add openhack files
This commit is contained in:
35
support/sqlsecretrotation/iac/bicep/deploy.sh
Normal file
35
support/sqlsecretrotation/iac/bicep/deploy.sh
Normal file
@ -0,0 +1,35 @@
|
||||
#!/bin/bash
|
||||
|
||||
declare LOCATION=$1
|
||||
declare RESOURCES_PREFIX=$2
|
||||
declare RESOURCES_SUFFIX=$3
|
||||
declare KEY_VAULT_RESOURCE_GROUP_NAME=$4
|
||||
declare KEY_VAULT_NAME=$5
|
||||
|
||||
declare -r USAGE_HELP="Usage: ./deploy.sh <LOCATION> <RESOURCES_PREFIX> <RESOURCES_SUFFIX> <KEY_VAULT_RESOURCE_GROUP_NAME> <KEY_VAULT_NAME>"
|
||||
|
||||
if [ $# -ne 5 ]; then
|
||||
echo "${USAGE_HELP}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check for programs
|
||||
if ! [ -x "$(command -v az)" ]; then
|
||||
echo "az is not installed!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f "devvars.sh" ]; then
|
||||
. devvars.sh
|
||||
fi
|
||||
|
||||
RESOURCE_GROUP_NAME="${RESOURCES_PREFIX}${RESOURCES_SUFFIX}rg"
|
||||
|
||||
if [ $(az group exists --name "${RESOURCE_GROUP_NAME}") = false ]; then
|
||||
az group create --name "${RESOURCE_GROUP_NAME}" --location "${LOCATION}"
|
||||
fi
|
||||
|
||||
az deployment group create \
|
||||
--resource-group "${RESOURCE_GROUP_NAME}" \
|
||||
--template-file main.bicep \
|
||||
--parameters keyVaultRgName="${KEY_VAULT_RESOURCE_GROUP_NAME}" keyVaultName="${KEY_VAULT_NAME}" resourcesPrefix="${RESOURCES_PREFIX}" resourcesSuffix="${RESOURCES_SUFFIX}"
|
60
support/sqlsecretrotation/iac/bicep/keyVault.bicep
Normal file
60
support/sqlsecretrotation/iac/bicep/keyVault.bicep
Normal file
@ -0,0 +1,60 @@
|
||||
param keyVaultName string
|
||||
param functionAppId string
|
||||
param functionAppPrincipalId string
|
||||
param functionAppTenantId string
|
||||
param eventSubscriptionName string
|
||||
param secretName string
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?tabs=bicep
|
||||
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
|
||||
name: keyVaultName
|
||||
}
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/accesspolicies?tabs=bicep
|
||||
resource keyVaultAccessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2021-06-01-preview' = {
|
||||
name: 'add'
|
||||
parent: keyVault
|
||||
properties: {
|
||||
accessPolicies: [
|
||||
{
|
||||
tenantId: functionAppTenantId
|
||||
objectId: functionAppPrincipalId
|
||||
permissions: {
|
||||
secrets: [
|
||||
'get'
|
||||
'list'
|
||||
'set'
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.eventgrid/eventsubscriptions?tabs=bicep
|
||||
resource keyVaultEventSubscription 'Microsoft.EventGrid/eventSubscriptions@2021-06-01-preview' = {
|
||||
name: eventSubscriptionName
|
||||
scope: keyVault
|
||||
properties: {
|
||||
destination: {
|
||||
endpointType: 'AzureFunction'
|
||||
properties: {
|
||||
maxEventsPerBatch: 1
|
||||
preferredBatchSizeInKilobytes: 64
|
||||
resourceId: '${functionAppId}/functions/AKVSQLRotation'
|
||||
}
|
||||
}
|
||||
filter: {
|
||||
subjectBeginsWith: secretName
|
||||
subjectEndsWith: secretName
|
||||
includedEventTypes: [
|
||||
'Microsoft.KeyVault.SecretNearExpiry'
|
||||
]
|
||||
}
|
||||
eventDeliverySchema: 'EventGridSchema'
|
||||
retryPolicy: {
|
||||
eventTimeToLiveInMinutes: 60
|
||||
maxDeliveryAttempts: 30
|
||||
}
|
||||
}
|
||||
}
|
115
