Key Vault

Overview

The KeyVault package contains three builders, one for each component used by Key Vault: one for access policies, one for secrets, and one for the overall Key Vault container. Access policies are emitted as part of the vault resource itself; the other two builders map onto these ARM resources:

  • KeyVault (Microsoft.KeyVault/vaults)
  • Secrets (Microsoft.KeyVault/vaults/secrets)

Secret Builder

The secret builder allows you to store secrets in Key Vault. Secret values are never written into the generated template: they are supplied at deployment time as Secure String parameters, so the values themselves stay out of source control.

Keyword            Purpose
name               Sets the name of the secret.
value              Sets the name of the secure string parameter that will contain the value of the secret.
content_type       Sets the content type of the secret.
enable_secret      Enables the secret.
disable_secret     Disables the secret.
activation_date    Sets the activation date of the secret (it cannot be retrieved before this date).
expiration_date    Sets the expiration date of the secret (it cannot be retrieved after this date).
depends_on         Provides dependencies of the secret, i.e. resources that must be deployed before it.

Access Policy Builder

The Access Policy builder allows you to create access policies for a key vault. Each policy binds one principal to a set of key, secret, certificate and storage permissions; grant only the permissions the principal actually needs.

Keyword                  Purpose
object_id                Sets the Object ID of the principal (user, group, service principal or managed identity) the permission set applies to.
application_id           Sets the Application ID of the permission set.
key_permissions          Sets the Key permissions of the permission set.
storage_permissions      Sets the Storage permissions of the permission set.
secret_permissions       Sets the Secret permissions of the permission set.
certificate_permissions  Sets the Certificate permissions of the permission set.

Key Vault Builder

The Key Vault builder contains access policies, secrets, and configuration information to create a complete key vault.

Keyword                                   Purpose
name                                      Sets the name of the vault.
sku                                       Sets the sku of the vault.
tenant_id                                 Sets the Tenant ID of the vault.
enable_vm_access                          Allows Azure Virtual Machines to retrieve certificates stored as secrets in the vault.
disable_vm_access                         Disallows VM access to the vault.
enable_resource_manager_access            Allows Resource Manager to retrieve secrets from the vault during template deployment.
disable_resource_manager_access           Disallows Resource Manager access to the vault.
enable_disk_encryption_access             Allows the Azure Disk Encryption service to retrieve secrets and unwrap keys from the vault.
disable_disk_encryption_access            Disallows Azure Disk Encryption service access to the vault.
enable_soft_delete                        Enables soft delete, so a deleted vault or secret can be recovered within the retention period.
enable_soft_delete_with_purge_protection  Enables soft delete together with purge protection, so a deleted vault or secret cannot be permanently purged before the retention period ends.
uri                                       Sets the URI of the vault.
enable_recovery_mode                      Sets the Creation Mode to Recovery (recreates a soft-deleted vault of the same name).
disable_recovery_mode                     Sets the Creation Mode to Default.
add_access_policy                         Adds an access policy to the vault.
add_access_policies                       Adds access policies to the vault.
enable_azure_services_bypass              Allows trusted Azure services to bypass the network rules.
disable_azure_services_bypass             Prevents Azure services from bypassing the network rules.
allow_default_traffic                     Allows traffic when no rule from ipRules and virtualNetworkRules matches. This is only evaluated after the bypass property.
deny_default_traffic                      Denies traffic when no rule from ipRules and virtualNetworkRules matches. This is only evaluated after the bypass property.
add_ip_rule                               Adds an IP address rule: a single IPv4 address such as ‘124.56.78.91’ or a range in CIDR notation such as ‘124.56.78.0/24’ (all addresses that start with 124.56.78).
add_vnet_rule                             Adds a virtual network rule, given as the full resource id of a vnet subnet, such as ‘/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1’.
add_secret                                Adds a secret to the vault: either a “full” secret config created with the Secret Builder, a string literal naming the secure string parameter, or a string literal together with a resource and an ARM expression based on that resource (e.g. a storage account and its Key member).
add_secrets                               Adds multiple secrets to the vault: either “full” secret configs created with the Secret Builder, or string literals naming the secure string parameters.

Utilities

  • The KeyVault module comes with a set of utility functions to quickly create access policies if you do not wish to use the AccessPolicy builder. They live in the Farmer.KeyVault.AccessPolicy module and create an access policy for a PrincipalId or an ObjectId that has only the GET Secret permission, which is the least privilege a workload that reads secrets needs.
  • In addition, the AccessPolicy module contains helpers to search for users or groups in Azure Active Directory (this requires the Azure CLI to be installed and logged in) and to obtain their Object IDs. These can be used to rapidly create Access Policies for specific users.
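
The following is an added example, not code from the Farmer project or its documentation, that ties the Access Policy utilities, the Key Vault builder keywords and the add_secret forms above into one hardened deployment: a web app reads secrets through a system-assigned managed identity, the vault is default-deny on the network with purge protection on, and no secret value ever appears in source or in the template. It assumes the `webApp` builder with `system_identity` and its `SystemIdentity.PrincipalId` member, the `storageAccount` builder and its `Key` member, that `AccessPolicy.create` accepts that PrincipalId directly, and that the resource-backed secret is passed as a `(name, resource, expression)` tuple as the table describes; the resource names, the tenant id and the IP address are placeholders.

```fsharp
open Farmer
open Farmer.Builders
open System

// Placeholder tenant id (assumption): replace with the tenant the vault is deployed into.
let tenantId = Guid.Parse "11111111-1111-1111-1111-111111111111"

// The workload that needs to read secrets: a web app with a system-assigned
// managed identity, so no client secret or certificate has to be issued to it.
let app = webApp {
    name "kv-reader-app"          // assumed name
    system_identity
}

// A storage account whose key we want to keep out of source control and templates.
let storage = storageAccount {
    name "kvreaderstore"          // assumed name
}

// Least privilege: the utility described above grants the principal only the
// GET Secret permission (no List, Set, Delete, and no key or certificate rights).
// Assumes AccessPolicy.create takes the PrincipalId of the app's identity.
let readerPolicy = KeyVault.AccessPolicy.create app.SystemIdentity.PrincipalId

let vault = keyVault {
    name "kv-hardened-example"    // assumed name; vault names must be globally unique
    sku KeyVault.KeyVaultSku.Standard
    tenant_id tenantId

    // Deleted vaults and secrets stay recoverable for the retention period, and
    // purge protection stops anyone from hard-deleting them before it ends.
    enable_soft_delete_with_purge_protection

    // Only Resource Manager template deployments may pull secrets; VMs and the
    // Disk Encryption service get nothing, since this workload does not need them.
    disable_vm_access
    disable_disk_encryption_access
    enable_resource_manager_access

    // Default-deny network rules: allow one CI address and the app's subnet,
    // let trusted Azure services through the firewall, deny everything else.
    enable_azure_services_bypass
    add_ip_rule "203.0.113.10"   // TEST-NET-3 documentation address, placeholder
    add_vnet_rule "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/app-vnet/subnets/app-subnet"
    deny_default_traffic

    add_access_policy readerPolicy

    // A secret whose value arrives as a secure string parameter at deploy time,
    // with a 90-day expiry so a forgotten token does not live forever.
    add_secret (secret {
        name "api-token"
        content_type "text/plain"
        enable_secret
        expiration_date (DateTime.UtcNow.AddDays 90.)
    })

    // A secret whose value is an ARM expression over another resource: the
    // storage account's Key member is resolved by Resource Manager at deploy time,
    // so the key is never written into source or the template.
    // The (name, resource, expression) tuple shape is an assumption from the add_secret table.
    add_secret ("storage-key", storage, storage.Key)
}

let template = deployment {
    location Location.WestEurope
    add_resource app
    add_resource storage
    add_resource vault
}

// Writes keyvault-hardened.json; deploy it with `az deployment group create`,
// supplying the api-token secure string parameter at the prompt or via a parameters file.
template |> Writer.quickWrite "keyvault-hardened"
```

Compared with the page's own example further down, the differences that matter are deny_default_traffic instead of allow_default_traffic (otherwise the IP and vNet rules restrict nobody), a GET-only policy on a managed identity instead of Secret.All on a placeholder Guid, and a secret that carries an expiration date so rotation cannot be forgotten indefinitely.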

Example

open Farmer
open Farmer.Builders
open System

// Guid.Empty is a placeholder, not a real principal: substitute the Object ID of the
// user, group or identity being granted access (and its Application ID where relevant).
let policy =
    accessPolicy {
        object_id Guid.Empty
        application_id Guid.Empty
        certificate_permissions [ KeyVault.Certificate.List ]
        // Secret.All grants every secret operation, including Set and Delete;
        // a workload that only reads secrets should get [ KeyVault.Secret.Get ] instead.
        secret_permissions KeyVault.Secret.All
        key_permissions [ KeyVault.Key.List ]
    }

let complexSecret = secret {
    name "myComplexSecret"
    content_type "application/text"
    enable_secret
    activation_date (DateTime.Today.AddDays -1.)
    expiration_date (DateTime.Today.AddDays 1.)
}

let vault =
    keyVault {
        name "MyVault"
        sku KeyVault.KeyVaultSku.Standard
        tenant_id Guid.Empty   // placeholder: use the ID of the Azure AD tenant that owns the vault

        enable_disk_encryption_access
        enable_resource_manager_access
        enable_soft_delete_with_purge_protection

        disable_vm_access
        // Recovery mode recreates a vault of this name from its soft-deleted state;
        // for a brand-new vault use disable_recovery_mode (Creation Mode Default).
        enable_recovery_mode
        add_access_policy policy
        enable_azure_services_bypass

        add_ip_rule "127.0.0.1"
        add_vnet_rule "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1"
        // With allow_default_traffic the IP and vNet rules above do not restrict other
        // callers; use deny_default_traffic to make them the only permitted sources.
        allow_default_traffic

        add_secret complexSecret
        add_secret "simpleSecret"
        add_secrets [ "firstSecret"; "secondSecret"]
    }