fix: Added soft delete support to key vault
tannerwatson committed Dec 4, 2019
1 parent faf9e6b commit 81f631a
Showing 2 changed files with 161 additions and 65 deletions.
6 changes: 5 additions & 1 deletion ingredient/ingredient-key-vault/README.md
Expand Up @@ -39,13 +39,17 @@ recipe:
| enabledForDeployment | no | Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Default value is false |
| enabledForTemplateDeployment | no | Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Default value is false |
| enabledForDiskEncryption | no | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Default value is false |
| enableSoftDelete | no | Boolean flag to specify whether soft delete functionality is enabled. Default value is false |
| enablePurgeProtection | no | Boolean flag to specify whether purge protection is enabled. Default value is false |
## Utilities
Utility classes can be used inside of the bake.yaml file for parameter and source values.
### ``keyvalut`` class
### ``keyvault`` class
| function | description |
| -------- | ----------- |
| `create_resource_name()` | Returns the name created for the Key Vault when deployed |

### Function Details
220 changes: 156 additions & 64 deletions ingredient/ingredient-key-vault/src/arm.json
Expand Up @@ -9,8 +9,8 @@
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
"description": "Location for all resources."
}
},
"sku": {
"type": "string",
Expand Down Expand Up @@ -38,32 +38,55 @@
"metadata": {
"description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
}

},
"enabledForDeployment": {
"type": "bool",
"defaultValue": false
"defaultValue": false,
"metadata": {
"description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."
}
},
"enabledForTemplateDeployment": {
"type": "bool",
"defaultValue": false
"defaultValue": false,
"metadata": {
"description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault."
}
},
"enabledForDiskEncryption": {
"type": "bool",
"defaultValue": false
"defaultValue": false,
"metadata": {
"description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys."
}
},
"enableSoftDelete": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Specifies whether the soft delete functionality is enabled for this key vault."
}
},
"enablePurgeProtection": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Specifies whether protection against purge is enabled for this vault."
}
},
"networkAcls": {
"type": "object",
"type": "object",
"defaultValue": {},
"metadata": {
"description": "The network firewall defined for this vault."
}
},
"diagnosticsEnabled": {
"type": "string",
"defaultValue": "yes",
"metadata": {
"description": "Specifies whether to configure diagnostic settings to expose logs and metrics for consumption."
}
"type": "string",
"defaultValue": "yes",
"metadata": {
"description": "Specifies whether to configure diagnostic settings to expose logs and metrics for consumption."
}
},
"diagnosticsSettingName": {
"type": "string",
Expand Down Expand Up @@ -94,60 +117,129 @@
}
}
},
"resources": [
"resources": [{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10",
"name": "NoSoftDelete",
"condition": "[not(parameters('enableSoftDelete'))]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [{
"apiVersion": "2016-10-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"type": "Microsoft.KeyVault/vaults",
"properties": {
"enabledForDeployment": "[parameters('enabledForDeployment')]",
"enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
"enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
"accessPolicies": "[parameters('accessPolicies')]",
"tenantId": "[parameters('tenant')]",
"sku": {
"name": "[parameters('sku')]",
"family": "A"
},
"networkAcls": "[parameters('networkAcls')]"
},
"tags": {},
"resources": [{
"condition": "[equals(parameters('diagnosticsEnabled'), 'yes')]",
"type": "providers/diagnosticSettings",
"name": "[concat('Microsoft.Insights/', parameters('diagnosticsSettingName'))]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]"
],
"apiVersion": "2017-05-01-preview",
"properties": {
"name": "[parameters('diagnosticsSettingName')]",
"eventHubAuthorizationRuleId": "[resourceId(parameters('diagnosticsEventHubResourceGroup'),'Microsoft.EventHub/namespaces/authorizationRules', parameters('diagnosticsEventHubNamespace'), parameters('diagnosticsEventHubAuthorizationRule'))]",
"logs": [{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
}],
"metrics": [{
"timeGrain": "PT1M",
"enabled": true,
"retentionPolicy": {
"enabled": false,
"days": 0
}
}]
}
}]
}]
}
}
},
{
"apiVersion": "2016-10-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"type": "Microsoft.KeyVault/vaults",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2017-05-10",
"name": "SoftDelete",
"condition": "[parameters('enableSoftDelete')]",
"properties": {
"enabledForDeployment": "[parameters('enabledForDeployment')]",
"enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
"enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
"accessPolicies": "[parameters('accessPolicies')]",
"tenantId": "[parameters('tenant')]",
"sku": {
"name": "[parameters('sku')]",
"family": "A"
},
"networkAcls": "[parameters('networkAcls')]"
},
"tags": {},
"resources": [
{
"condition": "[equals(parameters('diagnosticsEnabled'), 'yes')]",
"type": "providers/diagnosticSettings",
"name": "[concat('Microsoft.Insights/', parameters('diagnosticsSettingName'))]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]"
],
"apiVersion": "2017-05-01-preview",
"properties": {
"name": "[parameters('diagnosticsSettingName')]",
"eventHubAuthorizationRuleId": "[resourceId(parameters('diagnosticsEventHubResourceGroup'),'Microsoft.EventHub/namespaces/authorizationRules', parameters('diagnosticsEventHubNamespace'), parameters('diagnosticsEventHubAuthorizationRule'))]",
"logs": [
{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
}
],
"metrics": [
{
"timeGrain": "PT1M",
"enabled": true,
"retentionPolicy": {
"enabled": false,
"days": 0
}
}
]
}
}
]
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [{
"apiVersion": "2016-10-01",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"type": "Microsoft.KeyVault/vaults",
"properties": {
"enabledForDeployment": "[parameters('enabledForDeployment')]",
"enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
"enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
"enableSoftDelete": "[parameters('enableSoftDelete')]",
"enablePurgeProtection": "[parameters('enablePurgeProtection')]",
"accessPolicies": "[parameters('accessPolicies')]",
"tenantId": "[parameters('tenant')]",
"sku": {
"name": "[parameters('sku')]",
"family": "A"
},
"networkAcls": "[parameters('networkAcls')]"
},
"tags": {},
"resources": [{
"condition": "[equals(parameters('diagnosticsEnabled'), 'yes')]",
"type": "providers/diagnosticSettings",
"name": "[concat('Microsoft.Insights/', parameters('diagnosticsSettingName'))]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]"
],
"apiVersion": "2017-05-01-preview",
"properties": {
"name": "[parameters('diagnosticsSettingName')]",
"eventHubAuthorizationRuleId": "[resourceId(parameters('diagnosticsEventHubResourceGroup'),'Microsoft.EventHub/namespaces/authorizationRules', parameters('diagnosticsEventHubNamespace'), parameters('diagnosticsEventHubAuthorizationRule'))]",
"logs": [{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
}],
"metrics": [{
"timeGrain": "PT1M",
"enabled": true,
"retentionPolicy": {
"enabled": false,
"days": 0
}
}]
}
}]
}]
}
}
}
]
}
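Review bot: A caller who sets `enablePurgeProtection` to true without also setting `enableSoftDelete` gets neither: with `enableSoftDelete` at its default of false the `NoSoftDelete` deployment is the one whose condition holds, and that branch never passes `enablePurgeProtection` to the vault resource, so the request is dropped without any error. Purge protection only has meaning on a vault that has soft delete enabled, and once enabled it cannot be turned off, so the README row for the parameter should state both, e.g. `Requires enableSoftDelete to be true; ignored otherwise. Cannot be disabled once enabled.`; alternatively the `SoftDelete` deployment's condition could be widened so a mismatch fails at deploy time instead of silently. Because this ingredient provisions a secrets store, defaulting `enableSoftDelete` to true would be the safer baseline: a vault deleted without it, and every secret and key in it, is unrecoverable. The two nested deployments duplicate the entire vault and diagnostics definition (presumably because the 2016-10-01 API rejects an explicit `"enableSoftDelete": false`), so any future property change now has to be applied in both copies or the branches will drift.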
