From 80efa90c502fbafa7f525c86a9911a44d7597e16 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 31 Jan 2023 20:49:11 +1100 Subject: [PATCH 1/4] updated DES API version --- .../.test/common/dependencies.bicep | 5 +- .../.test/common/deploy.test.bicep | 10 ++-- .../diskEncryptionSets/deploy.bicep | 23 ++++++-- .../diskEncryptionSets/readme.md | 52 ++++++++++++++++++- 4 files changed, 80 insertions(+), 10 deletions(-)
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep
index 75de19a493..119f0062b7 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep
@@ -16,7 +16,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 name: 'standard'
 }
 tenantId: tenant().tenantId
- enablePurgeProtection: null
+ enablePurgeProtection: true
 enabledForTemplateDeployment: true
 enabledForDiskEncryption: true
 enabledForDeployment: true
@@ -55,3 +55,6 @@ output keyName string = keyVault::key.name
 
 @description('The principal ID of the created Managed Identity.')
 output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
index 0ae5f9f0ed..5fb414d273 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
@@ -32,8 +32,8 @@ module nestedDependencies 'dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
- keyVaultName: 'dep-<>-kv-${serviceShort}'
- managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ keyVaultName: 'dep-hook-kv-${serviceShort}'
+ managedIdentityName: 'dep-hook-msi-${serviceShort}'
 }
 }
 
@@ -46,7 +46,7 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
- name: '<>${serviceShort}001'
+ name: 'hook${serviceShort}001'
 keyName: nestedDependencies.outputs.keyName
 keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
 roleAssignments: [
@@ -58,5 +58,9 @@ module testDeployment '../../deploy.bicep' = {
 principalType: 'ServicePrincipal'
 }
 ]
+ systemAssignedIdentity: true
+ userAssignedIdentities: {
+ '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+ }
 }
 }
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index 04b40b7b4e..4749152ed9 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -20,9 +20,18 @@ param keyVersion string = ''
 ])
 param encryptionType string = 'EncryptionAtRestWithPlatformAndCustomerKeys'
 
+@description('Optional. Multi-tenant application client id to access key vault in a different tenant. Setting the value to "None" will clear the property.')
+param federatedClientId string = 'None'
+
 @description('Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version.')
 param rotationToLatestKeyVersionEnabled bool = false
 
+@description('Optional. Enables system assigned managed identity on the resource.')
+param systemAssignedIdentity bool = true
+
+@description('Optional. The ID(s) to assign to the resource.')
+param userAssignedIdentities object = {}
+
 @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
 param roleAssignments array = []
 
@@ -32,6 +41,13 @@ param tags object = {}
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
+var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
+
+var identity = identityType != 'None' ? {
+ type: identityType
+ userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
+} : null
+
 resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
 name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
 properties: {
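Review bot: The new `identity` variable resolves to `null` when `systemAssignedIdentity` is false and `userAssignedIdentities` is empty, so the module now accepts a disk encryption set with no managed identity at all, and a DES without an identity has no principal that can be granted access to the key-vault key it references; the replaced code hard-wired `type: 'SystemAssigned'`, so this is a new failure mode the hunk introduces and nothing in the parameter descriptions warns about it. I would state the requirement where the caller sees it, e.g. `@description('Optional. Enables system assigned managed identity on the resource. The disk encryption set needs at least one identity (system- or user-assigned) to read its key from the key vault.')`, and put `// null only when no identity was requested; the DES cannot reach its key in that case` above `var identity`. It is also worth checking, outside this hunk, whether the key-vault access policy this module deploys is keyed on the system-assigned principal ID; if it is, a user-assigned-only deployment gets no key permission from the module and the `rotationToLatestKeyVersionEnabled` path silently cannot work.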
@@ -49,13 +65,11 @@ resource keyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = {
 scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
 }
 
-resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
+resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = {
 name: name
 location: location
 tags: tags
- identity: {
- type: 'SystemAssigned'
- }
+ identity: identity
 properties: {
 activeKey: {
 sourceVault: {
@@ -64,6 +78,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 keyUrl: !empty(keyVersion) ? '${keyVaultKey.properties.keyUri}/${keyVersion}' : keyVaultKey.properties.keyUriWithVersion
 }
 encryptionType: encryptionType
+ federatedClientId: federatedClientId
 rotationToLatestKeyVersionEnabled: rotationToLatestKeyVersionEnabled
 }
 }
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/readme.md b/modules/Microsoft.Compute/diskEncryptionSets/readme.md
index 350721060f..7f281e23b6 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/readme.md
+++ b/modules/Microsoft.Compute/diskEncryptionSets/readme.md
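Review bot: `federatedClientId: federatedClientId` is always emitted, with the default sending the literal string `'None'`, and the code relies on the API treating that string as "clear the property"; that matches the parameter description, but a reader of this resource will expect a null, so a comment on the line would save the next person a lookup, e.g. `// 'None' is the documented sentinel for clearing the property; do not substitute '' or null`. As far as I know, a cross-tenant customer-managed key (any non-'None' `federatedClientId`) requires the DES to carry a user-assigned identity with a federated credential, and the new `identity: identity` value still allows a system-assigned-only DES combined with a federated client ID; the module does not reject that combination, so I would at least document the dependency in the `federatedClientId` description. The `diskEncryptionSet` resource opens in the first hunk and closes in the second; the lines between them are not shown here.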
@@ -15,8 +15,8 @@ This template deploys a disk encryption set.
 | Resource Type | API Version |
 | :-- | :-- |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Compute/diskEncryptionSets` | [2021-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/diskEncryptionSets) |
-| `Microsoft.KeyVault/vaults/accessPolicies` | [2021-06-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2021-06-01-preview/vaults/accessPolicies) |
+| `Microsoft.Compute/diskEncryptionSets` | [2022-07-02](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-07-02/diskEncryptionSets) |
+| `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) |
 
 ## Parameters
 
@@ -34,11 +34,14 @@ This template deploys a disk encryption set.
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `encryptionType` | string | `'EncryptionAtRestWithPlatformAndCustomerKeys'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. |
+| `federatedClientId` | string | `'None'` | | Multi-tenant application client id to access key vault in a different tenant. Setting the value to "None" will clear the property. |
 | `keyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `location` | string | `[resourceGroup().location]` | | Resource location. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `rotationToLatestKeyVersionEnabled` | bool | `False` | | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |
+| `systemAssignedIdentity` | bool | `True` | | Enables system assigned managed identity on the resource. |
 | `tags` | object | `{object}` | | Tags of the disk encryption resource. |
+| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
 
 ### Parameter Usage: `roleAssignments`
 
@@ -141,6 +144,39 @@ tags: {

+### Parameter Usage: `userAssignedIdentities` + +You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format: + +

+ +Parameter JSON format + +```json +"userAssignedIdentities": { + "value": { + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {}, + "/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {} + } +} +``` + +
+ +
+ +Bicep format + +```bicep +userAssignedIdentities: { + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {} + '/subscriptions/<>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {} +} +``` + +
+

+ ## Outputs | Output Name | Type | Description |
@@ -192,6 +228,10 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep'
 roleDefinitionIdOrName: 'Reader'
 }
 ]
+ systemAssignedIdentity: true
+ userAssignedIdentities: {
+ '': {}
+ }
 }
 }
 ```
@@ -232,6 +272,14 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep'
 "roleDefinitionIdOrName": "Reader"
 }
 ]
+ },
+ "systemAssignedIdentity": {
+ "value": true
+ },
+ "userAssignedIdentities": {
+ "value": {
+ "": {}
+ }
 }
 }
 }
From fe4ef464ca21af7501cf6797d0c9dbc91773c506 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 31 Jan 2023 20:51:03 +1100 Subject: [PATCH 2/4] restored name prefix --- .../diskEncryptionSets/.test/common/deploy.test.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
index 5fb414d273..563cf17861 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
@@ -32,8 +32,8 @@ module nestedDependencies 'dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
- keyVaultName: 'dep-hook-kv-${serviceShort}'
- managedIdentityName: 'dep-hook-msi-${serviceShort}'
+ keyVaultName: 'dep-<>-kv-${serviceShort}'
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
 }
 }
 
@@ -46,7 +46,7 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
 params: {
 enableDefaultTelemetry: enableDefaultTelemetry
- name: 'hook${serviceShort}001'
+ name: '<>${serviceShort}001'
 keyName: nestedDependencies.outputs.keyName
 keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
 roleAssignments: [
From 56905081901b76111d8c69f6a93d247b65c8d2e4 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 31 Jan 2023 21:08:43 +1100 Subject: [PATCH 3/4] updated syntax for Linter --- modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep | 2 +- modules/Microsoft.Compute/diskEncryptionSets/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index 4749152ed9..57b274b78d 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/modules/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -20,7 +20,7 @@ param keyVersion string = ''
 ])
 param encryptionType string = 'EncryptionAtRestWithPlatformAndCustomerKeys'
 
-@description('Optional. Multi-tenant application client id to access key vault in a different tenant. Setting the value to "None" will clear the property.')
+@description('Optional. Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property.')
 param federatedClientId string = 'None'
 
 @description('Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version.')
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/readme.md b/modules/Microsoft.Compute/diskEncryptionSets/readme.md
index 7f281e23b6..117f30fbdc 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/readme.md
+++ b/modules/Microsoft.Compute/diskEncryptionSets/readme.md
@@ -34,7 +34,7 @@ This template deploys a disk encryption set.
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `encryptionType` | string | `'EncryptionAtRestWithPlatformAndCustomerKeys'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. |
-| `federatedClientId` | string | `'None'` | | Multi-tenant application client id to access key vault in a different tenant. Setting the value to "None" will clear the property. |
+| `federatedClientId` | string | `'None'` | | Multi-tenant application client ID to access key vault in a different tenant. Setting the value to "None" will clear the property. |
 | `keyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `location` | string | `[resourceGroup().location]` | | Resource location. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
From 9f3329cb62ee4f12ae8fd240d38db7a97bac4db8 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 1 Feb 2023 22:29:01 +1100 Subject: [PATCH 4/4] aligned to modules for purge protected key vaults --- .../.test/common/dependencies.bicep | 15 ++++++++------- .../.test/common/deploy.test.bicep | 6 +++++- 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep
index 119f0062b7..2c40774db0 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep
+++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/dependencies.bicep
@@ -7,6 +7,11 @@ param keyVaultName string
 @description('Required. The name of the Managed Identity to create.')
 param managedIdentityName string
 
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 name: keyVaultName
 location: location
@@ -16,7 +21,8 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 name: 'standard'
 }
 tenantId: tenant().tenantId
- enablePurgeProtection: true
+ enablePurgeProtection: true // Required by disk encryption set
+ softDeleteRetentionInDays: 7
 enabledForTemplateDeployment: true
 enabledForDiskEncryption: true
 enabledForDeployment: true
@@ -32,13 +38,8 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 }
 }
 
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
 resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
- name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Reader-RoleAssignment.')
+ name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment')
 scope: keyVault::key
 properties: {
 principalId: managedIdentity.properties.principalId
diff --git a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
index 563cf17861..c844de19e8 100644
--- a/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
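Review bot: `softDeleteRetentionInDays: 7` is the lowest value Key Vault accepts, and together with `enablePurgeProtection: true` it means every test run now leaves behind a vault that cannot be purged for seven days; that is the unavoidable cost of exercising a DES, which requires both settings, but the comment on the `enablePurgeProtection` line should say so before someone "cleans it up", e.g. `enablePurgeProtection: true // Required by disk encryption set; the vault stays soft-deleted and unpurgeable for softDeleteRetentionInDays after each run`. The changed seed in `guid('msi-…-Key-Reader-RoleAssignment')` gives the `keyPermissions` assignment a different name, and an incremental redeploy into a resource group that still holds the old assignment will add a second one rather than replace it; harmless for a throwaway test group, but worth knowing if this fixture is ever deployed twice into the same group. The `keyVault` and `keyPermissions` resource bodies continue outside the hunks shown.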
+++ b/modules/Microsoft.Compute/diskEncryptionSets/.test/common/deploy.test.bicep
@@ -14,6 +14,9 @@ param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'cdescom'
 
+@description('Generated. Used as a basis for unique resource names.')
+param baseTime string = utcNow('u')
+
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
 
@@ -32,7 +35,8 @@ module nestedDependencies 'dependencies.bicep' = {
 scope: resourceGroup
 name: '${uniqueString(deployment().name, location)}-nestedDependencies'
 params: {
- keyVaultName: 'dep-<>-kv-${serviceShort}'
+ // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
+ keyVaultName: 'dep-<>-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
 managedIdentityName: 'dep-<>-msi-${serviceShort}'
 }
 }
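Review bot: `substring(uniqueString(baseTime), 0, 3)` keeps only three base-36 characters, so the vault suffix is drawn from roughly 46k values and `utcNow('u')` is second-granular; because a purge-protected vault keeps its name reserved for the whole soft-delete window after deletion, a repeated suffix within that window makes the `nestedDependencies` deployment fail on a name conflict instead of being retried with another name. If the 24-character limit the comment mentions leaves room — that depends on what `<>` expands to, which is not visible here — take more characters of `uniqueString(baseTime)`, otherwise shorten the fixed `dep-…-kv-` prefix to free some. I would also make the comment explain the mechanism rather than just the symptom, e.g. `// Unique per run: a purge-protected vault keeps its name reserved after deletion, so a name cannot be reused within the soft-delete window (vault names are limited to 24 characters)`.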