[PSRule] Fix Keyvault issues #3989

Merged
merged 40 commits into from
Sep 21, 2023
40 commits
d3fde10
uniquestring with utc datetime
fabmas Sep 15, 2023
e8aa6bf
json rollback and psrule ver update
elanzel Sep 15, 2023
7bba3c4
1.29.0
elanzel Sep 15, 2023
fbe5adb
upd
fabmas Sep 16, 2023
493677a
upd
fabmas Sep 18, 2023
f903ed3
upd
fabmas Sep 18, 2023
1f2dfaa
utcnow
fabmas Sep 18, 2023
c123357
undo
fabmas Sep 18, 2023
7abb6bc
newGUID
fabmas Sep 18, 2023
f4587b8
test
fabmas Sep 18, 2023
e54cbd9
upd
fabmas Sep 18, 2023
d6e7676
upd
fabmas Sep 18, 2023
6a15047
upd
fabmas Sep 18, 2023
ef1c414
upd
fabmas Sep 18, 2023
f5dc223
upd
fabmas Sep 18, 2023
613c346
removed 'all' permission from secret
fabmas Sep 18, 2023
f36f0a7
upd
fabmas Sep 18, 2023
7826ef4
upd
fabmas Sep 18, 2023
cc5a9a1
upd
fabmas Sep 18, 2023
f92341f
upd
fabmas Sep 18, 2023
f61433e
upd
fabmas Sep 19, 2023
fbea017
Added accesspolicies testing
elenabatanero Sep 19, 2023
32f06c1
Adding acls
elenabatanero Sep 19, 2023
0059cdb
fixed psrule
elenabatanero Sep 19, 2023
7abcfb6
updated readme
elenabatanero Sep 19, 2023
419ac77
Update modules/key-vault/vault/.test/accesspolicies/main.test.bicep
elbatane Sep 20, 2023
b1464f3
Merge branch 'main' of https://github.com/Azure/ResourceModules into …
elanzel Sep 20, 2023
ea456a6
enable rbac auth true as default
elanzel Sep 20, 2023
2338b28
readme file update
elanzel Sep 20, 2023
53869eb
main.json updated
elanzel Sep 20, 2023
d2f679d
shorted storageAccountName for accesspolicies
elanzel Sep 20, 2023
6a34e4b
updated shor prefix
elanzel Sep 20, 2023
1910310
serviceShort string = 'kvvaccesspol'
elanzel Sep 20, 2023
17bce13
readme update
elanzel Sep 20, 2023
20beb1a
serviceShort string = 'kvvrbac'
elanzel Sep 20, 2023
62d4207
removed comment
elanzel Sep 20, 2023
6ebfedc
Update modules/key-vault/vault/.test/accesspolicies/main.test.bicep
elanzel Sep 21, 2023
ec1fab0
Update modules/key-vault/vault/main.bicep
elanzel Sep 21, 2023
ef41af9
readme update
elanzel Sep 21, 2023
a0a6447
main.json updated
elanzel Sep 21, 2023
1 change: 1 addition & 0 deletions .ps-rule/min-suppress.Rule.yaml
Expand Up @@ -8,6 +8,7 @@ spec:
rule:
- Azure.Resource.UseTags
- Azure.KeyVault.Logs
- Azure.KeyVault.Firewall
- Azure.Policy.ExemptionDescriptors
- Azure.Policy.Descriptors
- Azure.Policy.AssignmentDescriptors
Expand Down
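Review bot: The `Azure.KeyVault.Firewall` entry — which appears to be the single added line, given the section's 1-addition count — suppresses the firewall rule for the min test set without recording why, and an unexplained suppression is easy to mistake for a fix later. Since the pe and accesspolicies tests in this PR now set `networkAcls` with `defaultAction: 'Deny'`, the suppression presumably covers only the minimal-parameter test that carries no ACLs by design; a comment next to the entry such as `# Azure.KeyVault.Firewall: min test deploys default network rules on purpose; firewall coverage lives in the pe/accesspolicies tests` would make that explicit and reviewable. The rule list continues outside the hunk.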
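--- a/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/dependencies.bicep
@@ -0,0 +1,46 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+name: virtualNetworkName
+location: location
+properties: {
+addressSpace: {
+addressPrefixes: [
+addressPrefix
+]
+}
+subnets: [
+{
+name: 'defaultSubnet'
+properties: {
+addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+serviceEndpoints: [
+{
+service: 'Microsoft.KeyVault'
+}
+]
+}
+}
+]
+}
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+name: managedIdentityName
+location: location
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId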
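Review bot: The `Microsoft.KeyVault` service endpoint on `defaultSubnet` is what the accesspolicies test depends on when it sets `ignoreMissingVnetServiceEndpoint: false` in its `virtualNetworkRules`, but nothing in this file says so; a comment above `serviceEndpoints:` such as `// Required: the test's virtualNetworkRules set ignoreMissingVnetServiceEndpoint: false` would stop a later cleanup from silently breaking the deployment. Also, `cidrSubnet(addressPrefix, 16, 0)` gives the subnet the entire 10.0.0.0/16 VNet range, which is acceptable for a throwaway test fixture but worth stating in a comment so nobody reads it as a mistake.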
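--- a/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
+++ b/modules/key-vault/vault/.test/accesspolicies/main.test.bicep
@@ -0,0 +1,124 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'kvvap'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+name: resourceGroupName
+location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+scope: resourceGroup
+name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+params: {
+managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+}
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+scope: resourceGroup
+name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+params: {
+storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
+logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
+eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
+location: location
+}
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+scope: resourceGroup
+name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+params: {
+enableDefaultTelemetry: enableDefaultTelemetry
+name: '${namePrefix}${serviceShort}002'
+diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+enablePurgeProtection: false
+accessPolicies: [
+{
+objectId: nestedDependencies.outputs.managedIdentityPrincipalId
+permissions: {
+keys: [
+'get'
+'list'
+'update'
+]
+secrets: [
+'get'
+'list'
+]
+}
+tenantId: tenant().tenantId
+}
+{
+objectId: nestedDependencies.outputs.managedIdentityPrincipalId
+permissions: {
+certificates: [
+'backup'
+'create'
+'delete'
+]
+secrets: [
+'get'
+'list'
+]
+}
+}
+]
+networkAcls: {
+bypass: 'AzureServices'
+defaultAction: 'Deny'
+ipRules: [
+{
+value: '40.74.28.0/23'
+}
+]
+virtualNetworkRules: [
+{
+id: nestedDependencies.outputs.subnetResourceId
+ignoreMissingVnetServiceEndpoint: false
+}
+]
+}
+tags: {
+'hidden-title': 'This is visible in the resource name'
+Environment: 'Non-Prod'
+Role: 'DeploymentValidation'
+}
+}
+}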
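Review bot: This test deploys `accessPolicies` but never sets `enableRbacAuthorization`, and commit ea456a6 in this PR makes `true` the module default; Key Vault ignores vault access policies when RBAC authorization is enabled, so unless main.bicep derives the flag from `accessPolicies` (not visible here) the two policy entries are deployed with no effect and the test does not exercise what its name claims. Adding `enableRbacAuthorization: false // Only for testing purposes: this test validates the legacy access-policy model` next to `enablePurgeProtection: false` in the `params` block would pin the intended mode and carry the same caveat the common test uses. Both policy entries target the same `managedIdentityPrincipalId` and the second omits `tenantId`; Key Vault keys access policies by object ID, so whether the entries merge or the later one overwrites the first depends on how the module handles duplicates, and a comment or a second identity would remove the ambiguity. The hard-coded `40.74.28.0/23` ipRule also deserves a one-line comment naming where the range comes from, since a reader cannot tell a CI egress range from a leftover.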
32 changes: 2 additions & 30 deletions modules/key-vault/vault/.test/common/main.test.bicep
Expand Up @@ -64,42 +64,14 @@ module testDeployment '../../main.bicep' = {
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}002'
accessPolicies: [
{
objectId: nestedDependencies.outputs.managedIdentityPrincipalId
permissions: {
keys: [
'get'
'list'
'update'
]
secrets: [
'all'
]
}
tenantId: tenant().tenantId
}
{
objectId: nestedDependencies.outputs.managedIdentityPrincipalId
permissions: {
certificates: [
'backup'
'create'
'delete'
]
secrets: [
'all'
]
}
}
]

diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
// Only for testing purposes
enablePurgeProtection: false
enableRbacAuthorization: false
enableRbacAuthorization: true
keys: [
{
attributesExp: 1725109032
Expand Down
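Review bot: The `// Only for testing purposes` comment now heads both `enablePurgeProtection: false` and the new `enableRbacAuthorization: true`, which reads as if RBAC authorization were also a test-only concession rather than the hardened default this PR introduces. Scoping the caveat to the one setting it applies to, e.g. `enablePurgeProtection: false // Only for testing purposes; production vaults should keep purge protection on`, and leaving `enableRbacAuthorization: true` uncommented (or noting it mirrors the module default) keeps the intent clear. The testDeployment module continues outside the hunk.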
5 changes: 5 additions & 0 deletions modules/key-vault/vault/.test/pe/dependencies.bicep
Expand Up @@ -20,6 +20,11 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
name: 'defaultSubnet'
properties: {
addressPrefix: cidrSubnet(addressPrefix, 16, 0)
serviceEndpoints: [
{
service: 'Microsoft.KeyVault'
}
]
}
}
]
Expand Down
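Review bot: The `Microsoft.KeyVault` service endpoint added to `defaultSubnet` exists only so the pe test's `virtualNetworkRules` entry with `ignoreMissingVnetServiceEndpoint: false` can deploy, but nothing here records that coupling; a comment such as `// Required by main.test.bicep: virtualNetworkRules set ignoreMissingVnetServiceEndpoint: false` above `serviceEndpoints:` would prevent a future cleanup from breaking the test. It is also worth noting in that comment that the same subnet hosts the private endpoint, so the service endpoint is there for the ACL test rather than as the intended access path. The virtualNetwork resource starts and ends outside the hunk.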
35 changes: 35 additions & 0 deletions modules/key-vault/vault/.test/pe/main.test.bicep
Expand Up @@ -39,6 +39,20 @@ module nestedDependencies 'dependencies.bicep' = {
}
}

// Diagnostics
// ===========
module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
scope: resourceGroup
name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
params: {
storageAccountName: 'dep${namePrefix}diasa${serviceShort}03'
logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01'
eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01'
location: location
}
}

// ============== //
// Test Execution //
// ============== //
Expand All @@ -49,14 +63,35 @@ module testDeployment '../../main.bicep' = {
params: {
enableDefaultTelemetry: enableDefaultTelemetry
name: '${namePrefix}${serviceShort}001'
diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
// Only for testing purposes
enablePurgeProtection: false
enableRbacAuthorization: true
networkAcls: {
bypass: 'AzureServices'
defaultAction: 'Deny'
ipRules: [
{
value: '40.74.28.0/23'
}
]
virtualNetworkRules: [
{
id: nestedDependencies.outputs.subnetResourceId
ignoreMissingVnetServiceEndpoint: false
}
]
}
privateEndpoints: [
{
privateDnsZoneGroup: {
privateDNSResourceIds: [
nestedDependencies.outputs.privateDNSResourceId
]
privateEndpointName: 'dep-${namePrefix}-pe-${serviceShort}'
}
service: 'vault'
subnetResourceId: nestedDependencies.outputs.subnetResourceId
Expand Down
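Review bot: The private-endpoint test now also opens the vault's public endpoint to `40.74.28.0/23` and to the PE subnet via service endpoint (the new `networkAcls` block), so the test no longer demonstrates a PE-only vault, and the IP range is unexplained; if it is the CI agent's egress range, a comment such as `// CI agent egress range; needed so deployment validation can reach the vault` should say so. If the module exposes a `publicNetworkAccess` parameter (not visible in this hunk), setting it to `Disabled` in the PE test would be the stricter and more representative configuration, with the ACLs kept only where deployment validation actually requires them. As in the common test, the `// Only for testing purposes` comment now sits above both `enablePurgeProtection: false` and `enableRbacAuthorization: true` and should be attached to the purge-protection line only. The testDeployment module continues outside the hunk.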