Keyvault cleanup - Change variables

scripts/aks/bootstrap.sh

@@ -443,7 +443,7 @@ echo "Bootstrap advanced network for aks instance \"${CLUSTER_NAME}\"... "
 SECRET_NAME="radix-clusters"
 update_keyvault="true"
 K8S_CLUSTER_LIST=$(az keyvault secret show \
-    --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+    --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
     --query="value" \
     --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
@@ -455,7 +455,7 @@ if [[ ${update_keyvault} == true ]]; then
     EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 
     #printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
-    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
         printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
         exit 1
     fi
@@ -465,7 +465,7 @@ fi
 #Lets run it again interactivly
 
 K8S_CLUSTER_LIST=$(az keyvault secret show \
-    --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+    --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
     --query="value" \
     --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
@@ -477,7 +477,7 @@ if [[ ${update_keyvault} == true ]]; then
     EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 
     printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
-    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
         printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
         exit 1
     fi

scripts/aks/clusterlist.sh

@@ -92,7 +92,7 @@ source ${RADIX_PLATFORM_REPOSITORY_PATH}/scripts/utility/lib_clusterlist.sh
 ###
 
 K8S_CLUSTER_LIST=$(az keyvault secret show \
-    --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+    --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
     --query="value" \
     --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
@@ -104,7 +104,7 @@ if [[ ${update_keyvault} == true ]]; then
     EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 
     printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
-    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
         printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
         exit 1
     fi

scripts/aks/teardown.sh

@@ -410,7 +410,7 @@ echo "Done."
 SECRET_NAME="radix-clusters"
 update_keyvault="true"
 K8S_CLUSTER_LIST=$(az keyvault secret show \
-    --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+    --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
     --query="value" \
     --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
@@ -422,7 +422,7 @@ if [[ ${update_keyvault} == true ]]; then
     EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 
     #printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
-    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+    if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
         printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
         exit 1
     fi

scripts/aks/update_api_server_whitelist.sh

@@ -81,7 +81,7 @@ fi
 
 # Define script variables
 
-SECRET_NAME="kubernetes-api-server-whitelist-ips-${RADIX_ENVIRONMENT}"
+SECRET_NAME="kubernetes-api-auth-ip-range"
 update_keyvault=false
 
 #######################################################################################

scripts/cicd-canary/scaling/create-managed-identity.sh

@@ -176,7 +176,7 @@ rm ${tmp_file_name}
 # TODO: DevOps issue 259748, downgrade Contributor role when new role is ready
 # https://github.com/equinor/Solum/issues/10900
 create_role_assignment_for_identity "${mi_name}" "${AKS_COMMAND_RUNNER_ROLE_NAME}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
-set-kv-policy "${mi_object_id}" "get"
+# set-kv-policy "${mi_object_id}" "get"
 create-role-and-rolebinding "${WORKDIR_PATH}/role.yaml" "${WORKDIR_PATH}/rolebinding.yaml"
 modify-role-binding ${mi_object_id}
 add-federated-gh-credentials ${mi_name} "radix-platform" "master"

scripts/config-and-secrets/bootstrap-acr.sh

@@ -109,7 +109,7 @@ verify_cluster_access
 printf "Installing registry sp secret in k8s cluster...\n"
 
 az keyvault secret download \
-    --vault-name "$AZ_COMMON_KEYVAULT" \
+    --vault-name "$AZ_RESOURCE_KEYVAULT" \
     --name "radix-cr-cicd" \
     --file sp_credentials.json
 
@@ -141,7 +141,7 @@ printf "\nDone\n"
 printf "Installing app registry secret in k8s cluster...\n"
 
 az keyvault secret download \
-    --vault-name "$AZ_COMMON_KEYVAULT" \
+    --vault-name "$AZ_RESOURCE_KEYVAULT" \
     --name "${AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY}" \
     --file acr_password.json
 

scripts/dockerhub/update_docker_auth.sh

@@ -111,7 +111,7 @@ echo -e "Update Docker auth in keyvault:"
 echo -e ""
 echo -e "   > WHERE:"
 echo -e "   ------------------------------------------------------------------"
-echo -e "   -  AZ_RESOURCE_KEYVAULT             : $AZ_COMMON_KEYVAULT"
+echo -e "   -  AZ_RESOURCE_KEYVAULT             : $AZ_RESOURCE_KEYVAULT"
 echo -e ""
 echo -e "   > WHAT:"
 echo -e "   ------------------------------------------------------------------"
@@ -147,13 +147,13 @@ printf "Updating Docker auth in keyvault... "
 EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME") # The secrets have no real expiration date
 
 az keyvault secret set \
-    --vault-name "${AZ_COMMON_KEYVAULT}" \
+    --vault-name "${AZ_RESOURCE_KEYVAULT}" \
     --name docker-io-auth-username \
     --value "${USER_NAME}" \
     --expires "${EXPIRY_DATE}" --output none || exit
 
 az keyvault secret set \
-    --vault-name "${AZ_COMMON_KEYVAULT}" \
+    --vault-name "${AZ_RESOURCE_KEYVAULT}" \
     --name docker-io-auth-access-token \
     --value "${ACCESS_TOKEN}" \
     --expires "${EXPIRY_DATE}" --output none || exit

scripts/flux/bootstrap.sh

@@ -171,7 +171,7 @@ echo -e "   -  CLUSTER_NAME                     : $CLUSTER_NAME"
 echo -e ""
 echo -e "   > WHAT:"
 echo -e "   -------------------------------------------------------------------"
-echo -e "   -  AZ_RESOURCE_KEYVAULT             : $AZ_COMMON_KEYVAULT"
+echo -e "   -  AZ_RESOURCE_KEYVAULT             : $AZ_RESOURCE_KEYVAULT"
 echo -e "   -  GIT_REPO                         : $GIT_REPO"
 echo -e "   -  GIT_BRANCH                       : $GIT_BRANCH"
 echo -e "   -  GIT_DIR                          : $GIT_DIR"
@@ -231,8 +231,8 @@ printf "...Done"
 ### CREDENTIALS
 ###
 
-FLUX_PRIVATE_KEY="$(az keyvault secret show --name "$FLUX_PRIVATE_KEY_NAME" --vault-name "$AZ_COMMON_KEYVAULT")"
-# FLUX_PUBLIC_KEY="$(az keyvault secret show --name "$FLUX_PUBLIC_KEY_NAME" --vault-name "$AZ_COMMON_KEYVAULT")"
+FLUX_PRIVATE_KEY="$(az keyvault secret show --name "$FLUX_PRIVATE_KEY_NAME" --vault-name "$AZ_RESOURCE_KEYVAULT")"
+# FLUX_PUBLIC_KEY="$(az keyvault secret show --name "$FLUX_PUBLIC_KEY_NAME" --vault-name "$AZ_RESOURCE_KEYVAULT")"
 
 # printf "\nLooking for flux deploy keys for GitHub in keyvault \"${AZ_RESOURCE_KEYVAULT}\"..."
 # if [[ -z "$FLUX_PRIVATE_KEY" ]] || [[ -z "$FLUX_PUBLIC_KEY" ]]; then
@@ -258,7 +258,7 @@ FLUX_PRIVATE_KEY="$(az keyvault secret show --name "$FLUX_PRIVATE_KEY_NAME" --va
 # fi
 
 az keyvault secret download \
-    --vault-name "$AZ_COMMON_KEYVAULT" \
+    --vault-name "$AZ_RESOURCE_KEYVAULT" \
     --name "$FLUX_PRIVATE_KEY_NAME" \
     --file "$FLUX_PRIVATE_KEY_NAME" \
     2>&1 >/dev/null
@@ -268,7 +268,7 @@ printf "...Done\n"
 # Create secret for Flux v2 to use to authenticate with ACR.
 printf "\nCreating k8s secret \"radix-docker\"..."
 az keyvault secret download \
-    --vault-name "$AZ_COMMON_KEYVAULT" \
+    --vault-name "$AZ_RESOURCE_KEYVAULT" \
     --name "radix-cr-cicd" \
     --file sp_credentials.json \
     2>&1 >/dev/null
@@ -309,7 +309,7 @@ else
 fi
 
 printf "\nGetting Slack Webhook URL..."
-SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name $AZ_RESOURCE_KEYVAULT --name $KV_SECRET_SLACK_WEBHOOK | jq -r .value)"
+SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name $AZ_RESOURCE_KEYVAULT --name slack-webhook | jq -r .value)"
 printf "...Done\n"
 
 IMAGE_REGISTRY="${AZ_RESOURCE_CONTAINER_REGISTRY}.azurecr.io"

scripts/github_maintenance/bootstrap.sh

@@ -118,7 +118,7 @@ object_id=$(az identity show --name "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMEN
     exit 1
 }
 
-set-kv-policy "${object_id}" "get set"
+# set-kv-policy "${object_id}" "get set"
 
 namespaces=("default" "ingress-nginx" "radix-web-console-qa" "radix-cicd-canary" "flux-system" "radix-api-qa" "radix-canary-golang-qa" "radix-cost-allocation-api-qa" "radix-platform-qa" "radix-github-webhook-qa" "monitor")
 

scripts/migrate.sh

@@ -669,7 +669,7 @@ if [[ $ENABLE_NOTIFY == true ]]; then
     # Notify on slack
     echo "Notify on slack"
     # Get slack webhook url
-    SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name "$AZ_RESOURCE_KEYVAULT" --name "$KV_SECRET_SLACK_WEBHOOK" | jq -r .value)"
+    SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name "$AZ_RESOURCE_KEYVAULT" --name slack-webhook | jq -r .value)"
     curl -X POST -H 'Content-type: application/json' --data '{"text":"'"$slack_users"' Restore has been completed.","link_names":1}' "$SLACK_WEBHOOK_URL"
 fi
 

scripts/radix-zone/radix_zone_c2.env

@@ -63,8 +63,7 @@ AZ_RESOURCE_GROUP_IPPRE="common-${AZ_RADIX_ZONE_LOCATION}"
 AZ_REDIS_CACHE_SKU="Standard"
 
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-${RADIX_ZONE}"
+AZ_RESOURCE_KEYVAULT="radix-keyv-${RADIX_ZONE}"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
 
@@ -117,7 +116,7 @@ MI_AKSKUBELET="radix-id-akskubelet-${RADIX_ZONE}"
 ### Key vault secrets
 ###
 
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 
 KV_EXPIRATION_TIME="12 months"
 
@@ -196,7 +195,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
 
 #######################################################################################

scripts/radix-zone/radix_zone_dev.env

@@ -65,8 +65,7 @@ AZ_RESOURCE_GROUP_IPPRE="common"
 AZ_REDIS_CACHE_SKU="Basic"
 
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-${RADIX_ZONE}"
+AZ_RESOURCE_KEYVAULT="radix-keyv-${RADIX_ZONE}"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
 
@@ -120,7 +119,7 @@ MI_GITHUB_MAINTENANCE="radix-github-maintenance"
 ### Key vault secrets
 ###
 
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 
 KV_EXPIRATION_TIME="12 months"
 
@@ -198,7 +197,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
 
 #######################################################################################

scripts/radix-zone/radix_zone_playground.env

@@ -64,8 +64,7 @@ AZ_RESOURCE_GROUP_IPPRE="common"
 AZ_REDIS_CACHE_SKU="Standard"
 
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-${RADIX_ZONE}"
+AZ_RESOURCE_KEYVAULT="radix-keyv-${RADIX_ZONE}"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
 
@@ -118,7 +117,7 @@ MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-northeurope"
 ### Key vault secrets
 ###
 
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 
 KV_EXPIRATION_TIME="12 months"
 
@@ -196,7 +195,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
 
 #######################################################################################

scripts/radix-zone/radix_zone_prod.env

@@ -64,8 +64,7 @@ AZ_RESOURCE_GROUP_IPPRE="common"
 AZ_REDIS_CACHE_SKU="Standard"
 
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-platform"
+AZ_RESOURCE_KEYVAULT="radix-keyv-platform"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
 
@@ -119,7 +118,7 @@ MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-northeurope"
 ### Key vault secrets
 ###
 
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 
 KV_EXPIRATION_TIME="12 months"
 
