From bd92b5ae536c9dc83543128767c7de45e7e4b880 Mon Sep 17 00:00:00 2001
From: Marvin Buss
Date: Thu, 25 Feb 2021 15:58:12 +0100
Subject: [PATCH] Key Vault Fix to not loose access rights
---
 infra/KeyVault/deploy.keyVault.json | 80 +++++++++++++++++---------
 infra/KeyVault/params.keyVault001.json | 3 +
 2 files changed, 57 insertions(+), 26 deletions(-)
diff --git a/infra/KeyVault/deploy.keyVault.json b/infra/KeyVault/deploy.keyVault.json
index 69b0766..951729a 100644
--- a/infra/KeyVault/deploy.keyVault.json
+++ b/infra/KeyVault/deploy.keyVault.json
@@ -26,6 +26,13 @@
 "metadata": {
 "description": "Specifies the ID of the private dns zone."
 }
+ },
+ "resourceExists": {
+ "type": "bool",
+ "defaultValue": false,
+ "metadata": {
+ "description": "Specifies whether this is the first deployment of this resource or whether the resource already exists."
+ }
 }
 },
 "functions": [],
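Review bot: The `resourceExists` parameter defaults to `false`, and a false value against a vault that already exists makes the nested template in the next hunk hand the vault an empty `accessPolicies` list, which is exactly the loss of access this commit sets out to prevent; the metadata description should say so rather than describing "the first deployment". Suggest `"description": "Set to true when the Key Vault already exists so its current access policies are carried over; false on an existing vault replaces them with an empty policy list."`. The same static `false` is committed in infra/KeyVault/params.keyVault001.json, so after the first run that value has to be flipped by hand and a pipeline re-run that forgets it silently strips every policy. A default of `true` cannot be used because the `reference()` call fails when the vault is absent, so it may be worth having the pipeline derive the flag from an existence check instead of storing it in the parameter file.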
@@ -34,46 +41,67 @@
 "keyVaultName": "[parameters('keyVaultName')]",
 "subnetId": "[parameters('subnetId')]",
 "privateDnsZoneId": "[parameters('privateDnsZoneId')]",
+ "resourceExists": "[parameters('resourceExists')]",
 "privateEndpointName": "[concat(variables('keyVaultName'), '-private-endpoint')]"
 },
 "resources": [
 {
- "name": "[variables('keyVaultName')]",
- "type": "Microsoft.KeyVault/vaults",
- "apiVersion": "2019-09-01",
- "location": "[variables('location')]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[concat(variables('keyVaultName'), 'Deployment')]",
 "properties": {
- "enabledForDeployment": false,
- "enabledForTemplateDeployment": false,
- "enabledForDiskEncryption": false,
- "enablePurgeProtection": true,
- "enableSoftDelete": true,
- "softDeleteRetentionInDays": 7,
- "enableRbacAuthorization": false,
- "tenantId": "[subscription().tenantId]",
- "createMode": "default",
- "accessPolicies": [
- ],
- "sku": {
- "name": "standard",
- "family": "A"
+ "expressionEvaluationOptions": {
+ "scope": "outer"
 },
- "networkAcls": {
- "bypass": "AzureServices",
- "defaultAction": "Deny",
- "ipRules": [
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2016-10-01",
+ "name": "[variables('keyVaultName')]",
+ "location": "[variables('location')]",
+ "properties": {
+ "enabledForDeployment": false,
+ "enabledForTemplateDeployment": false,
+ "enabledForDiskEncryption": false,
+ "enablePurgeProtection": true,
+ "enableSoftDelete": true,
+ "enableRbacAuthorization": false,
+ "tenantId": "[subscription().tenantId]",
+ "createMode": "default",
+ "accessPolicies": "[if(variables('resourceExists'), reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), '2016-10-01').accessPolicies, createArray())]",
+ "sku": {
+ "name": "standard",
+ "family": "A"
+ },
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "defaultAction": "Deny",
+ "ipRules": [
+ ],
+ "virtualNetworkRules": [
+ ]
+ }
+ }
+ }
 ],
- "virtualNetworkRules": [
- ]
+ "outputs": {}
 }
- }
+ },
+ "subscriptionId": "[subscription().subscriptionId]",
+ "resourceGroup": "[resourceGroup().name]"
 },
 {
 "type": "Microsoft.Network/privateEndpoints",
 "apiVersion": "2020-05-01",
 "name": "[variables('privateEndpointName')]",
 "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
+ "[concat(variables('keyVaultName'), 'Deployment')]"
 ],
 "location": "[variables('location')]",
 "properties": {
diff --git a/infra/KeyVault/params.keyVault001.json b/infra/KeyVault/params.keyVault001.json
index aa3e92d..d259769 100644
--- a/infra/KeyVault/params.keyVault001.json
+++ b/infra/KeyVault/params.keyVault001.json
@@ -13,6 +13,9 @@
 },
 "privateDnsZoneId": {
 "value": "/subscriptions/4060c03e-0d2e-44b7-82a3-da9376fe50b2/resourceGroups/dh-global-dns/providers/Microsoft.Network/privateDnsZones/privatelink.vaultcore.azure.net"
+ },
+ "resourceExists": {
+ "value": false
 }
 }
 }
\ No newline at end of file
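Review bot: `"softDeleteRetentionInDays": 7` is dropped from the vault resource inside the nested template while `enableSoftDelete` and `enablePurgeProtection` are kept, so the retention period silently falls back to the service default instead of the 7 days the removed resource pinned. If the drop is only a consequence of moving the vault apiVersion from 2019-09-01 to 2016-10-01 to match the `reference(..., '2016-10-01')` call, keeping the newer apiVersion in both the resource and the reference expression would let the property stay and avoids relying on an older API whose acceptance of `enableRbacAuthorization` is worth confirming. Should the older API be required for the nested deployment pattern, the change in retention deserves a sentence in the commit message so that it is a recorded decision rather than drift. The `properties` block of the privateEndpoints resource continues outside the hunk.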