Customer-Managed Key with Pulumi
import pulumi
import pulumi_azure_native as azure_native
from pulumi import Output
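config = pulumi.Config()

# Deployment parameters. Each one is read from the Pulumi stack config
# (`pulumi config set <key> <value>`) and falls back to the literal the
# script originally hard-coded, so an unconfigured stack behaves as before.
# None of these is a secret: tenant and object IDs are identifiers, not
# credentials, so plain (non-secret) config is appropriate.

# Your AD Tenant ID
TENANT_ID = config.get('tenantId') or ''
# Object ID for the principal running Pulumi to access Key Vault
KV_ACCESS_POLICY = config.get('kvAccessPolicyObjectId') or ''
# Resource name used for all Azure resources in this demo. It also becomes the
# storage account name, so it must be globally unique and 3-24 lowercase
# letters/digits.
RESOURCE_NAME = config.get('resourceName') or 'cmkpulumi'
# Azure region for every resource
RESOURCE_LOCATION = config.get('location') or ''
# Tags applied to every resource
RESOURCE_TAGS = {'env': 'dev'}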
# Resource group that holds every resource in this demo. The Pulumi logical
# name and the Azure resource name are both RESOURCE_NAME.
resource_group = azure_native.resources.ResourceGroup(
    RESOURCE_NAME,
    resource_group_name=RESOURCE_NAME,
    location=RESOURCE_LOCATION,
    tags=RESOURCE_TAGS,
)
# User-assigned identity the storage account will use to reach Key Vault.
# Its principal_id is granted a vault access policy below, and the storage
# account's encryption identity points at its resource id.
storage_account_managed_identity = azure_native.managedidentity.UserAssignedIdentity(
    RESOURCE_NAME,
    resource_group_name=resource_group.name,
    location=RESOURCE_LOCATION,
    tags=RESOURCE_TAGS,
)
# Key permissions needed to wrap/unwrap the storage CMK. The same minimal,
# keys-only set is granted to both access policies, so it is defined once.
_CMK_KEY_PERMISSIONS = azure_native.keyvault.PermissionsArgs(
    keys=['wrapKey', 'unwrapKey', 'get'],
    secrets=[],
    certificates=[],
)

# Premium-SKU vault that holds the customer-managed key.
key_vault = azure_native.keyvault.Vault(
    RESOURCE_NAME,
    vault_name=RESOURCE_NAME,
    resource_group_name=resource_group.name,
    location=RESOURCE_LOCATION,
    tags=RESOURCE_TAGS,
    properties=azure_native.keyvault.VaultPropertiesArgs(
        tenant_id=TENANT_ID,
        sku=azure_native.keyvault.SkuArgs(family='A', name='Premium'),
        access_policies=[
            # The principal running Pulumi: get/wrapKey/unwrapKey on keys only.
            azure_native.keyvault.AccessPolicyEntryArgs(
                tenant_id=TENANT_ID,
                object_id=KV_ACCESS_POLICY,
                permissions=_CMK_KEY_PERMISSIONS,
            ),
            # The storage account's user-assigned identity: same keys-only set.
            azure_native.keyvault.AccessPolicyEntryArgs(
                tenant_id=TENANT_ID,
                object_id=storage_account_managed_identity.principal_id,
                permissions=_CMK_KEY_PERMISSIONS,
            ),
        ],
        # Soft delete and purge protection keep a deleted key recoverable;
        # a vault backing storage CMK must have both, since losing the key
        # makes the encrypted data unreadable.
        enable_soft_delete=True,
        enable_purge_protection=True,
        soft_delete_retention_in_days=15,
        # NOTE(review): enabled_for_disk_encryption applies to Azure Disk
        # Encryption, which nothing in this demo uses; confirm it is needed.
        enabled_for_disk_encryption=True,
        enabled_for_deployment=False,
        enabled_for_template_deployment=False,
        # NOTE(review): default_action='Allow' leaves the vault reachable from
        # any network. 'Deny' plus explicit ip_rules is stricter, but the
        # address Pulumi runs from would then need allow-listing; the
        # 'AzureServices' bypass is what is meant to keep the storage service
        # able to reach the key once the default is tightened.
        network_acls=azure_native.keyvault.NetworkRuleSetArgs(
            default_action='Allow',
            bypass='AzureServices',
        ),
    ),
)
# Alias kept for any code that refers to the vault as `vault`.
vault = key_vault
# The customer-managed key: a 4096-bit RSA key generated and held in the
# vault's HSM (kty 'RSA-HSM' needs the Premium SKU chosen above). The key
# material stays in Key Vault; callers only get/wrap/unwrap with it.
# NOTE(review): no expiry or rotation is configured here; plan rotation
# separately.
_storage_key_properties = azure_native.keyvault.KeyPropertiesArgs(
    kty='RSA-HSM',
    key_size=4096,
)
storage_key = azure_native.keyvault.Key(
    RESOURCE_NAME,
    key_name=RESOURCE_NAME,
    vault_name=key_vault.name,
    resource_group_name=resource_group.name,
    properties=_storage_key_properties,
    tags=RESOURCE_TAGS,
)
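# Storage account encrypted with the customer-managed key above.
# Hardening carried over from the original: no anonymous blob access,
# TLS 1.2 minimum, network default-deny with trusted Azure services bypassed,
# and infrastructure (double) encryption layered under the CMK.
cmk_storage_account = azure_native.storage.StorageAccount(
    RESOURCE_NAME,
    account_name=RESOURCE_NAME,
    resource_group_name=resource_group.name,
    location=RESOURCE_LOCATION,
    kind='StorageV2',
    sku=azure_native.storage.SkuArgs(name='Standard_ZRS'),
    tags=RESOURCE_TAGS,
    allow_blob_public_access=False,
    minimum_tls_version='TLS1_2',
    network_rule_set=azure_native.storage.NetworkRuleSetArgs(
        default_action='Deny',
        bypass='AzureServices',
    ),
    # The account authenticates to Key Vault as the user-assigned identity
    # (the one granted get/wrapKey/unwrapKey above). The ARM shape is a map
    # keyed by the identity's resource id, hence the .apply() over the Output.
    # The lambda parameter is named to avoid shadowing the builtin `id`.
    identity=azure_native.storage.IdentityArgs(
        type='UserAssigned',
        user_assigned_identities=storage_account_managed_identity.id.apply(
            lambda identity_id: {identity_id: {}}
        ),
    ),
    encryption=azure_native.storage.EncryptionArgs(
        key_source='Microsoft.Keyvault',
        key_vault_properties=azure_native.storage.KeyVaultPropertiesArgs(
            key_name=storage_key.name,
            key_vault_uri=key_vault.properties.vault_uri,
            # NOTE(review): no key_version is pinned, so the account is
            # expected to follow the key's current version; pin one only if
            # rotation must be applied manually.
        ),
        encryption_identity=azure_native.storage.EncryptionIdentityArgs(
            encryption_user_assigned_identity=storage_account_managed_identity.id,
        ),
        require_infrastructure_encryption=True,
        services=azure_native.storage.EncryptionServicesArgs(
            blob=azure_native.storage.EncryptionServiceArgs(
                enabled=True,
                key_type='Account',
            ),
            file=azure_native.storage.EncryptionServiceArgs(
                enabled=True,
                key_type='Account',
            ),
        ),
    ),
)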