From 7cc34167a71a474cbbb4b7f924622bf3bdb1e8d5 Mon Sep 17 00:00:00 2001
From: Eskil Uhlving Larsen <7443949+picccard@users.noreply.github.com>
Date: Sun, 30 Jun 2024 23:26:31 +0200
Subject: [PATCH 1/5] Update kv module with additionalKeyVaultSecretsUserPrincipalId

---
 deploy/modules/keyVault.bicep | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/deploy/modules/keyVault.bicep b/deploy/modules/keyVault.bicep
index caba133..0f6d3f7 100644
--- a/deploy/modules/keyVault.bicep
+++ b/deploy/modules/keyVault.bicep
@@ -10,6 +10,9 @@ param identityPrincipalId string
 @description('Managed Identity ClientId')
 param identityClientId string
 
+@description('Additional identities to assign Key Vault Secrets User')
+param additionalKeyVaultSecretsUserPrincipalId string[] = []
+
 @description('AzureAD TenantId')
 param tenantId string = subscription().tenantId
 
@@ -28,7 +31,6 @@ param workspaceId string
 
 var keyVaultUser = '4633458b-17de-408a-b874-0445c86b69e6'
 var keyVaultUserId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultUser)
-var keyVaultUserRoleAssignmentId = guid(keyVaultUser, identityPrincipalId, keyVault.id)
 
 resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
   name: keyVaultName
@@ -36,6 +38,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
   properties: {
     enablePurgeProtection: true
     enableRbacAuthorization: true
+    enabledForTemplateDeployment: true
     tenantId: tenantId
     sku: {
       name: 'standard'
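Review bot: `enabledForTemplateDeployment: true` in the `@@ -36,6 +38,7 @@` hunk widens who can read vault secrets and is not mentioned in the subject: it lets ARM/Bicep deployments fetch secrets through `az.getSecret()`, which any caller holding `Microsoft.KeyVault/vaults/deploy/action` on the vault can then do, independently of the RBAC data-plane roles this patch is about. It appears to exist to support the `az.getSecret()` usage suggested in the example bicepparam added later in this series; if so, record that intent next to the line, e.g. `// Lets ARM deployments reference secrets via az.getSecret(); caller needs Microsoft.KeyVault/vaults/deploy/action`, and ideally land it as its own commit. The enclosing `keyVault` resource continues outside the hunk.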
@@ -116,15 +119,19 @@ resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-pr
   }
 }
 
-resource keyVaultUserAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
-  name: keyVaultUserRoleAssignmentId
+var allKeyVaultSecretsUserPrincipalIds = union(
+  [identityPrincipalId],
+  additionalKeyVaultSecretsUserPrincipalId
+)
+resource keyVaultUserAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [ for principalId in allKeyVaultSecretsUserPrincipalIds: {
+  name: guid(keyVaultUser, principalId, keyVault.id)
   scope: keyVault
   properties: {
     principalType: 'ServicePrincipal'
     roleDefinitionId: keyVaultUserId
-    principalId: identityPrincipalId
+    principalId: principalId
   }
-}
+}]
 
 output keyVaultName string = keyVault.name
 output keyVaultUri string = keyVault.properties.vaultUri

From 3a5d2b02831714341c9964ff98f66444fe3e74da Mon Sep 17 00:00:00 2001
From: Eskil Uhlving Larsen <7443949+picccard@users.noreply.github.com>
Date: Sun, 30 Jun 2024 23:28:06 +0200
Subject: [PATCH 2/5] Update main with param additionalKeyVaultSecretsUserPrincipalIds

---
 deploy/main.bicep | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/deploy/main.bicep b/deploy/main.bicep
index fa29bb9..6ee66b2 100644
--- a/deploy/main.bicep
+++ b/deploy/main.bicep
@@ -33,6 +33,9 @@ param engineAppId string
 @description('IPAM-Engine App Registration Client Secret')
 param engineAppSecret string
 
+@description('Additional identities to assign Key Vault Secrets User on the Key Vault')
+param additionalKeyVaultSecretsUserPrincipalIds string[] = []
+
 @description('Tags')
 param tags object = {}
 
@@ -90,6 +93,7 @@ module keyVault './modules/keyVault.bicep' = {
     keyVaultName: resourceNames.keyVaultName
     identityPrincipalId: managedIdentity.outputs.principalId
     identityClientId: managedIdentity.outputs.clientId
+    additionalKeyVaultSecretsUserPrincipalIds: additionalKeyVaultSecretsUserPrincipalIds
     uiAppId: uiAppId
     engineAppId: engineAppId
     engineAppSecret: engineAppSecret

From 9cbde48eb4099a399918be2fc59e6c80f02dcefa Mon Sep 17 00:00:00 2001
From: Eskil Uhlving Larsen <7443949+picccard@users.noreply.github.com>
Date: Sun, 30 Jun 2024 23:28:49 +0200
Subject: [PATCH 3/5] Update typo in kv module

---
 deploy/modules/keyVault.bicep | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deploy/modules/keyVault.bicep b/deploy/modules/keyVault.bicep
index 0f6d3f7..f9d6530 100644
--- a/deploy/modules/keyVault.bicep
+++ b/deploy/modules/keyVault.bicep
@@ -11,7 +11,7 @@ param identityPrincipalId string
 param identityClientId string
 
 @description('Additional identities to assign Key Vault Secrets User')
-param additionalKeyVaultSecretsUserPrincipalId string[] = []
+param additionalKeyVaultSecretsUserPrincipalIds string[] = []
 
 @description('AzureAD TenantId')
 param tenantId string = subscription().tenantId
@@ -121,7 +121,7 @@ resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-pr
 
 var allKeyVaultSecretsUserPrincipalIds = union(
   [identityPrincipalId],
-  additionalKeyVaultSecretsUserPrincipalId
+  additionalKeyVaultSecretsUserPrincipalIds
 )
 resource keyVaultUserAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [ for principalId in allKeyVaultSecretsUserPrincipalIds: {
   name: guid(keyVaultUser, principalId, keyVault.id)

From f2980c972c99fc488637b3bf751750e13f974c21 Mon Sep 17 00:00:00 2001
From: picccard <7443949+picccard@users.noreply.github.com>
Date: Thu, 11 Jul 2024 15:46:36 +0200
Subject: [PATCH 4/5] allow all role def guids for keyvault

---
 deploy/main.bicep | 15 ++++++++++----
 deploy/modules/keyVault.bicep | 39 ++++++++++++++++++++---------------
 2 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/deploy/main.bicep b/deploy/main.bicep
index 6ee66b2..6b8458d 100644
--- a/deploy/main.bicep
+++ b/deploy/main.bicep
@@ -33,8 +33,8 @@ param engineAppId string
 @description('IPAM-Engine App Registration Client Secret')
 param engineAppSecret string
 
-@description('Additional identities to assign Key Vault Secrets User on the Key Vault')
-param additionalKeyVaultSecretsUserPrincipalIds string[] = []
+@description('Array of additional role assignments to create on the Key Vault')
+param additionalKeyVaultRoleAssignments object[] = []
 
 @description('Tags')
 param tags object = {}
@@ -91,13 +91,20 @@ module keyVault './modules/keyVault.bicep' = {
   params: {
     location: location
     keyVaultName: resourceNames.keyVaultName
-    identityPrincipalId: managedIdentity.outputs.principalId
     identityClientId: managedIdentity.outputs.clientId
-    additionalKeyVaultSecretsUserPrincipalIds: additionalKeyVaultSecretsUserPrincipalIds
     uiAppId: uiAppId
     engineAppId: engineAppId
     engineAppSecret: engineAppSecret
     workspaceId: logAnalyticsWorkspace.outputs.workspaceId
+    roleAssignments: union(
+      [{
+        roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
+        principalId: managedIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+        description: 'Required: Managed Identity for IPAM'
+      }],
+      additionalKeyVaultRoleAssignments
+    )
   }
 }
 
diff --git a/deploy/modules/keyVault.bicep b/deploy/modules/keyVault.bicep
index f9d6530..982fbae 100644
--- a/deploy/modules/keyVault.bicep
+++ b/deploy/modules/keyVault.bicep
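Review bot: `param additionalKeyVaultRoleAssignments object[] = []` in the first main.bicep hunk drops the typing the module's `roleAssignmentType` provides, so an entry with a missing `principalId` or a misspelled key is only caught when the module deploys rather than at compile time. If the toolchain's Bicep supports compile-time imports, mark the type `@export()` in the module and declare the parameter here as `import { roleAssignmentType } from './modules/keyVault.bicep'` plus `param additionalKeyVaultRoleAssignments roleAssignmentType = []`. Since the module now accepts any role definition GUID, the `@description` should say so, because this is the parameter operators set from a bicepparam file: `@description('Additional role assignments to create on the Key Vault. Any role definition GUID is accepted, including roles that read secrets and keys.')`. The `keyVault` module declaration in the second hunk starts outside the hunk.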
@@ -4,15 +4,9 @@ param keyVaultName string
 @description('Deployment Location')
 param location string = resourceGroup().location
 
-@description('Managed Identity PrincipalId')
-param identityPrincipalId string
-
 @description('Managed Identity ClientId')
 param identityClientId string
 
-@description('Additional identities to assign Key Vault Secrets User')
-param additionalKeyVaultSecretsUserPrincipalIds string[] = []
-
 @description('AzureAD TenantId')
 param tenantId string = subscription().tenantId
 
@@ -29,8 +23,8 @@ param engineAppSecret string
 @description('Log Analytics Worskpace ID')
 param workspaceId string
 
-var keyVaultUser = '4633458b-17de-408a-b874-0445c86b69e6'
-var keyVaultUserId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultUser)
+@description('Array of role assignments to create.')
+param roleAssignments roleAssignmentType
 
 resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
   name: keyVaultName
@@ -119,19 +113,30 @@ resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-pr
   }
 }
 
-var allKeyVaultSecretsUserPrincipalIds = union(
-  [identityPrincipalId],
-  additionalKeyVaultSecretsUserPrincipalIds
-)
-resource keyVaultUserAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [ for principalId in allKeyVaultSecretsUserPrincipalIds: {
-  name: guid(keyVaultUser, principalId, keyVault.id)
+resource keyVaultRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
   scope: keyVault
   properties: {
-    principalType: 'ServicePrincipal'
-    roleDefinitionId: keyVaultUserId
-    principalId: principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionId)
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
   }
 }]
 
 output keyVaultName string = keyVault.name
 output keyVaultUri string = keyVault.properties.vaultUri
+
+type roleAssignmentType = {
+  @description('Required. The role definition GUID to assign.')
+  roleDefinitionId: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+}[]?

From 39b4ca4a9a536d9fba4ea5e8e994e1c6f94242fa Mon Sep 17 00:00:00 2001
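Review bot: `name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)` changes the deterministic name of the managed identity's existing Key Vault Secrets User assignment, which before this patch was `guid(keyVaultUser, principalId, keyVault.id)` with the same three inputs in a different order. On a vault that is already deployed, the redeploy would try to create a second assignment for the same principal, role and scope under a new name, which Azure rejects (RoleAssignmentExists), so as far as I can tell the upgrade path fails unless the old assignment is deleted by hand. Keeping the old ordering reproduces the existing name for that entry: `name: guid(roleAssignment.roleDefinitionId, roleAssignment.principalId, keyVault.id)`. The `index` loop variable is unused and can be dropped: `for roleAssignment in (roleAssignments ?? [])`.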
From: picccard <7443949+picccard@users.noreply.github.com>
Date: Thu, 11 Jul 2024 16:06:17 +0200
Subject: [PATCH 5/5] added example bicepparam file

---
 deploy/main.parameters.example.bicepparam | 30 +++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 deploy/main.parameters.example.bicepparam

diff --git a/deploy/main.parameters.example.bicepparam b/deploy/main.parameters.example.bicepparam
new file mode 100644
index 0000000..8dcd312
--- /dev/null
+++ b/deploy/main.parameters.example.bicepparam
@@ -0,0 +1,30 @@
+using './main.bicep'
+
+param guid = sys.guid('')
+param location = 'eastus'
+param namePrefix = 'ipam'
+param azureCloud = 'AZURE_PUBLIC'
+param privateAcr = false
+param deployAsFunc = false
+param deployAsContainer = true
+param uiAppId = ''
+param engineAppId = ''
+param engineAppSecret = sys.readEnvironmentVariable('ENGINE_APP_SECRET') // recommended to change use az.getSecret() instead after the initial deployment
+// param engineAppSecret = az.getSecret('', '', '', '', '')
+param additionalKeyVaultRoleAssignments = []
+param tags = {}
+param resourceNames = {
+  functionName: '${namePrefix}-${uniqueString(guid)}'
+  appServiceName: '${namePrefix}-${uniqueString(guid)}'
+  functionPlanName: '${namePrefix}-asp-${uniqueString(guid)}'
+  appServicePlanName: '${namePrefix}-asp-${uniqueString(guid)}'
+  cosmosAccountName: '${namePrefix}-dbacct-${uniqueString(guid)}'
+  cosmosContainerName: '${namePrefix}-ctr'
+  cosmosDatabaseName: '${namePrefix}-db'
+  keyVaultName: '${namePrefix}-kv-${uniqueString(guid)}'
+  workspaceName: '${namePrefix}-law-${uniqueString(guid)}'
+  managedIdentityName: '${namePrefix}-mi-${uniqueString(guid)}'
+  resourceGroupName: '${namePrefix}-rg-${uniqueString(guid)}'
+  storageAccountName: '${namePrefix}stg${uniqueString(guid)}'
+  containerRegistryName: '${namePrefix}acr${uniqueString(guid)}'
+}
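Review bot: `param guid = sys.guid('')` gives every copy of this example the same value, because `guid()` is a deterministic hash of its arguments, and that value feeds `uniqueString(guid)` in every globally scoped name below (`keyVaultName`, `storageAccountName`, `containerRegistryName`), so two deployments that leave the placeholder and the `ipam` prefix unchanged collide on those names. Add a comment on that line telling the reader to seed it with something specific to their deployment, e.g. `param guid = sys.guid('') // replace '' with a per-deployment seed such as your subscription id; sys.guid() is deterministic`. Reading the secret from `ENGINE_APP_SECRET` rather than a literal is the right default; its trailing comment would read better as `// after the initial deployment, switch to az.getSecret() (see the next line)`.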