feat(azure): copy from keyvault to app config (#593)

Adds references to keyvault from app configuration Related to #571 TODO: Have to update sentinel key 🤔
digdir · Apr 9, 2024 · d216c90 · d216c90
1 parent 8264df4
commit d216c90
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 31 deletions.
diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
@@ -19,22 +19,22 @@ param sourceKeyVaultResourceGroup string
 @minLength(3)
 param sourceKeyVaultName string
 
-import {Sku as KeyVaultSku} from '../modules/keyvault/create.bicep'
+import { Sku as KeyVaultSku } from '../modules/keyvault/create.bicep'
 param keyVaultSku KeyVaultSku
 
-import {Sku as AppConfigurationSku} from '../modules/appConfiguration/create.bicep'
+import { Sku as AppConfigurationSku } from '../modules/appConfiguration/create.bicep'
 param appConfigurationSku AppConfigurationSku
 
-import {Sku as AppInsightsSku} from '../modules/applicationInsights/create.bicep'
+import { Sku as AppInsightsSku } from '../modules/applicationInsights/create.bicep'
 param appInsightsSku AppInsightsSku
 
-import {Sku as SlackNotifierSku} from '../modules/functionApp/slackNotifier.bicep'
+import { Sku as SlackNotifierSku } from '../modules/functionApp/slackNotifier.bicep'
 param slackNotifierSku SlackNotifierSku
 
-import {Sku as PostgresSku} from '../modules/postgreSql/create.bicep'
+import { Sku as PostgresSku } from '../modules/postgreSql/create.bicep'
 param postgresSku PostgresSku
 
-import {Sku as RedisSku} from '../modules/redis/main.bicep'
+import { Sku as RedisSku } from '../modules/redis/main.bicep'
 param redisSku RedisSku
 @minLength(1)
 param redisVersion string
@@ -112,7 +112,9 @@ module postgresql '../modules/postgreSql/create.bicep' = {
     environmentKeyVaultName: environmentKeyVault.outputs.name
     srcKeyVault: srcKeyVault
     srcSecretName: 'dialogportenPgAdminPassword${environment}'
-    administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}') ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}') : secrets.dialogportenPgAdminPassword
+    administratorLoginPassword: contains(keyVaultSourceKeys, 'dialogportenPgAdminPassword${environment}')
+      ? srcKeyVaultResource.getSecret('dialogportenPgAdminPassword${environment}')
+      : secrets.dialogportenPgAdminPassword
     sku: postgresSku
   }
 }
@@ -129,28 +131,31 @@ module redis '../modules/redis/main.bicep' = {
   }
 }
 
-module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
+module copyCrossEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
   scope: resourceGroup
-  name: 'copyEnvironmentSecrets'
+  name: 'copyCrossEnvironmentSecrets'
   params: {
+    appConfigurationName: appConfiguration.outputs.name
     srcKeyVaultKeys: keyVaultSourceKeys
     srcKeyVaultName: secrets.sourceKeyVaultName
     srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
     srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
     destKeyVaultName: environmentKeyVault.outputs.name
-    secretPrefix: 'dialogporten--${environment}--'
+    secretPrefix: 'dialogporten--any--'
   }
 }
 
-module copyCrossEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
+module copyEnvironmentSecrets '../modules/keyvault/copySecrets.bicep' = {
   scope: resourceGroup
-  name: 'copyCrossEnvironmentSecrets'
-  params: { srcKeyVaultKeys: keyVaultSourceKeys
+  name: 'copyEnvironmentSecrets'
+  params: {
+    appConfigurationName: appConfiguration.outputs.name
+    srcKeyVaultKeys: keyVaultSourceKeys
     srcKeyVaultName: secrets.sourceKeyVaultName
     srcKeyVaultRGNName: secrets.sourceKeyVaultResourceGroup
     srcKeyVaultSubId: secrets.sourceKeyVaultSubscriptionId
     destKeyVaultName: environmentKeyVault.outputs.name
-    secretPrefix: 'dialogporten--any--'
+    secretPrefix: 'dialogporten--${environment}--'
   }
 }
 
