

[Modules] Servicebus: Added Customer-Managed-Key & additional resourc…
…e type handling for removal (#1586)

* Added encryption capabilities

* Cleanup

* Updated docs

* Added missing dot

* Added service bus removal case handling

* Update to latest

* Update to latest

* Update modules/Microsoft.ServiceBus/namespaces/deploy.bicep

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>

* Regenerated docs

* Moved param

Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
AlexanderSehr and eriqua authored Jul 9, 2022
1 parent fa8d770 commit 2373c29
Showing 4 changed files with 81 additions and 0 deletions.
9 changes: 9 additions & 0 deletions modules/Microsoft.ServiceBus/namespaces/.test/parameters.json
Expand Up @@ -162,6 +162,15 @@
"service": "namespace"
}
]
},
"cMKUserAssignedIdentityResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
},
"cMKKeyName": {
"value": "keyEncryptionKey"
},
"cMKKeyVaultResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-nopr-002"
}
}
}
39 changes: 39 additions & 0 deletions modules/Microsoft.ServiceBus/namespaces/deploy.bicep
Expand Up @@ -95,6 +95,21 @@ param queues array = []
@description('Optional. The topics to create in the service bus namespace.')
param topics array = []

@description('Optional. The resource ID of a key vault to reference a customer managed key for encryption from.')
param cMKKeyVaultResourceId string = ''

@description('Optional. The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key.')
param cMKKeyName string = ''

@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
param cMKKeyVersion string = ''

@description('Optional. User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first.')
param cMKUserAssignedIdentityResourceId string = ''

@description('Optional. Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters.')
param requireInfrastructureEncryption bool = true

@description('Optional. The name of logs that will be streamed.')
@allowed([
'OperationalLogs'
Expand Down Expand Up @@ -158,6 +173,16 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
}
}

resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) {
name: last(split(cMKKeyVaultResourceId, '/'))
scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
}

resource cMKKeyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId) && !empty(cMKKeyName)) {
name: '${last(split(cMKKeyVaultResourceId, '/'))}/${cMKKeyName}'
scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4])
}

resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' = {
name: !empty(name) ? name : uniqueServiceBusNamespaceName
location: location
Expand All @@ -168,6 +193,20 @@ resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2021-06-01-preview
identity: identity
properties: {
zoneRedundant: zoneRedundant
encryption: !empty(cMKKeyName) ? {
keySource: 'Microsoft.KeyVault'
keyVaultProperties: [
{
identity: !empty(cMKUserAssignedIdentityResourceId) ? {
userAssignedIdentity: cMKUserAssignedIdentityResourceId
} : null
keyName: cMKKeyName
keyVaultUri: cMKKeyVault.properties.vaultUri
keyVersion: !empty(cMKKeyVersion) ? cMKKeyVersion : last(split(cMKKeyVaultKey.properties.keyUriWithVersion, '/'))
}
]
requireInfrastructureEncryption: requireInfrastructureEncryption
} : null
}
}

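Review bot: The `encryption` block in the third hunk is emitted whenever `cMKKeyName` is set, but `cMKKeyVault` and `cMKKeyVaultKey` in the second hunk only exist when `cMKKeyVaultResourceId` is also set, so a key name given without a vault resource ID makes `keyVaultUri` and `keyVersion` dereference resources that were never declared. Gating on both inputs keeps the conditions consistent: `encryption: !empty(cMKKeyName) && !empty(cMKKeyVaultResourceId) ? {`. Separately, when `cMKKeyVersion` is empty the `keyVersion` line resolves the key's current version at deployment time and writes that fixed value into the namespace, so the namespace keeps using that version through later key rotations until the module is redeployed; the `cMKKeyVersion` description ("the latest key version is used") and the matching readme row should say that the version is resolved and pinned at deployment time, and whether the resource provider accepts an empty version for automatic rotation is worth confirming before relying on that default. The serviceBusNamespace resource begins before the third hunk.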
17 changes: 17 additions & 0 deletions modules/Microsoft.ServiceBus/namespaces/readme.md
Expand Up @@ -41,6 +41,10 @@ This module deploys a service bus namespace resource.
| Parameter Name | Type | Default Value | Allowed Values | Description |
| :-- | :-- | :-- | :-- | :-- |
| `authorizationRules` | _[authorizationRules](authorizationRules/readme.md)_ array | `[System.Collections.Hashtable]` | | Authorization Rules for the Service Bus namespace. |
| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. If not provided, encryption is automatically enabled with a Microsoft-managed key. |
| `cMKKeyVaultResourceId` | string | `''` | | The resource ID of a key vault to reference a customer managed key for encryption from. |
| `cMKKeyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
| `cMKUserAssignedIdentityResourceId` | string | `''` | | User assigned identity to use when fetching the customer managed key. If not provided, a system-assigned identity can be used - but must be given access to the referenced key vault first. |
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
| `diagnosticLogCategoriesToEnable` | array | `[OperationalLogs]` | `[OperationalLogs]` | The name of logs that will be streamed. |
Expand All @@ -59,6 +63,7 @@ This module deploys a service bus namespace resource.
| `networkRuleSets` | _[networkRuleSets](networkRuleSets/readme.md)_ object | `{object}` | | Configure networking options for Premium SKU Service Bus, ipRules and virtualNetworkRules are not required when using dedicated modules. |
| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
| `queues` | _[queues](queues/readme.md)_ array | `[]` | | The queues to create in the service bus namespace. |
| `requireInfrastructureEncryption` | bool | `True` | | Enable infrastructure encryption (double encryption). Note, this setting requires the configuration of Customer-Managed-Keys (CMK) via the corresponding module parameters. |
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
| `tags` | object | `{object}` | | Tags of the resource. |
Expand Down Expand Up @@ -534,6 +539,15 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = {
"service": "namespace"
}
]
},
"cMKUserAssignedIdentityResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
},
"cMKKeyName": {
"value": "keyEncryptionKey"
},
"cMKKeyVaultResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-nopr-002"
}
}
}
Expand Down Expand Up @@ -670,6 +684,9 @@ module namespaces './Microsoft.ServiceBus/namespaces/deploy.bicep' = {
service: 'namespace'
}
]
cMKUserAssignedIdentityResourceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001'
cMKKeyName: 'keyEncryptionKey'
cMKKeyVaultResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-nopr-002'
}
}
```
Expand Up @@ -57,6 +57,22 @@ function Invoke-ResourceRemoval {
Write-Verbose ('Skip resource removal for type [{0}]. Reason: handled by different logic.' -f $type) -Verbose
break
}
'Microsoft.ServiceBus/namespaces/ipfilterrules' {
Write-Verbose ('Skip resource removal for type [{0}]. Reason: Service Bus IP Filter Rules are not a resource that can be removed.' -f $type) -Verbose
break
}
'Microsoft.ServiceBus/namespaces/virtualnetworkrules' {
Write-Verbose ('Skip resource removal for type [{0}]. Reason: Service Bus Virtual Network Rules are not a resource that can be removed.' -f $type) -Verbose
break
}
'Microsoft.ServiceBus/namespaces/AuthorizationRules' {
if ((Split-Path $ResourceId '/')[-1] -eq 'RootManageSharedAccessKey') {
Write-Verbose ('Skip resource removal for type [{0}]. Reason: The Service Bus''s default authorization key [RootManageSharedAccessKey] cannot be removed.' -f $type) -Verbose
} else {
$null = Remove-AzResource -ResourceId $resourceId -Force -ErrorAction 'Stop'
}
break
}
'Microsoft.Compute/diskEncryptionSets' {
# Pre-Removal
# -----------
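Review bot: The `RootManageSharedAccessKey` guard in the new `Microsoft.ServiceBus/namespaces/AuthorizationRules` case relies on `Split-Path $ResourceId '/'`, but Split-Path does not take a delimiter as a second positional argument, so as far as I can tell the call raises a parameter-binding error, the comparison is made against `$null`, and execution falls through to `Remove-AzResource` on the very rule the branch is meant to protect. Splitting the string directly avoids this: `if (($ResourceId -split '/')[-1] -eq 'RootManageSharedAccessKey') {`. The variable is also spelled `$ResourceId` in the condition and `$resourceId` in the removal call; PowerShell treats them as the same variable, but one spelling would help readers. Invoke-ResourceRemoval starts before this hunk and continues after it.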