support/sqlsecretrotation/iac/bicep/main.bicep
Normal file
115
support/sqlsecretrotation/iac/bicep/main.bicep
Normal file
@ -0,0 +1,115 @@
|
||||
param keyVaultRgName string = resourceGroup().name
|
||||
param keyVaultName string
|
||||
param resourcesPrefix string
|
||||
param resourcesSuffix string = 'sqlsecrot'
|
||||
param secretName string = 'SQL-PASSWORD'
|
||||
param repoUrl string = 'https://github.com/Azure-Samples/KeyVault-Rotation-SQLPassword-Csharp.git'
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep
|
||||
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
|
||||
name: '${resourcesPrefix}${resourcesSuffix}st'
|
||||
location: resourceGroup().location
|
||||
sku: {
|
||||
name: 'Standard_LRS'
|
||||
}
|
||||
kind: 'StorageV2'
|
||||
properties: {
|
||||
supportsHttpsTrafficOnly: true
|
||||
accessTier: 'Hot'
|
||||
}
|
||||
}
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.web/serverfarms?tabs=bicep
|
||||
resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
|
||||
name: '${resourcesPrefix}${resourcesSuffix}plan'
|
||||
location: resourceGroup().location
|
||||
sku: {
|
||||
name: 'Y1'
|
||||
tier: 'Dynamic'
|
||||
}
|
||||
}
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=bicep
|
||||
resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
|
||||
name: '${resourcesPrefix}${resourcesSuffix}func'
|
||||
location: resourceGroup().location
|
||||
kind: 'functionapp'
|
||||
identity: {
|
||||
type: 'SystemAssigned'
|
||||
}
|
||||
properties: {
|
||||
enabled: true
|
||||
serverFarmId: appServicePlan.id
|
||||
httpsOnly: true
|
||||
siteConfig: {
|
||||
appSettings: [
|
||||
{
|
||||
name: 'AzureWebJobsStorage'
|
||||
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
|
||||
}
|
||||
{
|
||||
name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
|
||||
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
|
||||
}
|
||||
{
|
||||
name: 'WEBSITE_CONTENTSHARE'
|
||||
value: toLower('${resourcesPrefix}${resourcesSuffix}func')
|
||||
}
|
||||
{
|
||||
name: 'FUNCTIONS_EXTENSION_VERSION'
|
||||
value: '~3'
|
||||
}
|
||||
{
|
||||
name: 'FUNCTIONS_WORKER_RUNTIME'
|
||||
value: 'dotnet'
|
||||
}
|
||||
{
|
||||
name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
|
||||
value: applicationInsights.properties.InstrumentationKey
|
||||
}
|
||||
{
|
||||
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
|
||||
value: applicationInsights.properties.ConnectionString
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/sourcecontrols?tabs=bicep
|
||||
resource functionAppSourceControl 'Microsoft.Web/sites/sourcecontrols@2021-02-01' = {
|
||||
name: 'web'
|
||||
parent: functionApp
|
||||
properties: {
|
||||
repoUrl: repoUrl
|
||||
branch: 'main'
|
||||
isManualIntegration: true
|
||||
}
|
||||
}
|
||||
|
||||
// https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/components?tabs=bicep
|
||||
resource applicationInsights 'microsoft.insights/components@2020-02-02' = {
|
||||
name: '${resourcesPrefix}${resourcesSuffix}appi'
|
||||
location: resourceGroup().location
|
||||
kind: 'web'
|
||||
properties: {
|
||||
Application_Type: 'web'
|
||||
}
|
||||
}
|
||||
|
||||
module keyVault './keyVault.bicep' = {
|
||||
name: 'keyVaultDeployment'
|
||||
params: {
|
||||
