From dac3c7765b4943e1b7510127317f3055397857bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vebj=C3=B8rn=20Ostnes=20Gaupset?=
Date: Fri, 18 Feb 2022 17:24:27 +0100
Subject: [PATCH 1/4] Securing secrets parameter

---
 arm/Microsoft.KeyVault/vaults/deploy.bicep | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep
index 07e568443c..630bda7449 100644
--- a/arm/Microsoft.KeyVault/vaults/deploy.bicep
+++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep
@@ -9,7 +9,8 @@ param location string = resourceGroup().location
 param accessPolicies array = []
 
 @description('Optional. All secrets to create')
-param secrets array = []
+@secure()
+param secrets object = {}
 
 @description('Optional. All keys to create')
 param keys array = []
@@ -159,6 +160,8 @@ var formattedAccessPolicies = [for accessPolicy in accessPolicies: {
   tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId
 }]
 
+var secretList = !empty(secrets) ? secrets.secrets : []
+
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   name: 'pid-${cuaId}'
   params: {}
@@ -217,7 +220,7 @@ module keyVault_accessPolicies 'accessPolicies/deploy.bicep' = if (!empty(access
   }
 }
 
-module keyVault_secrets 'secrets/deploy.bicep' = [for (secret, index) in secrets: {
+module keyVault_secrets 'secrets/deploy.bicep' = [for (secret, index) in secretList: {
   name: '${uniqueString(deployment().name, location)}-KeyVault-Secret-${index}'
   params: {
     name: secret.name

From 431ea499b5ec51c70dfae5803846aee46cf8669c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vebj=C3=B8rn=20Ostnes=20Gaupset?=
Date: Fri, 18 Feb 2022 17:32:51 +0100
Subject: [PATCH 2/4] Updated readme from array to object

---
 arm/Microsoft.KeyVault/vaults/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md
index b574a28379..8a4b0cb4fb 100644
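Review bot: `@secure()` on `param secrets object = {}` keeps the value out of this deployment's recorded inputs, but only for this template: the `keyVault_secrets` loop at the end of the patch forwards each entry to `secrets/deploy.bicep`, so the child module's value parameter must itself be declared `@secure()` or the secret reappears in the nested deployment's inputs (the child module is not in this patch, so that cannot be confirmed here). Wrapping the list in an object is what makes the decorator usable at all, since Bicep only accepts `@secure()` on string and object parameters, and an empty-object default is the form the `secure-parameter-default` linter rule allows. The wrapper property name is now the only contract with callers, so the decorator line should be accompanied by an updated description, e.g. `@description('Optional. All secrets to create. Supplied as an object with a \'secureList\' array property so the whole parameter can be marked secure.')` (using the property name the series settles on in patch 3). The body of the `keyVault_secrets` loop continues past the end of its hunk.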
--- a/arm/Microsoft.KeyVault/vaults/readme.md
+++ b/arm/Microsoft.KeyVault/vaults/readme.md
@@ -44,7 +44,7 @@ This module deploys a key vault and its child resources.
 | `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny |
 | `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible |
 | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
-| `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create |
+| `secrets` | _[secrets](secrets/readme.md)_ object | `[]` | | Optional. All secrets to create |
 | `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. |
 | `tags` | object | `{object}` | | Optional. Resource tags. |
 | `vaultSku` | string | `premium` | `[premium, standard]` | Optional. Specifies the SKU for the vault |

From a98ecd483cbb18270975e79cbdadfce85a928d91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vebj=C3=B8rn=20Ostnes=20Gaupset?= <55185409+vgaupset@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:39:00 +0100
Subject: [PATCH 3/4] Update arm/Microsoft.KeyVault/vaults/deploy.bicep

Co-authored-by: Alexander Sehr
---
 arm/Microsoft.KeyVault/vaults/deploy.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep
index 630bda7449..3a492ec5ee 100644
--- a/arm/Microsoft.KeyVault/vaults/deploy.bicep
+++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep
@@ -160,7 +160,7 @@ var formattedAccessPolicies = [for accessPolicy in accessPolicies: {
   tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId
 }]
 
-var secretList = !empty(secrets) ? secrets.secrets : []
+var secretList = !empty(secrets) ? secrets.secureList : []
 
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   name: 'pid-${cuaId}'

From 3b8637d876bec235bc1b9c9e8b4437d2bceb7a13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vebj=C3=B8rn=20Ostnes=20Gaupset?= <55185409+vgaupset@users.noreply.github.com>
Date: Mon, 21 Feb 2022 10:40:46 +0100
Subject: [PATCH 4/4] Changed secrets argument in parameter file

---
 .../vaults/.parameters/parameters.json | 36 ++++++++++---------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
index f960046199..bf0ceca370 100644
--- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
+++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json
@@ -38,23 +38,25 @@
       ]
     },
     "secrets": {
-      "value": [
-        {
-          "name": "secretName",
-          "value": "secretValue",
-          "contentType": "Something",
-          "attributesExp": 1702648632,
-          "attributesNbf": 10000,
-          "roleAssignments": [
-            {
-              "roleDefinitionIdOrName": "Reader",
-              "principalIds": [
-                "<>"
-              ]
-            }
-          ]
-        }
-      ]
+      "value": {
+        "secureList": [
+          {
+            "name": "secretName",
+            "value": "secretValue",
+            "contentType": "Something",
+            "attributesExp": 1702648632,
+            "attributesNbf": 10000,
+            "roleAssignments": [
+              {
+                "roleDefinitionIdOrName": "Reader",
+                "principalIds": [
+                  "<>"
+                ]
+              }
+            ]
+          }
+        ]
+      }
     },
     "keys": {
       "value": [
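Review bot: `!empty(secrets)` does not establish that the object carries a `secureList` property, so a caller who passes an object under any other key (or the pre-patch array shape) makes `secrets.secureList` fail at deployment time with a property-not-found error instead of a clear validation message. The hunk's own context line already uses the defensive form for `tenantId`, so the matching shape here is `var secretList = contains(secrets, 'secureList') ? secrets.secureList : []`. Since the property name is the only contract with callers it should be stated in the parameter's `@description` and in the readme's `secrets` row, which after patch 2 gives the type as object but still shows a default of `[]` while the template's default is `{}`.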
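Review bot: `"value": "secretValue"` inside the new `secureList` entry is an inline secret value in a committed parameter file; as a module test fixture a placeholder is fine, but this file is also what consumers copy, and nothing in it signals that a real value must never be put here. The `@secure()` change in patch 1 protects the deployment history, not the repository, so real deployments should supply the `secrets` parameter from a Key Vault reference or a pipeline-injected override rather than an inline `value`; if I read the ARM rules correctly, a parameter-file Key Vault reference is only accepted for secure parameters, which the new object type now satisfies. JSON cannot carry a comment, so that guidance belongs in the readme next to the `secrets` row, and the placeholder here could be made self-evidently fake, e.g. `"value": "<secretValue>"`, matching the `"<>"` convention already used for `principalIds`.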