Key Vault

Overview

The KeyVault package contains four builders, for the different components used by KeyVault: One for access policies, one for secrets, one for the overall keyvault container, and one for adding access policies to an existing key vault.

  • Keys (Microsoft.KeyVault/vaults/keys)
  • KeyVault (Microsoft.KeyVault/vaults)
  • Secrets (Microsoft.KeyVault/vaults/secrets)
  • AccessPolicies (Microsoft.KeyVault/vaults/accessPolicies)

Key Builder

The key builder allows you to generate RSA and elliptical curve keys in the key vault.

KeywordPurpose
nameSets the name of the key to generate.
key_operationsSets the operations that they generated key can be used to perform.
key_typeSets the type of key. Helpers are defined for many typical types: RSA_2048, RSA_3072, RSA_4096, EC_P256, EC_P384, EC_P521, EC_P256K
statusEnables or disables the key (defaults to ‘Enabled’).
activation_dateSets the activation date of the key.
expiration_dateSets the expiration date of the key.
link_to_unmanaged_keyvaultLinks this key to an existing keyvault and allows the key to be deployed standalone
depends_onSets the dependencies of the key vault.
add_tagAdds a tag to the secret.
add_tagsAdds multiple tags to the secret.

Secret Builder

The secret builder allows you to store secrets into key vault. Values for a secret are passed by Secure String parameters.

KeywordPurpose
nameSets the name of the secret.
valueSets the name of the secure string parameter that will contain the value of the secret.
content_typeSets the content type of the secret.
statusEnables or disables the secret (defaults to ‘Enabled’).
activation_dateSets the activation date of the secret.
expiration_dateSets the expiration date of the secret.
link_to_unmanaged_keyvaultLinks this secret to an existing keyvault and allows the secret to be deployed standalone
depends_onSets the dependencies of the key vault.
add_tagAdds a tag to the secret.
add_tagsAdds multiple tags to the secret.

Access Policy Builder

The accessPolicy builder allows you to create access policies for key vault.

KeywordPurpose
object_idSets the Object ID of the permission set.
application_idSets the Application ID of the permission set.
key_permissionsSets the Key permissions of the permission set.
storage_permissionsSets the Storage permissions of the permission set.
secret_permissionsSets the Secret permissions of the permission set.
certificate_permissionsSets the Certificate permissions of the permission set.

Key Vault Builder

The keyVault builder contains access policies, secrets, and configuration information to create a full key vault account.

KeywordPurpose
nameSets the name of the vault.
skuSets the sku of the vault.
tenant_idSets the Tenant ID of the vault.
enable_vm_accessAllows VM access to the vault.
disable_vm_accessDisallows VM access to the vault.
enable_resource_manager_accessAllows Resource Manager access to the vault.
disable_resource_manager_accessDisallows Resource Manager access to the vault.
enable_disk_encryption_accessAllows Azure Disk Encyption service access to the vault.
disable_disk_encryption_accessDisallows Azure Disk Encyption service access to the vault.
enable_rbacEnables Azure role based access control for data access.
disable_rbacDisables Azure role based access control for data access.
enable_soft_deleteEnables VM access to the vault.
enable_soft_delete_with_purge_protectionDisables VM access to the vault.
uriSets the URI of the vault.
enable_recovery_modeSets the Creation Mode to Recovery.
disable_recovery_modeSets the Creation Mode to Default.
add_access_policyAdds an access policy to the vault.
add_access_policiesAdds access policies to the vault.
enable_azure_services_bypassAllows Azure traffic can bypass network rules.
disable_azure_services_bypassDisallows Azure traffic can bypass network rules.
allow_default_trafficAllow traffic if no rule from ipRules and virtualNetworkRules match. This is only used after the bypass property has been evaluated.
deny_default_trafficDeny traffic when no rule from ipRules and virtualNetworkRules match. This is only used after the bypass property has been evaluated.
add_ip_ruleAdds an IP address rule. This can be an IPv4 address range in CIDR notation, such as ‘124.56.78.91’ (simple IP address) or ‘124.56.78.0/24’ (all addresses that start with 124.56.78).
add_vnet_ruleAdds a virtual network rule. This is the full resource id of a vnet subnet, such as ‘/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1’.
add_secretAdds a secret to the vault. This can either be a “full” secret config created using the Secret Builder, a string literal value which represents the parameter name, or a string literal with a resource and an expression based on that resource e.g. a storage account and the Key member.
add_secretsAdds multiple secrets to the vault. This can either be “full” secret configs created using the Secret Builder, string literal values which represents the parameter name.
add_tagAdds a tag to the key vault.
add_tagsAdds multiple tags to the key vault.

Key Vault Add Access Policy Builder (keyVaultAddPolicies)

As applications grow, more components often need access to a key vault. The keyVaultAddPolicies builder is used to add new access policies to an existing key vault without the need to redeploy the full key vault, potentially changing existing access.

KeywordPurpose
key_vaultSets the resource Id or a builder for the existing key vault where the policies should be added.
add_access_policiesA list of policies to add to the key vault.
tenant_idUsed if granting access to users or service principals from another tenant.

Configuration Members

MemberPurpose
VaultUriGets the ARM expression path to the key vault’s URI.

Utilities

  • The KeyVault module comes with a set of utility functions to quickly create access policies if you do not wish to use the AccessPolicy builder, in the Farmer.KeyVault.AccessPolicy module which enable creating an access policy for a PrincipalId or an ObjectId which will have the GET Secret permission.
  • In addition, the AccessPolicy module also contains helpers to search for users or groups in active directory (requires Azure CLI installed), as well as their Object IDs. These can be used to rapidly create Access Policies for specific users.

Example

open Farmer
open Farmer.Builders
open Farmer.KeyVault
open System

let policy =
    accessPolicy {
        object_id Guid.Empty
        application_id Guid.Empty
        certificate_permissions [ KeyVault.Certificate.List ]
        secret_permissions KeyVault.Secret.All
        key_permissions [ KeyVault.Key.List ]
    }

let complexSecret = secret {
    name "myComplexSecret"
    content_type "application/text"
    status Enabled
    activation_date (DateTime.Today.AddDays -1.)
    expiration_date (DateTime.Today.AddDays 1.)
}

let vault =
    keyVault {
        name "MyVault"
        sku KeyVault.Sku.Standard
        tenant_id Guid.Empty

        enable_disk_encryption_access
        enable_resource_manager_access
        enable_soft_delete_with_purge_protection

        disable_vm_access
        enable_recovery_mode
        add_access_policy policy
        enable_azure_services_bypass

        add_ip_rule "127.0.0.1"
        add_vnet_rule "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1"
        allow_default_traffic

        add_secret complexSecret
        add_secret "simpleSecret"
        add_secrets [ "firstSecret"; "secondSecret"]
        add_keys [
            key {
                name "myRsaKey"
                key_type KeyType.RSA_4096
            }
            key {
                name "myRllipticalCurveKey"
                key_type KeyType.EC_P256
            }
        ]
    }

arm {
    add_resource vault
    output "vault-uri" vault.VaultUri
}