keyVaultName: keyVaultName
|
||||
functionAppId: functionApp.id
|
||||
functionAppTenantId: functionApp.identity.tenantId
|
||||
functionAppPrincipalId: functionApp.identity.principalId
|
||||
eventSubscriptionName: '${keyVaultName}-${secretName}-${functionApp.name}'
|
||||
secretName: secretName
|
||||
}
|
||||
scope: resourceGroup(keyVaultRgName)
|
||||
dependsOn: [
|
||||
functionApp
|
||||
functionAppSourceControl
|
||||
]
|
||||
}
|
94
support/sqlsecretrotation/iac/terraform/deploy.sh
Normal file
94
support/sqlsecretrotation/iac/terraform/deploy.sh
Normal file
@ -0,0 +1,94 @@
|
||||
#!/bin/bash
|
||||
|
||||
declare LOCATION=$1
|
||||
declare RESOURCES_PREFIX=$2
|
||||
declare SECRET_NAME=$3
|
||||
declare KEY_VAULT_RESOURCE_GROUP_NAME=$4
|
||||
declare KEY_VAULT_NAME=$5
|
||||
|
||||
declare -r USAGE_HELP="Usage: ./deploy.sh <LOCATION> <RESOURCES_PREFIX> <SECRET_NAME> <KEY_VAULT_RESOURCE_GROUP_NAME> <KEY_VAULT_NAME>"
|
||||
|
||||
if [ $# -ne 5 ]; then
|
||||
echo "${USAGE_HELP}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check for programs
|
||||
if ! [ -x "$(command -v az)" ]; then
|
||||
echo "az is not installed!"
|
||||
exit 1
|
||||
elif ! [ -x "$(command -v terraform)" ]; then
|
||||
echo "terraform is not installed!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f "devvars.sh" ]; then
|
||||
. devvars.sh
|
||||
fi
|
||||
|
||||
export ARM_THREEPOINTZERO_BETA_RESOURCES=true
|
||||
|
||||
azure_login() {
|
||||
_azuresp_json=$(cat azuresp.json)
|
||||
export ARM_CLIENT_ID=$(echo "${_azuresp_json}" | jq -r ".clientId")
|
||||
export ARM_CLIENT_SECRET=$(echo "${_azuresp_json}" | jq -r ".clientSecret")
|
||||
export ARM_SUBSCRIPTION_ID=$(echo "${_azuresp_json}" | jq -r ".subscriptionId")
|
||||
export ARM_TENANT_ID=$(echo "${_azuresp_json}" | jq -r ".tenantId")
|
||||
az login --service-principal --username "${ARM_CLIENT_ID}" --password "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
|
||||
az account set --subscription "${ARM_SUBSCRIPTION_ID}"
|
||||
}
|
||||
|
||||
prepare_tfvars() {
|
||||
echo "Generating tfvars..."
|
||||
echo 'location = "'${LOCATION}'"' > terraform.tfvars
|
||||
echo 'resources_prefix = "'${RESOURCES_PREFIX}'"' >> terraform.tfvars
|
||||
echo 'secret_name = "'${SECRET_NAME}'"' >> terraform.tfvars
|
||||
echo 'key_vault_resource_group_name = "'${KEY_VAULT_RESOURCE_GROUP_NAME}'"' >> terraform.tfvars
|
||||
echo 'key_vault_name = "'${KEY_VAULT_NAME}'"' >> terraform.tfvars
|
||||
terraform fmt
|
||||
}
|
||||
|
||||
lint_terraform(){
|
||||
terraform fmt -check
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Terraform files are not properly formatted!"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
init_terrafrom() {
|
||||
terraform init -backend-config=storage_account_name="${TFSTATE_STORAGE_ACCOUNT_NAME}" -backend-config=container_name="${TFSTATE_STORAGE_CONTAINER_NAME}" -backend-config=key="${TFSTATE_KEY_SECROT}" -backend-config=resource_group_name="${TFSTATE_RESOURCES_GROUP_NAME}"
|
||||
}
|
||||
|
||||
init_terrafrom_local() {
|
||||
terraform init -backend=false
|
||||
}
|
||||
|
||||
validate_terraform(){
|
||||
terraform validate
|
||||
}
|
||||
|
||||
preview_terraform(){
|
||||
terraform plan --detailed-exitcode
|
||||
return $?
