From 5717fe37e516e6109c60f90629e634b205d5dd70 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Jun 2022 14:53:51 +0200
Subject: [PATCH 1/3] Updated implementation

---
 .../.parameters/parameters.json | 6 ++---
 .../diskEncryptionSets/deploy.bicep | 22 +++++++++++++------
 .../diskEncryptionSets/readme.md | 15 +++++++------
 3 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json b/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json
index 9ad9ed7c52..58ec4d9a2a 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json
+++ b/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json
@@ -5,11 +5,11 @@
 "name": {
 "value": "<>-az-des-x-001"
 },
- "keyVaultId": {
+ "keyVaultResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
 },
- "keyUrl": {
- "value": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5" // ID must be updated for new keys
+ "keyName": {
+ "value": "keyEncryptionKey"
 },
 "roleAssignments": {
 "value": [
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index 56827da5a4..2702b7d0fa 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -5,10 +5,13 @@ param name string
 param location string = resourceGroup().location
 
 @description('Required. Resource ID of the KeyVault containing the key or secret.')
-param keyVaultId string
+param keyVaultResourceId string
 
 @description('Required. Key URL (with version) pointing to a key or secret in KeyVault.')
-param keyUrl string
+param keyName string
+
+@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
+param keyVersion string
 
 @description('Optional. The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys.')
 @allowed([
@@ -41,6 +44,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = {
+ name: '${last(split(keyVaultResourceId, '/'))}/${keyName}'
+ scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
+ }
+
 resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 name: name
 location: location
@@ -51,9 +59,9 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 properties: {
 activeKey: {
 sourceVault: {
- id: keyVaultId
+ id: keyVaultResourceId
 }
- keyUrl: keyUrl
+ keyUrl: !empty(keyVersion) ? '${keyVault.properties.keyUri}/${keyVersion}' : keyVault.properties.keyUriWithVersion
 }
 encryptionType: encryptionType
 rotationToLatestKeyVersionEnabled: rotationToLatestKeyVersionEnabled
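Review bot: The new `keyName` parameter inherits the description written for the old `keyUrl` parameter, `@description('Required. Key URL (with version) pointing to a key or secret in KeyVault.')`, which no longer describes what the value is; the same stale wording is carried into the readme's required-parameters table later in this series. Because the hunk below resolves the key as an `existing` `Microsoft.KeyVault/vaults/keys` resource, a secret can no longer be referenced at all, so the "key or secret" wording on both `keyVaultResourceId` and `keyName` is now misleading. Suggest `@description('Required. Name of the key in the Key Vault referenced by keyVaultResourceId. The key URL is resolved from this key at deployment time.')` for `keyName`, and dropping "or secret" from the `keyVaultResourceId` description.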
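Review bot: Resolving the key through an `existing` resource changes what the deploying identity must be allowed to do: the old `keyUrl` string was passed through verbatim, whereas this lookup is evaluated by ARM against the vault's subscription and resource group (which, per the comment on the access-policies module below, may differ from the set's) and, as I understand it, needs read permission on the key resource there (`Microsoft.KeyVault/vaults/keys/read`). That prerequisite is not mentioned anywhere in the series and belongs in the readme, together with the fact that a missing or misspelt `keyName` now fails at the lookup rather than on the disk encryption set. The `split(keyVaultResourceId, '/')[2]` / `[4]` scope parsing mirrors the existing access-policy module, so a malformed ID fails with an index error; a `@metadata` note on `keyVaultResourceId` stating that a full vault resource ID is expected would make that explicit.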
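Review bot: The new `keyUrl` expression always yields a versioned URL — with `keyVersion` empty it takes `keyUriWithVersion`, i.e. whichever version is current when the template is evaluated — so the `keyVersion` description's "the latest key version is used" only holds at deployment time, and a later rotation in the vault reaches the set only on redeploy or via `rotationToLatestKeyVersionEnabled`. As far as I recall, Azure requires a disk encryption set with `rotationToLatestKeyVersionEnabled` set to true to reference the versionless key URI, so that flag combined with this expression should either be documented as unsupported or handled, e.g. `keyUrl: !empty(keyVersion) ? '${keyVault.properties.keyUri}/${keyVersion}' : (rotationToLatestKeyVersionEnabled ? keyVault.properties.keyUri : keyVault.properties.keyUriWithVersion)`. Either way, rewording the `keyVersion` description to "If not provided, the key version that is current at deployment time is pinned" would state the actual behaviour. The `diskEncryptionSet` resource body starts before this hunk.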
@@ -63,7 +71,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/deploy.bicep' = {
 name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
 params: {
- keyVaultName: last(split(keyVaultId, '/'))
+ keyVaultName: last(split(keyVaultResourceId, '/'))
 accessPolicies: [
 {
 tenantId: subscription().tenantId
@@ -81,7 +89,7 @@ module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/de
 ]
 }
 // This is to support access policies to KV in different subscription and resource group than the disk encryption set.
- scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4])
+ scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
 }
 
 module diskEncryptionSet_rbac '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
@@ -108,7 +116,7 @@ output resourceGroupName string = resourceGroup().name
 output systemAssignedPrincipalId string = diskEncryptionSet.identity.principalId
 
 @description('The name of the key vault with the disk encryption key.')
-output keyVaultName string = last(split(keyVaultId, '/'))
+output keyVaultName string = last(split(keyVaultResourceId, '/'))
 
 @description('The location the resource was deployed into.')
 output location string = diskEncryptionSet.location
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
index ee973461cd..29e4d8a782 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md
+++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
@@ -22,8 +22,8 @@ This template deploys a disk encryption set.
 **Required parameters**
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `keyUrl` | string | Key URL (with version) pointing to a key or secret in KeyVault. |
-| `keyVaultId` | string | Resource ID of the KeyVault containing the key or secret. |
+| `keyName` | string | Key URL (with version) pointing to a key or secret in KeyVault. |
+| `keyVaultResourceId` | string | Resource ID of the KeyVault containing the key or secret. |
 | `name` | string | The name of the disk encryption set that is being created. |
 
 **Optional parameters**
@@ -31,6 +31,7 @@ This template deploys a disk encryption set.
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `encryptionType` | string | `'EncryptionAtRestWithPlatformAndCustomerKeys'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. |
+| `keyVersion` | string | | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `location` | string | `[resourceGroup().location]` | | Resource location. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `rotationToLatestKeyVersionEnabled` | bool | `False` | | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |
@@ -164,11 +165,11 @@ tags: {
 "name": {
 "value": "<>-az-des-x-001"
 },
- "keyVaultId": {
+ "keyVaultResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
 },
- "keyUrl": {
- "value": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5" // ID must be updated for new keys
+ "keyName": {
+ "value": "keyEncryptionKey"
 },
 "roleAssignments": {
 "value": [
@@ -196,8 +197,8 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep'
 name: '${uniqueString(deployment().name)}-diskEncryptionSets'
 params: {
 name: '<>-az-des-x-001'
- keyVaultId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001'
- keyUrl: 'https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5'
+ keyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001'
+ keyName: 'keyEncryptionKey'
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'
From 9b07d2f5db922adfb569991e5f7742136b0af2ff Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Jun 2022 14:56:13 +0200
Subject: [PATCH 2/3] Fixed name

---
 arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index 2702b7d0fa..a1622d08b8 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -44,7 +44,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
-resource keyVault 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = {
+resource keyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = {
 name: '${last(split(keyVaultResourceId, '/'))}/${keyName}'
 scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
 }
@@ -61,7 +61,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 sourceVault: {
 id: keyVaultResourceId
 }
- keyUrl: !empty(keyVersion) ? '${keyVault.properties.keyUri}/${keyVersion}' : keyVault.properties.keyUriWithVersion
+ keyUrl: !empty(keyVersion) ? '${keyVaultKey.properties.keyUri}/${keyVersion}' : keyVaultKey.properties.keyUriWithVersion
 }
 encryptionType: encryptionType
 rotationToLatestKeyVersionEnabled: rotationToLatestKeyVersionEnabled
From cde175d3f5d99965f1388df7ca0dba03a08ea057 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Jun 2022 15:00:42 +0200
Subject: [PATCH 3/3] Fixes

---
 arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep | 2 +-
 arm/Microsoft.Compute/diskEncryptionSets/readme.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index a1622d08b8..b6f658cb78 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -11,7 +11,7 @@ param keyVaultResourceId string
 param keyName string
 
 @description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
-param keyVersion string
+param keyVersion string = ''
 
 @description('Optional. The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys.')
 @allowed([
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
index 29e4d8a782..be5bcb03a7 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md
+++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
@@ -31,7 +31,7 @@ This template deploys a disk encryption set.
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `encryptionType` | string | `'EncryptionAtRestWithPlatformAndCustomerKeys'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. |
-| `keyVersion` | string | | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
+| `keyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `location` | string | `[resourceGroup().location]` | | Resource location. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `rotationToLatestKeyVersionEnabled` | bool | `False` | | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |