@christopherhouse
Created August 11, 2022 02:17
Example modules for a Key Vault and Key Vault Secrets
// modules/keyVault.bicep
// Creates a standard-SKU Key Vault in the current tenant and grants access
// through the vault access-policy model (Azure RBAC authorization is not
// enabled here).

// Name of the vault to create.
param keyVaultName string

// Region for the vault; defaults to the resource group's location.
param location string = resourceGroup().location

// Tenant that owns the vault and against which access policies are evaluated.
param tenantId string = subscription().tenantId

// Object IDs (users, groups or service principals) that receive 'all'
// permissions on keys, secrets and certificates.
param adminUserObjectIds array

// Object IDs that may only read secret values.
param applicationUserObjectIds array

// Administrator policies: 'all' on every object type.
// NOTE(review): 'all' covers the destructive operations as well (delete,
// purge, backup/restore), so this list should be kept deliberately short.
var adminPolicies = [for principalId in adminUserObjectIds: {
  objectId: principalId
  tenantId: tenantId
  permissions: {
    keys: [ 'all' ]
    secrets: [ 'all' ]
    certificates: [ 'all' ]
  }
}]

// Application-identity policies: read secrets only (least privilege for consumers).
var appPolicies = [for principalId in applicationUserObjectIds: {
  objectId: principalId
  tenantId: tenantId
  permissions: {
    secrets: [ 'get' ]
  }
}]

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: tenantId
    sku: {
      name: 'standard'
      family: 'A'
    }
    // union() merges both lists and collapses exact-duplicate policy objects.
    // A principal that appears in both lists with different permissions still
    // produces two entries — confirm that is intended for such callers.
    accessPolicies: union(adminPolicies, appPolicies)
    // NOTE(review): purge protection, public network access and network ACLs
    // are not set, so the vault keeps the service defaults for them — confirm
    // those defaults match the intended hardening before production use.
  }
}

// Exposed so dependent modules (e.g. a secrets module) can reference the vault by name.
output vaultName string = keyVault.name
// modules/keyVaultSecret.bicep
// Writes one secret into an existing Key Vault with explicit
// enabled / not-before / expiry attributes.

// Name of the secret object inside the vault.
param secretName string

// Secret material. @secure() keeps the value out of deployment history,
// logs and outputs; callers should source it securely as well.
@secure()
param secretValue string

// Name of a vault that already exists in the target resource group.
param vaultName string

// Not-before time (ISO 8601 string); defaults to the deployment time.
param enabledDate string = utcNow()

// Expiry (ISO 8601 string); defaults to ten years after deployment.
// NOTE(review): utcNow() is evaluated per deployment, so redeploying this
// module moves both nbf and exp forward — pass explicit values if a
// rotation schedule depends on a fixed expiry.
param expirationDate string = dateTimeAdd(utcNow(), 'P10Y')

// Whether the secret is usable immediately after creation.
param enabled bool = true

// Reference-only (no create) handle on the vault that will hold the secret.
resource vault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: vaultName
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  parent: vault
  name: secretName
  properties: {
    value: secretValue
    attributes: {
      // Key Vault stores attribute timestamps as epoch seconds, hence the conversion.
      nbf: dateTimeToEpoch(enabledDate)
      exp: dateTimeToEpoch(expirationDate)
      enabled: enabled
    }
  }
}
// main.bicep
// Root deployment: provisions the vault, then seeds it with a single secret.

var location = resourceGroup().location
var vaultName = 'cmhvault002'

// Principals granted 'all' on keys, secrets and certificates by the vault module.
// NOTE(review): that includes delete/purge, so keep this list minimal.
var adminUserObjectIds = [
  'e82dcaa8-7b11-40b7-b476-815c9026035f'
  'ba3f4d11-337c-4316-a579-e6a30fd0d71c'
]

// Principals limited to reading secrets.
var applicationUserObjectIds = [
  '2bf650d0-afd3-4b85-8e04-53523fa5d351'
  'fdecb9ac-d88e-4619-a3ee-6bb34a65eec7'
]

var secretName = 'FooSecret'

// NOTE(review): uniqueString() is a deterministic hash of its input, so this
// value can be reproduced by anyone who knows the resource group name, and as
// a plain var it is also visible in the compiled template. Treat it as a
// placeholder; a @secure() parameter supplied from outside the template would
// avoid both problems.
var secretValue = uniqueString(resourceGroup().name)

// Declared but not consumed by either module below.
var storageAccountName = 'cmhstore${uniqueString(resourceGroup().name)}'

// tenantId is not passed, so the module falls back to subscription().tenantId.
module vault 'modules/keyVault.bicep' = {
  name: 'valultdeploy'
  params: {
    keyVaultName: vaultName
    location: location
    adminUserObjectIds: adminUserObjectIds
    applicationUserObjectIds: applicationUserObjectIds
  }
}

// Ordered after the vault module because it consumes that module's output.
module secret 'modules/keyVaultSecret.bicep' = {
  name: 'secretDeploy'
  params: {
    vaultName: vault.outputs.vaultName
    secretName: secretName
    secretValue: secretValue
  }
}