Added Key Vault Access Policy to allow ADF MSI to access Key Vault

This commit is contained in:
John Rampono 2021-08-19 19:30:22 +08:00
Родитель e3300c6425
Коммит 605771f2b0
3 изменённых файлов: 14 добавлений и 1 удалений


@ -8,7 +8,7 @@
"BuildAdsGoFastDatabase": true
},
"CD": {
"EnableDeploy": false,
"EnableDeploy": true,
"EnableConfigure": true,
"ServicePrincipals": {
"DeploymentSP": {


@ -1,4 +1,5 @@
az config set extension.use_dynamic_install=yes_without_prompt
#Create MSIs
if($env:AdsOpts_CD_Services_CoreFunctionApp_Enable -eq "True")
{
$id = $null
@ -19,6 +20,16 @@ if($env:AdsOpts_CD_Services_WebSite_Enable -eq "True")
}
}
#Get ADF MSI Id
$dfpid = ((az datafactory show --factory-name $env:AdsOpts_CD_Services_DataFactory_Name --resource-group $env:AdsOpts_CD_ResourceGroup_Name) | ConvertFrom-Json).identity.principalId
$dfoid = ((az ad sp show --id $dfpid) | ConvertFrom-Json).objectId
#Allow ADF to Read Key Vault
az keyvault set-policy --name $env:AdsOpts_CD_Services_KeyVault_Name --certificate-permissions get list --key-permissions get list --object-id $dfoid --resource-group $env:AdsOpts_CD_ResourceGroup_Name --secret-permissions get list --storage-permissions get --subscription $env:AdsOpts_CD_ResourceGroup_Subscription
#Give MSIs Required AD Privileges
#Assign SQL Admin
$cu = az ad signed-in-user show | ConvertFrom-Json
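Review bot: `$dfoid` is passed to `az keyvault set-policy --object-id $dfoid` with no check that the lookup succeeded; if `az datafactory show` yields no `identity.principalId` (factory not yet deployed, or no system-assigned identity) both `$dfpid` and `$dfoid` are empty, the CLI error is not fatal here, and the deployment continues without ADF ever getting vault access. Add `if ([string]::IsNullOrEmpty($dfoid)) { throw "ADF managed identity not found; not setting Key Vault policy" }` before the set-policy line, and consider wrapping the block in the same `-Enable -eq "True"` guard the other MSI blocks use, if such a flag exists for the factory. The grant also includes `list` on secrets, keys and certificates plus storage `get`; if ADF only resolves linked-service secrets, `--secret-permissions get` alone is the least-privilege set, so confirm against what the pipelines actually reference. Separately, `az config set extension.use_dynamic_install=yes_without_prompt` in the first hunk installs unpinned CLI extensions at deploy time; `az extension add --name datafactory --version <version>` would make the toolchain reproducible.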


@ -15,6 +15,8 @@ if($env:AdsOpts_CD_Services_KeyVault_Enable -eq "True")
Write-Host "Enabling Access to KeyVault and Adding Secrets"
#Set KeyVault Policy to allow logged in user to add key
az keyvault set-policy --name $env:AdsOpts_CD_Services_KeyVault_Name --certificate-permissions backup create delete deleteissuers get getissuers import list listissuers managecontacts manageissuers purge recover restore setissuers update --key-permissions backup create decrypt delete encrypt get import list purge recover restore sign unwrapKey update verify wrapKey --object-id $AADUserId --resource-group $env:AdsOpts_CD_ResourceGroup_Name --secret-permissions backup delete get list purge recover restore set --storage-permissions backup delete deletesas get getsas list listsas purge recover regeneratekey restore set setsas update --subscription $env:AdsOpts_CD_ResourceGroup_Subscription
#Set KeyVault Policy to allow MSI for ADF to Retrieve Key Vault Key
#az keyvault set-policy --name $env:AdsOpts_CD_Services_KeyVault_Name --certificate-permissions backup create delete deleteissuers get getissuers import list listissuers managecontacts manageissuers purge recover restore setissuers update --key-permissions backup create decrypt delete encrypt get import list purge recover restore sign unwrapKey update verify wrapKey --object-id $AADUserId --resource-group $env:AdsOpts_CD_ResourceGroup_Name --secret-permissions backup delete get list purge recover restore set --storage-permissions backup delete deletesas get getsas list listsas purge recover regeneratekey restore set setsas update --subscription $env:AdsOpts_CD_ResourceGroup_Subscription
#Save Function Key to KeyVault
az keyvault secret set --name "AdsGfCoreFunctionAppKey" --vault-name $env:AdsOpts_CD_Services_KeyVault_Name --disabled false --subscription $env:AdsOpts_CD_ResourceGroup_Subscription --value $functionkey --output none
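Review bot: The commented-out `az keyvault set-policy` under `#Set KeyVault Policy to allow MSI for ADF to Retrieve Key Vault Key` is dead code whose comment misleads: it still passes `--object-id $AADUserId` and the full administrative permission set, not the ADF identity or a read-only set, while the actual ADF grant now lives in the script where the factory's principalId is resolved. Leaving it here invites someone to "fix" it by uncommenting, which would re-apply the signed-in user's full policy under a misleading label. Replace both lines with a pointer such as `#ADF MSI read access to Key Vault is granted where the factory's managed identity is resolved; nothing to do here`, or delete them. The enclosing `if($env:AdsOpts_CD_Services_KeyVault_Enable -eq "True")` block starts outside the hunk.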