From b985d5f2905acfef78b51e427b2e85dab5304068 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Thu, 16 Jan 2025 00:16:50 +0100 Subject: [PATCH] feat: KeyVault - Updated UDTs to pending specs (#4111) ## Description Updated user-defined types with pending https://github.com/Azure/Azure-Verified-Modules/pull/1738 & https://github.com/Azure/bicep-registry-modules/pull/4098. ## Pipeline Reference | Pipeline | | -------- | [![avm.res.key-vault.vault](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.key-vault.vault.yml/badge.svg?branch=users%2Falsehr%2FkeyVault_udt&event=workflow_dispatch)](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.key-vault.vault.yml) ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. 
- [ ] Update to documentation --- avm/res/key-vault/vault/README.md | 30 +- .../key-vault/vault/access-policy/README.md | 2 +- .../key-vault/vault/access-policy/main.bicep | 26 +- .../key-vault/vault/access-policy/main.json | 291 +++++++-------- avm/res/key-vault/vault/key/README.md | 2 +- avm/res/key-vault/vault/key/main.bicep | 2 +- avm/res/key-vault/vault/key/main.json | 4 +- avm/res/key-vault/vault/main.bicep | 24 +- avm/res/key-vault/vault/main.json | 348 +++++++++--------- avm/res/key-vault/vault/secret/README.md | 2 +- avm/res/key-vault/vault/secret/main.bicep | 2 +- avm/res/key-vault/vault/secret/main.json | 4 +- .../vault/tests/e2e/defaults/main.test.bicep | 1 - .../vault/tests/e2e/eckey/main.test.bicep | 1 - .../vault/tests/e2e/rsakey/main.test.bicep | 1 - .../tests/e2e/waf-aligned/main.test.bicep | 1 - 16 files changed, 370 insertions(+), 371 deletions(-) diff --git a/avm/res/key-vault/vault/README.md b/avm/res/key-vault/vault/README.md index 1e997d6051..2b076102a2 100644 --- a/avm/res/key-vault/vault/README.md +++ b/avm/res/key-vault/vault/README.md 
@@ -19,7 +19,7 @@ This module deploys a Key Vault. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.KeyVault/vaults` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults) | -| `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) | +| `Microsoft.KeyVault/vaults/accessPolicies` | [2023-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2023-07-01/vaults/accessPolicies) | | `Microsoft.KeyVault/vaults/keys` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/keys) | | `Microsoft.KeyVault/vaults/secrets` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/secrets) | | `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) | @@ -56,7 +56,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { name: 'kvvmin002' // Non-required parameters enablePurgeProtection: false - location: '' } } ``` @@ -80,9 +79,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { // Non-required parameters "enablePurgeProtection": { "value": false - }, - "location": { - "value": "" } } } @@ -102,7 +98,6 @@ using 'br/public:avm/res/key-vault/vault:' param name = 'kvvmin002' // Non-required parameters param enablePurgeProtection = false -param location = '' ``` @@ -159,7 +154,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { } } ] - location: '' } } ``` 
@@ -219,9 +213,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { } } ] - }, - "location": { - "value": "" } } } @@ -275,7 +266,6 @@ param keys = [ } } ] -param location = '' ``` @@ -1111,7 +1101,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { } } ] - location: '' } } ``` @@ -1171,9 +1160,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { } } ] - }, - "location": { - "value": "" } } } @@ -1227,7 +1213,6 @@ param keys = [ } } ] -param location = '' ``` @@ -1293,7 +1278,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { } } ] - location: '' networkAcls: { bypass: 'AzureServices' defaultAction: 'Deny' @@ -1400,9 +1384,6 @@ module vault 'br/public:avm/res/key-vault/vault:' = { } ] }, - "location": { - "value": "" - }, "networkAcls": { "value": { "bypass": "AzureServices", @@ -1509,7 +1490,6 @@ param keys = [ } } ] -param location = '' param networkAcls = { bypass: 'AzureServices' defaultAction: 'Deny' 
@@ -2433,7 +2413,7 @@ Configuration details for private endpoints. For security reasons, it is recomme | [`name`](#parameter-privateendpointsname) | string | The name of the Private Endpoint. | | [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS Zone Group to configure for the Private Endpoint. | | [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. | -| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. | +| [`resourceGroupResourceId`](#parameter-privateendpointsresourcegroupresourceid) | string | The resource ID of the Resource Group the Private Endpoint will be created in. If not specified, the Resource Group of the provided Virtual Network Subnet is used. | | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | | [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint. | | [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/Resource Groups in this deployment. | @@ -2686,9 +2666,9 @@ The name of the private link connection to create. - Required: No - Type: string -### Parameter: `privateEndpoints.resourceGroupName` +### Parameter: `privateEndpoints.resourceGroupResourceId` -Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. +The resource ID of the Resource Group the Private Endpoint will be created in. If not specified, the Resource Group of the provided Virtual Network Subnet is used. - Required: No - Type: string 
@@ -3189,7 +3169,7 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | | `br/public:avm/res/network/private-endpoint:0.9.0` | Remote reference | -| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.5.1` | Remote reference | ## Data Collection diff --git a/avm/res/key-vault/vault/access-policy/README.md b/avm/res/key-vault/vault/access-policy/README.md index 23286ad221..96339cfd35 100644 --- a/avm/res/key-vault/vault/access-policy/README.md +++ b/avm/res/key-vault/vault/access-policy/README.md @@ -12,7 +12,7 @@ This module deploys a Key Vault Access Policy. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.KeyVault/vaults/accessPolicies` | [2022-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2022-07-01/vaults/accessPolicies) | +| `Microsoft.KeyVault/vaults/accessPolicies` | [2023-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2023-07-01/vaults/accessPolicies) | ## Parameters diff --git a/avm/res/key-vault/vault/access-policy/main.bicep b/avm/res/key-vault/vault/access-policy/main.bicep index 8a274ac588..33a20ec88a 100644 --- a/avm/res/key-vault/vault/access-policy/main.bicep +++ b/avm/res/key-vault/vault/access-policy/main.bicep 
@@ -6,26 +6,24 @@ metadata owner = 'Azure/module-maintainers'
 param keyVaultName string
 
 @description('Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault\'s tenant ID.')
-param accessPolicies accessPoliciesType
-
-var formattedAccessPolicies = [
- for accessPolicy in (accessPolicies ?? []): {
- applicationId: accessPolicy.?applicationId ?? ''
- objectId: accessPolicy.objectId
- permissions: accessPolicy.permissions
- tenantId: accessPolicy.?tenantId ?? tenant().tenantId
- }
-]
+param accessPolicies accessPoliciesType[]?
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
 name: keyVaultName
 }
 
-resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
+resource policies 'Microsoft.KeyVault/vaults/accessPolicies@2023-07-01' = {
 name: 'add'
 parent: keyVault
 properties: {
- accessPolicies: formattedAccessPolicies
+ accessPolicies: [
+ for accessPolicy in (accessPolicies ?? []): {
+ applicationId: accessPolicy.?applicationId ?? ''
+ objectId: accessPolicy.objectId
+ permissions: accessPolicy.permissions
+ tenantId: accessPolicy.?tenantId ?? tenant().tenantId
+ }
+ ]
 }
 }
 
@@ -41,6 +39,8 @@ output resourceId string = policies.id
 // ================ //
 // Definitions //
 // ================ //
+@export()
+@description('The type for an access policy.')
 type accessPoliciesType = {
 @description('Optional. The tenant ID that is used for authenticating requests to the key vault.')
 tenantId: string?
@@ -118,4 +118,4 @@ type accessPoliciesType = {
 | 'setsas'
 | 'update')[]?
 }
-}[]?
+}
diff --git a/avm/res/key-vault/vault/access-policy/main.json b/avm/res/key-vault/vault/access-policy/main.json
index 0618c7e29a..09c42aa4dc 100644
--- a/avm/res/key-vault/vault/access-policy/main.json
+++ b/avm/res/key-vault/vault/access-policy/main.json
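Review bot: The parameter description still promises "0 to 16 identities", but the new declaration `param accessPolicies accessPoliciesType[]?` carries no upper bound, so a 17th entry is only rejected by the resource provider at deployment time instead of by the compiler. Bicep's `@maxLength` decorator applies to array parameters, so placing `@maxLength(16)` directly above `param accessPolicies accessPoliciesType[]?` turns the documented limit into a build-time check and keeps the description honest. Separately, the access-policy resource moves to `2023-07-01` while the `existing` vault reference a few lines above stays on `2022-07-01`; that is harmless, but a short comment on the `existing` line (or a matching bump) would stop a later reader from assuming it was overlooked.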
@@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "3969955574908853094" + "templateHash": "6744070574147884656" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", 
@@ -14,139 +14,139 @@ }, "definitions": { "accessPoliciesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "tenantId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The tenant ID that is used for authenticating requests to the key vault." - } - }, - "objectId": { - "type": "string", - "metadata": { - "description": "Required. The object ID of a user, service principal or security group in the tenant for the vault." - } - }, - "applicationId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Application ID of the client making request on behalf of a principal." - } - }, - "permissions": { - "type": "object", - "properties": { - "keys": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "create", - "decrypt", - "delete", - "encrypt", - "get", - "getrotationpolicy", - "import", - "list", - "purge", - "recover", - "release", - "restore", - "rotate", - "setrotationpolicy", - "sign", - "unwrapKey", - "update", - "verify", - "wrapKey" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to keys." - } - }, - "secrets": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "delete", - "get", - "list", - "purge", - "recover", - "restore", - "set" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to secrets." - } - }, - "certificates": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "create", - "delete", - "deleteissuers", - "get", - "getissuers", - "import", - "list", - "listissuers", - "managecontacts", - "manageissuers", - "purge", - "recover", - "restore", - "setissuers", - "update" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to certificates." 
- } - }, - "storage": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "delete", - "deletesas", - "get", - "getsas", - "list", - "listsas", - "purge", - "recover", - "regeneratekey", - "restore", - "set", - "setsas", - "update" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to storage accounts." - } + "type": "object", + "properties": { + "tenantId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The tenant ID that is used for authenticating requests to the key vault." + } + }, + "objectId": { + "type": "string", + "metadata": { + "description": "Required. The object ID of a user, service principal or security group in the tenant for the vault." + } + }, + "applicationId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Application ID of the client making request on behalf of a principal." + } + }, + "permissions": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "decrypt", + "delete", + "encrypt", + "get", + "getrotationpolicy", + "import", + "list", + "purge", + "recover", + "release", + "restore", + "rotate", + "setrotationpolicy", + "sign", + "unwrapKey", + "update", + "verify", + "wrapKey" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to keys." } }, - "metadata": { - "description": "Required. Permissions the identity has for keys, secrets and certificates." + "secrets": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "get", + "list", + "purge", + "recover", + "restore", + "set" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to secrets." 
+ } + }, + "certificates": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "delete", + "deleteissuers", + "get", + "getissuers", + "import", + "list", + "listissuers", + "managecontacts", + "manageissuers", + "purge", + "recover", + "restore", + "setissuers", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to certificates." + } + }, + "storage": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "deletesas", + "get", + "getsas", + "list", + "listsas", + "purge", + "recover", + "regeneratekey", + "restore", + "set", + "setsas", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to storage accounts." + } } + }, + "metadata": { + "description": "Required. Permissions the identity has for keys, secrets and certificates." } } }, - "nullable": true + "metadata": { + "__bicep_export!": true, + "description": "The type for an access policy." + } } }, "parameters": { 
@@ -157,26 +157,16 @@ } }, "accessPolicies": { - "$ref": "#/definitions/accessPoliciesType", + "type": "array", + "items": { + "$ref": "#/definitions/accessPoliciesType" + }, + "nullable": true, "metadata": { "description": "Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." } } }, - "variables": { - "copy": [ - { - "name": "formattedAccessPolicies", - "count": "[length(coalesce(parameters('accessPolicies'), createArray()))]", - "input": { - "applicationId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), '')]", - "objectId": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId]", - "permissions": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].permissions]", - "tenantId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), tenant().tenantId)]" - } - } - ] - }, "resources": { "keyVault": { "existing": true, 
@@ -186,10 +176,21 @@ }, "policies": { "type": "Microsoft.KeyVault/vaults/accessPolicies", - "apiVersion": "2022-07-01", + "apiVersion": "2023-07-01", "name": "[format('{0}/{1}', parameters('keyVaultName'), 'add')]", "properties": { - "accessPolicies": "[variables('formattedAccessPolicies')]" + "copy": [ + { + "name": "accessPolicies", + "count": "[length(coalesce(parameters('accessPolicies'), createArray()))]", + "input": { + "applicationId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')], 'applicationId'), '')]", + "objectId": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')].objectId]", + "permissions": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')].permissions]", + "tenantId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')], 'tenantId'), tenant().tenantId)]" + } + } + ] } } }, diff --git a/avm/res/key-vault/vault/key/README.md b/avm/res/key-vault/vault/key/README.md index c4d0e93785..0294ca74b4 100644 --- a/avm/res/key-vault/vault/key/README.md +++ b/avm/res/key-vault/vault/key/README.md @@ -288,4 +288,4 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.5.1` | Remote reference | diff --git a/avm/res/key-vault/vault/key/main.bicep b/avm/res/key-vault/vault/key/main.bicep index 68ce8138b4..41af8b7d5e 100644 --- a/avm/res/key-vault/vault/key/main.bicep +++ b/avm/res/key-vault/vault/key/main.bicep 
@@ -56,7 +56,7 @@ param kty string = 'EC' @description('Optional. Key release policy.') param releasePolicy object? -import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType[]? diff --git a/avm/res/key-vault/vault/key/main.json b/avm/res/key-vault/vault/key/main.json index 7742b5612e..18b6e7fc95 100644 --- a/avm/res/key-vault/vault/key/main.json +++ b/avm/res/key-vault/vault/key/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "15613133519974526575" + "templateHash": "15884853996194439605" }, "name": "Key Vault Keys", "description": "This module deploys a Key Vault Key.", @@ -84,7 +84,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } diff --git a/avm/res/key-vault/vault/main.bicep b/avm/res/key-vault/vault/main.bicep index f2858a0c84..a0db3d2bbf 100644 --- a/avm/res/key-vault/vault/main.bicep +++ b/avm/res/key-vault/vault/main.bicep 
@@ -63,22 +63,22 @@ param networkAcls object? ]) param publicNetworkAccess string = '' -import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. The lock settings of the service.') param lock lockType? -import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType[]? -import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointSingleServiceType[]? @description('Optional. Resource tags.') param tags object? -import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.5.1' @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingFullType[]? 
@@ -308,7 +308,15 @@ module keyVault_keys 'key/main.bicep' = [
 module keyVault_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.9.0' = [
 for (privateEndpoint, index) in (privateEndpoints ?? []): {
 name: '${uniqueString(deployment().name, location)}-keyVault-PrivateEndpoint-${index}'
- scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '')
+ scope: !empty(privateEndpoint.?resourceGroupResourceId)
+ ? resourceGroup(
+ split((privateEndpoint.?resourceGroupResourceId ?? '//'), '/')[2],
+ split((privateEndpoint.?resourceGroupResourceId ?? '////'), '/')[4]
+ )
+ : resourceGroup(
+ split((privateEndpoint.?subnetResourceId ?? '//'), '/')[2],
+ split((privateEndpoint.?subnetResourceId ?? '////'), '/')[4]
+ )
 params: {
 name: privateEndpoint.?name ?? 'pep-${last(split(keyVault.id, '/'))}-${privateEndpoint.?service ?? 'vault'}-${index}'
 privateLinkServiceConnections: privateEndpoint.?isManualConnection != true
@@ -425,6 +433,7 @@ output keys credentialOutputType[] = [
 // Definitions //
 // ================ //
 @export()
+@description('The type for a private endpoint output.')
 type privateEndpointOutputType = {
 @description('The name of the private endpoint.')
 name: string
@@ -449,6 +458,7 @@ type privateEndpointOutputType = {
 }
 
 @export()
+@description('The type for a credential output.')
 type credentialOutputType = {
 @description('The item\'s resourceId.')
 resourceId: string
@@ -461,6 +471,7 @@ type credentialOutputType = {
 }
 
 @export()
+@description('The type for an access policy.')
 type accessPolicyType = {
 @description('Optional. The tenant ID that is used for authenticating requests to the key vault.')
 tenantId: string?
@@ -541,6 +552,7 @@ type accessPolicyType = {
 }
 
 @export()
+@description('The type for a secret output.')
 type secretType = {
 @description('Required. The name of the secret.')
 name: string
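Review bot: The new `scope:` expression only guards against a null ID, not a malformed one: the `?? '//'` and `?? '////'` fallbacks make the `split(...)[2]` / `[4]` indexing safe when the value is absent, but a non-empty `resourceGroupResourceId` (or `subnetResourceId`) with fewer than five `/`-separated segments still fails with an index error at deployment time rather than a clear validation message. The change also widens where the endpoint can land: the old single-argument `resourceGroup(...)` stayed in the current subscription, whereas the two-argument form now follows the subscription and resource group taken from the supplied ID or, by default, from the subnet's ID, so the deploying identity needs write rights on that resource group, which presumably may live in another subscription — this is currently only stated in the README. A comment above the `scope:` line would make that visible to readers of the template: `// Scope follows the explicit resource-group ID, else the subnet's subscription/RG; the deploying identity needs permissions there.` The `module keyVault_privateEndpoints` block continues past the end of this hunk.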
@@ -571,6 +583,7 @@ type secretType = { } @export() +@description('The type for a key.') type keyType = { @description('Required. The name of the key.') name: string @@ -617,6 +630,7 @@ type keyType = { roleAssignments: roleAssignmentType[]? } +@description('The type for a rotation policy.') type rotationPolicyType = { @description('Optional. The attributes of key rotation policy.') attributes: { diff --git a/avm/res/key-vault/vault/main.json b/avm/res/key-vault/vault/main.json index d89c9bf8a9..2bd3699c24 100644 --- a/avm/res/key-vault/vault/main.json +++ b/avm/res/key-vault/vault/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "9360899285262740387" + "templateHash": "5900566328584197217" }, "name": "Key Vaults", "description": "This module deploys a Key Vault.", @@ -73,7 +73,8 @@ } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for a private endpoint output." } }, "credentialOutputType": { @@ -99,7 +100,8 @@ } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for a credential output." } }, "accessPolicyType": { @@ -233,7 +235,8 @@ } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for an access policy." } }, "secretType": { @@ -307,7 +310,8 @@ } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for a secret output." } }, "keyType": { @@ -453,7 +457,8 @@ } }, "metadata": { - "__bicep_export!": true + "__bicep_export!": true, + "description": "The type for a key." } }, "rotationPolicyType": { @@ -530,6 +535,9 @@ "description": "Optional. The lifetimeActions for key rotation action." } } + }, + "metadata": { + "description": "The type for a rotation policy." } }, "_1.privateEndpointCustomDnsConfigType": { 
@@ -554,7 +562,7 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -596,7 +604,7 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -637,7 +645,7 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -759,7 +767,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -789,7 +797,7 @@ "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -830,6 +838,13 @@ "description": "Required. Resource ID of the subnet where the endpoint needs to be created." } }, + "resourceGroupResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The resource ID of the Resource Group the Private Endpoint will be created in. If not specified, the Resource Group of the provided Virtual Network Subnet is used." + } + }, "privateDnsZoneGroup": { "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType", "nullable": true, 
@@ -919,19 +934,12 @@ "metadata": { "description": "Optional. Enable/Disable usage telemetry for module." } - }, - "resourceGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource." - } } }, "metadata": { "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can be assumed (i.e., for services that only have one Private Endpoint type like 'vault' for key vault).", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } }, @@ -1006,7 +1014,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1" } } } @@ -1379,7 +1387,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "3969955574908853094" + "templateHash": "6744070574147884656" }, "name": "Key Vault Access Policies", "description": "This module deploys a Key Vault Access Policy.", 
@@ -1387,139 +1395,139 @@ }, "definitions": { "accessPoliciesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "tenantId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The tenant ID that is used for authenticating requests to the key vault." - } - }, - "objectId": { - "type": "string", - "metadata": { - "description": "Required. The object ID of a user, service principal or security group in the tenant for the vault." - } - }, - "applicationId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Application ID of the client making request on behalf of a principal." - } - }, - "permissions": { - "type": "object", - "properties": { - "keys": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "create", - "decrypt", - "delete", - "encrypt", - "get", - "getrotationpolicy", - "import", - "list", - "purge", - "recover", - "release", - "restore", - "rotate", - "setrotationpolicy", - "sign", - "unwrapKey", - "update", - "verify", - "wrapKey" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to keys." - } - }, - "secrets": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "delete", - "get", - "list", - "purge", - "recover", - "restore", - "set" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to secrets." - } - }, - "certificates": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "create", - "delete", - "deleteissuers", - "get", - "getissuers", - "import", - "list", - "listissuers", - "managecontacts", - "manageissuers", - "purge", - "recover", - "restore", - "setissuers", - "update" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to certificates." 
- } - }, - "storage": { - "type": "array", - "allowedValues": [ - "all", - "backup", - "delete", - "deletesas", - "get", - "getsas", - "list", - "listsas", - "purge", - "recover", - "regeneratekey", - "restore", - "set", - "setsas", - "update" - ], - "nullable": true, - "metadata": { - "description": "Optional. Permissions to storage accounts." - } + "type": "object", + "properties": { + "tenantId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The tenant ID that is used for authenticating requests to the key vault." + } + }, + "objectId": { + "type": "string", + "metadata": { + "description": "Required. The object ID of a user, service principal or security group in the tenant for the vault." + } + }, + "applicationId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Application ID of the client making request on behalf of a principal." + } + }, + "permissions": { + "type": "object", + "properties": { + "keys": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "decrypt", + "delete", + "encrypt", + "get", + "getrotationpolicy", + "import", + "list", + "purge", + "recover", + "release", + "restore", + "rotate", + "setrotationpolicy", + "sign", + "unwrapKey", + "update", + "verify", + "wrapKey" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to keys." } }, - "metadata": { - "description": "Required. Permissions the identity has for keys, secrets and certificates." + "secrets": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "get", + "list", + "purge", + "recover", + "restore", + "set" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to secrets." 
+ } + }, + "certificates": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "create", + "delete", + "deleteissuers", + "get", + "getissuers", + "import", + "list", + "listissuers", + "managecontacts", + "manageissuers", + "purge", + "recover", + "restore", + "setissuers", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to certificates." + } + }, + "storage": { + "type": "array", + "allowedValues": [ + "all", + "backup", + "delete", + "deletesas", + "get", + "getsas", + "list", + "listsas", + "purge", + "recover", + "regeneratekey", + "restore", + "set", + "setsas", + "update" + ], + "nullable": true, + "metadata": { + "description": "Optional. Permissions to storage accounts." + } } + }, + "metadata": { + "description": "Required. Permissions the identity has for keys, secrets and certificates." } } }, - "nullable": true + "metadata": { + "__bicep_export!": true, + "description": "The type for an access policy." + } } }, "parameters": { 
@@ -1530,26 +1538,16 @@
 }
 },
 "accessPolicies": {
- "$ref": "#/definitions/accessPoliciesType",
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/accessPoliciesType"
+ },
+ "nullable": true,
 "metadata": {
 "description": "Optional. An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID."
 }
 }
 },
- "variables": {
- "copy": [
- {
- "name": "formattedAccessPolicies",
- "count": "[length(coalesce(parameters('accessPolicies'), createArray()))]",
- "input": {
- "applicationId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'applicationId'), '')]",
- "objectId": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].objectId]",
- "permissions": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')].permissions]",
- "tenantId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('formattedAccessPolicies')], 'tenantId'), tenant().tenantId)]"
- }
- }
- ]
- },
 "resources": {
 "keyVault": {
 "existing": true,
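Review bot: The new `accessPolicies` parameter is a plain nullable array with no length constraint, while its description still promises "0 to 16 identities", so an oversized list is only rejected by the service at deployment time rather than at validation. If that bound is meant to be enforced, it belongs in the Bicep source this JSON is generated from — `@maxLength(16)` on the parameter, which compiles to `"maxLength": 16` here; if it is only descriptive, I would reword the description so it does not read as a validated limit. The same description's requirement that every entry carry the vault's tenant ID is likewise not something the schema can check, which is worth stating in the Bicep parameter description.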
@@ -1559,10 +1557,21 @@
 },
 "policies": {
 "type": "Microsoft.KeyVault/vaults/accessPolicies",
- "apiVersion": "2022-07-01",
+ "apiVersion": "2023-07-01",
 "name": "[format('{0}/{1}', parameters('keyVaultName'), 'add')]",
 "properties": {
- "accessPolicies": "[variables('formattedAccessPolicies')]"
+ "copy": [
+ {
+ "name": "accessPolicies",
+ "count": "[length(coalesce(parameters('accessPolicies'), createArray()))]",
+ "input": {
+ "applicationId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')], 'applicationId'), '')]",
+ "objectId": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')].objectId]",
+ "permissions": "[coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')].permissions]",
+ "tenantId": "[coalesce(tryGet(coalesce(parameters('accessPolicies'), createArray())[copyIndex('accessPolicies')], 'tenantId'), tenant().tenantId)]"
+ }
+ }
+ ]
 }
 }
 },
@@ -1645,7 +1654,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.32.4.45862",
- "templateHash": "17861251076091988255"
+ "templateHash": "6967022677055315423"
 },
 "name": "Key Vault Secrets",
 "description": "This module deploys a Key Vault Secret.",
@@ -1723,7 +1732,7 @@
 "metadata": {
 "description": "An AVM-aligned type for a role assignment.",
 "__bicep_imported_from!": {
- "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
 }
 }
 }
@@ -1960,7 +1969,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.32.4.45862",
- "templateHash": "15613133519974526575"
+ "templateHash": "15884853996194439605"
 },
 "name": "Key Vault Keys",
 "description": "This module deploys a Key Vault Key.",
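Review bot: The `tenantId` fallback in the inlined `copy` block is `tenant().tenantId`, i.e. the tenant of the deployment, whereas the parameter description in the preceding hunk requires each policy to use the vault's own tenant ID; the two normally coincide, but the fallback is not derived from the vault. Since the `keyVault` existing resource is declared in this template, its tenant could serve as the fallback instead — presumably via `reference('keyVault').tenantId`, which I would confirm compiles for this template's language version before changing the Bicep source. Separately, a missing `applicationId` is sent as an empty string rather than omitted; this is inherited from the removed `formattedAccessPolicies` variable, so if the service accepts it, a one-line comment in the Bicep source saying the empty string is intentional would save the next reader the question.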
@@ -2038,7 +2047,7 @@
 "metadata": {
 "description": "An AVM-aligned type for a role assignment.",
 "__bicep_imported_from!": {
- "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
 }
 }
 }
@@ -2268,7 +2277,6 @@
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
 "name": "[format('{0}-keyVault-PrivateEndpoint-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
- "resourceGroup": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'resourceGroupName'), '')]",
 "properties": {
 "expressionEvaluationOptions": {
 "scope": "inner"
diff --git a/avm/res/key-vault/vault/secret/README.md b/avm/res/key-vault/vault/secret/README.md
index 5ce71cab32..64d7b573b2 100644
--- a/avm/res/key-vault/vault/secret/README.md
+++ b/avm/res/key-vault/vault/secret/README.md
@@ -223,4 +223,4 @@ This section gives you an overview of all local-referenced module files (i.e., o
 | Reference | Type |
 | :-- | :-- |
-| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference |
+| `br/public:avm/utl/types/avm-common-types:0.5.1` | Remote reference |
diff --git a/avm/res/key-vault/vault/secret/main.bicep b/avm/res/key-vault/vault/secret/main.bicep
index b822e63ba3..3faf6b6474 100644
--- a/avm/res/key-vault/vault/secret/main.bicep
+++ b/avm/res/key-vault/vault/secret/main.bicep
@@ -28,7 +28,7 @@ param contentType string?
 @secure()
 param value string
-import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
diff --git a/avm/res/key-vault/vault/secret/main.json b/avm/res/key-vault/vault/secret/main.json
index b395d3e978..bdda80f113 100644
--- a/avm/res/key-vault/vault/secret/main.json
+++ b/avm/res/key-vault/vault/secret/main.json
@@ -6,7 +6,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.32.4.45862",
- "templateHash": "17861251076091988255"
+ "templateHash": "6967022677055315423"
 },
 "name": "Key Vault Secrets",
 "description": "This module deploys a Key Vault Secret.",
@@ -84,7 +84,7 @@
 "metadata": {
 "description": "An AVM-aligned type for a role assignment.",
 "__bicep_imported_from!": {
- "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.5.1"
 }
 }
 }
diff --git a/avm/res/key-vault/vault/tests/e2e/defaults/main.test.bicep b/avm/res/key-vault/vault/tests/e2e/defaults/main.test.bicep
index fe1f1e70c5..89d9dfa440 100644
--- a/avm/res/key-vault/vault/tests/e2e/defaults/main.test.bicep
+++ b/avm/res/key-vault/vault/tests/e2e/defaults/main.test.bicep
@@ -42,7 +42,6 @@ module testDeployment '../../../main.bicep' = [
 name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}002'
- location: resourceLocation
 // Only for testing purposes
 enablePurgeProtection: false
 }
diff --git a/avm/res/key-vault/vault/tests/e2e/eckey/main.test.bicep b/avm/res/key-vault/vault/tests/e2e/eckey/main.test.bicep
index 820d3bab2e..88b1b187f8 100644
--- a/avm/res/key-vault/vault/tests/e2e/eckey/main.test.bicep
+++ b/avm/res/key-vault/vault/tests/e2e/eckey/main.test.bicep
@@ -42,7 +42,6 @@ module testDeployment '../../../main.bicep' = [
 name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}002'
- location: resourceLocation
 // Only for testing purposes
 enablePurgeProtection: false
 enableRbacAuthorization: true
diff --git a/avm/res/key-vault/vault/tests/e2e/rsakey/main.test.bicep b/avm/res/key-vault/vault/tests/e2e/rsakey/main.test.bicep
index 09a406942b..2879588b09 100644
--- a/avm/res/key-vault/vault/tests/e2e/rsakey/main.test.bicep
+++ b/avm/res/key-vault/vault/tests/e2e/rsakey/main.test.bicep
@@ -42,7 +42,6 @@ module testDeployment '../../../main.bicep' = [
 name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}002'
- location: resourceLocation
 // Only for testing purposes
 enablePurgeProtection: false
 enableRbacAuthorization: true
diff --git a/avm/res/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep b/avm/res/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep
index be536debf7..31d0ef9550 100644
--- a/avm/res/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep
+++ b/avm/res/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep
@@ -66,7 +66,6 @@ module testDeployment '../../../main.bicep' = [
 name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
 params: {
 name: '${namePrefix}${serviceShort}002'
- location: resourceLocation
 diagnosticSettings: [
 {
 eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName