Enable keyvault for template deployment

deploy/main.bicep

@@ -33,6 +33,9 @@ param engineAppId string
 @description('IPAM-Engine App Registration Client Secret')
 param engineAppSecret string
 
+@description('Array of additional role assignments to create on the Key Vault')
+param additionalKeyVaultRoleAssignments object[] = []
+
 @description('Tags')
 param tags object = {}
 
@@ -88,12 +91,20 @@ module keyVault './modules/keyVault.bicep' = {
   params: {
     location: location
     keyVaultName: resourceNames.keyVaultName
-    identityPrincipalId:  managedIdentity.outputs.principalId
     identityClientId:  managedIdentity.outputs.clientId
     uiAppId: uiAppId
     engineAppId: engineAppId
     engineAppSecret: engineAppSecret
     workspaceId: logAnalyticsWorkspace.outputs.workspaceId
+    roleAssignments: union(
+      [{
+        roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secrets User
+        principalId: managedIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+        description: 'Required: Managed Identity for IPAM'
+      }],
+      additionalKeyVaultRoleAssignments
+    )
   }
 }
 

deploy/main.parameters.example.bicepparam

@@ -0,0 +1,30 @@
+using './main.bicep'
+
+param guid = sys.guid('<Contoso Ltd.>')
+param location = 'eastus'
+param namePrefix = 'ipam'
+param azureCloud = 'AZURE_PUBLIC'
+param privateAcr = false
+param deployAsFunc = false
+param deployAsContainer = true
+param uiAppId = '<UI APP REGISTRATION APP/CLIENT ID>'
+param engineAppId = '<ENGINE APP REGISTRATION APP/CLIENT ID>'
+param engineAppSecret = sys.readEnvironmentVariable('ENGINE_APP_SECRET') // recommended to change use az.getSecret() instead after the initial deployment
+// param engineAppSecret = az.getSecret('<subscription-id>', '<rg-name>', '<key-vault-name>', '<secret-name>', '<secret-version>')
+param additionalKeyVaultRoleAssignments = []
+param tags = {}
+param resourceNames = {
+  functionName: '${namePrefix}-${uniqueString(guid)}'
+  appServiceName: '${namePrefix}-${uniqueString(guid)}'
+  functionPlanName: '${namePrefix}-asp-${uniqueString(guid)}'
+  appServicePlanName: '${namePrefix}-asp-${uniqueString(guid)}'
+  cosmosAccountName: '${namePrefix}-dbacct-${uniqueString(guid)}'
+  cosmosContainerName: '${namePrefix}-ctr'
+  cosmosDatabaseName: '${namePrefix}-db'
+  keyVaultName: '${namePrefix}-kv-${uniqueString(guid)}'
+  workspaceName: '${namePrefix}-law-${uniqueString(guid)}'
+  managedIdentityName: '${namePrefix}-mi-${uniqueString(guid)}'
+  resourceGroupName: '${namePrefix}-rg-${uniqueString(guid)}'
+  storageAccountName: '${namePrefix}stg${uniqueString(guid)}'
+  containerRegistryName: '${namePrefix}acr${uniqueString(guid)}'
+}

deploy/modules/keyVault.bicep

@@ -4,9 +4,6 @@ param keyVaultName string
 @description('Deployment Location')
 param location string = resourceGroup().location
 
-@description('Managed Identity PrincipalId')
-param identityPrincipalId string
-
 @description('Managed Identity ClientId')
 param identityClientId string
 
@@ -26,16 +23,16 @@ param engineAppSecret string
 @description('Log Analytics Worskpace ID')
 param workspaceId string
 
-var keyVaultUser = '4633458b-17de-408a-b874-0445c86b69e6'
-var keyVaultUserId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultUser)
-var keyVaultUserRoleAssignmentId = guid(keyVaultUser, identityPrincipalId, keyVault.id)
+@description('Array of role assignments to create.')
+param roleAssignments roleAssignmentType
 
 resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
   name: keyVaultName
   location: location
   properties: {
     enablePurgeProtection: true
     enableRbacAuthorization: true
+    enabledForTemplateDeployment: true
     tenantId: tenantId
     sku: {
       name: 'standard'
@@ -116,15 +113,30 @@ resource diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-pr
   }
 }
 
-resource keyVaultUserAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
-  name: keyVaultUserRoleAssignmentId
+resource keyVaultRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ for (roleAssignment, index) in (roleAssignments ?? []): {
+  name: guid(keyVault.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
   scope: keyVault
   properties: {
-    principalType: 'ServicePrincipal'
-    roleDefinitionId: keyVaultUserId
-    principalId: identityPrincipalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionId)
+    principalId: roleAssignment.principalId
+    description: roleAssignment.?description
+    principalType: roleAssignment.?principalType
   }
-}
+}]
 
 output keyVaultName string = keyVault.name
 output keyVaultUri string = keyVault.properties.vaultUri
+
+type roleAssignmentType = {
+  @description('Required. The role definition GUID to assign.')
+  roleDefinitionId: string
+
+  @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
+  principalId: string
+
+  @description('Optional. The principal type of the assigned principal ID.')
+  principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
+
+  @description('Optional. The description of the role assignment.')
+  description: string?
+}[]?