add openhack files

2022-11-03 16:41:13 -04:00
commit b2c9f7e29f
920 changed files with 118861 additions and 0 deletions
--- a/support/sqlsecretrotation/iac/bicep/deploy.sh
+++ b/support/sqlsecretrotation/iac/bicep/deploy.sh
@ -0,0 +1,35 @@
+#!/bin/bash
+
+declare LOCATION=$1
+declare RESOURCES_PREFIX=$2
+declare RESOURCES_SUFFIX=$3
+declare KEY_VAULT_RESOURCE_GROUP_NAME=$4
+declare KEY_VAULT_NAME=$5
+
+declare -r USAGE_HELP="Usage: ./deploy.sh <LOCATION> <RESOURCES_PREFIX> <RESOURCES_SUFFIX> <KEY_VAULT_RESOURCE_GROUP_NAME> <KEY_VAULT_NAME>"
+
+if [ $# -ne 5 ]; then
+    echo "${USAGE_HELP}"
+    exit 1
+fi
+
+# Check for programs
+if ! [ -x "$(command -v az)" ]; then
+    echo "az is not installed!"
+    exit 1
+fi
+
+if [ -f "devvars.sh" ]; then
+    . devvars.sh
+fi
+
+RESOURCE_GROUP_NAME="${RESOURCES_PREFIX}${RESOURCES_SUFFIX}rg"
+
+if [ $(az group exists --name "${RESOURCE_GROUP_NAME}") = false ]; then
+    az group create --name "${RESOURCE_GROUP_NAME}" --location "${LOCATION}"
+fi
+
+az deployment group create \
+--resource-group "${RESOURCE_GROUP_NAME}" \
+--template-file main.bicep \
+--parameters keyVaultRgName="${KEY_VAULT_RESOURCE_GROUP_NAME}" keyVaultName="${KEY_VAULT_NAME}" resourcesPrefix="${RESOURCES_PREFIX}" resourcesSuffix="${RESOURCES_SUFFIX}"
--- a/support/sqlsecretrotation/iac/bicep/keyVault.bicep
+++ b/support/sqlsecretrotation/iac/bicep/keyVault.bicep
@ -0,0 +1,60 @@
+param keyVaultName string
+param functionAppId string
+param functionAppPrincipalId string
+param functionAppTenantId string
+param eventSubscriptionName string
+param secretName string
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?tabs=bicep
+resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
+  name: keyVaultName
+}
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/accesspolicies?tabs=bicep
+resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
+  name: 'add'
+  parent: keyVault
+  properties: {
+    accessPolicies: [
+      {
+        tenantId: functionAppTenantId
+        objectId: functionAppPrincipalId
+        permissions: {
+          secrets: [
+            'get'
+            'list'
+            'set'
+          ]
+        }
+      }
+    ]
+  }
+}
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?tabs=bicep
+resource keyVaultEventSubscription 'Microsoft.EventGrid/eventSubscriptions@2021-06-01-preview' = {
+  name: eventSubscriptionName
+  scope: keyVault
+  properties: {
+    destination: {
+      endpointType: 'AzureFunction'
+      properties: {
+        maxEventsPerBatch: 1
+        preferredBatchSizeInKilobytes: 64
+        resourceId: '${functionAppId}/functions/AKVSQLRotation'
+      }
+    }
+    filter: {
+      subjectBeginsWith: secretName
+      subjectEndsWith: secretName
+      includedEventTypes: [
+        'Microsoft.KeyVault.SecretNearExpiry'
+      ]
+    }
+    eventDeliverySchema: 'EventGridSchema'
+    retryPolicy: {
+      eventTimeToLiveInMinutes: 60
+      maxDeliveryAttempts: 30
+    }
+  }
+}
--- a/support/sqlsecretrotation/iac/bicep/main.bicep
+++ b/support/sqlsecretrotation/iac/bicep/main.bicep
@ -0,0 +1,115 @@
+param keyVaultRgName string = resourceGroup().name
+param keyVaultName string
+param resourcesPrefix string
+param resourcesSuffix string = 'sqlsecrot'
+param secretName string = 'SQL-PASSWORD'
+param repoUrl string = 'https://github.com/Azure-Samples/KeyVault-Rotation-SQLPassword-Csharp.git'
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
+  name: '${resourcesPrefix}${resourcesSuffix}st'
+  location: resourceGroup().location
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    supportsHttpsTrafficOnly: true
+    accessTier: 'Hot'
+  }
+}
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.web/serverfarms?tabs=bicep
+resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
+  name: '${resourcesPrefix}${resourcesSuffix}plan'
+  location: resourceGroup().location
+  sku: {
+    name: 'Y1'
+    tier: 'Dynamic'
+  }
+}
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=bicep
+resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
+  name: '${resourcesPrefix}${resourcesSuffix}func'
+  location: resourceGroup().location
+  kind: 'functionapp'
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    enabled: true
+    serverFarmId: appServicePlan.id
+    httpsOnly: true
+    siteConfig: {
+      appSettings: [
+        {
+          name: 'AzureWebJobsStorage'
+          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
+        }
+        {
+          name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
+          value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
+        }
+        {
+          name: 'WEBSITE_CONTENTSHARE'
+          value: toLower('${resourcesPrefix}${resourcesSuffix}func')
+        }
+        {
+          name: 'FUNCTIONS_EXTENSION_VERSION'
+          value: '~3'
+        }
+        {
+          name: 'FUNCTIONS_WORKER_RUNTIME'
+          value: 'dotnet'
+        }
+        {
+          name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
+          value: applicationInsights.properties.InstrumentationKey
+        }
+        {
+          name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
+          value: applicationInsights.properties.ConnectionString
+        }
+      ]
+    }
+  }
+}
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/sourcecontrols?tabs=bicep
+resource functionAppSourceControl 'Microsoft.Web/sites/sourcecontrols@2021-02-01' = {
+  name: 'web'
+  parent: functionApp
+  properties: {
+    repoUrl: repoUrl
+    branch: 'main'
+    isManualIntegration: true
+  }
+}
+
+// https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/components?tabs=bicep
+resource applicationInsights 'microsoft.insights/components@2020-02-02' = {
+  name: '${resourcesPrefix}${resourcesSuffix}appi'
+  location: resourceGroup().location
+  kind: 'web'
+  properties: {
+    Application_Type: 'web'
+  }
+}
+
+module keyVault './keyVault.bicep' = {
+  name: 'keyVaultDeployment'
+  params: {
+    keyVaultName: keyVaultName
+    functionAppId: functionApp.id
+    functionAppTenantId: functionApp.identity.tenantId
+    functionAppPrincipalId: functionApp.identity.principalId
+    eventSubscriptionName: '${keyVaultName}-${secretName}-${functionApp.name}'
+    secretName: secretName
+  }
+  scope: resourceGroup(keyVaultRgName)
+  dependsOn: [
+    functionApp
+    functionAppSourceControl
+  ]
+}
--- a/support/sqlsecretrotation/iac/terraform/deploy.sh
+++ b/support/sqlsecretrotation/iac/terraform/deploy.sh
@ -0,0 +1,94 @@
+#!/bin/bash
+
+declare LOCATION=$1
+declare RESOURCES_PREFIX=$2
+declare SECRET_NAME=$3
+declare KEY_VAULT_RESOURCE_GROUP_NAME=$4
+declare KEY_VAULT_NAME=$5
+
+declare -r USAGE_HELP="Usage: ./deploy.sh <LOCATION> <RESOURCES_PREFIX> <SECRET_NAME> <KEY_VAULT_RESOURCE_GROUP_NAME> <KEY_VAULT_NAME>"
+
+if [ $# -ne 5 ]; then
+    echo "${USAGE_HELP}"
+    exit 1
+fi
+
+# Check for programs
+if ! [ -x "$(command -v az)" ]; then
+    echo "az is not installed!"
+    exit 1
+    elif ! [ -x "$(command -v terraform)" ]; then
+    echo "terraform is not installed!"
