Merge pull request #18 from Azure/fix_kv_bug

Key Vault Fix to not loose access rights
2021-02-25 16:58:34 +01:00 · 2021-02-25 16:58:34 +01:00 · cc3dfb4379
--- a/infra/KeyVault/deploy.keyVault.json
+++ b/infra/KeyVault/deploy.keyVault.json
@ -26,6 +26,13 @@
            "metadata": {
                "description": "Specifies the ID of the private dns zone."
            }
+        },
+        "resourceExists": {
+            "type": "bool",
+            "defaultValue": false,
+            "metadata": {
+                "description": "Specifies whether this is the first deployment of this resource or whether the resource already exists."
+            }
        }
    },
    "functions": [],
@ -34,46 +41,67 @@
        "keyVaultName": "[parameters('keyVaultName')]",
        "subnetId": "[parameters('subnetId')]",
        "privateDnsZoneId": "[parameters('privateDnsZoneId')]",
+        "resourceExists": "[parameters('resourceExists')]",
        "privateEndpointName": "[concat(variables('keyVaultName'), '-private-endpoint')]"
    },
    "resources": [
        {
-            "name": "[variables('keyVaultName')]",
-            "type": "Microsoft.KeyVault/vaults",
-            "apiVersion": "2019-09-01",
-            "location": "[variables('location')]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-06-01",
+            "name": "[concat(variables('keyVaultName'), 'Deployment')]",
            "properties": {
-                "enabledForDeployment": false,
-                "enabledForTemplateDeployment": false,
-                "enabledForDiskEncryption": false,
-                "enablePurgeProtection": true,
-                "enableSoftDelete": true,
-                "softDeleteRetentionInDays": 7,
-                "enableRbacAuthorization": false,
-                "tenantId": "[subscription().tenantId]",
-                "createMode": "default",
-                "accessPolicies": [
-                ],
-                "sku": {
-                    "name": "standard",
-                    "family": "A"
+                "expressionEvaluationOptions": {
+                    "scope": "outer"
                },
-                "networkAcls": {
-                    "bypass": "AzureServices",
-                    "defaultAction": "Deny",
-                    "ipRules": [
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "Microsoft.KeyVault/vaults",
+                            "apiVersion": "2016-10-01",
+                            "name": "[variables('keyVaultName')]",
+                            "location": "[variables('location')]",
+                            "properties": {
+                                "enabledForDeployment": false,
+                                "enabledForTemplateDeployment": false,
+                                "enabledForDiskEncryption": false,
+                                "enablePurgeProtection": true,
+                                "enableSoftDelete": true,
+                                "enableRbacAuthorization": false,
+                                "tenantId": "[subscription().tenantId]",
+                                "createMode": "default",
+                                "accessPolicies": "[if(variables('resourceExists'), reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), '2016-10-01').accessPolicies, createArray())]",
+                                "sku": {
+                                    "name": "standard",
+                                    "family": "A"
+                                },
+                                "networkAcls": {
+                                    "bypass": "AzureServices",
+                                    "defaultAction": "Deny",
+                                    "ipRules": [
+                                    ],
+                                    "virtualNetworkRules": [
+                                    ]
+                                }
+                            }
+                        }
                    ],
-                    "virtualNetworkRules": [
-                    ]
+                    "outputs": {}
                }
-            }
+            },
+            "subscriptionId": "[subscription().subscriptionId]",
+            "resourceGroup": "[resourceGroup().name]"
        },
        {
            "type": "Microsoft.Network/privateEndpoints",
            "apiVersion": "2020-05-01",
            "name": "[variables('privateEndpointName')]",
            "dependsOn": [
-                "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
+                "[concat(variables('keyVaultName'), 'Deployment')]"
            ],
            "location": "[variables('location')]",
            "properties": {
--- a/infra/KeyVault/params.keyVault001.json
+++ b/infra/KeyVault/params.keyVault001.json
@ -13,6 +13,9 @@
        },
        "privateDnsZoneId": {
            "value": "/subscriptions/4060c03e-0d2e-44b7-82a3-da9376fe50b2/resourceGroups/dh-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
+        },
+        "resourceExists": {
+            "value": false
        }
    }
 }