Deployment Scripts ARM - Blog
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"key-vault-name": {
"type": "string",
"metadata": {
"description": "Specifies the name of the key vault. The vault is created with public network access (networkAcls.defaultAction Allow, bypass AzureServices); the deployment script runs from an Azure container instance and may rely on that, so tighten the network rules only after the bootstrap has completed."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specifies the Azure location where the key vault should be created."
}
},
"enabledForDeployment": {
"type": "bool",
"defaultValue": true,
"allowedValues": [
true,
false
],
"metadata": {
"description": "Specifies whether Azure Virtual Machines are permitted to retrieve keys stored as secrets from the key vault."
}
},
"enabledForDiskEncryption": {
"type": "bool",
"defaultValue": true,
"allowedValues": [
true,
false
],
"metadata": {
"description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys."
}
},
"enabledForTemplateDeployment": {
"type": "bool",
"defaultValue": true,
"allowedValues": [
true,
false
],
"metadata": {
"description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault. This must be true for the VM template to resolve the KEK URL through its Key Vault parameter reference (secretName disk-key-kek-kid)."
}
},
"tenantId": {
"type": "string",
"defaultValue": "[subscription().tenantId]",
"metadata": {
"description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
}
},
"objectId": {
"type": "string",
"metadata": {
"description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets."
}
},
"keysPermissions": {
"type": "array",
"defaultValue": [
"All"
],
"metadata": {
"description": "Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge. The default of All grants every key permission to both access-policy principals (objectId and the managed identity); the deployment script itself only uses get, list and create, so narrow this outside of a demo."
}
},
"secretsPermissions": {
"type": "array",
"defaultValue": [
"All"
],
"metadata": {
"description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge. The default of All is granted to both access-policy principals; the deployment script only needs set (it writes the secret disk-key-kek-kid), so narrow this outside of a demo."
}
},
"skuName": {
"type": "string",
"defaultValue": "Premium",
"allowedValues": [
"Standard",
"Premium"
],
"metadata": {
"description": "Specifies whether the key vault is a standard vault or a premium vault. The deployment script creates the disk encryption key with -Destination HSM, which requires the Premium SKU; selecting Standard makes that step fail."
}
},
"identityName": {
"type": "string",
"metadata": {
"description": "Specifies the name of the user-assigned managed identity that runs the deployment script. This template grants it Contributor on the whole resource group plus the same vault access policy as objectId; both grants are wider than the script needs and should be scoped down once the bootstrap is done."
}
},
"certificatesPermissions": {
"type": "array",
"defaultValue": [
"get",
"list",
"update",
"create"
],
"metadata": {
"description": "Specifies the permissions to certificates in the vault. Valid values are: all, get, list, update, create, import, delete, recover, backup, restore, manage contacts, manage certificate authorities, get certificate authorities, list certificate authorities, set certificate authorities, delete certificate authorities. Nothing in this template uses certificates, so this can be left empty."
}
},
"utcValue": {
"type": "string",
"defaultValue": "[utcNow()]"
}
},
"variables": {
"bootstrapRoleAssignmentId": "[guid(concat(resourceGroup().id, 'contributor'))]",
"contributorRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]"
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"apiVersion": "2018-11-30",
"name": "[parameters('identityName')]",
"location": "[resourceGroup().location]"
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2018-09-01-preview",
"name": "[variables('bootstrapRoleAssignmentId')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
],
"properties": {
"roleDefinitionId": "[variables('contributorRoleDefinitionId')]",
"principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')), '2018-11-30').principalId]",
"scope": "[resourceGroup().id]",
"principalType": "ServicePrincipal"
}
},
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2019-09-01",
"name": "[parameters('key-vault-name')]",
"location": "[parameters('location')]",
"properties": {
"enabledForDeployment": "[parameters('enabledForDeployment')]",
"enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
"enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
"enableSoftDelete": true,
"enablePurgeProtection": true,
"tenantId": "[parameters('tenantId')]",
"accessPolicies": [
{
"objectId": "[parameters('objectId')]",
"tenantId": "[parameters('tenantId')]",
"permissions": {
"keys": "[parameters('keysPermissions')]",
"secrets": "[parameters('secretsPermissions')]",
"certificates": "[parameters('certificatesPermissions')]"
}
},
{
"objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')), '2018-11-30').principalId]",
"tenantId": "[parameters('tenantId')]",
"permissions": {
"keys": "[parameters('keysPermissions')]",
"secrets": "[parameters('secretsPermissions')]",
"certificates": "[parameters('certificatesPermissions')]"
}
}
],
"sku": {
"name": "[parameters('skuName')]",
"family": "A"
},
"networkAcls": {
"defaultAction": "Allow",
"bypass": "AzureServices"
}
}
},
{
"type": "Microsoft.Resources/deploymentScripts",
"apiVersion": "2019-10-01-preview",
"name": "addKeyDiskEncryptionSet",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('key-vault-name'))]",
"[resourceId('Microsoft.Authorization/roleAssignments', variables('bootstrapRoleAssignmentId'))]"
],
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]": {
}
}
},
"kind": "AzurePowerShell",
"properties": {
"forceUpdateTag": "[parameters('utcValue')]",
"azPowerShellVersion": "3.0",
"timeout": "PT30M",
"arguments": "[format(' -VaultName {0} -ResourceGroupName {1} -LocationName {2}', parameters('key-vault-name'), resourceGroup().name, resourceGroup().location)]",
"scriptContent": "
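param(
[string] [Parameter(Mandatory=$true)] $VaultName,
[string] [Parameter(Mandatory=$true)] $ResourceGroupName,
[string] [Parameter(Mandatory=$true)] $LocationName
)
# Bootstraps customer-managed-key disk encryption for the VM template:
#   1. creates (or reuses) an HSM-backed key in the vault,
#   2. publishes the key URL (kid) as the secret disk-key-kek-kid so the VM
#      template can read it through a Key Vault parameter reference,
#   3. creates a Disk Encryption Set (DES) backed by that key and grants the
#      DES system-assigned identity only the key permissions it needs.
# Runs under the user-assigned identity attached to the deploymentScripts
# resource, so every cmdlet below is bounded by that identity's access
# policy and role assignment.
$ErrorActionPreference = 'Stop'
$DeploymentScriptOutputs = @{}
$KeyName = 'deploy-script-disk-encryption-key'
$DiskEncryptionSetName = 'deploy-script-disk-encryption-set'
$kekEncryptionUrlSecretName = 'disk-key-kek-kid'

# Resolve the vault. Get-AzKeyVault may return nothing rather than throwing
# when the vault is missing or not visible to this identity, so check explicitly
# instead of failing later with a null ResourceId.
$kv = Get-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroupName
if ($null -eq $kv) {
    throw ('Key vault ' + $VaultName + ' was not found in resource group ' + $ResourceGroupName)
}

# Reuse an existing key so re-running the deployment does not rotate the KEK
# out from under disks that are already encrypted with it.
$existingKey = Get-AzKeyVaultKey `
    -VaultName $VaultName `
    -Name $KeyName `
    -ErrorAction SilentlyContinue
if ($null -eq $existingKey) {
    # -Destination HSM requests an HSM-protected key, which requires a Premium
    # SKU vault; on a Standard vault this call fails and the script stops here.
    $null = Add-AzKeyVaultKey `
        -VaultName $VaultName `
        -Name $KeyName `
        -Destination 'HSM'
}
# Re-read so the variable always holds the current versioned key object.
$diskEncrptKey = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
$kekUrl = $diskEncrptKey.Key.Kid

# The kid is a public identifier, not secret material; it is written as a
# secret only because a Key Vault reference is the supported way for the VM
# template to consume a value produced here. The vault must have
# enabledForTemplateDeployment set for that reference to resolve.
$secretvalue = ConvertTo-SecureString $kekUrl -AsPlainText -Force
$null = Set-AzKeyVaultSecret -VaultName $VaultName -Name $kekEncryptionUrlSecretName -SecretValue $secretvalue

# Create the DES with a system-assigned identity; that identity is what the
# platform uses to wrap and unwrap the per-disk data encryption keys.
$desConfig = New-AzDiskEncryptionSetConfig `
    -Location $LocationName `
    -SourceVaultId $kv.ResourceId `
    -KeyUrl $kekUrl `
    -IdentityType SystemAssigned
$null = New-AzDiskEncryptionSet `
    -Name $DiskEncryptionSetName `
    -ResourceGroupName $ResourceGroupName `
    -InputObject $desConfig
$des = Get-AzDiskEncryptionSet -ResourceGroupName $ResourceGroupName -Name $DiskEncryptionSetName
$desPrincipalId = $des.Identity.PrincipalId
if ([string]::IsNullOrEmpty($desPrincipalId)) {
    throw ('Disk encryption set ' + $DiskEncryptionSetName + ' has no system-assigned identity principal id')
}

# Least privilege for the DES identity: get, wrapKey and unwrapKey only.
# -BypassObjectIdValidation is kept because the freshly created service
# principal may not yet be resolvable through the directory lookup.
$null = Set-AzKeyVaultAccessPolicy `
    -VaultName $VaultName `
    -ObjectId $desPrincipalId `
    -PermissionsToKeys wrapkey,unwrapkey,get `
    -BypassObjectIdValidation

# Also surface the handoff values as deployment-script outputs so callers can
# read them via reference(...).outputs without a vault round-trip. The
# previously declared hashtable was never populated.
$DeploymentScriptOutputs['kekUrl'] = $kekUrl
$DeploymentScriptOutputs['diskEncryptionSetId'] = $des.Id
$DeploymentScriptOutputs['diskEncryptionSetPrincipalId'] = $desPrincipalId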
",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
}
}
]
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"key-vault-name": {
"value": "deploy-script-kv"
},
"objectId": {
"value": "000000-000-0000-0000"
},
"identityName": {
"value": "deploy-script-kv-usr-id"
}
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachineSize": {
"type": "string",
"defaultValue": "Standard_DS1_v2",
"metadata": {
"description": "Virtual machine size. This template attaches a single NIC, so the older two-NIC minimum does not apply; when disk-encryption-type is SSE the OS managed disk is declared as Premium_LRS, so the size must support premium storage (for example the DS-series default)."
}
},
"adminUsername": {
"type": "string",
"metadata": {
"description": "Default Admin username"
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Default Admin password"
}
},
"storageAccountType": {
"type": "string",
"defaultValue": "Standard_LRS",
"metadata": {
"description": "Storage Account type for the VM and VM diagnostic storage"
},
"allowedValues": [
"Standard_LRS",
"Premium_LRS"
]
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"disk-encryption-type": {
"type": "string",
"metadata": {
"description": "Disk Encryption with Customer Managed Key (CMK): choose whether the disk should be encrypted with SSE + CMK or ADE + CMK. SSE attaches the OS disk to the disk encryption set deploy-script-disk-encryption-set in this resource group; ADE installs the AzureDiskEncryption extension with the KEK URL read from the vault secret disk-key-kek-kid. Both paths require the key vault template (and its deployment script) to have run first."
},
"allowedValues": [
"SSE",
"ADE"
]
},
"key-vault-name": {
"type": "string",
"metadata": {
"description": "Specifies the name of the key vault created by the key vault template. It must contain the secret disk-key-kek-kid and have enabledForTemplateDeployment set, because the nested deployment resolves the KEK URL through a Key Vault parameter reference."
}
},
"utcValue": {
"type": "string",
"defaultValue": "[utcNow()]"
}
},
"variables": {
"virtualMachineName": "deployscriptvm",
"nic1": "nic-1",
"virtualNetworkName": "virtualNetwork",
"subnet1Name": "subnet-1",
"subnet2Name": "subnet-2",
"publicIPAddressName": "publicIp",
"subnet1Ref": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), variables('subnet1Name'))]",
"diagStorageAccountName": "[concat('diags',uniqueString(resourceGroup().id))]",
"networkSecurityGroupName": "NSG",
"networkSecurityGroupName2": "[concat(variables('subnet2Name'), '-nsg')]",
"windowsDiskEncryptionExtensionName": "AzureDiskEncryption",
"windowsDiskEncryptionExtensionVersion": "2.2",
"windowsEncryptionOperation": "EnableEncryption",
"windowsKeyEncryptionAlgorithm": "RSA-OAEP",
"disk-encryption-set-name": "deploy-script-disk-encryption-set",
"disk-encryption-set-id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/', 'Microsoft.Compute/diskEncryptionSets/', variables('disk-encryption-set-name'))]",
"managed-disk-json": {
"storageAccountType": "Premium_LRS",
"diskEncryptionSet": {
"id": "[variables('disk-encryption-set-id')]"
}
}
},
"resources": [
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-09-01",
"name": "[variables('virtualMachineName')]",
"dependsOn": [
"[variables('nic1')]",
"[variables('diagStorageAccountName')]"
],
"properties": {
"mode": "Incremental",
"expressionEvaluationOptions": {
"scope": "inner"
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachineName":
{
"type": "string"
},
"virtualMachineSize": {
"type": "string"
},
"managed-disk-json":
{
"type": "object"
},
"disk-encryption-type":
{
"type": "string"
},
"windowsDiskEncryptionExtensionName":
{
"type": "string"
},
"windowsDiskEncryptionExtensionVersion":
{
"type": "string"
},
"windowsKeyEncryptionAlgorithm":
{
"type": "string"
},
"windowsEncryptionOperation":
{
"type": "string"
},
"key-vault-name":
{
"type": "string"
},
"utcValue":
{
"type": "string"
},
"disk-key-encryption-key-url": {
"type": "string"
},
"nic1": {
"type": "string"
},
"diagStorageAccountName": {
"type": "string"
},
"adminUsername": {
"type": "string"
},
"adminPassword": {
"type": "string"
}
},
"resources": [
{
"name": "[parameters('virtualMachineName')]",
"identity":
{
"type": "SystemAssigned"
},
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2019-07-01",
"location": "[resourceGroup().location]",
"comments": "This is the virtual machine that you're building. Note: the nested template declares adminPassword as a plain string parameter rather than securestring, so the value can be exposed in deployment history and logs; it should be securestring in both templates. The VM is placed in resourceGroup().location while the NIC and disks use parameters('location'); those must match.",
"dependsOn": [
],
"properties": {
"osProfile": {
"computerName": "[parameters('virtualMachineName')]",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"windowsConfiguration": {
"provisionVmAgent": true
}
},
"hardwareProfile": {
"vmSize": "[parameters('virtualMachineSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2016-Datacenter",
"version": "latest"
},
"osDisk": {
"name": "vm-os-disk",
"osType": "Windows",
"createOption": "FromImage",
"managedDisk": "[if(equals(parameters('disk-encryption-type'), 'ADE'), json('null'), parameters('managed-disk-json'))]"
},
"dataDisks": []
},
"networkProfile": {
"networkInterfaces": [
{
"properties": {
"primary": true
},
"id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('nic1'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('diagStorageAccountName')), '2017-06-01').primaryEndpoints['blob']]"
}
}
}
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat('/', parameters('virtualMachineName'), '/', parameters('windowsDiskEncryptionExtensionName'))]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachineName'))]"
],
"apiVersion": "2019-07-01",
"condition": "[bool(equals(parameters('disk-encryption-type'), 'ADE'))]",
"properties": {
"publisher": "Microsoft.Azure.Security",
"type": "[parameters('windowsDiskEncryptionExtensionName')]",
"typeHandlerVersion": "[parameters('windowsDiskEncryptionExtensionVersion')]",
"autoUpgradeMinorVersion": true,
"forceUpdateTag": "[parameters('utcValue')]",
"settings": {
"EncryptionOperation": "[parameters('windowsEncryptionOperation')]",
"KeyVaultURL": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('key-vault-name')), '2019-09-01').vaultUri]",
"KeyVaultResourceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('key-vault-name'))]",
"KeyEncryptionKeyURL": "[parameters('disk-key-encryption-key-url')]",
"KekVaultResourceId": "[resourceId('Microsoft.KeyVault/vaults', parameters('key-vault-name'))]",
"KeyEncryptionAlgorithm": "[parameters('windowsKeyEncryptionAlgorithm')]",
"VolumeType": "All",
"ResizeOSDisk": false
}
}
}
]
},
"parameters": {
"adminUsername": {
"value": "[parameters('adminUsername')]"
},
"adminPassword": {
"value": "[parameters('adminPassword')]"
},
"nic1": {
"value": "[variables('nic1')]"
},
"diagStorageAccountName": {
"value": "[variables('diagStorageAccountName')]"
},
"disk-key-encryption-key-url": {
"reference": {
"keyVault": {
"id": "[resourceId('Microsoft.KeyVault/vaults', parameters('key-vault-name'))]"
},
"secretName": "disk-key-kek-kid"
}
},
"virtualMachineName":
{
"value": "[variables('virtualMachineName')]"
},
"virtualMachineSize": {
"value": "[parameters('virtualMachineSize')]"
},
"managed-disk-json": {
"value": "[variables('managed-disk-json')]"
},
"disk-encryption-type":
{
"value": "[parameters('disk-encryption-type')]"
},
"windowsDiskEncryptionExtensionName": {
"value": "[variables('windowsDiskEncryptionExtensionName')]"
},
"windowsDiskEncryptionExtensionVersion": {
"value": "[variables('windowsDiskEncryptionExtensionVersion')]"
},
"windowsKeyEncryptionAlgorithm": {
"value": "[variables('windowsKeyEncryptionAlgorithm')]"
},
"windowsEncryptionOperation": {
"value": "[variables('windowsEncryptionOperation')]"
},
"key-vault-name": {
"value": "[parameters('key-vault-name')]"
},
"utcValue": {
"value": "[parameters('utcValue')]"
}
}
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('diagStorageAccountName')]",
"apiVersion": "2017-06-01",
"location": "[parameters('location')]",
"sku": {
"name": "[parameters('storageAccountType')]"
},
"kind": "Storage",
"properties": {}
},
{
"comments": "Simple Network Security Group for subnet [variables('subnet2Name')]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-08-01",
"name": "[variables('networkSecurityGroupName2')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Network/virtualNetworks",
"name": "[variables('virtualNetworkName')]",
"apiVersion": "2017-06-01",
"location": "[parameters('location')]",
"comments": "This will build a Virtual Network.",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName2'))]"
],
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "[variables('subnet1Name')]",
"properties": {
"addressPrefix": "10.0.0.0/24"
}
},
{
"name": "[variables('subnet2Name')]",
"properties": {
"addressPrefix": "10.0.1.0/24",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName2'))]"
}
}
}
]
}
},
{
"name": "[variables('nic1')]",
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2017-06-01",
"location": "[parameters('location')]",
"comments": "This will be your Primary NIC",
"dependsOn": [
"[variables('publicIpAddressName')]",
"[variables('networkSecurityGroupName')]",
"[variables('virtualNetworkName')]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"subnet": {
"id": "[variables('subnet1Ref')]"
},
"privateIPAllocationMethod": "Dynamic",
"publicIpAddress": {
"id": "[resourceId('Microsoft.Network/publicIpAddresses', variables('publicIpAddressName'))]"
}
}
}
],
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
}
}
},
{
"name": "[variables('publicIpAddressName')]",
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2017-06-01",
"location": "[parameters('location')]",
"comments": "Public IP for your Primary NIC",
"properties": {
"publicIPAllocationMethod": "Dynamic"
}
},
{
"name": "[variables('networkSecurityGroupName')]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2016-09-01",
"location": "[parameters('location')]",
"comments": "Network Security Group (NSG) for your Primary NIC. Its only rule, default-allow-rdp, allows inbound TCP 3389 from any source (sourceAddressPrefix *) to a NIC that carries a public IP, so RDP is reachable from the internet; restrict sourceAddressPrefix to trusted ranges, or drop the rule and use Bastion or just-in-time access instead.",
"properties": {
"securityRules": [
{
"name": "default-allow-rdp",
"properties": {
"priority": 1000,
"sourceAddressPrefix": "*",
"protocol": "Tcp",
"destinationPortRange": "3389",
"access": "Allow",
"direction": "Inbound",
"sourcePortRange": "*",
"destinationAddressPrefix": "*"
}
}
]
}
}
],
"outputs": {}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualMachineSize": {
"value": "Standard_DS2_v2"
},
"adminUsername": {
"value": "xxxxxx"
},
"adminPassword": {
"value": "xxxxxx"
},
"storageAccountType": {
"value": "Standard_LRS"
},
"location": {
"value": "eastus2"
},
"key-vault-name": {
"value": "deploy-script-kv"
},
"disk-encryption-type": {
"value": "SSE"
}
}
}