{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "baseName": { "defaultValue": "[resourceGroup().name]", "type": "String", "metadata": { "description": "The base resource name." } }, "keyName": { "defaultValue": "testKey", "type": "String", "metadata": { "description": "The initial key in the keys." } }, "secretName": { "defaultValue": "testSecret", "type": "String", "metadata": { "description": "The initial secret in the secrets." } }, "tenantId": { "defaultValue": "72f988bf-86f1-41af-91ab-2d7cd011db47", "type": "String", "metadata": { "description": "The tenant ID to which the application and resources belong." } }, "testApplicationId": { "type": "String", "metadata": { "description": "The application client ID used to run tests." } }, "testApplicationOid": { "defaultValue": "b3653439-8136-4cd5-aac3-2a9460871ca6", "type": "String", "metadata": { "description": "The client OID to grant access to test resources." } }, "location": { "defaultValue": "[resourceGroup().location]", "type": "String", "metadata": { "description": "The location of the resource. By default, this is the same as the resource group." } }, "hsmLocation": { "type": "string", "defaultValue": "brazilsouth", "allowedValues": [ "australiacentral", "australiacentral2", "australiaeast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "eastus2euap", "francecentral", "germanywestcentral", "israelcentral", "italynorth", "japaneast", "japanwest", "koreacentral", "northcentralus", "northeurope", "norwayeast", "norwaywest", "polandcentral", "qatarcentral", "southafricanorth", "southcentralus", "southindia", "southeastasia", "swedencentral", "switzerlandnorth", "switzerlandwest", "uaenorth", "uksouth", "westcentralus", "westeurope", "westindia", "westus", "westus2", "westus3" ], "metadata": { "description": "The location of the Managed HSM. By default, this is 'brazilsouth'." } }, "enableSoftDelete": { "defaultValue": true, "type": "Bool", "metadata": { "description": "Whether to enable soft delete for the Key Vault. The default is true." } }, "keyVaultDomainSuffix": { "defaultValue": ".vault.azure.net", "type": "String", "metadata": { "description": "Domain suffix for sovereign clouds, requires the preceding '.'. The default uses the public Azure Cloud (.vault.azure.net)" } }, "keyVaultSku": { "defaultValue": "premium", "type": "String", "metadata": { "description": "Key Vault SKU to deploy. The default is 'premium'" } }, "keyType": { "defaultValue": "RSA", "type": "String", "metadata": { "description": "The JsonWebKeyType of the key to be created." } }, "keyOps": { "defaultValue": [], "type": "Array", "metadata": { "description": "The permitted JSON web key operations of the key to be created." } }, "keySize": { "defaultValue": 2048, "type": "Int", "metadata": { "description": "The size in bits of the key to be created." } }, "curveName": { "defaultValue": "", "type": "String", "metadata": { "description": "The JsonWebKeyCurveName of the key to be created." } }, "provisionerApplicationOid": { "type": "String", "metadata": { "description": "The provisioner OID to grant access to test resources." } }, "enableHSM": { "defaultValue": false, "type": "Bool", "metadata": { "description": "Whether to enable deployment of Managed HSM. The default is false." } } }, "variables": { "azureKeyVaultUrl": "[format('https://{0}{1}/', parameters('baseName'), parameters('keyVaultDomainSuffix'))]", "hsmApiVersion": "2021-11-01-preview", "hsmName": "[concat(parameters('baseName'), 'hsm')]", "networkAcls": { "bypass": "AzureServices", "defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": [] } }, "resources": [ { "type": "Microsoft.KeyVault/vaults", "apiVersion": "2021-11-01-preview", "name": "[parameters('baseName')]", "location": "[parameters('location')]", "properties": { "sku": { "family": "A", "name": "[parameters('keyVaultSku')]" }, "tenantId": "[parameters('tenantId')]", "accessPolicies": [ { "tenantId": "[parameters('tenantId')]", "objectId": "[parameters('testApplicationOid')]", "permissions": { "keys": [ "wrapKey", "decrypt", "list", "purge", "recover", "restore", "getrotationpolicy", "sign", "release", "encrypt", "rotate", "import", "create", "verify", "setrotationpolicy", "backup", "update", "get", "unwrapKey", "delete" ], "secrets": [ "Get", "List", "Set", "Delete", "Recover", "Backup", "Restore", "Purge" ], "certificates": [ "Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "ManageContacts", "ManageIssuers", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers", "Purge" ] } } ], "enabledForDeployment": false, "enabledForDiskEncryption": false, "enabledForTemplateDeployment": false, "enableSoftDelete": "[parameters('enableSoftDelete')]" } }, { "type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2019-09-01", "name": "[concat(parameters('baseName'), '/', parameters('keyName'))]", "location": "[parameters('location')]", "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults', parameters('baseName'))]" ], "properties": { "kty": "[parameters('keyType')]", "keyOps": "[parameters('keyOps')]", "keySize": "[parameters('keySize')]", "curveName": "[parameters('curveName')]" } }, { "type": "Microsoft.KeyVault/managedHSMs", "apiVersion": "[variables('hsmApiVersion')]", "name": "[variables('hsmName')]", "location": "[parameters('hsmLocation')]", "sku": { "family": "B", "name": "Standard_B1" }, "properties": { "tenantId": "[parameters('tenantId')]", "initialAdminObjectIds": "[union(array(parameters('testApplicationOid')), array(parameters('provisionerApplicationOid')))]", "enablePurgeProtection": false, "enableSoftDelete": true, "softDeleteRetentionInDays": 7, "publicNetworkAccess": "Enabled", "networkAcls": "[variables('networkAcls')]" }, "condition": "[parameters('enableHSM')]" } ], "outputs": { "AZURE_KEYVAULT_URL": { "type": "String", "value": "[variables('azureKeyVaultUrl')]" }, "AZURE_ENABLE_HSM": { "type": "Bool", "value": "[parameters('enableHSM')]" }, "AZURE_ENABLE_HSM_STR": { "type": "String", "value": "[if(bool(parameters('enableHSM')),'true','false')]" }, "AZURE_KEYVAULT_HSM_URL": { "type": "String", "value": "[if(bool(parameters('enableHSM')),reference(variables('hsmName')).hsmUri,variables('azureKeyVaultUrl'))]" }, "AZURE_TENANT_ID": { "type": "String", "value": "[parameters('tenantId')]" }, "AZURE_CLIENT_ID": { "type": "String", "value": "[parameters('testApplicationId')]" }, "KEYVAULT_SKU": { "type": "String", "value": "[reference(parameters('baseName')).sku.name]" }, "CLIENT_OBJECTID": { "type": "String", "value": "[parameters('testApplicationOid')]" } } }