
@tspascoal
Created April 27, 2019 13:45
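Azure Function app with its own Key Vault for secrets, plus an app setting that references a secret held in another (shared) Key Vault. Note: the template grants the function app's system-assigned managed identity `get` on secrets only in the vault it creates; no access policy is added to the shared vault here, so that identity must be granted secret `get` there separately (the `managedIdentity` output returns its tenant and principal IDs). Both app settings use `secretUriWithVersion`, so they stay pinned to the secret version present at deployment.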
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"skuName": {
"type": "string",
"defaultValue": "F1",
"allowedValues": [
"F1",
"D1",
"B1",
"B2",
"B3",
"S1",
"S2",
"S3",
"P1",
"P2",
"P3",
"P4"
]
},
"skuCapacity": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"metadata": {
"description": "Plan instance count"
}
},
"websiteName": {
"type": "string",
"defaultValue": "myWebSite"
},
"ADTenantId": {
"type": "string"
},
"sharedKeyVaultRG": {
"type": "string",
"defaultValue": "[resourceGroup().name]"
},
"SharedKeyVaultName": {
"type": "string"
},
"SecretName": {
"type": "string"
}
},
"variables": {
"storageConnectionString": "[concat(parameters('websiteName') , 'storageConnection')]",
"keyVaultName": "[concat(parameters('websiteName') ,'vault')]",
"hostingPlanName": "[concat(parameters('websiteName'),'-plan-', uniquestring(resourceGroup().id))]",
"storageAccountName": "[concat(uniquestring(resourceGroup().id), 'azfunctions')]",
"storageAccountid": "[concat(resourceGroup().id,'/providers/','Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
},
"resources": [
{
"name": "[variables('keyVaultName')]",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "West Europe",
"dependsOn": [
"[resourceId('Microsoft.Web/sites/', parameters('webSiteName'))]"
],
"properties": {
"tenantId": "[parameters('ADTenantId')]",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "[reference(concat('Microsoft.Web/sites/', parameters('webSiteName')), '2018-02-01', 'Full').identity.tenantId]",
"objectId": "[reference(concat('Microsoft.Web/sites/', parameters('webSiteName')), '2018-02-01', 'Full').identity.principalId]",
"permissions": {
"keys": [],
"secrets": ["get"],
"certificates": [],
"storage": []
}
}
],
"enabledForTemplateDeployment": true
}
},
{
"name": "[concat(variables('keyVaultName'), '/', variables('storageConnectionString'))]",
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2018-02-14",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
],
"properties": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-06-15').key1)]"
}
},
{
"apiVersion": "2015-08-01",
"name": "[variables('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"sku": {
"name": "[parameters('skuName')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"name": "[variables('hostingPlanName')]"
}
},
{
"apiVersion": "2018-02-01",
"name": "[parameters('webSiteName')]",
"type": "Microsoft.Web/sites",
"kind": "functionapp",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverFarms/', variables('hostingPlanName'))]",
"[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
],
"properties": {
"name": "[parameters('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"
},
"resources": [
{
"name": "appSettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [
"[resourceId('Microsoft.Web/Sites/', parameters('webSiteName'))]",
"[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionString'))]"
],
"properties": {
"AzureWebJobsStorage": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionString'))).secretUriWithVersion, ')')]",
"ValueFromSharedKeyVault": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId(parameters('sharedKeyVaultRG'),'Microsoft.KeyVault/vaults/secrets', parameters('SharedKeyVaultName'), parameters('SecretName')), '2016-10-01').secretUriWithVersion, ')')]"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('storageAccountName')]",
"apiVersion": "2015-06-15",
"location": "[resourceGroup().location]",
"properties": {
"accountType": "Standard_LRS"
}
}
],
"outputs": {
"managedIdentity" : {
"type": "object",
"value": {
"tenantId" : "[reference(concat('Microsoft.Web/sites/', parameters('webSiteName')), '2018-02-01', 'Full').identity.tenantId]",
"principalId" : "[reference(concat('Microsoft.Web/sites/', parameters('webSiteName')), '2018-02-01', 'Full').identity.principalId]"
}
}
}
}