
feat(tools): scope azure role assignment to key vault
Harjot1Singh committed Oct 23, 2023
1 parent 428b711 commit 2116077
Showing 3 changed files with 39 additions and 43 deletions.
20 changes: 0 additions & 20 deletions tools/iam.ts

This file was deleted.

2 changes: 0 additions & 2 deletions tools/index.ts
Expand Up @@ -2,14 +2,12 @@ import azureModule from '../shared/azure'
import identityModule from '../shared/identity'
import azureSecretsModule from './azure-secrets'
import codeSigningSecretsModule from './code-signing-secrets'
import iamModule from './iam'
import keyVaultModule from './key-vault'

const stack = async () => {
const azure = await azureModule()

const identity = await identityModule()
await iamModule( { identity } )

const keyVault = await keyVaultModule( { azure, identity } )

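--- a/tools/key-vault.ts
+++ b/tools/key-vault.ts
@@ -1,4 +1,4 @@
-import { keyvault } from '@pulumi/azure-native'
+import { authorization, keyvault } from '@pulumi/azure-native'
 
 import azure from '../shared/azure'
 import identity from '../shared/identity'
@@ -11,26 +11,44 @@ type Options = {
 const keyVaultModule = async ( {
 azure: { tenantId },
 identity: { resourceGroup, servicePrincipal },
-}: Options ) => new keyvault.Vault( 'shabad-os-tools', {
-vaultName: 'shabad-os-tools',
-resourceGroupName: resourceGroup.name,
-location: resourceGroup.location,
-properties: {
-sku: { name: keyvault.SkuName.Premium, family: keyvault.SkuFamily.A },
-tenantId,
-enablePurgeProtection: true,
-enableSoftDelete: true,
-publicNetworkAccess: keyvault.PublicNetworkAccess.Enabled,
-accessPolicies: [ {
+}: Options ) => {
+const vault = new keyvault.Vault( 'shabad-os-tools', {
+vaultName: 'shabad-os-tools',
+resourceGroupName: resourceGroup.name,
+location: resourceGroup.location,
+properties: {
+sku: { name: keyvault.SkuName.Premium, family: keyvault.SkuFamily.A },
 tenantId,
-objectId: servicePrincipal.id,
-permissions: {
-certificates: [ keyvault.CertificatePermissions.Get, keyvault.CertificatePermissions.List ],
-keys: [ keyvault.KeyPermissions.Get, keyvault.KeyPermissions.List ],
-secrets: [ keyvault.SecretPermissions.Get, keyvault.SecretPermissions.List ],
-},
-} ],
-},
-}, { protect: true } )
+enablePurgeProtection: true,
+enableSoftDelete: true,
+publicNetworkAccess: keyvault.PublicNetworkAccess.Enabled,
+accessPolicies: [ {
+tenantId,
+objectId: servicePrincipal.id,
+permissions: {
+certificates: [
+keyvault.CertificatePermissions.Get,
+keyvault.CertificatePermissions.List,
+],
+keys: [
+keyvault.KeyPermissions.Get,
+keyvault.KeyPermissions.List,
+keyvault.KeyPermissions.Sign,
+],
+secrets: [ keyvault.SecretPermissions.Get, keyvault.SecretPermissions.List ],
+},
+} ],
+},
+}, { protect: true } )
+
+new authorization.RoleAssignment( 'azure-sp-key-vault-role-assignment', {
+principalId: servicePrincipal.id,
+principalType: authorization.PrincipalType.ServicePrincipal,
+roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6',
+scope: vault.id,
+} )
+
+return vault
+}
 
 export default keyVaultModule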
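Review bot: The new `authorization.RoleAssignment` scoped to `vault.id` is most likely inert, because the vault is still created under the access-policy permission model: the `accessPolicies` block is kept and nothing in the visible `properties` sets `enableRbacAuthorization`, and Key Vault honours data-plane RBAC roles only when that flag is true (confirm against the Options type, which is outside the hunk). Either set `enableRbacAuthorization: true,` next to `enableSoftDelete: true,` and drop `accessPolicies`, or drop the assignment, so there is one authoritative grant for the service principal rather than two overlapping ones that drift. The `roleDefinitionId` is a bare GUID; give it a comment naming the role so reviewers can check scope without a lookup, e.g. `// Built-in Key Vault data-plane role (appears to be 'Key Vault Secrets User'; verify with `az role definition list`)`. The access policy also newly adds `keyvault.KeyPermissions.Sign`, which widens the principal from read-only to signing with vault keys and is not mentioned in the commit title; a one-line comment on why signing is needed would make that grant auditable.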
