From 5856e6f45e0a64a9e4ddc8518aafd27483588f17 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 20 Dec 2021 09:50:18 +0100 Subject: [PATCH 01/15] disk encr --- .../.bicep/nested_accessPolicy.bicep | 0 .../diskEncryptionSets/deploy.bicep | 34 +++++++++---------- 2 files changed, 17 insertions(+), 17 deletions(-) create mode 100644 arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_accessPolicy.bicep diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_accessPolicy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_accessPolicy.bicep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index 332fd6cae3..5acd9f89ef 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep @@ -24,6 +24,23 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { params: {} } +resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2020-12-01' = { + name: name + location: location + tags: tags + identity: { + type: 'SystemAssigned' + } + properties: { + activeKey: { + sourceVault: { + id: keyVaultId + } + keyUrl: keyUrl + } + } +} + resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { name: '${last(split(keyVaultId, '/'))}/add' properties: { @@ -45,23 +62,6 @@ resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-0 } } -resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2020-12-01' = { - name: name - location: location - tags: tags - identity: { - type: 'SystemAssigned' - } - properties: { - activeKey: { - sourceVault: { - id: keyVaultId - } - keyUrl: keyUrl - } - } -} - module diskEncryptionSet_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-Rbac-${index}' params: { 
From e2a6aded2683f2f0b7ac92ecdd7c0426a7e487da Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 20 Dec 2021 17:54:43 +0100 Subject: [PATCH 02/15] accesspolicies cross --- .../.bicep/nested_accessPolicy.bicep | 0 .../.bicep/nested_kvAccessPolicy.bicep | 36 +++++++++++++++++++ .../diskEncryptionSets/deploy.bicep | 30 +++++++++++++--- 3 files changed, 62 insertions(+), 4 deletions(-) delete mode 100644 arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_accessPolicy.bicep create mode 100644 arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_accessPolicy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_accessPolicy.bicep deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep new file mode 100644 index 0000000000..7bd62cd492 --- /dev/null +++ b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep 
@@ -0,0 +1,36 @@ +@description('Required. The resource ID of the key vault') +param keyVaultName string + +@description('Optional. The access policy deployment') +param name string = 'add' + +@description('Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault\'s tenant ID.') +param accessPolicies array = [] + +var formattedAccessPolicies = [for accessPolicy in accessPolicies: { + applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : '' + objectId: contains(accessPolicy, 'objectId') ? accessPolicy.objectId : '' + permissions: accessPolicy.permissions + tenantId: contains(accessPolicy, 'tenantId') ? accessPolicy.tenantId : tenant().tenantId +}] + +resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = { + name: keyVaultName +} + +resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = { + name: name + parent: keyVault + properties: { + accessPolicies: formattedAccessPolicies + } +} + +@description('The name of the resource group the access policies assignment was created in.') +output accessPolicyResourceGroup string = resourceGroup().name + +@description('The name of the access policies assignment') +output accessPolicyName string = policies.name + +@description('The resource ID of the access policies assignment') +output accessPolicyResourceId string = policies.id diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index 5acd9f89ef..dd4025c2e1 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep 
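Review bot: The `name` parameter of the `policies` resource defaults to `'add'` but accepts any string, although this child resource type only accepts the operation names `add`, `remove` and `replace`; an `@allowed` decorator listing those three values would reject anything else at compile time (patch 05 later passes a principal ID as `name` and has to revert it). Likewise, `formattedAccessPolicies` substitutes `''` when `objectId` is missing, so an entry that identifies no principal still reaches the service and only fails there; if `objectId` is meant to be mandatory for every entry, reading it directly as `objectId: accessPolicy.objectId` makes the omission fail at deployment with a message that names the missing property. The `keys`/`secrets`/`certificates` permissions are passed through unchanged via `accessPolicy.permissions`, which is fine, but a short comment such as `// permissions are taken verbatim; callers are responsible for least privilege` would make that contract explicit.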
@@ -41,13 +41,14 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2020-12-01' = { } } -resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { - name: '${last(split(keyVaultId, '/'))}/add' - properties: { +module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' { + name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies' + params: { + keyVaultName: '${last(split(keyVaultId, '/'))}' accessPolicies: [ { tenantId: subscription().tenantId - objectId: reference('Microsoft.Compute/diskEncryptionSets/${diskEncryptionSet.name}', '2020-12-01', 'Full').identity.principalId + objectId: diskEncryptionSet.identity.principalId permissions: { keys: [ 'get' @@ -62,6 +63,27 @@ resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-0 } } +// resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { +// name: '${last(split(keyVaultId, '/'))}/add' +// properties: { +// accessPolicies: [ +// { +// tenantId: subscription().tenantId +// objectId: reference('Microsoft.Compute/diskEncryptionSets/${diskEncryptionSet.name}', '2020-12-01', 'Full').identity.principalId +// permissions: { +// keys: [ +// 'get' +// 'wrapKey' +// 'unwrapKey' +// ] +// secrets: [] +// certificates: [] +// } +// } +// ] +// } +// } + module diskEncryptionSet_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-Rbac-${index}' params: { From d84efe799a13cf11a12c241f0602befe23593aa1 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 20 Dec 2021 18:12:43 +0100 Subject: [PATCH 03/15] accesspolicies cross update --- arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep | 2 +- arm/Microsoft.Compute/diskEncryptionSets/readme.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index dd4025c2e1..480f4834e7 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep @@ -41,7 +41,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2020-12-01' = { } } -module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' { +module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies' params: { keyVaultName: '${last(split(keyVaultId, '/'))}' diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md index 72127509c1..a579e55c40 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md @@ -8,7 +8,7 @@ This template deploys a disk encryption set. | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | | `Microsoft.Compute/diskEncryptionSets` | 2020-12-01 | -| `Microsoft.KeyVault/vaults/accessPolicies` | 2019-09-01 | +| `Microsoft.KeyVault/vaults/accessPolicies` | 2021-06-01-preview | ## Parameters 
@@ -73,6 +73,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Template references -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) - [Diskencryptionsets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-12-01/diskEncryptionSets) -- [Vaults/Accesspolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2019-09-01/vaults/accessPolicies) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Vaults/Accesspolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2021-06-01-preview/vaults/accessPolicies) From e474ba882bf519f324cc9aefea99e2ca42765b0e Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 20 Dec 2021 19:53:12 +0100 Subject: [PATCH 04/15] cross scope --- .../diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep | 2 +- arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep | 5 ++++- arm/Microsoft.Compute/diskEncryptionSets/readme.md | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep index 7bd62cd492..89e7e439d9 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep @@ -1,4 +1,4 @@ -@description('Required. The resource ID of the key vault') +@description('Required. The name of the key vault') param keyVaultName string @description('Optional. The access policy deployment') diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index 480f4834e7..5b37f2816e 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep 
+++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep @@ -13,7 +13,7 @@ param keyUrl string @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -@description('Optional. Tags of the Automation Account resource.') +@description('Optional. Tags of the disk encryption resource.') param tags object = {} @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') @@ -61,6 +61,9 @@ module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = { } ] } + // This is to support access policies to kv in different subscription and resource group than the automation account. + // The current scope is used by default if no linked service is intended to be created. + scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4]) } // resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md index a579e55c40..a0d28e9082 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md 
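Review bot: The added `scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4])` deploys the access-policy module into the vault's subscription and resource group, which presumably means the deploying identity now needs rights to write `Microsoft.KeyVault/vaults/accessPolicies` in that other scope; neither the `keyVaultId` description nor the readme states this. A sentence such as `Required. Resource ID of the KeyVault containing the key or secret. The vault may live in another resource group or subscription; the deploying principal must be permitted to modify its access policies.` on the `keyVaultId` parameter would make the requirement visible to callers. The indexing also assumes `keyVaultId` is a full ARM resource ID; a malformed value presumably fails with an opaque index error rather than a parameter validation message, which is worth noting in the same description. The `module keyVaultAccessPolicies` declaration starts before this hunk.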
@@ -20,7 +20,7 @@ This template deploys a disk encryption set. | `location` | string | `[resourceGroup().location]` | | Optional. Resource location. | | `name` | string | | | Required. The name of the disk encryption set that is being created. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | -| `tags` | object | `{object}` | | Optional. Tags of the Automation Account resource. | +| `tags` | object | `{object}` | | Optional. Tags of the disk encryption resource. | ### Parameter Usage: `roleAssignments` From 82b4526bbee00f59c0eb0d7e8a84e930365ca691 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 20 Dec 2021 21:10:24 +0100 Subject: [PATCH 05/15] access policy removal --- .../.bicep/nested_kvAccessPolicy.bicep | 6 +++--- .../diskEncryptionSets/deploy.bicep | 3 ++- .../helper/Invoke-ResourceRemoval.ps1 | 14 ++++++++++++++ 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep index 89e7e439d9..3f8c479dc1 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/.bicep/nested_kvAccessPolicy.bicep 
@@ -1,12 +1,12 @@ @description('Required. The name of the key vault') param keyVaultName string -@description('Optional. The access policy deployment') -param name string = 'add' - @description('Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault\'s tenant ID.') param accessPolicies array = [] +@description('Optional. The access policy name') +param name string = 'add' + var formattedAccessPolicies = [for accessPolicy in accessPolicies: { applicationId: contains(accessPolicy, 'applicationId') ? accessPolicy.applicationId : '' objectId: contains(accessPolicy, 'objectId') ? accessPolicy.objectId : '' diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index 5b37f2816e..5726f1ceea 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep @@ -44,7 +44,8 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2020-12-01' = { module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies' params: { - keyVaultName: '${last(split(keyVaultId, '/'))}' + keyVaultName: last(split(keyVaultId, '/')) + name: diskEncryptionSet.identity.principalId accessPolicies: [ { tenantId: subscription().tenantId diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 index 14f9891773..31edc155c9 100644 --- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 +++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 
@@ -27,6 +27,9 @@ function Invoke-ResourceRemoval { [string] $Type ) + Write-Verbose ('Resource ID [{0}]' -f $resourceId) -Verbose + Write-Verbose ('Resource Type [{0}]' -f $type) -Verbose + switch ($type) { 'Microsoft.Insights/diagnosticSettings' { $parentResourceId = $resourceId.Split('/providers/{0}' -f $type)[0] @@ -36,6 +39,17 @@ function Invoke-ResourceRemoval { } break } + 'Microsoft.KeyVault/vaults/accessPolicies' { + $keyVaultResourceId = $resourceId.Split('/accessPolicies')[0] + $keyVaultName = Split-Path $keyVaultResourceId -Leaf + $objectId = Split-Path $ResourceId -Leaf + Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose + Write-Verbose ('objectId [{0}]' -f $objectId) -Verbose + if ($PSCmdlet.ShouldProcess("Diagnostic setting [$resourceName]", 'Remove')) { + $null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId + } + break + } 'Microsoft.RecoveryServices/vaults' { # Pre-Removal # ----------- From 8dbba5257643d17266a3ffa96123d0465d86f2bd Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 09:52:30 +0100 Subject: [PATCH 06/15] access policy pre removal --- .../diskEncryptionSets/deploy.bicep | 1 - .../helper/Invoke-ResourceRemoval.ps1 | 55 +++++++++++++++++-- 2 files changed, 49 insertions(+), 7 deletions(-) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index 5726f1ceea..f0ab71b010 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep @@ -45,7 +45,6 @@ module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies' params: { keyVaultName: last(split(keyVaultId, '/')) - name: diskEncryptionSet.identity.principalId accessPolicies: [ { tenantId: subscription().tenantId 
diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 index 31edc155c9..d1210aab57 100644 --- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 +++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 
@@ -39,16 +39,59 @@ function Invoke-ResourceRemoval { } break } - 'Microsoft.KeyVault/vaults/accessPolicies' { - $keyVaultResourceId = $resourceId.Split('/accessPolicies')[0] - $keyVaultName = Split-Path $keyVaultResourceId -Leaf - $objectId = Split-Path $ResourceId -Leaf + # 'Microsoft.KeyVault/vaults/accessPolicies' { + # $keyVaultResourceId = $resourceId.Split('/accessPolicies')[0] + # $keyVaultName = Split-Path $keyVaultResourceId -Leaf + # $objectId = Split-Path $ResourceId -Leaf + # Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose + # Write-Verbose ('objectId [{0}]' -f $objectId) -Verbose + # if ($PSCmdlet.ShouldProcess("Diagnostic setting [$resourceName]", 'Remove')) { + # $null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId + # } + # break + # } + 'Microsoft.Compute/diskEncryptionSets' { + # Pre-Removal + # ----------- + # Remove access policies on key vault + $resourceGroupName = $resourceId.Split('/')[4] + $resourceName = Split-Path $resourceId -Leaf + + $diskEncryptionSet = Get-AzDiskEncryptionSet -Name $resourceName -ResourceGroupName $resourceGroupName + $keyVaultResourceId = $diskEncryptionSet.ActiveKey.SourceVault.Id + $objectId = $diskEncryptionSet.Identity.PrincipalId + Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose Write-Verbose ('objectId [{0}]' -f $objectId) -Verbose - if ($PSCmdlet.ShouldProcess("Diagnostic setting [$resourceName]", 'Remove')) { + # if ($PSCmdlet.ShouldProcess("Access policy [$objectId] from key vault [$keyVaultName]", 'Remove')) { + if ($PSCmdlet.ShouldProcess(('Access policy [{0}] from key vault [{1}]' -f $objectId, $keyVaultName), 'Remove')) { $null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId } - break + + # if ((Get-AzRecoveryServicesVaultProperty -VaultId $resourceId).SoftDeleteFeatureState -ne 'Disabled') { + # if ($PSCmdlet.ShouldProcess(('Soft-delete on RSV [{0}]' -f $resourceId), 'Set')) { + # $null = 
Set-AzRecoveryServicesVaultProperty -VaultId $resourceId -SoftDeleteFeatureState 'Disable' + # } + # } + + # $backupItems = Get-AzRecoveryServicesBackupItem -BackupManagementType 'AzureVM' -WorkloadType 'AzureVM' -VaultId $resourceId + # foreach ($backupItem in $backupItems) { + # Write-Verbose ('Removing Backup item [{0}] from RSV [{1}]' -f $backupItem.Name, $resourceId) -Verbose + + # if ($backupItem.DeleteState -eq 'ToBeDeleted') { + # if ($PSCmdlet.ShouldProcess('Soft-deleted backup data removal', 'Undo')) { + # $null = Undo-AzRecoveryServicesBackupItemDeletion -Item $backupItem -VaultId $resourceId -Force + # } + # } + + # if ($PSCmdlet.ShouldProcess(('Backup item [{0}] from RSV [{1}]' -f $backupItem.Name, $resourceId), 'Remove')) { + # $null = Disable-AzRecoveryServicesBackupProtection -Item $backupItem -VaultId $resourceId -RemoveRecoveryPoints -Force + # } + # } + + # Actual removal + # -------------- + $null = Remove-AzResource -ResourceId $resourceId -Force -ErrorAction 'Stop' } 'Microsoft.RecoveryServices/vaults' { # Pre-Removal From 84ac8b19d536e44b70787037eb75b1380879961f Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 09:59:09 +0100 Subject: [PATCH 07/15] kv name --- .../pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 index d1210aab57..f090f4b0a2 100644 --- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 +++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 
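Review bot: `Get-AzDiskEncryptionSet -Name $resourceName -ResourceGroupName $resourceGroupName` has no `-ErrorAction 'Stop'`, so if the lookup fails `$diskEncryptionSet` is `$null`, the following `Split-Path`/property reads error or yield empty values, and `Remove-AzKeyVaultAccessPolicy` can be reached with empty arguments; the actual removal in this case already uses `-ErrorAction 'Stop'`, and the lookup should match it: `$diskEncryptionSet = Get-AzDiskEncryptionSet -Name $resourceName -ResourceGroupName $resourceGroupName -ErrorAction 'Stop'`. `Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId` likewise swallows a non-terminating failure, so the set can be deleted while its identity's access policy stays behind on the vault; adding `-ErrorAction 'Stop'` there turns that orphaned policy into a visible failure instead of a silent one. The vault is resolved by name only, and since the template deliberately allows the vault to sit in another subscription this presumably only works when the current Az context is that subscription — the subscription ID is available as `$keyVaultResourceId.Split('/')[2]` and is worth comparing with the context before the call. In this commit `$keyVaultName` is read before it is assigned anywhere in the case (patch 07 adds the assignment), and the case has no `break` (added in patch 14). The enclosing `switch` and `Invoke-ResourceRemoval` continue outside the hunk.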
@@ -59,6 +59,7 @@ function Invoke-ResourceRemoval { $diskEncryptionSet = Get-AzDiskEncryptionSet -Name $resourceName -ResourceGroupName $resourceGroupName $keyVaultResourceId = $diskEncryptionSet.ActiveKey.SourceVault.Id + $keyVaultName = Split-Path $keyVaultResourceId -Leaf $objectId = $diskEncryptionSet.Identity.PrincipalId Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose From 625544c0b55dd32223b670a312ab12eed39bc056 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 10:04:04 +0100 Subject: [PATCH 08/15] api update --- .../diskEncryptionSets/deploy.bicep | 26 ++----------------- .../diskEncryptionSets/readme.md | 4 +-- 2 files changed, 4 insertions(+), 26 deletions(-) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index f0ab71b010..3b1b9051b1 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep @@ -24,7 +24,7 @@ module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { params: {} } -resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2020-12-01' = { +resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = { name: name location: location tags: tags 
@@ -61,32 +61,10 @@ module keyVaultAccessPolicies '.bicep/nested_kvAccessPolicy.bicep' = { } ] } - // This is to support access policies to kv in different subscription and resource group than the automation account. - // The current scope is used by default if no linked service is intended to be created. + // This is to support access policies to KV in different subscription and resource group than the disk encryption set. scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4]) } -// resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = { -// name: '${last(split(keyVaultId, '/'))}/add' -// properties: { -// accessPolicies: [ -// { -// tenantId: subscription().tenantId -// objectId: reference('Microsoft.Compute/diskEncryptionSets/${diskEncryptionSet.name}', '2020-12-01', 'Full').identity.principalId -// permissions: { -// keys: [ -// 'get' -// 'wrapKey' -// 'unwrapKey' -// ] -// secrets: [] -// certificates: [] -// } -// } -// ] -// } -// } - module diskEncryptionSet_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { name: '${uniqueString(deployment().name, location)}-DiskEncrSet-Rbac-${index}' params: { diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md index a0d28e9082..d81986a577 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md @@ -7,7 +7,7 @@ This template deploys a disk encryption set. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | -| `Microsoft.Compute/diskEncryptionSets` | 2020-12-01 | +| `Microsoft.Compute/diskEncryptionSets` | 2021-04-01 | | `Microsoft.KeyVault/vaults/accessPolicies` | 2021-06-01-preview | ## Parameters 
@@ -73,6 +73,6 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Template references -- [Diskencryptionsets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-12-01/diskEncryptionSets) +- [Diskencryptionsets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-04-01/diskEncryptionSets) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) - [Vaults/Accesspolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2021-06-01-preview/vaults/accessPolicies) From 062e6f7492fdab688a4d440f911ee024cfe188de Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 10:14:08 +0100 Subject: [PATCH 09/15] add dse settings --- .../diskEncryptionSets/deploy.bicep | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep index 3b1b9051b1..6039850e71 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep +++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep 
@@ -10,6 +10,16 @@ param keyVaultId string @description('Required. Key URL (with version) pointing to a key or secret in KeyVault.') param keyUrl string +@description('Optional. The type of key used to encrypt the data of the disk.') +@allowed([ + 'EncryptionAtRestWithCustomerKey' + 'EncryptionAtRestWithPlatformAndCustomerKeys' +]) +param encryptionType string = 'EncryptionAtRestWithCustomerKey' + +@description('Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version.') +param rotationToLatestKeyVersionEnabled bool = false + @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] @@ -38,6 +48,8 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = { } keyUrl: keyUrl } + encryptionType: encryptionType + rotationToLatestKeyVersionEnabled: rotationToLatestKeyVersionEnabled } } From fb45810623d030e5293849443ed581d170158773 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 10:15:05 +0100 Subject: [PATCH 10/15] readme --- arm/Microsoft.Compute/diskEncryptionSets/readme.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md index d81986a577..e656a38f7a 100644 --- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md +++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md 
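Review bot: `rotationToLatestKeyVersionEnabled` is introduced without documenting how it interacts with `keyUrl`, whose description still reads `Key URL (with version)`; to my knowledge automatic rotation requires a versionless key URL, so enabling the flag with the documented input form would fail at deployment. The `keyUrl` description should say something like `Required. Key URL pointing to a key in KeyVault. Include the key version unless rotationToLatestKeyVersionEnabled is true, in which case the URL must be versionless.`, and the flag's own description should cross-reference that requirement. The readme row for the flag added in patch 10 also leaves the default column empty although the parameter defaults to `false`.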
@@ -15,11 +15,13 @@ This template deploys a disk encryption set. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `encryptionType` | string | `EncryptionAtRestWithCustomerKey` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | Optional. The type of key used to encrypt the data of the disk. | | `keyUrl` | string | | | Required. Key URL (with version) pointing to a key or secret in KeyVault. | | `keyVaultId` | string | | | Required. Resource ID of the KeyVault containing the key or secret. | | `location` | string | `[resourceGroup().location]` | | Optional. Resource location. | | `name` | string | | | Required. The name of the disk encryption set that is being created. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `rotationToLatestKeyVersionEnabled` | bool | | | Optional. Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | | `tags` | object | `{object}` | | Optional. Tags of the disk encryption resource. | ### Parameter Usage: `roleAssignments` From 47eafbd3337b71df582965940f2e8b2a622d6a91 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 10:26:21 +0100 Subject: [PATCH 11/15] az compute module --- utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 | 1 + 1 file changed, 1 insertion(+) 
diff --git a/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 b/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 index 72149ff01a..da2aa354f5 100644 --- a/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 +++ b/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 @@ -97,6 +97,7 @@ function Set-EnvironmentOnAgent { [Parameter(Mandatory = $false)] [Hashtable[]] $Modules = @( @{ Name = 'Az.Accounts' }, + @{ Name = 'Az.Compute' }, @{ Name = 'Az.Resources' }, @{ Name = 'Az.NetAppFiles' }, @{ Name = 'Az.Network' }, From 205f58eddac47ae38e5bc325fe99f2548f9ac335 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 10:42:58 +0100 Subject: [PATCH 12/15] skip access policies --- .../helper/Invoke-ResourceRemoval.ps1 | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 index f090f4b0a2..bd912ed7ac 100644 --- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 +++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 
@@ -39,17 +39,18 @@ function Invoke-ResourceRemoval { } break } - # 'Microsoft.KeyVault/vaults/accessPolicies' { - # $keyVaultResourceId = $resourceId.Split('/accessPolicies')[0] - # $keyVaultName = Split-Path $keyVaultResourceId -Leaf - # $objectId = Split-Path $ResourceId -Leaf - # Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose - # Write-Verbose ('objectId [{0}]' -f $objectId) -Verbose - # if ($PSCmdlet.ShouldProcess("Diagnostic setting [$resourceName]", 'Remove')) { - # $null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId - # } - # break - # } + 'Microsoft.KeyVault/vaults/accessPolicies' { + # $keyVaultResourceId = $resourceId.Split('/accessPolicies')[0] + # $keyVaultName = Split-Path $keyVaultResourceId -Leaf + # $objectId = Split-Path $ResourceId -Leaf + # Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose + # Write-Verbose ('objectId [{0}]' -f $objectId) -Verbose + # if ($PSCmdlet.ShouldProcess("Diagnostic setting [$resourceName]", 'Remove')) { + # $null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId + # } + Write-Verbose ('Skip resource removal for type [{0}]' -f $type) -Verbose + break + } 'Microsoft.Compute/diskEncryptionSets' { # Pre-Removal # ----------- From e6634a804e250c07345844b81132b31bbc88b093 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 21 Dec 2021 11:04:02 +0100 Subject: [PATCH 13/15] clean up --- .../helper/Invoke-ResourceRemoval.ps1 | 30 ------------------- 1 file changed, 30 deletions(-) diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 index bd912ed7ac..b08c7221ca 100644 --- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 +++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 
@@ -40,14 +40,6 @@ function Invoke-ResourceRemoval { break } 'Microsoft.KeyVault/vaults/accessPolicies' { - # $keyVaultResourceId = $resourceId.Split('/accessPolicies')[0] - # $keyVaultName = Split-Path $keyVaultResourceId -Leaf - # $objectId = Split-Path $ResourceId -Leaf - # Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose - # Write-Verbose ('objectId [{0}]' -f $objectId) -Verbose - # if ($PSCmdlet.ShouldProcess("Diagnostic setting [$resourceName]", 'Remove')) { - # $null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId - # } Write-Verbose ('Skip resource removal for type [{0}]' -f $type) -Verbose break } 
@@ -65,32 +57,10 @@ function Invoke-ResourceRemoval {
 Write-Verbose ('keyVaultResourceId [{0}]' -f $keyVaultResourceId) -Verbose
 Write-Verbose ('objectId [{0}]' -f $objectId) -Verbose
- # if ($PSCmdlet.ShouldProcess("Access policy [$objectId] from key vault [$keyVaultName]", 'Remove')) {
 if ($PSCmdlet.ShouldProcess(('Access policy [{0}] from key vault [{1}]' -f $objectId, $keyVaultName), 'Remove')) {
 $null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId
 }
- # if ((Get-AzRecoveryServicesVaultProperty -VaultId $resourceId).SoftDeleteFeatureState -ne 'Disabled') {
- # if ($PSCmdlet.ShouldProcess(('Soft-delete on RSV [{0}]' -f $resourceId), 'Set')) {
- # $null = Set-AzRecoveryServicesVaultProperty -VaultId $resourceId -SoftDeleteFeatureState 'Disable'
- # }
- # }
-
- # $backupItems = Get-AzRecoveryServicesBackupItem -BackupManagementType 'AzureVM' -WorkloadType 'AzureVM' -VaultId $resourceId
- # foreach ($backupItem in $backupItems) {
- # Write-Verbose ('Removing Backup item [{0}] from RSV [{1}]' -f $backupItem.Name, $resourceId) -Verbose
-
- # if ($backupItem.DeleteState -eq 'ToBeDeleted') {
- # if ($PSCmdlet.ShouldProcess('Soft-deleted backup data removal', 'Undo')) {
- # $null = Undo-AzRecoveryServicesBackupItemDeletion -Item $backupItem -VaultId $resourceId -Force
- # }
- # }
-
- # if ($PSCmdlet.ShouldProcess(('Backup item [{0}] from RSV [{1}]' -f $backupItem.Name, $resourceId), 'Remove')) {
- # $null = Disable-AzRecoveryServicesBackupProtection -Item $backupItem -VaultId $resourceId -RemoveRecoveryPoints -Force
- # }
- # }
-
 # Actual removal
 # --------------
 $null = Remove-AzResource -ResourceId $resourceId -Force -ErrorAction 'Stop'
From b16f1caf01aa37a00cdeec5c356f4b7920179533 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 21 Dec 2021 11:43:09 +0100
Subject: [PATCH 14/15] break
---
 .../pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
index b08c7221ca..7c39354bb5 100644
--- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
+++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
@@ -64,6 +64,7 @@ function Invoke-ResourceRemoval {
 # Actual removal
 # --------------
 $null = Remove-AzResource -ResourceId $resourceId -Force -ErrorAction 'Stop'
+ break
 }
 'Microsoft.RecoveryServices/vaults' {
 # Pre-Removal
From a462ee9098bd538df78b7e5c6ac9a9f543034418 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 21 Dec 2021 11:48:08 +0100
Subject: [PATCH 15/15] reason
---
 .../pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1 b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
index 7c39354bb5..1fd2854397 100644
--- a/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
+++ b/utilities/pipelines/resourceRemoval/helper/Invoke-ResourceRemoval.ps1
@@ -40,7 +40,7 @@ function Invoke-ResourceRemoval {
 break
 }
 'Microsoft.KeyVault/vaults/accessPolicies' {
- Write-Verbose ('Skip resource removal for type [{0}]' -f $type) -Verbose
+ Write-Verbose ('Skip resource removal for type [{0}]. Reason: handled by different logic.' -f $type) -Verbose
 break
 }
 'Microsoft.Compute/diskEncryptionSets' {
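Review bot: The added `break` is reached only after `Remove-AzResource ... -ErrorAction 'Stop'` succeeds, which is fine, but the pre-removal step of the same case (shown as context in the preceding patch's hunk, not in this one) calls `Remove-AzKeyVaultAccessPolicy` without `-ErrorAction 'Stop'`, so unless `$ErrorActionPreference` is set to Stop elsewhere a failed policy clean-up produces only a non-terminating error and the disk encryption set is still removed, leaving the Key Vault grant behind. Consider `$null = Remove-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $objectId -ErrorAction 'Stop'` so the run fails visibly instead. The diskEncryptionSets case starts before this hunk.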
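Review bot: "Reason: handled by different logic." in the reworded Write-Verbose message does not tell an operator where the access policy is actually removed, which matters because every skipped entry here is a Key Vault permission left in place. Name the handler: `Write-Verbose ('Skip resource removal for type [{0}]. Reason: removed as part of the diskEncryptionSets pre-removal.' -f $type) -Verbose`. That the policy is removed there is inferred from the Remove-AzKeyVaultAccessPolicy call visible as context earlier in this series; confirm that no other module in the repository deploys standalone access policies that this branch would now silently skip.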
