nullable": true, + "$ref": "#/definitions/accessPoliciesType", "metadata": { "description": "Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." } 
@@ -33,10 +166,10 @@ "name": "formattedAccessPolicies", "count": "[length(coalesce(parameters('accessPolicies'), createArray()))]", "input": { - "applicationId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].applicationId, '')]", - "objectId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'objectId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId, '')]", + "applicationId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), '')]", + "objectId": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId]", "permissions": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].tenantId, tenant().tenantId)]" + "tenantId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), tenant().tenantId)]" } } ] diff --git a/avm/res/key-vault/vault/key/main.json b/avm/res/key-vault/vault/key/main.json index 6e85c7d6ad..7ea489a81b 100644 --- a/avm/res/key-vault/vault/key/main.json +++ b/avm/res/key-vault/vault/key/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2691621623448325959" + "version": "0.21.1.54444", + "templateHash": "10926648479875609377" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", 
diff --git a/avm/res/key-vault/vault/main.bicep b/avm/res/key-vault/vault/main.bicep
index fa2f17d1d7..3dff6ecf6c 100644
--- a/avm/res/key-vault/vault/main.bicep
+++ b/avm/res/key-vault/vault/main.bicep
@@ -13,7 +13,7 @@ param name string
 param location string = resourceGroup().location
 
 @description('Optional. All access policies to create.')
-param accessPolicies array?
+param accessPolicies accessPoliciesType
 
 @description('Optional. All secrets to create.')
 @secure()
@@ -104,10 +104,10 @@ var builtInRoleNames = {
 }
 
 var formattedAccessPolicies = [for accessPolicy in (accessPolicies ?? []): {
-  applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : ''
-  objectId: contains(accessPolicy, 'objectId') ? accessPolicy.objectId : ''
+  applicationId: accessPolicy.?applicationId ?? ''
+  objectId: accessPolicy.objectId
   permissions: accessPolicy.permissions
-  tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId
+  tenantId: accessPolicy.?tenantId ?? tenant().tenantId
 }]
 
 var secretList = secrets.?secureList ?? []
@@ -202,7 +202,7 @@ module keyVault_accessPolicies 'access-policy/main.bicep' = if (!empty(accessPol
   name: '${uniqueString(deployment().name, location)}-KeyVault-AccessPolicies'
   params: {
     keyVaultName: keyVault.name
-    accessPolicies: formattedAccessPolicies
+    accessPolicies: accessPolicies
   }
 }
 
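Review bot: `formattedAccessPolicies` in vault/main.bicep is still rewritten in the second hunk but no longer consumed: the third hunk passes `accessPolicies` straight to the child module, and the PR description says the variable was removed. Unless it is referenced somewhere outside these hunks, it is now dead code that the Bicep linter's `no-unused-vars` rule would flag (the `brm validate` item is left unchecked in the description); delete the `var formattedAccessPolicies = [...]` block and let the child module apply the `applicationId` and `tenantId` defaults, as it already does. Separately, the regenerated main.json files report `_generator.version` 0.21.1.54444 where the previous commit was built with 0.23.1.45101, which is why key/main.json and secret/main.json change only by templateHash; rebuilding with the same Bicep version as the rest of the repository would avoid that churn and keep the compiled output reproducible.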
@@ -423,3 +423,28 @@ type lockType = {
   @description('Optional. Specify the type of lock.')
   kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
 }?
+
+type accessPoliciesType = {
+  @description('Optional. The tenant ID that is used for authenticating requests to the key vault.')
+  tenantId: string?
+
+  @description('Required. The object ID of a user, service principal or security group in the tenant for the vault.')
+  objectId: string
+
+  @description('Optional. Application ID of the client making request on behalf of a principal.')
+  applicationId: string?
+
+  permissions: {
+    @description('Optional. Permissions to keys.')
+    keys: ('all' | 'backup' | 'create' | 'decrypt' | 'delete' | 'encrypt' | 'get' | 'getrotationpolicy' | 'import' | 'list' | 'purge' | 'recover' | 'release' | 'restore' | 'rotate' | 'setrotationpolicy' | 'sign' | 'unwrapKey' | 'update' | 'verify' | 'wrapKey')[]?
+
+    @description('Optional. Permissions to secrets.')
+    secrets: ('all' | 'backup' | 'delete' | 'get' | 'list' | 'purge' | 'recover' | 'restore' | 'set')[]?
+
+    @description('Optional. Permissions to certificates.')
+    certificates: ('all' | 'backup' | 'create' | 'delete' | 'deleteissuers' | 'get' | 'getissuers' | 'import' | 'list' | 'listissuers' | 'managecontacts' | 'manageissuers' | 'purge' | 'recover' | 'restore' | 'setissuers' | 'update')[]?
+
+    @description('Optional. Permissions to storage accounts.')
+    storage: ('all' | 'backup' | 'delete' | 'deletesas' | 'get' | 'getsas' | 'list' | 'listsas' | 'purge' | 'recover' | 'regeneratekey' | 'restore' | 'set' | 'setsas' | 'update')[]?
+  }
+}[]?
diff --git a/avm/res/key-vault/vault/main.json b/avm/res/key-vault/vault/main.json
index 0607d1deac..4f1aa9e271 100644
--- a/avm/res/key-vault/vault/main.json
+++ b/avm/res/key-vault/vault/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "7132385713843537541" + "version": "0.21.1.54444", + "templateHash": "15892116294747624679" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", 
@@ -358,6 +358,138 @@ } }, "nullable": true + }, + "accessPoliciesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "tenantId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The tenant ID that is used for authenticating requests to the key vault." + } + }, + "objectId": { + "type": "string", + "metadata": { + "description": "Required. The object ID of a user, service principal or security group in the tenant for the vault." + } + }, + "applicationId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Application ID of the client making request on behalf of a principal." + } + }, + "permissions": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "decrypt", + "delete", + "encrypt", + "get", + "getrotationpolicy", + "import", + "list", + "purge", + "recover", + "release", + "restore", + "rotate", + "setrotationpolicy", + "sign", + "unwrapKey", + "update", + "verify", + "wrapKey" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to keys." + } + }, + "secrets": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "get", + "list", + "purge", + "recover", + "restore", + "set" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to secrets." + } + }, + "certificates": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "delete", + "deleteissuers", + "get", + "getissuers", + "import", + "list", + "listissuers", + "managecontacts", + "manageissuers", + "purge", + "recover", + "restore", + "setissuers", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to certificates." 
+ } + }, + "storage": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "deletesas", + "get", + "getsas", + "list", + "listsas", + "purge", + "recover", + "regeneratekey", + "restore", + "set", + "setsas", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to storage accounts." + } + } + } + } + } + }, + "nullable": true } }, "parameters": { @@ -376,8 +508,7 @@ } }, "accessPolicies": { - "type": "array", - "nullable": true, + "$ref": "#/definitions/accessPoliciesType", "metadata": { "description": "Optional. All access policies to create." } 
@@ -527,10 +658,10 @@ "name": "formattedAccessPolicies", "count": "[length(coalesce(parameters('accessPolicies'), createArray()))]", "input": { - "applicationId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].applicationId, '')]", - "objectId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'objectId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId, '')]", + "applicationId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), '')]", + "objectId": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId]", "permissions": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].tenantId, tenant().tenantId)]" + "tenantId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), tenant().tenantId)]" } } ], @@ -672,7 +803,7 @@ "value": "[parameters('name')]" }, "accessPolicies": { - "value": "[variables('formattedAccessPolicies')]" + "value": "[parameters('accessPolicies')]" } }, "template": { 
@@ -682,13 +813,147 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "4111939022872407830" + "version": "0.21.1.54444", + "templateHash": "16565480734433924198" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", "owner": "Azure/module-maintainers" }, + "definitions": { + "accessPoliciesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "tenantId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The tenant ID that is used for authenticating requests to the key vault." + } + }, + "objectId": { + "type": "string", + "metadata": { + "description": "Required. The object ID of a user, service principal or security group in the tenant for the vault." + } + }, + "applicationId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Application ID of the client making request on behalf of a principal." + } + }, + "permissions": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "decrypt", + "delete", + "encrypt", + "get", + "getrotationpolicy", + "import", + "list", + "purge", + "recover", + "release", + "restore", + "rotate", + "setrotationpolicy", + "sign", + "unwrapKey", + "update", + "verify", + "wrapKey" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to keys." + } + }, + "secrets": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "get", + "list", + "purge", + "recover", + "restore", + "set" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to secrets." 
+ } + }, + "certificates": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "delete", + "deleteissuers", + "get", + "getissuers", + "import", + "list", + "listissuers", + "managecontacts", + "manageissuers", + "purge", + "recover", + "restore", + "setissuers", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to certificates." + } + }, + "storage": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "deletesas", + "get", + "getsas", + "list", + "listsas", + "purge", + "recover", + "regeneratekey", + "restore", + "set", + "setsas", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to storage accounts." + } + } + } + } + } + }, + "nullable": true + } + }, "parameters": { "keyVaultName": { "type": "string", @@ -697,8 +962,7 @@ } }, "accessPolicies": { - "type": "array", - "nullable": true, + "$ref": "#/definitions/accessPoliciesType", "metadata": { "description": "Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." } 
@@ -710,10 +974,10 @@ "name": "formattedAccessPolicies", "count": "[length(coalesce(parameters('accessPolicies'), createArray()))]", "input": { - "applicationId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].applicationId, '')]", - "objectId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'objectId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId, '')]", + "applicationId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), '')]", + "objectId": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId]", "permissions": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[if(contains(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].tenantId, tenant().tenantId)]" + "tenantId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), tenant().tenantId)]" } } ] @@ -815,8 +1079,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9180551172362989336" + "version": "0.21.1.54444", + "templateHash": "16336835405945824329" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", 
@@ -1104,8 +1368,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "2691621623448325959" + "version": "0.21.1.54444", + "templateHash": "10926648479875609377" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", diff --git a/avm/res/key-vault/vault/secret/main.json b/avm/res/key-vault/vault/secret/main.json index f778252db1..b62da35740 100644 --- a/avm/res/key-vault/vault/secret/main.json +++ b/avm/res/key-vault/vault/secret/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.23.1.45101", - "templateHash": "9180551172362989336" + "version": "0.21.1.54444", + "templateHash": "16336835405945824329" }, "name": "Key Vault Secrets", "description": "This module deploys a Key Vault Secret.", diff --git a/avm/res/key-vault/vault/version.json b/avm/res/key-vault/vault/version.json index 1c035df49f..c177b1bb58 100644 --- a/avm/res/key-vault/vault/version.json +++ b/avm/res/key-vault/vault/version.json @@ -1,6 +1,6 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.2", + "version": "0.3", "pathFilters": [ "./main.json" ]