From 1de2e6839d0bb0cabb4e64bba85f7daa5ec6958f Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 17 Jun 2022 18:26:15 +0200
Subject: [PATCH 1/2] test cross referencing kv access policies
---
 .../diskEncryptionSets/deploy.bicep | 26 ++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index 5751f949a7..fb81cb0002 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -60,7 +60,31 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 }
 }
-module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = {
+// module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = {
+// name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
+// params: {
+// keyVaultName: last(split(keyVaultId, '/'))
+// accessPolicies: [
+// {
+// tenantId: subscription().tenantId
+// objectId: diskEncryptionSet.identity.principalId
+// permissions: {
+// keys: [
+// 'get'
+// 'wrapKey'
+// 'unwrapKey'
+// ]
+// secrets: []
+// certificates: []
+// }
+// }
+// ]
+// }
+// // This is to support access policies to KV in different subscription and resource group than the disk encryption set.
+// scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4])
+// }
+module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/deploy.bicep' = {
 name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
 params: {
 keyVaultName: last(split(keyVaultId, '/'))
From 96b79a4ff84632962257f395af79e2597a4d594c Mon Sep 17 00:00:00 2001
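Review bot: The new call to `../../Microsoft.KeyVault/vaults/accessPolicies/deploy.bicep` must keep the cross-scope deployment the replaced nested module carried, i.e. `scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4])` together with its comment `// This is to support access policies to KV in different subscription and resource group than the disk encryption set.`; only the `name:`, `params: {` and `keyVaultName:` lines of the new call are inside the hunk, so whether the scope line survives cannot be seen here. Without it the access-policy resource is resolved in the deployment's own resource group, so a `keyVaultId` that points to a vault in another resource group or subscription would fail to resolve and the disk encryption set's identity would never receive the `get`/`wrapKey`/`unwrapKey` key permissions the commented-out block grants. The shared module's parameter contract is also not visible in this hunk; confirm it accepts the same `accessPolicies` item shape (`tenantId`, `objectId`, `permissions`) and that it does not widen the grant beyond those three key operations, which is the least-privilege set a disk encryption set needs. The module body continues past the hunk's trailing context.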
From: Erika Gressi
Date: Fri, 17 Jun 2022 18:45:49 +0200
Subject: [PATCH 2/2] cleanup
---
 .../.bicep/nested_kvAccessPolicy.bicep | 36 -------------------
 .../diskEncryptionSets/deploy.bicep | 24 -------------
 2 files changed, 60 deletions(-)
 delete mode 100644 arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep
deleted file mode 100644
index 64765196a8..0000000000
--- a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep
+++ /dev/null
@@ -1,36 +0,0 @@
-@description('Required. The name of the key vault')
-param keyVaultName string
-
-@description('Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault\'s tenant ID.')
-param accessPolicies array = []
-
-@description('Optional. The access policy name')
-param name string = 'add'
-
-var formattedAccessPolicies = [for accessPolicy in accessPolicies: {
- applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : ''
- objectId: contains(accessPolicy, 'objectId') ? accessPolicy.objectId : ''
- permissions: accessPolicy.permissions
- tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId
-}]
-
-resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
- name: keyVaultName
-}
-
-resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
- name: name
- parent: keyVault
- properties: {
- accessPolicies: formattedAccessPolicies
- }
-}
-
-@description('The name of the resource group the access policies assignment was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the access policies assignment')
-output name string = policies.name
-
-@description('The resource ID of the access policies assignment')
-output resourceId string = policies.id
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index fb81cb0002..56827da5a4 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -60,30 +60,6 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 }
 }
-// module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = {
-// name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
-// params: {
-// keyVaultName: last(split(keyVaultId, '/'))
-// accessPolicies: [
-// {
-// tenantId: subscription().tenantId
-// objectId: diskEncryptionSet.identity.principalId
-// permissions: {
-// keys: [
-// 'get'
-// 'wrapKey'
-// 'unwrapKey'
-// ]
-// secrets: []
-// certificates: []
-// }
-// }
-// ]
-// }
-// // This is to support access policies to KV in different subscription and resource group than the disk encryption set.
-// scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4])
-// }
-
 module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/deploy.bicep' = {
 name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
 params: {