KeyVault-Secrets-Rotation-Template-PowerShell Instructions
This template can be used to create a project repository for secrets rotation functions for service credentials.
Project template structure
- AKV[ServiceType]Rotation - folder with the rotation function code template (event trigger)
  - function.json
  - run.ps1
- AKV[ServiceType]RotationHttp - folder with the rotation function code template (HTTP trigger)
  - function.json
  - run.ps1
- ARM-Templates
  - Add-Event-Subscription - event subscription deployment for an existing function
    - azuredeploy.json
  - Function - Azure function and configuration deployment
    - azuredeploy.json
- host.json
- profile.ps1
- requirements.psd1
Setup rotation function project repository steps
1. Create a new repository using this project as a template.
   - Click "Use this template" on the GitHub page.
   - Type a repository name using the format "KeyVault-Secrets-Rotation-[ServiceType]-PowerShell", e.g. "KeyVault-Secrets-Rotation-StorageAccount-PowerShell".
   - Select Public.
   - Click "Create repository from template".
2. Download the repository code to your local machine and use Visual Studio Code to edit the files.
3. Rename the Azure function folders, replacing ServiceType with the resource provider/service name, e.g. 'AKVStorageAccountRotation' and 'AKVStorageAccountRotationHttp'. The folder names are used as the names of the deployed Azure functions.
4. Update the run.ps1 files under both Azure function folders (event trigger and HTTP trigger):
   - Update RegenerateCredential to regenerate the password/key for your service, following the provided example.
   - Update GetAlternateCredentialId to return the alternate username/key id.
5. Update the ARM templates:
   - Update 'azuredeploy.json' under the Function and Add-Event-Subscription folders.
   - Replace "[ServiceType]" with your service/resource provider type name, e.g. "StorageAccountRG", "StorageAccountName", "StorageKey", in parameters and resources. Note that the function name in the 'Microsoft.KeyVault/vaults/providers/eventSubscriptions' resource must match the folder name updated in the previous step.
   - Update the "repoURL" default value in the Function ARM template to your GitHub repository URL.
   - Update the script that deploys the secret: adjust the listKeys function call to match your resource provider/service.
   - Add a script that grants your function access to the service/resource provider at the bottom of the template file. An example that assigns a role on a Storage Account is provided.
6. Update the 'README', 'CHANGELOG' and 'CONTRIBUTING' files. You can use the Visual Studio Code "replace in files" functionality to replace [ServiceType] with your service/resource provider type name.
7. Update the links for the Deploy to Azure buttons in the README to point to the new ARM templates in your GitHub repository. You can find more information about deployment buttons here.
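The two functions the run.ps1 step asks you to update, implemented for a Storage Account as an added example, together with the event-triggered flow that calls them. This is illustrative code written for this page, not the template's own run.ps1 (the Storage Account sample the template ships may differ). It assumes the secret carries the tags CredentialId, ProviderAddress and ValidityPeriodDays (this example's convention, not something the page specifies), that profile.ps1 already signs in with the function's managed identity, and that Az.Accounts, Az.Storage and Az.KeyVault are listed in requirements.psd1.

```powershell
# Added example, not the template's own code. Event-trigger run.ps1 for a Storage Account.
# Assumed secret tags (hypothetical convention): CredentialId (key1 or key2),
# ProviderAddress (storage account resource ID), ValidityPeriodDays.
param($eventGridEvent, $TriggerMetadata)

function GetAlternateCredentialId($credentialId) {
    # Alternate between the two storage account keys so the key currently stored in the
    # secret (and in use by clients) is never the one being regenerated.
    $validCredentialIdsRegEx = '^key[1-2]$'
    if ($credentialId -notmatch $validCredentialIdsRegEx) {
        throw "Invalid credential id: $credentialId. Credential id must match: $validCredentialIdsRegEx"
    }
    if ($credentialId -eq 'key1') { return 'key2' } else { return 'key1' }
}

function RegenerateCredential($credentialId, $providerAddress) {
    # Resource ID layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}
    $parts              = $providerAddress -split '/'
    $resourceGroupName  = $parts[4]
    $storageAccountName = $parts[8]
    Write-Host "Regenerating key $credentialId on $storageAccountName ($resourceGroupName)"

    # New-AzStorageAccountKey regenerates only the key named by -KeyName; the other key stays
    # valid, so clients still holding the previous secret version keep working.
    $operationResult = New-AzStorageAccountKey -ResourceGroupName $resourceGroupName `
        -Name $storageAccountName -KeyName $credentialId
    $newKeyValue = ($operationResult.Keys | Where-Object { $_.KeyName -eq $credentialId }).Value
    if ([string]::IsNullOrEmpty($newKeyValue)) {
        throw "Key regeneration returned no value for $credentialId"
    }
    return $newKeyValue
}

function RotateSecret($keyVaultName, $secretName) {
    $secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName
    if ($null -eq $secret) { throw "Secret $secretName not found in vault $keyVaultName" }

    $credentialId    = $secret.Tags['CredentialId']
    $providerAddress = $secret.Tags['ProviderAddress']
    $validityDays    = [int]$secret.Tags['ValidityPeriodDays']
    if ($validityDays -le 0) { throw "ValidityPeriodDays tag must be a positive integer" }

    # Regenerate the key that is NOT currently in the secret, then swap the secret over to it.
    $alternateId = GetAlternateCredentialId $credentialId
    $newValue    = RegenerateCredential $alternateId $providerAddress

    $expiryDate  = (Get-Date).ToUniversalTime().AddDays($validityDays)
    $secureValue = ConvertTo-SecureString -String $newValue -AsPlainText -Force
    $tags = @{
        CredentialId       = $alternateId
        ProviderAddress    = $providerAddress
        ValidityPeriodDays = "$validityDays"
    }
    # Writing the new version is the commit point; if this fails, the regenerated key exists
    # only in Storage and the rotation must be rerun rather than assumed complete.
    Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $secureValue `
        -Tag $tags -Expires $expiryDate | Out-Null
    Write-Host "Secret $secretName rotated to $alternateId, expires $expiryDate"
}

# Key Vault near-expiry events carry the secret name in subject and the vault in data.VaultName.
$secretName   = $eventGridEvent.subject
$keyVaultName = $eventGridEvent.data.VaultName
RotateSecret $keyVaultName $secretName
```

For this to run, the function's managed identity needs permission to regenerate keys on the storage account (the built-in "Storage Account Key Operator Service Role" grants Microsoft.Storage/storageAccounts/regeneratekey/action; that is the role assignment the ARM template step refers to) and get/set secret permissions on the vault. Keep the two functions identical in the HTTP-trigger run.ps1, which differs only in how it obtains the secret and vault names.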