Key Vault

Overview

The KeyVault package contains three builders, one for each component used by Key Vault: access policies, secrets, and the overall Key Vault container. Between them they create two ARM resource types (access policies are not a separate resource; they are part of the vault's own properties):

  • KeyVault (Microsoft.KeyVault/vaults)
  • Secrets (Microsoft.KeyVault/vaults/secrets)

Secret Builder

The secret builder allows you to store secrets in Key Vault. Secret values are not embedded in the generated template: they are supplied at deployment time as secure string parameters, and the builder only records the name of the parameter that will carry the value.

| Keyword | Purpose |
|---|---|
| name | Sets the name of the secret. |
| value | Sets the name of the secure string parameter that will contain the value of the secret. |
| content_type | Sets the content type of the secret. |
| enable_secret | Enables the secret. |
| disable_secret | Disables the secret. |
| activation_date | Sets the activation date of the secret. |
| expiration_date | Sets the expiration date of the secret. |
| depends_on | Sets the resources the secret depends on. |
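The following is an added example (not code from the Farmer docs or the Farmer project) showing how the secret value flows: the `value` keyword names a secure string parameter, and that parameter is supplied only when the deployment runs, here from an environment variable. The names "app-db-password", "dbPasswordParam", "secrets-vault", "my-rg" and the tenant GUID are placeholders.

```fsharp
open System
open Farmer
open Farmer.Builders

// Added example; all names below are placeholders.

// The value of this secret is NOT in this code and is NOT in the generated
// template. `value` only names the secure string parameter ("dbPasswordParam")
// that will carry it at deployment time.
let dbPassword =
    secret {
        name "app-db-password"
        value "dbPasswordParam"
        content_type "text/plain"
        // Bounded lifetime: a 90-day window lets monitoring flag the secret for
        // rotation instead of leaving it valid indefinitely.
        activation_date DateTime.UtcNow
        expiration_date (DateTime.UtcNow.AddDays 90.)
    }

let vault =
    keyVault {
        name "secrets-vault"                                      // placeholder, must be globally unique
        tenant_id (Guid "00000000-0000-0000-0000-000000000000")   // placeholder tenant id
        enable_soft_delete_with_purge_protection
        add_secret dbPassword
    }

let deployment =
    arm {
        location Location.WestEurope
        add_resource vault
    }

// Read the value from the environment of the machine running the deployment so
// that it never appears in source control or in the template JSON. Fail fast
// if it is missing rather than deploying an empty secret.
let parameters =
    match Environment.GetEnvironmentVariable "DB_PASSWORD" with
    | null | "" -> failwith "DB_PASSWORD is not set"
    | v -> [ "dbPasswordParam", v ]

// Deploy.execute takes the resource group, the (parameterName, value) list
// for the template's parameters, and the deployment.
deployment
|> Deploy.execute "my-rg" parameters
|> ignore
```

If `value` is omitted, the secure parameter is still required at deployment time; the point of naming it explicitly is that the parameter name can differ from the secret name, which keeps the deployment interface stable if a secret is later renamed.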

Access Policy Builder

The Access Policy builder allows you to create access policies for a key vault. Each policy grants one principal, identified by its object ID (optionally narrowed by an application ID), a set of key, secret, certificate and storage permissions. Grant only the permission lists a principal actually needs; a workload that reads configuration should not be able to set, delete or purge secrets.

| Keyword | Purpose |
|---|---|
| object_id | Sets the Object ID of the permission set. |
| application_id | Sets the Application ID of the permission set. |
| key_permissions | Sets the Key permissions of the permission set. |
| storage_permissions | Sets the Storage permissions of the permission set. |
| secret_permissions | Sets the Secret permissions of the permission set. |
| certificate_permissions | Sets the Certificate permissions of the permission set. |

Key Vault Builder

The Key Vault builder combines access policies, secrets, and configuration settings to create a complete key vault.

| Keyword | Purpose |
|---|---|
| name | Sets the name of the vault. |
| sku | Sets the sku of the vault. |
| tenant_id | Sets the Tenant ID of the vault. |
| enable_vm_access | Allows VM access to the vault. |
| disable_vm_access | Disallows VM access to the vault. |
| enable_resource_manager_access | Allows Resource Manager access to the vault. |
| disable_resource_manager_access | Disallows Resource Manager access to the vault. |
| enable_disk_encryption_access | Allows Azure Disk Encryption service access to the vault. |
| disable_disk_encryption_access | Disallows Azure Disk Encryption service access to the vault. |
| enable_soft_delete | Enables soft delete on the vault. |
| enable_soft_delete_with_purge_protection | Enables soft delete on the vault and additionally turns on purge protection, so soft-deleted vaults and objects cannot be permanently purged before the retention period ends. |
| uri | Sets the URI of the vault. |
| enable_recovery_mode | Sets the Creation Mode to Recovery. |
| disable_recovery_mode | Sets the Creation Mode to Default. |
| add_access_policy | Adds an access policy to the vault. |
| enable_azure_services_bypass | Allows trusted Azure services to bypass the network rules. |
| disable_azure_services_bypass | Prevents Azure services from bypassing the network rules. |
| allow_default_traffic | Allows traffic when no rule from ipRules or virtualNetworkRules matches. This is evaluated only after the bypass property. |
| deny_default_traffic | Denies traffic when no rule from ipRules or virtualNetworkRules matches. This is evaluated only after the bypass property. |
| add_ip_rule | Adds an IP address rule. This can be a single IPv4 address such as '124.56.78.91' or a range in CIDR notation such as '124.56.78.0/24' (all addresses that start with 124.56.78). |
| add_vnet_rule | Adds a virtual network rule. This is the full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. |
| add_secret | Adds a secret to the vault. This can be either a "full" secret config created with the Secret Builder or a string literal, which is the name of the secure string parameter that holds the value. |
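The following is an added example (not code from the Farmer docs or the Farmer project) that puts the Access Policy and Key Vault builders together the way a security reviewer would expect: one read-only policy for the workload, one lifecycle policy for operators that deliberately omits Purge, purge protection on, unneeded service integrations off, and deny-by-default networking with a single subnet allowed. Every GUID, the subnet resource id and the names "app-secrets-vault", "appDbPassword" and "app-rg" are placeholders.

```fsharp
open System
open Farmer
open Farmer.Builders

// Added example; every GUID, name and resource id below is a placeholder.

// The workload identity only ever reads secrets, so it gets Get and nothing
// else. No key, certificate or storage permissions are granted at all.
let appReadPolicy =
    accessPolicy {
        object_id (Guid "11111111-1111-1111-1111-111111111111")   // placeholder: object id of the app's managed identity
        secret_permissions [ KeyVault.Secret.Get ]
    }

// Operators manage secret lifecycle but are not given Purge. Combined with
// purge protection on the vault, a deleted secret stays recoverable for the
// retention period even if an operator account is misused.
let opsPolicy =
    accessPolicy {
        object_id (Guid "22222222-2222-2222-2222-222222222222")   // placeholder: object id of the operators group
        secret_permissions [
            KeyVault.Secret.Get
            KeyVault.Secret.List
            KeyVault.Secret.Set
            KeyVault.Secret.Delete
            KeyVault.Secret.Recover
        ]
    }

// Placeholder subnet resource id; only traffic from this subnet is allowed.
let appSubnet =
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-rg/providers/Microsoft.Network/virtualNetworks/app-vnet/subnets/app-subnet"

let hardenedVault =
    keyVault {
        name "app-secrets-vault"                                  // placeholder, must be globally unique
        sku KeyVault.KeyVaultSku.Standard
        tenant_id (Guid "33333333-3333-3333-3333-333333333333")   // placeholder tenant id

        // Recovery controls: soft delete plus purge protection, so neither a
        // mistake nor a compromised account can destroy secrets for good.
        enable_soft_delete_with_purge_protection

        // Only the integrations this vault needs. Template deployment access
        // stays on so the secret declared below can be written by the
        // deployment; VM and disk encryption access are switched off.
        enable_resource_manager_access
        disable_vm_access
        disable_disk_encryption_access

        // Network: deny everything by default, then allow the application
        // subnet. Trusted Azure services may still bypass the rules, which
        // is what lets the deployment itself reach the vault.
        deny_default_traffic
        enable_azure_services_bypass
        add_vnet_rule appSubnet

        add_access_policy appReadPolicy
        add_access_policy opsPolicy

        // The value arrives as the secure string parameter "appDbPassword".
        add_secret "appDbPassword"
    }

let deployment =
    arm {
        location Location.WestEurope
        add_resource hardenedVault
    }
```

The contrast worth checking in review: an `allow_default_traffic` vault makes any `add_ip_rule` or `add_vnet_rule` entries cosmetic, and a policy built with `KeyVault.Secret.All` hands out every secret permission to a principal that probably only needs Get.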

Example

open Farmer
open Farmer.Builders
open System

// An access policy for a single principal. Guid.Empty stands in for a real
// object id and application id.
let policy =
    accessPolicy {
        object_id Guid.Empty
        application_id Guid.Empty
        certificate_permissions [ KeyVault.Certificate.List ]
        secret_permissions KeyVault.Secret.All   // every secret permission; narrow this for real principals
        key_permissions [ KeyVault.Key.List ]
    }

// A secret with lifetime metadata. No `value` is given, so the value is
// supplied at deployment time as a secure string parameter.
let complexSecret = secret {
    name "myComplexSecret"
    content_type "application/text"
    enable_secret
    activation_date (DateTime.Today.AddDays -1.)
    expiration_date (DateTime.Today.AddDays 1.)
}

let vault =
    keyVault {
        name "MyVault"
        sku KeyVault.KeyVaultSku.Standard
        tenant_id Guid.Empty   // placeholder; use your own tenant id

        enable_disk_encryption_access
        enable_resource_manager_access
        enable_soft_delete_with_purge_protection

        disable_vm_access
        enable_recovery_mode   // creation mode "recover": restores a soft-deleted vault of this name
        add_access_policy policy
        enable_azure_services_bypass

        add_ip_rule "127.0.0.1"
        add_vnet_rule "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1"
        allow_default_traffic   // with default traffic allowed, the IP and vnet rules above restrict nothing

        add_secret complexSecret
        add_secret "simpleSecret"   // value comes from the secure string parameter "simpleSecret"
    }