@@ -199,7 +198,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
 
 

scripts/service-principals-and-aad-apps/bootstrap.sh

@@ -210,7 +210,7 @@ create_github_resource_lock_operator() {
     create_oidc_and_federated_credentials "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "${AZ_SUBSCRIPTION_ID}" "radix-platform" "lock-operations-${RADIX_ENVIRONMENT}"
     assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Omnia Authorization Locks Operator" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
     assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Reader" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}/providers/Microsoft.KeyVault/vaults/${AZ_RESOURCE_KEYVAULT}"
-    set-kv-policy "$(az ad sp list --filter "displayname eq '$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR'" | jq -r .[].id)" "get"
+    # set-kv-policy "$(az ad sp list --filter "displayname eq '$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR'" | jq -r .[].id)" "get"
 }
 
 if [[ "$RADIX_ENVIRONMENT" == "dev" ]]; then

scripts/service-principals-and-aad-apps/lib_managed_identity.sh

@@ -220,24 +220,24 @@ function create-role-and-rolebinding {
     printf "Done\n"
 }
 
-function set-kv-policy {
-    local object_id
-    local permissions
-
-    object_id=$1
-    permissions=$2
-
-    printf "Creating vault access policy on %s for %s...\n" "${AZ_RESOURCE_KEYVAULT}" "${object_id}"
-    az keyvault set-policy \
-        --name "${AZ_RESOURCE_KEYVAULT}" \
-        --secret-permissions ${permissions} \
-        --object-id "${object_id}" \
-        --only-show-errors >/dev/null || {
-        echo -e "ERROR: Could not create vault access policy on ${AZ_RESOURCE_KEYVAULT}." >&2
-        exit 1
-    }
-    printf "Done\n"
-}
+# function set-kv-policy {
+#     local object_id
+#     local permissions
+
+#     object_id=$1
+#     permissions=$2
+
+#     printf "Creating vault access policy on %s for %s...\n" "${AZ_RESOURCE_KEYVAULT}" "${object_id}"
+#     az keyvault set-policy \
+#         --name "${AZ_RESOURCE_KEYVAULT}" \
+#         --secret-permissions ${permissions} \
+#         --object-id "${object_id}" \
+#         --only-show-errors >/dev/null || {
+#         echo -e "ERROR: Could not create vault access policy on ${AZ_RESOURCE_KEYVAULT}." >&2
+#         exit 1
+#     }
+#     printf "Done\n"
+# }
 
 function create-az-role {
     local name

scripts/service-principals-and-aad-apps/lib_service_principal.sh

@@ -71,7 +71,7 @@ function update_service_principal_credentials_in_az_keyvault() {
     fi
 
     # Upload to keyvault
-    az keyvault secret set --vault-name "${AZ_COMMON_KEYVAULT}" --name "${name}" --file "${tmp_file_path}" ${expires} 2>&1 >/dev/null
+    az keyvault secret set --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${name}" --file "${tmp_file_path}" ${expires} 2>&1 >/dev/null
 
     # Clean up
     rm -rf "$tmp_file_path"
@@ -561,7 +561,7 @@ function delete_service_principal_and_stored_credentials() {
     az ad sp delete --id "${id}" --output none
 
     printf "deleting credentials in keyvault..."
-    az keyvault secret delete --vault-name "${AZ_COMMON_KEYVAULT}" --name "${name}" --output none
+    az keyvault secret delete --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${name}" --output none
     printf "Done.\n"
 }
 
@@ -572,13 +572,13 @@ function delete_ad_app_and_stored_credentials() {
     printf "Working on ad app \"${name}\": "
 
     # Get id from key vault as trying to use the name is just hopeless for client apps when using cli
-    app_id="$(az keyvault secret show --vault-name ${AZ_COMMON_KEYVAULT} --name "${name}" | jq -r .value | jq -r .id)"
+    app_id="$(az keyvault secret show --vault-name ${AZ_RESOURCE_KEYVAULT} --name "${name}" | jq -r .value | jq -r .id)"
 
     printf "deleting app in az ad..."
     az ad app delete --id "${app_id}" --output none
 
     printf "deleting credentials in keyvault..."
-    az keyvault secret delete --vault-name "${AZ_COMMON_KEYVAULT}" --name "${name}" --output none
+    az keyvault secret delete --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${name}" --output none
     printf "Done.\n"
 }