+    exit 1
+fi
+
+if [ -f "devvars.sh" ]; then
+    . devvars.sh
+fi
+
+export ARM_THREEPOINTZERO_BETA_RESOURCES=true
+
+azure_login() {
+    _azuresp_json=$(cat azuresp.json)
+    export ARM_CLIENT_ID=$(echo "${_azuresp_json}" | jq -r ".clientId")
+    export ARM_CLIENT_SECRET=$(echo "${_azuresp_json}" | jq -r ".clientSecret")
+    export ARM_SUBSCRIPTION_ID=$(echo "${_azuresp_json}" | jq -r ".subscriptionId")
+    export ARM_TENANT_ID=$(echo "${_azuresp_json}" | jq -r ".tenantId")
+    az login --service-principal --username "${ARM_CLIENT_ID}" --password "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
+    az account set --subscription "${ARM_SUBSCRIPTION_ID}"
+}
+
+prepare_tfvars() {
+    echo "Generating tfvars..."
+    echo 'location = "'${LOCATION}'"' > terraform.tfvars
+    echo 'resources_prefix = "'${RESOURCES_PREFIX}'"' >> terraform.tfvars
+    echo 'secret_name = "'${SECRET_NAME}'"' >> terraform.tfvars
+    echo 'key_vault_resource_group_name = "'${KEY_VAULT_RESOURCE_GROUP_NAME}'"' >> terraform.tfvars
+    echo 'key_vault_name = "'${KEY_VAULT_NAME}'"' >> terraform.tfvars
+    terraform fmt
+}
+
+lint_terraform(){
+    terraform fmt -check
+    if [ $? -ne 0 ]; then
+        echo "Terraform files are not properly formatted!"
+        exit 1
+    fi
+}
+
+init_terrafrom() {
+    terraform init -backend-config=storage_account_name="${TFSTATE_STORAGE_ACCOUNT_NAME}" -backend-config=container_name="${TFSTATE_STORAGE_CONTAINER_NAME}" -backend-config=key="${TFSTATE_KEY_SECROT}" -backend-config=resource_group_name="${TFSTATE_RESOURCES_GROUP_NAME}"
+}
+
+init_terrafrom_local() {
+    terraform init -backend=false
+}
+
+validate_terraform(){
+    terraform validate
+}
+
+preview_terraform(){
+    terraform plan --detailed-exitcode
+    return $?
+}
+
+deploy_terraform(){
+    local _tfplan_exit_code=${1}
+
+    terraform apply --auto-approve
+}
+
+destroy_terraform(){
+    terraform destroy --auto-approve
+}
+
+prepare_tfvars
+azure_login
+lint_terraform
+init_terrafrom
+# init_terrafrom_local
+validate_terraform
+preview_terraform
+deploy_terraform $?
+# destroy_terraform
--- a/support/sqlsecretrotation/iac/terraform/locals.tf
+++ b/support/sqlsecretrotation/iac/terraform/locals.tf
@ -0,0 +1,8 @@
+locals {
+  suffix                    = "sqlsecrot"
+  resource_group_name       = "${var.resources_prefix}${local.suffix}rg"
+  storage_account_name      = "${var.resources_prefix}${local.suffix}st"
+  function_app_name         = "${var.resources_prefix}${local.suffix}func"
+  app_service_plan_name     = "${var.resources_prefix}${local.suffix}plan"
+  application_insights_name = "${var.resources_prefix}${local.suffix}appi"
+}
--- a/support/sqlsecretrotation/iac/terraform/main.tf
+++ b/support/sqlsecretrotation/iac/terraform/main.tf
@ -0,0 +1,132 @@
+data "azurerm_key_vault" "key_vault" {
+  name                = var.key_vault_name
+  resource_group_name = var.key_vault_resource_group_name
+}
+
+resource "azurerm_resource_group" "resource_group" {
+  name     = local.resource_group_name
+  location = var.location
+
+  lifecycle {
+    ignore_changes = [
+      tags
+    ]
+  }
+}
+
+resource "azurerm_storage_account" "storage_account" {
+  name                      = local.storage_account_name
+  location                  = azurerm_resource_group.resource_group.location
+  resource_group_name       = azurerm_resource_group.resource_group.name
+  account_tier              = "Standard"
+  account_replication_type  = "LRS"
+  min_tls_version           = "TLS1_2"
+  enable_https_traffic_only = true
+
+  lifecycle {
+    ignore_changes = [
+      tags
+    ]
+  }
+}
+
+resource "azurerm_application_insights" "application_insights" {
+  name                = local.application_insights_name
+  location            = azurerm_resource_group.resource_group.location
+  resource_group_name = azurerm_resource_group.resource_group.name
+  application_type    = "web"
+}
+