@@ -181,7 +186,7 @@ module appInsightsReaderAccessPolicy '../modules/applicationInsights/addReaderRo
   name: 'appInsightsReaderAccessPolicy'
   params: {
     appInsightsName: appInsights.outputs.appInsightsName
-    principalIds: [ slackNotifier.outputs.functionAppPrincipalId ]
+    principalIds: [slackNotifier.outputs.functionAppPrincipalId]
   }
 }
 
@@ -212,7 +217,7 @@ module keyVaultReaderAccessPolicy '../modules/keyvault/addReaderRoles.bicep' = {
   name: 'keyVaultReaderAccessPolicyFunctions'
   params: {
     keyvaultName: environmentKeyVault.outputs.name
-    principalIds: [ slackNotifier.outputs.functionAppPrincipalId ]
+    principalIds: [slackNotifier.outputs.functionAppPrincipalId]
   }
 }
 

diff --git a/.azure/modules/keyvault/copySecrets.bicep b/.azure/modules/keyvault/copySecrets.bicep
@@ -1,5 +1,5 @@
 // Source
-param srcKeyVaultKeys array 
+param srcKeyVaultKeys array
 param srcKeyVaultName string
 param srcKeyVaultRGNName string = resourceGroup().name
 param srcKeyVaultSubId string = subscription().subscriptionId
@@ -9,28 +9,54 @@ param destKeyVaultName string
 param destKeyVaultRGName string = resourceGroup().name
 param destKeyVaultSubId string = subscription().subscriptionId
 
+// App configuration
+param appConfigurationName string
+
 // Secret
 #disable-next-line secure-secrets-in-params
 param secretPrefix string
-param removeSecretPrefix bool = true
 
-var environmentKeys = [for key in srcKeyVaultKeys: {
-    isEnvironmentKey: startsWith(key, secretPrefix)
-    value: removeSecretPrefix ? replace(key, secretPrefix, '') : key
-    fullName: key
-}]
+var filteredKeysBySecretPrefix = filter(srcKeyVaultKeys, key => startsWith(key, secretPrefix))
+
+var keys = map(
+  filteredKeysBySecretPrefix,
+  key => {
+    secretNameWithoutPrefix: replace(key, secretPrefix, '')
+    secretName: key
+    appConfigKey: replace(replace(key, secretPrefix, ''), '--', ':')
+  }
+)
 
 resource srcKeyVaultResource 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
-	name: srcKeyVaultName
-    scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName)
+  name: srcKeyVaultName
+  scope: resourceGroup(srcKeyVaultSubId, srcKeyVaultRGNName)
+}
+
+resource appConfigurationResource 'Microsoft.AppConfiguration/configurationStores@2023-03-01' existing = {
+  name: appConfigurationName
 }
 
-module secrets 'upsertSecret.bicep' = [for key in environmentKeys: if (key.isEnvironmentKey) {
-    name: '${take(key.value, 57)}-${take(uniqueString(key.value), 6)}'
+module secrets 'upsertSecret.bicep' = [
+  for key in keys: {
+    name: '${take(key.secretName, 57)}-${take(uniqueString(key.secretName), 6)}'
+    scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName)
+    params: {
+      destKeyVaultName: destKeyVaultName
+      secretName: key.secretNameWithoutPrefix
+      secretValue: srcKeyVaultResource.getSecret(key.secretName)
+    }
+  }
+]
+
+module appConfiguration '../appConfiguration/upsertKeyValue.bicep' = [
+  for key in keys: {
+    name: '${take(key.secretNameWithoutPrefix, 57)}-${take(uniqueString(key.secretNameWithoutPrefix), 6)}'
     scope: resourceGroup(destKeyVaultSubId, destKeyVaultRGName)
     params: {
-        destKeyVaultName: destKeyVaultName
-        secretName: key.value
-        secretValue: srcKeyVaultResource.getSecret(key.fullName)
+      configStoreName: appConfigurationResource.name
+      key: key.appConfigKey
+      value: 'https://${destKeyVaultName}${az.environment().suffixes.keyvaultDns}/secrets/${key.secretNameWithoutPrefix}'
+      keyValueType: 'keyVaultReference'
     }
-}]
+  }
+]