|
||||
}
|
||||
|
||||
deploy_terraform(){
|
||||
local _tfplan_exit_code=${1}
|
||||
|
||||
terraform apply --auto-approve
|
||||
}
|
||||
|
||||
destroy_terraform(){
|
||||
terraform destroy --auto-approve
|
||||
}
|
||||
|
||||
prepare_tfvars
|
||||
azure_login
|
||||
lint_terraform
|
||||
init_terrafrom
|
||||
# init_terrafrom_local
|
||||
validate_terraform
|
||||
preview_terraform
|
||||
deploy_terraform $?
|
||||
# destroy_terraform
|
8
support/sqlsecretrotation/iac/terraform/locals.tf
Normal file
8
support/sqlsecretrotation/iac/terraform/locals.tf
Normal file
@ -0,0 +1,8 @@
|
||||
locals {
|
||||
suffix = "sqlsecrot"
|
||||
resource_group_name = "${var.resources_prefix}${local.suffix}rg"
|
||||
storage_account_name = "${var.resources_prefix}${local.suffix}st"
|
||||
function_app_name = "${var.resources_prefix}${local.suffix}func"
|
||||
app_service_plan_name = "${var.resources_prefix}${local.suffix}plan"
|
||||
application_insights_name = "${var.resources_prefix}${local.suffix}appi"
|
||||
}
|
132
support/sqlsecretrotation/iac/terraform/main.tf
Normal file
132
support/sqlsecretrotation/iac/terraform/main.tf
Normal file
@ -0,0 +1,132 @@
|
||||
data "azurerm_key_vault" "key_vault" {
|
||||
name = var.key_vault_name
|
||||
resource_group_name = var.key_vault_resource_group_name
|
||||
}
|
||||
|
||||
resource "azurerm_resource_group" "resource_group" {
|
||||
name = local.resource_group_name
|
||||
location = var.location
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
tags
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_storage_account" "storage_account" {
|
||||
name = local.storage_account_name
|
||||
location = azurerm_resource_group.resource_group.location
|
||||
resource_group_name = azurerm_resource_group.resource_group.name
|
||||
account_tier = "Standard"
|
||||
account_replication_type = "LRS"
|
||||
min_tls_version = "TLS1_2"
|
||||
enable_https_traffic_only = true
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
tags
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_application_insights" "application_insights" {
|
||||
name = local.application_insights_name
|
||||
location = azurerm_resource_group.resource_group.location
|
||||
resource_group_name = azurerm_resource_group.resource_group.name
|
||||
application_type = "web"
|
||||
}
|
||||
|
||||
resource "azurerm_app_service_plan" "app_service_plan" {
|
||||
name = local.app_service_plan_name
|
||||
location = azurerm_resource_group.resource_group.location
|
||||
resource_group_name = azurerm_resource_group.resource_group.name
|
||||
kind = "FunctionApp"
|
||||
|
||||
sku {
|
||||
tier = "Dynamic"
|
||||
size = "Y1"
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
tags,
|
||||
kind
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_function_app" "function_app" {
|
||||
name = local.function_app_name
|
||||
location = azurerm_resource_group.resource_group.location
|
||||
resource_group_name = azurerm_resource_group.resource_group.name
|
||||
app_service_plan_id = azurerm_app_service_plan.app_service_plan.id
|
||||
storage_account_name = azurerm_storage_account.storage_account.name
|
||||
storage_account_access_key = azurerm_storage_account.storage_account.primary_access_key
|
||||
version = "~3"
|
||||
https_only = true
|
||||
|
||||
app_settings = {
|
||||
"APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.application_insights.instrumentation_key
|
||||
"FUNCTIONS_WORKER_RUNTIME" = "dotnet"
|
||||
}
|
||||
|
||||
identity {
|
||||
type = "SystemAssigned"
|
||||
}
|
||||
|
||||
site_config {
|
||||
ftps_state = "Disabled"
|
||||
dotnet_framework_version = "v4.0"
|
||||
use_32_bit_worker_process = false
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [
|
||||
tags,
|
||||
# app_settings["WEBSITE_ENABLE_SYNC_UPDATE_SITE"],
|
||||
# app_settings["WEBSITE_RUN_FROM_PACKAGE"],
|
||||
# app_settings["APPINSIGHTS_INSTRUMENTATIONKEY"],
|
||||
# app_settings["FUNCTIONS_WORKER_RUNTIME"]
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_source_control
|
||||
# resource "azurerm_app_service_source_control" "app_service_source_control" {
|
||||
# app_id = azurerm_function_app.function_app.id
|
||||
# repo_url = "https://github.com/Azure-Samples/KeyVault-Rotation-SQLPassword-Csharp.git"
|
||||
# branch = "main"
|
||||
# manual_integration = true
|
||||
# # scm_type = "ExternalGit"
|
||||
# }
|
||||
|
||||
resource "azurerm_key_vault_access_policy" "key_vault_access_policy_function_app" {
|
||||
key_vault_id = data.azurerm_key_vault.key_vault.id
|
||||
tenant_id = azurerm_function_app.function_app.identity[0].tenant_id
|
||||
object_id = azurerm_function_app.function_app.identity[0].principal_id
|
||||
|
||||
secret_permissions = [
|
||||
"Get", "List", "Set"
|
||||
]
|
||||
}
|
||||
|
||||
# resource "azurerm_eventgrid_event_subscription" "eventgrid_event_subscription" {
|
||||
# name = "${data.azurerm_key_vault.key_vault.name}-${var.secret_name}-${azurerm_function_app.function_app.name}"
|
||||
# scope = data.azurerm_key_vault.key_vault.id
|
||||
|
||||
# azure_function_endpoint {
|
||||
# function_id = "${azurerm_function_app.function_app.id}/functions/AKVSQLRotation"
|
||||
# max_events_per_batch = 1
|
||||
# preferred_batch_size_in_kilobytes = 64
|
||||
# }
|
||||
|
||||
# subject_filter {
|
||||
# subject_begins_with = var.secret_name
|
||||
# subject_ends_with = var.secret_name
|
||||
# }
|
||||
|
||||
# included_event_types = [
|
||||
# "Microsoft.KeyVault.SecretNearExpiry"
|
||||
# ]
|
||||
# }
|
16
support/sqlsecretrotation/iac/terraform/providers.tf
Normal file
16
support/sqlsecretrotation/iac/terraform/providers.tf
Normal file
@ -0,0 +1,16 @@
|
||||
terraform {
|
||||
required_providers {
|
||||
azurerm = {
|
||||
source = "hashicorp/azurerm"
|
||||
version = "2.94.0"
|
||||
}
|
||||
}
|
||||
backend "azurerm" {
|
||||
}
|
||||
}
|
||||
|
||||
data "azurerm_client_config" "current" {}
|
||||
|
||||
provider "azurerm" {
|
||||
features {}
|
||||
}
|
24
support/sqlsecretrotation/iac/terraform/variables.tf
Normal file
24
support/sqlsecretrotation/iac/terraform/variables.tf
Normal file
@ -0,0 +1,24 @@
|
||||
variable "key_vault_resource_group_name" {
|
||||
description = ""
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "key_vault_name" {
|
||||
description = ""
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "resources_prefix" {
|
||||
description = ""
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "location" {
|
||||
description = ""
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "secret_name" {
|
||||
description = ""
|
||||
type = string
|
||||
}
|
Reference in New Issue
Block a user