+resource "azurerm_app_service_plan" "app_service_plan" {
+  name                = local.app_service_plan_name
+  location            = azurerm_resource_group.resource_group.location
+  resource_group_name = azurerm_resource_group.resource_group.name
+  kind                = "FunctionApp"
+
+  sku {
+    tier = "Dynamic"
+    size = "Y1"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags,
+      kind
+    ]
+  }
+}
+
+resource "azurerm_function_app" "function_app" {
+  name                       = local.function_app_name
+  location                   = azurerm_resource_group.resource_group.location
+  resource_group_name        = azurerm_resource_group.resource_group.name
+  app_service_plan_id        = azurerm_app_service_plan.app_service_plan.id
+  storage_account_name       = azurerm_storage_account.storage_account.name
+  storage_account_access_key = azurerm_storage_account.storage_account.primary_access_key
+  version                    = "~3"
+  https_only                 = true
+
+  app_settings = {
+    "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.application_insights.instrumentation_key
+    "FUNCTIONS_WORKER_RUNTIME"       = "dotnet"
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  site_config {
+    ftps_state                = "Disabled"
+    dotnet_framework_version  = "v4.0"
+    use_32_bit_worker_process = false
+  }
+
+  lifecycle {
+    ignore_changes = [
+      tags,
+      # app_settings["WEBSITE_ENABLE_SYNC_UPDATE_SITE"],
+      # app_settings["WEBSITE_RUN_FROM_PACKAGE"],
+      # app_settings["APPINSIGHTS_INSTRUMENTATIONKEY"],
+      # app_settings["FUNCTIONS_WORKER_RUNTIME"]
+    ]
+  }
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_source_control
+# resource "azurerm_app_service_source_control" "app_service_source_control" {
+#   app_id   = azurerm_function_app.function_app.id
+#   repo_url = "https://github.com/Azure-Samples/KeyVault-Rotation-SQLPassword-Csharp.git"
+#   branch   = "main"
+#   manual_integration = true
+#   # scm_type           = "ExternalGit"
+# }
+
+resource "azurerm_key_vault_access_policy" "key_vault_access_policy_function_app" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  tenant_id    = azurerm_function_app.function_app.identity[0].tenant_id
+  object_id    = azurerm_function_app.function_app.identity[0].principal_id
+
+  secret_permissions = [
+    "Get", "List", "Set"
+  ]
+}
+
+# resource "azurerm_eventgrid_event_subscription" "eventgrid_event_subscription" {
+#   name  = "${data.azurerm_key_vault.key_vault.name}-${var.secret_name}-${azurerm_function_app.function_app.name}"
+#   scope = data.azurerm_key_vault.key_vault.id
+
+#   azure_function_endpoint {
+#     function_id                       = "${azurerm_function_app.function_app.id}/functions/AKVSQLRotation"
+#     max_events_per_batch              = 1
+#     preferred_batch_size_in_kilobytes = 64
+#   }
+
+#   subject_filter {
+#     subject_begins_with = var.secret_name
+#     subject_ends_with   = var.secret_name
+#   }
+
+#   included_event_types = [
+#     "Microsoft.KeyVault.SecretNearExpiry"
+#   ]
+# }
--- a/support/sqlsecretrotation/iac/terraform/providers.tf
+++ b/support/sqlsecretrotation/iac/terraform/providers.tf
@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "2.94.0"
+    }
+  }
+  backend "azurerm" {
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+provider "azurerm" {
+  features {}
+}
--- a/support/sqlsecretrotation/iac/terraform/variables.tf
+++ b/support/sqlsecretrotation/iac/terraform/variables.tf
@ -0,0 +1,24 @@
+variable "key_vault_resource_group_name" {
+  description = ""
+  type        = string
+}
+
+variable "key_vault_name" {
+  description = ""
+  type        = string
+}
+
+variable "resources_prefix" {
+  description = ""
+  type        = string
+}
+
+variable "location" {
+  description = ""
+  type        = string
+}
+
+variable "secret_name" {
+  description = ""
+  type        = string
+}