From fed6e82e41369ebf41d61444087397193273c15a Mon Sep 17 00:00:00 2001
From: Deepak Gautam
Date: Wed, 28 Aug 2024 12:12:09 +0530
Subject: [PATCH 1/2] create secrets kv template change

---
 .../create-cluster/azuredeploy.json | 68 ++++++++++++++++++-
 .../azuredeploy.parameters.json | 6 ++
 2 files changed, 72 insertions(+), 2 deletions(-)

diff --git a/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json b/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json
index ecfceecd7c2f..52cb0a8ee511 100644
--- a/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json
+++ b/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json
@@ -29,6 +29,23 @@
 "softDeleteRetentionDays": {
 "type": "int",
 "defaultValue": 30
+ },
+ "backupSecretskeyVaultName": {
+ "type": "string",
+ "metadata": {
+ "description": "The KeyVault name used to store the Backup secrets."
+ }
+ },
+ "createNewBackupSecretsKeyVault": {
+ "type": "bool",
+ "defaultValue": true,
+ "metadata": {
+ "description": "Set this value as false, if you are re-using a Keyvault"
+ }
+ },
+ "backupSecretskeyVaultsoftDeleteRetentionDays": {
+ "type": "int",
+ "defaultValue": 30
 },
 "diagnosticStorageAccountName": {
 "type": "string",
@@ -502,6 +519,7 @@
 "arbDeploymentSpnSecretName": "[concat( parameters('clusterName'), '-', 'DefaultARBApplication')]",
 "storageWitnessNameVar": "WitnessStorageKey",
 "secretsLocationVar": "[concat('https://',parameters('keyVaultName'), '.vault.azure.net')]",
+ "backupsecretsLocationVar": "[concat('https://',parameters('backupSecretskeyVaultName'), '.vault.azure.net')]",
 "witnessTypeVar": "[if(equals(parameters('witnessType'), 'No Witness'), '','Cloud')]",
 "clusterWitnessStorageAccountNameVar": "[if(equals(parameters('witnessType'), 'No Witness'), '', parameters('clusterWitnessStorageAccountName'))]",
 "AzureServiceEndpointVar": "[if(equals(parameters('witnessType'), 'No Witness'), '', 'core.windows.net')]",
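Review bot: `backupSecretskeyVaultName` is declared without any length constraint, so an invalid vault name is only rejected at deployment time; Key Vault names are 3–24 characters, so `"minLength": 3, "maxLength": 24` on the parameter surfaces the error at validation. The two new names also mix casing (`backupSecretskeyVaultName`, `backupSecretskeyVaultsoftDeleteRetentionDays`) against the camelCase of the neighbouring `softDeleteRetentionDays`, and the retention parameter has no `metadata.description`. I would add `"description": "Soft-delete retention, in days, for the backup secrets Key Vault."` and spell the names `backupSecretsKeyVaultName` / `backupSecretsKeyVaultSoftDeleteRetentionDays` while they are still new. The enclosing `parameters` object starts outside the hunk.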
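Review bot: `backupsecretsLocationVar` hard-codes the `.vault.azure.net` suffix, so the location only resolves in the public Azure cloud; `environment().suffixes.keyvaultDns` yields the suffix of the cloud being deployed to, e.g. `"backupsecretsLocationVar": "[concat('https://', parameters('backupSecretskeyVaultName'), environment().suffixes.keyvaultDns)]"`. The existing `secretsLocationVar` line above has the same limitation, so this is a carried-over pattern rather than a regression. The new name also drops the capital `S` of the `secretsLocationVar` it mirrors; `backupSecretsLocationVar` keeps the pair consistent.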
@@ -717,6 +735,44 @@
 }
 ]
 }
+ },
+ {
+ "type": "Microsoft.KeyVault/vaults",
+ "apiVersion": "2021-06-01-preview",
+ "name": "[parameters('backupSecretskeyVaultName')]",
+ "location": "[parameters('location')]",
+ "condition": "[parameters('createNewBackupSecretsKeyVault')]",
+ "properties": {
+ "enabledForDeployment": true,
+ "enabledForTemplateDeployment": true,
+ "enabledForDiskEncryption": true,
+ "enableSoftDelete": false,
+ "softDeleteRetentionInDays": "[parameters('backupSecretskeyVaultsoftDeleteRetentionDays')]",
+ "enableRbacAuthorization": true,
+ "publicNetworkAccess": "Enabled",
+ "accessPolicies": [],
+ "tenantId": "[parameters('tenantId')]",
+ "sku": {
+ "name": "standard",
+ "family": "A"
+ }
+ }
+ },
+ {
+ "copy": {
+ "name": "roleAssignmentCopy",
+ "count": "[length(parameters('arcNodeResourceIds'))]"
+ },
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2022-04-01",
+ "name": "[guid(concat('AKV-', parameters('arcNodeResourceIds')[copyIndex()]))]",
+ "properties": {
+ "mode": "Incremental",
+ "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4417e6f-fecd-4de8-b567-7b0420556985')]",
+ "principalId": "[reference(parameters('arcNodeResourceIds')[copyIndex()], '2023-10-03-preview', 'full').identity.principalId]",
+ "scope": "[resourceId('Microsoft.KeyVault/vaults', parameters('backupSecretskeyVaultName'))]",
+ "description": "[concat(substring(parameters('arcNodeResourceIds')[copyIndex()],lastIndexOf(parameters('arcNodeResourceIds')[copyIndex()],'/')),'- Key Vault Secrets Officer role')]"
+ }
 },
 {
 "condition": "[equals(parameters('deploymentMode'), 'Validate')]",
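Review bot: The `Microsoft.Authorization/roleAssignments` copy has no `dependsOn` on the `Microsoft.KeyVault/vaults` resource it is scoped to, so when `createNewBackupSecretsKeyVault` is true ARM may evaluate the assignment before the vault exists and fail on `scope`; `"dependsOn": ["[resourceId('Microsoft.KeyVault/vaults', parameters('backupSecretskeyVaultName'))]"]` fixes the ordering. The new vault sets `"enableSoftDelete": false` right next to a `softDeleteRetentionInDays` value, which is contradictory, and for a vault whose purpose is holding backup secrets it means a deleted secret is unrecoverable; `"enableSoftDelete": true` with `"enablePurgeProtection": true` is the safer configuration, and `"publicNetworkAccess": "Enabled"` without `networkAcls` leaves the vault reachable from any network. `enabledForDeployment` and `enabledForDiskEncryption` open access paths that a secrets-backup vault does not appear to need. On the assignment, `"principalType": "ServicePrincipal"` avoids the replication-delay error ARM reports for recently created identities, and I cannot see whether the rest of the template already uses the `guid(concat('AKV-', …))` seed for another assignment; if it does, the names collide.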
@@ -724,13 +780,21 @@
 "apiVersion": "[parameters('apiVersion')]",
 "name": "[parameters('clusterName')]",
 "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('backupSecretskeyVaultName'))]"
 ],
 "identity": {
 "type": "SystemAssigned"
 },
 "location": "[parameters('location')]",
- "properties": {}
+ "properties": {
+ "secretLocations": [
+ {
+ "secretsType": "BackupSecrets",
+ "SecretsLocation": "[variables('backupsecretsLocationVar')]"
+ }
+ ]
+ }
 },
 {
 "type": "Microsoft.KeyVault/vaults/secrets",
diff --git a/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.parameters.json b/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.parameters.json
index ccc4755ecc15..a880285696c3 100644
--- a/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.parameters.json
+++ b/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.parameters.json
@@ -14,6 +14,12 @@
 "softDeleteRetentionDays": {
 "value": 30
 },
+ "backupSecretskeyVaultName": {
+ "value": "armdeploybkpkv"
+ },
+ "backupSecretskeyVaultsoftDeleteRetentionDays": {
+ "value": 30
+ },
 "diagnosticStorageAccountName": {
 "value": "partnerdiagsa3"
 },

From a97a981b42e243dc74051f4e00799bc1fcd90eec Mon Sep 17 00:00:00 2001
From: degautam <129389096+degautam@users.noreply.github.com>
Date: Tue, 29 Oct 2024 01:01:34 +0530
Subject: [PATCH 2/2] Update azuredeploy.json

---
 .../create-cluster/azuredeploy.json | 65 ++++++------------
 1 file changed, 19 insertions(+), 46 deletions(-)

diff --git a/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json b/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json
index 52cb0a8ee511..3ed1d5f81fbc 100644
--- a/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json
+++ b/quickstarts/microsoft.azurestackhci/create-cluster/azuredeploy.json
@@ -30,22 +30,12 @@
 "type": "int",
 "defaultValue": 30
 },
- "backupSecretskeyVaultName": {
- "type": "string",
- "metadata": {
- "description": "The KeyVault name used to store the Backup secrets."
- }
- },
- "createNewBackupSecretsKeyVault": {
+ "enableBackupSecretsToAzure": {
 "type": "bool",
 "defaultValue": true,
 "metadata": {
- "description": "Set this value as false, if you are re-using a Keyvault"
+ "description": "Set this value as false, if you you do not want to backup secrets to cloud"
 }
- },
- "backupSecretskeyVaultsoftDeleteRetentionDays": {
- "type": "int",
- "defaultValue": 30
 },
 "diagnosticStorageAccountName": {
 "type": "string",
@@ -519,8 +509,15 @@
 "arbDeploymentSpnSecretName": "[concat( parameters('clusterName'), '-', 'DefaultARBApplication')]",
 "storageWitnessNameVar": "WitnessStorageKey",
 "secretsLocationVar": "[concat('https://',parameters('keyVaultName'), '.vault.azure.net')]",
- "backupsecretsLocationVar": "[concat('https://',parameters('backupSecretskeyVaultName'), '.vault.azure.net')]",
+ "backupsecretsLocationVar": "[concat('https://',parameters('keyVaultName'), '.vault.azure.net')]",
 "witnessTypeVar": "[if(equals(parameters('witnessType'), 'No Witness'), '','Cloud')]",
+ "secretsLocationPayload": [
+ {
+ "secretsType": "BackupSecrets",
+ "secretsLocation": "[variables('backupsecretsLocationVar')]"
+ }
+ ],
+ "BackupSecretsLocationList": "[if(parameters('enableBackupSecretsToAzure'), variables('secretsLocationPayload'), json('[]'))]",
 "clusterWitnessStorageAccountNameVar": "[if(equals(parameters('witnessType'), 'No Witness'), '', parameters('clusterWitnessStorageAccountName'))]",
 "AzureServiceEndpointVar": "[if(equals(parameters('witnessType'), 'No Witness'), '', 'core.windows.net')]",
 "localAdminSecretValue": "[base64(concat(parameters('localAdminUserName'),':',parameters('localAdminPassword')))]",
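Review bot: This patch removes `backupSecretskeyVaultName` and `backupSecretskeyVaultsoftDeleteRetentionDays` from the template, but its diffstat shows `azuredeploy.parameters.json` untouched, and PATCH 1/2 added values for both parameters to that file; ARM rejects a parameters file that names parameters the template does not declare, so the quickstart's own parameter file will fail validation until those two entries are removed as well. The new description also doubles a word: `"description": "Set this value as false, if you do not want to backup secrets to cloud"`. The enclosing `parameters` object starts outside the hunk.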
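Review bot: `backupsecretsLocationVar` now evaluates to exactly the same string as `secretsLocationVar` on the line above it, so the variable is redundant and the two can silently drift apart in a later edit; `secretsLocationPayload` can reference `"[variables('secretsLocationVar')]"` directly and the duplicate line can go. `BackupSecretsLocationList` is the only PascalCase name among the surrounding `…Var` variables, and the payload still hard-codes `.vault.azure.net` via that variable where `environment().suffixes.keyvaultDns` would follow the target cloud. Collapsing the list to `json('[]')` when `enableBackupSecretsToAzure` is false is the right shape, since the consumer then always receives an array.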
@@ -735,30 +732,9 @@
 }
 ]
 }
- },
- {
- "type": "Microsoft.KeyVault/vaults",
- "apiVersion": "2021-06-01-preview",
- "name": "[parameters('backupSecretskeyVaultName')]",
- "location": "[parameters('location')]",
- "condition": "[parameters('createNewBackupSecretsKeyVault')]",
- "properties": {
- "enabledForDeployment": true,
- "enabledForTemplateDeployment": true,
- "enabledForDiskEncryption": true,
- "enableSoftDelete": false,
- "softDeleteRetentionInDays": "[parameters('backupSecretskeyVaultsoftDeleteRetentionDays')]",
- "enableRbacAuthorization": true,
- "publicNetworkAccess": "Enabled",
- "accessPolicies": [],
- "tenantId": "[parameters('tenantId')]",
- "sku": {
- "name": "standard",
- "family": "A"
- }
- }
 },
 {
+ "condition": "[parameters('enableBackupSecretsToAzure')]",
 "copy": {
 "name": "roleAssignmentCopy",
 "count": "[length(parameters('arcNodeResourceIds'))]"
@@ -768,9 +744,9 @@
 "name": "[guid(concat('AKV-', parameters('arcNodeResourceIds')[copyIndex()]))]",
 "properties": {
 "mode": "Incremental",
- "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4417e6f-fecd-4de8-b567-7b0420556985')]",
+ "roleDefinitionId": "[concat(subscription().id, '/providers/Microsoft.Authorization/roleDefinitions/', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')]",
 "principalId": "[reference(parameters('arcNodeResourceIds')[copyIndex()], '2023-10-03-preview', 'full').identity.principalId]",
- "scope": "[resourceId('Microsoft.KeyVault/vaults', parameters('backupSecretskeyVaultName'))]",
+ "scope": "[resourceGroup().id]",
 "description": "[concat(substring(parameters('arcNodeResourceIds')[copyIndex()],lastIndexOf(parameters('arcNodeResourceIds')[copyIndex()],'/')),'- Key Vault Secrets Officer role')]"
 }
 },
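Review bot: The role assignment's `scope` widens from a single vault to `resourceGroup().id`, so every Arc node identity now holds the role the `description` labels "Key Vault Secrets Officer" on every Key Vault in the resource group, not only on the vault the cluster writes backup secrets to. Since the backup location now resolves to `parameters('keyVaultName')`, the narrower `"scope": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"` keeps the grant on the vault that is actually used; with that scope the assignment should also carry a `dependsOn` on that vault, which belongs in the part of the resource that starts outside this hunk. I cannot see whether the pre-existing template already grants the nodes a role on `keyVaultName`; if it does, this copy duplicates it under a different `guid` seed and `"principalType": "ServicePrincipal"` is still worth adding to avoid replication-delay failures for fresh identities.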
@@ -780,20 +756,16 @@
 "apiVersion": "[parameters('apiVersion')]",
 "name": "[parameters('clusterName')]",
 "dependsOn": [
- "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]",
- "[resourceId('Microsoft.KeyVault/vaults', parameters('backupSecretskeyVaultName'))]"
+ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
 ],
 "identity": {
 "type": "SystemAssigned"
 },
 "location": "[parameters('location')]",
+ "kind": "WindowsServer",
 "properties": {
- "secretLocations": [
- {
- "secretsType": "BackupSecrets",
- "SecretsLocation": "[variables('backupsecretsLocationVar')]"
- }
- ]
+ "secretsLocations": "[variables('BackupSecretsLocationList')]"
+ }
 },
 {
@@ -892,6 +864,7 @@
 "dependsOn": [
 "[resourceId('Microsoft.AzureStackHCI/clusters', parameters('clusterName'))]"
 ],
+ "kind": "WindowsServer",
 "properties": {
 "arcNodeResourceIds": "[parameters('arcNodeResourceIds')]",
 "deploymentMode": "[parameters('deploymentMode')]",
@@ -973,4 +946,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
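Review bot: The hunk header counts 20 old and 16 new lines, but only 19 and 15 are visible here, which suggests one context line between the added `+ }` and the `},` was lost in this rendering — most plausibly the `}` that already closed `properties` in PATCH 1/2. If that line is still in the file, the added `}` produces a second closing brace after `secretsLocations` and the template stops being valid JSON, so the result should be run through a JSON validator (for example `python -m json.tool azuredeploy.json`) before merge. Binding `secretsLocations` to `variables('BackupSecretsLocationList')` is otherwise sound, since that variable is an empty array when `enableBackupSecretsToAzure` is false and the property therefore keeps one type.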