
Commit 4b0c4e0

Merge pull request North-Seattle-College#158 from theKunte/feature/team1-issue130-key-vault-script
Feature/team1 issue130 key vault script
2 parents 57e399a + ed22827 commit 4b0c4e0


3 files changed

+243
-0
lines changed


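--- /dev/null
+++ b/Automation/azKeyVault/deployment.ps1
@@ -0,0 +1,67 @@
+<#
+.SYNOPSIS
+Deploys a template to Azure
+.DESCRIPTION
+Deploys an Azure Resource Manager template
+.PARAMETER subscriptionId
+The subscription id where the template will be deployed.
+.PARAMETER resourceGroupName
+The resource group where the template will be deployed. Can be the name of an existing or a new resource group.
+.PARAMETER templateFilePath
+Optional, path to the template file. Defaults to template.json.
+.PARAMETER parametersFilePath
+Optional, path to the parameters file. Defaults to parameters.json. If file is not found, will prompt for parameter values based on template.
+#>
+
+param(
+[Parameter(Mandatory = $True)]
+[string]
+$subscriptionId,
+
+[Parameter(Mandatory = $True)]
+[string]
+$resourceGroupName,
+
+[string]
+$deploymentName = "AzureKeyVaultDeploymentThursday",
+
+[string]
+$templateFilePath = "./template.json",
+
+[string]
+$parametersFilePath = "./template.parameters.json"
+)
+
+#******************************************************************************
+# Script body
+# Execution begins here
+#******************************************************************************
+
+$ErrorActionPreference = "Stop"
+
+# sign in
+Write-Host "Logging in...";
+Connect-AzAccount;
+
+# Select subscription
+Write-Host "Selecting subscription '$subscriptionId'";
+Get-AzSubscription -SubscriptionID $subscriptionId;
+
+#Check for existing resource group
+$resourceGroup = Get-AzResourceGroup -Name $resourceGroupName -ErrorAction SilentlyContinue
+if (!$resourceGroup) {
+Write-Host "Resource group '$resourceGroupName' does not exist.";
+exit
+}
+else {
+Write-Host "Using existing resource group '$resourceGroupName'";
+
+# Start the deployment
+Write-Host "Starting deployment...";
+New-AzResourceGroupDeployment `
+-DeploymentName $deploymentName `
+-ResourceGroupName $resourceGroupName `
+-TemplateFile $templateFilePath `
+-TemplateParameterFile $parametersFilePath
+}
+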
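Review bot: The "Select subscription" step calls `Get-AzSubscription -SubscriptionID $subscriptionId`, which only reads the subscription and does not change the active context, so the deployment runs in whatever subscription `Connect-AzAccount` left selected rather than the one the caller passed; use `Set-AzContext -SubscriptionId $subscriptionId | Out-Null` there instead. The missing-resource-group branch ends with a bare `exit`, which returns status 0 and lets a calling pipeline treat the skipped deployment as success — make it `exit 1`. The `.PARAMETER parametersFilePath` help says the default is parameters.json while the actual default is `./template.parameters.json`, and both defaults resolve against the caller's working directory rather than `$PSScriptRoot`, so the script only works when run from its own folder.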

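--- /dev/null
+++ b/Automation/azKeyVault/template.json
@@ -0,0 +1,131 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"keyVaultName": {
+"type": "string",
+"metadata": {
+"description": "Specifies the name of the key vault."
+}
+},
+"location": {
+"type": "string",
+"defaultValue": "[resourceGroup().location]",
+"metadata": {
+"description": "Specifies the Azure location where the key vault should be created."
+}
+},
+"enabledForDeployment": {
+"type": "bool",
+"defaultValue": false,
+"allowedValues": [
+true,
+false
+],
+"metadata": {
+"description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."
+}
+},
+"enabledForDiskEncryption": {
+"type": "bool",
+"defaultValue": false,
+"allowedValues": [
+true,
+false
+],
+"metadata": {
+"description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys."
+}
+},
+"enabledForTemplateDeployment": {
+"type": "bool",
+"defaultValue": false,
+"allowedValues": [
+true,
+false
+],
+"metadata": {
+"description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault."
+}
+},
+"tenantId": {
+"type": "string",
+"defaultValue": "[subscription().tenantId]",
+"metadata": {
+"description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
+}
+},
+"objectId": {
+"type": "string",
+"metadata": {
+"description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets."
+}
+},
+"keysPermissions": {
+"type": "array",
+"defaultValue": [
+"list"
+],
+"metadata": {
+"description": "Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge."
+}
+},
+"secretsPermissions": {
+"type": "array",
+"defaultValue": [
+"list"
+],
+"metadata": {
+"description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge."
+}
+},
+"skuName": {
+"type": "string",
+"defaultValue": "Standard",
+"allowedValues": [
+"Standard",
+"Premium"
+],
+"metadata": {
+"description": "Specifies whether the key vault is a standard vault or a premium vault."
+}
+}
+},
+"resources": [
+{
+"type": "Microsoft.KeyVault/vaults",
+"apiVersion": "2019-09-01",
+"name": "[parameters('keyVaultName')]",
+"location": "[parameters('location')]",
+"tags": {
+"Purpose": "Create an azure key vault",
+"Owner": "Jak Ashuraliev",
+"OwnerEmail": "[email protected]"
+},
+"properties": {
+"enabledForDeployment": "[parameters('enabledForDeployment')]",
+"enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
+"enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
+"tenantId": "[parameters('tenantId')]",
+"accessPolicies": [
+{
+"objectId": "[parameters('objectId')]",
+"tenantId": "[parameters('tenantId')]",
+"permissions": {
+"keys": "[parameters('keysPermissions')]",
+"secrets": "[parameters('secretsPermissions')]"
+}
+}
+],
+"sku": {
+"name": "[parameters('skuName')]",
+"family": "A"
+},
+"networkAcls": {
+"defaultAction": "Allow",
+"bypass": "AzureServices"
+}
+}
+}
+]
+}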
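Review bot: The `networkAcls` block at the end of the vault resource sets `"defaultAction": "Allow"`, so the vault's data plane accepts requests from any network and the `"bypass": "AzureServices"` entry does nothing; for a vault that is meant to hold deployment and disk-encryption secrets this should be `"defaultAction": "Deny"` with explicit `ipRules`/`virtualNetworkRules`, or at least a parameter so only the dev deployment is opened up. The `properties` block also omits `"enableSoftDelete": true,` and `"enablePurgeProtection": true,`, which this apiVersion supports and which are what stop a compromised or mistaken principal with the `delete`/`purge` rights described in `keysPermissions` from destroying keys irreversibly. Since `accessPolicies` hands a single `objectId` every permission in both arrays, the `objectId` metadata description should say so, and the `Owner`/`OwnerEmail` tags publish a personal contact with every deployment of the template.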
@@ -0,0 +1,45 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3+
"contentVersion": "1.0.0.0",
4+
"parameters": {
5+
"keyVaultName": {
6+
"value": "nsc-kv-dev-usw2-thursday"
7+
},
8+
"enabledForDeployment": {
9+
"value": true
10+
},
11+
"enabledForDiskEncryption": {
12+
"value": true
13+
},
14+
"enabledForTemplateDeployment": {
15+
"value": true
16+
},
17+
"objectId": {
18+
"value": "b74fc7c4-e7e0-47d1-9274-110d8e55d7a9"
19+
},
20+
"keysPermissions": {
21+
"value": [
22+
"Get",
23+
"List",
24+
"Update",
25+
"Create",
26+
"Import",
27+
"Delete",
28+
"Recover",
29+
"Backup",
30+
"Restore"
31+
]
32+
},
33+
"secretsPermissions": {
34+
"value": [
35+
"Get",
36+
"List",
37+
"Set",
38+
"Delete",
39+
"Recover",
40+
"Backup",
41+
"Restore"
42+
]
43+
}
44+
}
45+
}
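Review bot: This parameters file flips `enabledForDeployment`, `enabledForDiskEncryption` and `enabledForTemplateDeployment` from the template's `false` defaults to `true` and gives one hard-coded `objectId` create, import, delete, recover, backup and restore rights on keys and secrets — far beyond the template's `list` default and more than a deployment identity needs. Each flag should stay `false` unless the scenario that needs it (VM certificate retrieval, disk encryption, template secret references) is stated in the commit, and the permission lists should be trimmed to what the principal actually does. The `objectId` is environment-specific; passing it at deploy time (the template's parameters are exposed as dynamic parameters on `New-AzResourceGroupDeployment`) keeps tenant identifiers out of the repository. The file header for this section is not shown on the page, so the path is presumed to be the `template.parameters.json` that deployment.ps1 defaults to.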
