Azure Storage Account with KeyVault encryption via ARM Templates
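#!/bin/bash
# Deploy a storage account encrypted with a customer-managed Key Vault key.
#
# This is a two-step process: the storage encryption settings can only be
# switched to the Key Vault key after the vault access policy for the
# account's managed identity exists, and an ARM template cannot "dependsOn"
# an access policy. This script is just an example of running the two
# templates (storage_step1.json, storage_step2.json, expected in the current
# directory) via the Azure CLI.
#
# NOTE(review): the Key Vault must already exist and is not created here.
# Azure requires soft-delete (and purge protection) on a vault used for
# storage customer-managed keys — confirm on the vault before running step 2.
# NOTE(review): step 2 pins a specific key version; rotating the key in the
# vault is not picked up until the template is re-run with the new version.
# NOTE(review): the templates set networkAcls.defaultAction to Deny with no
# IP or VNet rules, so after deployment only trusted Azure services can reach
# the account — add rules deliberately rather than relaxing the default.

# Fail fast: stop on the first failing command, on unset variables and on
# failures inside pipelines, so step 2 never runs against a half-finished
# step 1 (which would leave the account on the Microsoft-managed key).
set -euo pipefail

echo "Deploying a storage account encrypted with a KeyVault key is a two step process"
echo "because changing the storage settings must happen after the access policy is configured"
echo "and we are unable to DependOn an access policy."
echo "This shell script is just an example of how to run the two templates via the Azure CLI"

# Refuse to continue when a required prompt answer is empty, so an empty
# value never reaches `az` as a template parameter.
require() {
  local label=$1 value=$2
  if [[ -z "$value" ]]; then
    echo "error: ${label} must not be empty" >&2
    exit 1
  fi
}

# `read -r` keeps backslashes literal; every expansion below is quoted so a
# name containing spaces or glob characters cannot be split or expanded.
read -r -p 'Resource Group: ' rgName
require 'Resource Group' "$rgName"
echo "$rgName"
read -r -p 'Location (default: Central US): ' resourceLocation
resourceLocation=${resourceLocation:-Central US}
echo "$resourceLocation"
read -r -p 'Storage Name: ' storageName
require 'Storage Name' "$storageName"
echo "$storageName"
read -r -p 'Key Vault Name: ' vaultname
require 'Key Vault Name' "$vaultname"
read -r -p 'Key Name: ' keyname
require 'Key Name' "$keyname"
read -r -p 'Key Version: ' version
require 'Key Version' "$version"

echo "Verifying Resource Group"
az group create --name "$rgName" --location "$resourceLocation"

# Step 1: create the account with a system-assigned identity (still on the
# Microsoft-managed key) and grant that identity Get/WrapKey/UnwrapKey on the
# vault. `az group deployment create` is the CLI form this gist was written
# against; newer CLIs expose the same operation as `az deployment group create`.
echo "Deploying Storage Account and Creating Access Policy"
az group deployment create \
  --resource-group "$rgName" \
  --template-file storage_step1.json \
  --parameters "storageAccountName=$storageName" "keyvaultname=$vaultname"

# Step 2: switch the account's encryption keySource to the Key Vault key.
echo "Configuring Storage Account Encryption"
az group deployment create \
  --resource-group "$rgName" \
  --template-file storage_step2.json \
  --parameters "storageAccountName=$storageName" "keyvaultname=$vaultname" \
               "keyname=$keyname" "keyversion=$version"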
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyvaultname": {
"type": "string"
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account to create (globally unique; 3-24 lowercase letters and digits)."
}
}
},
"variables": {
"identity_resource_id": "[concat(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
},
"resources": [
{
"apiVersion": "2018-07-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageAccountName')]",
"location": "[resourceGroup().location]",
"kind": "Storage",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
}
},
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny"
},
"supportsHttpsTrafficOnly": true
}
},
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"name": "[concat(parameters('keyvaultname'), '/add')]",
"apiVersion": "2018-02-14",
"properties": {
"accessPolicies": [
{
"tenantId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').tenantId]",
"objectId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').principalId]",
"permissions": {
"keys": [
"Get",
"WrapKey",
"UnwrapKey"
]
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
]
}
]
}
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"keyvaultname": {
"type": "string"
},
"keyname": {
"type": "string"
},
"keyversion": {
"type": "string"
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "Name of the storage account created in step 1 (globally unique; 3-24 lowercase letters and digits)."
}
}
},
"variables": {
"identity_resource_id": "[concat(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
},
"resources": [
{
"apiVersion": "2018-07-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "[parameters('storageAccountName')]",
"location": "[resourceGroup().location]",
"kind": "Storage",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"identity": {
"type": "SystemAssigned"
},
"properties": {
"encryption": {
"keySource": "Microsoft.Keyvault",
"keyvaultproperties": {
"keyname": "[parameters('keyname')]",
"keyvaulturi": "[concat('https://', parameters('keyvaultname'), '.vault.azure.net')]",
"keyversion": "[parameters('keyversion')]"
},
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
}
},
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny",
"ipRules": [],
"virtualNetworkRules": []
},
"supportsHttpsTrafficOnly": true
}
}
],
"outputs": {}
}