
Commit

documentation
miekki committed Mar 2, 2024
1 parent 6af7e92 commit fb05660
Showing 12 changed files with 321 additions and 108 deletions.
47 changes: 46 additions & 1 deletion modules/database/sqlserver/README.md
@@ -4,4 +4,49 @@ This module deploys Azure SQL Server.

## Details

Use this module within other Bicep templates to simplify the usage of a SQL Server.
Use this module within other Bicep templates to simplify the usage of a SQL Server.

## Parameters

| Name | Type | Required | Description |
| :------------------------- | :------: | :------: | :---------------------------------------------------------------------------------------------------------------------------- |
| `sqlServerName` | `string` | Yes | Required. The SQL Server Name |
| `location` | `string` | Yes | Required. Location name for the resource. default to resource group location |
| `tags` | `object` | Yes | Required. Tags of the resources |
| `sqlDatabaseName` | `string` | Yes | Required. The SQL Server Database Name |
| `keyVaultName` | `string` | Yes | Required. The name of the exisiting Key Vault to store connection string |
| `sqlAdministratorUsername` | `string` | No | Optional. Provide the name of sql admin user name |
| `sqlAdministratorPassword` | `string` | No | Optional. Provide the password for sql admin user if left empty it will be generate random password |
| `skuName` | `string` | No | Optional. Database SKU Name e.g. Basic, Standard (S0-S12), Premium(P1-P15). Defaults is Basic. |
| `skuCapacity` | `string` | No | Optional. Database SKU Capacity depends on the sku name for Basic is between 1-5. Defaults is 1 |
| `skuTier` | `string` | No | Optional. Database SKU Tier e.g. Basic, Standard, Premium. Defaults is Basic |
| `sqlServerSubnetId` | `string` | No | Optional. Provide VNet subnet id to protect the database |
| `connectionStringKey` | `string` | No | Optional. Provide a key name in Key Vault where the connection string will be saved. Default is "AZURE-SQL-CONNECTION-STRING" |

## Outputs

| Name | Type | Description |
| :----------- | :------: | :-------------------------------- |
| `resourceId` | `string` | The resource ID of the SQL server |

## Examples

### Examples 1

The example how to deploy the SQL Server using the minimum required oarameters.

```bicep
module sql 'br:mmbicepmoduleregistry.azurecr.io/sqlserver"1.0.2' = {
name: '${uniqueString(deployment().name, 'uksouth')}-sql'
params: {
keyVaultName: 'my-kv-name'
location: 'uksouth'
databaseName: 'my-db-name'
sqlServerName: 'my-sql-server-name'
tags: {
environment: 'production'
}
}
}
```
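Review bot: the module reference in the example, `br:mmbicepmoduleregistry.azurecr.io/sqlserver"1.0.2`, has a double quote where the version separator should be a colon (`sqlserver:1.0.2`, as the other READMEs in this commit write it), so the snippet will not compile as shown. The Parameters table is also out of step with main.bicep in this same commit: the example passes `databaseName` but the table still lists `sqlDatabaseName`, and the table lists `skuName`/`skuCapacity`/`skuTier` while the template now exposes `databaseSkuName`/`databaseSkuCapacity`/`databaseSkuTier`; `skuCapacity` is typed `string` here but `int` in the template. `location` is described as defaulting to the resource group location although it is marked Required with no default. Smaller fixes: "oarameters" -> "parameters", "exisiting" -> "existing", and the heading "Examples 1" -> "Example 1" to match the other modules.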
60 changes: 21 additions & 39 deletions modules/database/sqlserver/main.bicep
@@ -12,40 +12,46 @@ param location string
param tags object

@description('Required. The SQL Server Database Name.')
param sqlDatabaseName string
param databaseName string

@description('Required. The name of the exisiting Key Vault to store connection string.')
param keyVaultName string

@description('Optional. Provide the name of sql admin user name.')
@description('Optional. Provide the name of sql admin user name. Default is "sqlAdmin"')
param sqlAdministratorUsername string = 'sqlAdmin'

@description('Optional. Provide the password for sql admin user.')
@description('Optional. Provide the password for sql admin user if left empty it will be generate random password.')
@secure()
param sqlAdministratorPassword string = ''

param skuName string = 'B1'
param skuCapacity int = 1
param skuTier string = 'Basic'
@description('Optional. Database SKU Name e.g. Basic, Standard (S0-S12), Premium(P1-P15). Defaults is "Basic".')
param databaseSkuName string = 'Basic'

@description('Optional. Database SKU Capacity depends on the sku name for Basic is between 1-5. Defaults is 1.')
param databaseSkuCapacity int = 0

@description('Optional. Database SKU Tier e.g. Basic, Standard, Premium. Defaults is "Basic"')
param databaseSkuTier string = 'Basic'
// @description('Optional. Provide the Log Analytics Workspace ID to store logs.')
// param workspaceId string = ''

@description('Optional. Provide VNet subnet id to protect the database.')
param sqlServerSubnetId string = ''

@description('Optional. Provide a key name in Key Vault where the connection string will be saved. Default is "AZURE-SQL-CONNECTION-STRING"')
param connectionStringKey string = 'AZURE-SQL-CONNECTION-STRING'

param guidValue string = newGuid()

var adminPassword = empty(sqlAdministratorPassword) ? sqlAdministratorPassword : '${toUpper(uniqueString(resourceGroup().id))}-${guidValue}'
var adminPassword = !empty(sqlAdministratorPassword) ? sqlAdministratorPassword : 'P${toUpper(uniqueString(resourceGroup().id))}-${guidValue}'

resource sqlServer 'Microsoft.Sql/servers@2023-05-01-preview' = {
name: sqlServerName
location: location
tags: tags
properties: {
version: '12.0'
minimalTlsVersion: '1.3'
minimalTlsVersion: '1.2'
publicNetworkAccess: 'Enabled'
administratorLogin: sqlAdministratorUsername
administratorLoginPassword: adminPassword
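Review bot: `guidValue` defaults to `newGuid()`, so every redeployment of this module generates a fresh `adminPassword` whenever `sqlAdministratorPassword` is left empty; the server's administrator password and the Key Vault secret are rotated on each run, which will break any consumer still holding the previous value. If that is intended, say so in the parameter description; otherwise document that callers must pass a fixed password for repeatable deployments. The corrected `!empty(...)` test is right (the old expression returned the empty string when no password was given). Also: the `@description` for `databaseSkuCapacity` says the default is 1 but the declared default is `0`, and the README in this commit repeats "Defaults is 1". `minimalTlsVersion` is lowered from '1.3' to '1.2' without a note in the commit message; a comment saying why would help the next reader. The two commented-out `workspaceId` lines should either be removed or turned into a real parameter, given that the keyvault module in this commit takes a workspace for diagnostics.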
@@ -58,12 +64,12 @@ resource sqlServer 'Microsoft.Sql/servers@2023-05-01-preview' = {
}

resource sqlDatabase 'databases' = {
name: sqlDatabaseName
name: databaseName
location: location
sku: {
name: skuName
capacity: skuCapacity
tier: skuTier
name: databaseSkuName
capacity: databaseSkuCapacity == 0 ? null : databaseSkuCapacity
tier: databaseSkuTier
}
}

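Review bot: `capacity: databaseSkuCapacity == 0 ? null : databaseSkuCapacity` uses 0 as a sentinel for "let the service choose", but nothing in the parameter description tells the caller that. Either set the parameter default to `1` (matching the documented default and dropping the conditional) or document that 0 means the SKU's default capacity.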
@@ -76,33 +82,6 @@ resource sqlServer 'Microsoft.Sql/servers@2023-05-01-preview' = {
}
}

// resource vnetRule 'Microsoft.Sql/servers/virtualNetworkRules@2023-05-01-preview' = if (!empty(sqlServerSubnetId)) {
// name: sqlServerName
// properties: {
// virtualNetworkSubnetId: sqlServerSubnetId
// }
// }

// resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-05-01-preview' = {
// parent: sqlServer
// name: sqlDatabaseName
// location: location
// sku: {
// name: skuName
// capacity: skuCapacity
// tier: skuTier
// }
// }

// resource firewall 'Microsoft.Sql/servers/firewallRules@2023-05-01-preview' = {
// parent: sqlServer
// name: 'AllowAllWindowsAzureIps'
// properties: {
// startIpAddress: '0.0.0.0'
// endIpAddress: '0.0.0.0'
// }
// }

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
name: keyVaultName
}
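Review bot: deleting the commented-out `vnetRule` leaves `sqlServerSubnetId` as a parameter that is accepted and documented ("Provide VNet subnet id to protect the database") but never referenced, so callers who pass a subnet get no network restriction while `publicNetworkAccess` stays 'Enabled'. Either wire the subnet into a `Microsoft.Sql/servers/virtualNetworkRules` child resource (with `parent: sqlServer` and a rule name rather than the server name, which is what the removed draft was missing) or drop the parameter and its README row so the module does not promise protection it does not apply.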
@@ -114,3 +93,6 @@ resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
value: 'Server=${sqlServer.properties.fullyQualifiedDomainName}; Database=${sqlServer::sqlDatabase.name}; User=${sqlAdministratorUsername}; Password=${adminPassword};'
}
}

@description('The resource ID of the SQL server.')
output resourceId string = sqlServer.id
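Review bot: the connection string written to Key Vault embeds `adminPassword`, and because `adminPassword` falls back to a `newGuid()`-derived value, each deployment writes a new secret version under `connectionStringKey`. Consider saying in the `connectionStringKey` description that consumers should reference the secret without pinning a version, or that a fixed password should be passed for stable deployments. The added `@description` on `resourceId` is a good addition.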
31 changes: 30 additions & 1 deletion modules/security/keyvault-access-policy/README.md
@@ -4,4 +4,33 @@ This module deploy Key Vaults Access Policy.

## Details

Use this module within other Bicep template to simplify the usage of a Key Vault Access Policy.
Use this module within other Bicep template to simplify the usage of a Key Vault Access Policy.

## Parameters

| Name | Type | Required | Description |
| :---------------------- | :------: | :------: | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `keyVaultName` | `string` | Yes | Required. Name of Key Vault |
| `objectId` | `string` | Yes | Required. Object Id of a user, service principal or security group |
| `applicationId` | `string` | No | Optional. Application id of the client making request |
| `secretsPermissions` | `array` | No | Optional. Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge |
| `keyPermissions` | `array` | No | Optional. Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge |
| `certificatPermissions` | `array` | No | Optional. Specify the permissions to certificates. Valid values are: all, backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update |
| `policyName` | `string` | No | Optional. Name of Key Vault Access Policy |

## Examples

### Example 1

Example of how to deploy a key vault access policy using a minimum required parameters.

```bicep
module kv_access_policy '.br:mmbicepmoduleregistry.azurecr.io/keyvault-access-policy:0.1.2' = {
name: '${uniqueString(deployment().name, 'uksouth')}-access-policy'
params: {
keyVaultName: 'az-kv-01'
objectId: '00000000-0000-0000-0000-000000000000'
secretsPermissions: [ 'get', 'list', 'set', 'delete' ]
}
}
```
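Review bot: the module reference `'.br:mmbicepmoduleregistry.azurecr.io/keyvault-access-policy:0.1.2'` has a stray leading dot; `br:` is the scheme and the other READMEs in this commit write it without the dot, so this example will not resolve. Also "This module deploy" -> "This module deploys" and "using a minimum required parameters" -> "using the minimum required parameters". `certificatPermissions` is misspelled but matches the parameter name in main.bicep; renaming it would be a breaking change, so if it stays, keep the README consistent with the code rather than correcting only the docs.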
2 changes: 1 addition & 1 deletion modules/security/keyvault-access-policy/main.bicep
@@ -20,7 +20,7 @@ param keyPermissions array = []
@description('Optional. Specify the permissions to certificates. Valid values are: all, backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers, update')
param certificatPermissions array = []

@description('Oprional. Name of Key Vault Access Policy.')
@description('Optional. Name of Key Vault Access Policy.')
param policyName string = 'add'

resource keyvault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
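Review bot: the typo fix is fine, but the description "Name of Key Vault Access Policy" is misleading: for `Microsoft.KeyVault/vaults/accessPolicies` the resource name is the operation, and the only valid values are `add`, `replace` and `remove`. Suggest `@allowed(['add', 'replace', 'remove'])` on `policyName` and a description along the lines of 'Optional. Access policy operation: add, replace or remove. Default is add.'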
27 changes: 26 additions & 1 deletion modules/security/keyvault-secrets/README.md
@@ -4,4 +4,29 @@ This module deploy Key Vaults Secrets.

## Details

Use this module within other Bicep template to simplify the usage of a Key Vault Secrets.
Use this module within other Bicep template to simplify the usage of a Key Vault Secrets.

## Parameters

| Name | Type | Required | Description |
| :------------- | :------: | :------: | :-------------------------- |
| `keyVaultName` | `string` | Yes | Required. Name of Key Vault |
| `secretName` | `string` | Yes | Required. Secret name |
| `secretValue` | `string` | Yes | Required. Secret value |

## Examples

# Example 1

Example of how to deploy a key vault secrets using a minimum required parameters

```bicep
module kv_secret 'br:mmbicepmoduleregistry.azurecr.io/keyvault-secrets:0.1.2' = {
name: '${uniqueString(deployment().name, 'uksouth')}-secret'
params: {
keyVaultName: 'az-kv-01'
secretName: 'secret-name'
secretValue: 'secret-value'
}
}
```
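Review bot: "# Example 1" is a top-level heading while the other READMEs in this commit use "### Example 1" under "## Examples"; align it. The example passes a literal `'secret-value'`; since this README is the caller's template, it is worth a sentence saying the value should arrive through a `@secure()` parameter (and that the module's own `secretValue` should carry `@secure()`), otherwise the secret is recorded in the deployment history. Also "This module deploy Key Vaults Secrets" -> "This module deploys Key Vault secrets" and "using a minimum required parameters" -> "using the minimum required parameters".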
54 changes: 53 additions & 1 deletion modules/security/keyvault/README.md
@@ -4,4 +4,56 @@ This module deploy Key Vaults.

## Details

Use this module within other Bicep template to simplify the usage of a Key Vault.
Use this module within other Bicep template to simplify the usage of a Key Vault.

## Parameters

| Name | Type | Required | Description |
| :-------------------------- | :--------: | :------: | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `name` | `string` | Yes | Required. Name of Key Vault |
| `location` | `string` | Yes | Required. Location for all resources |
| `tags` | `object` | Yes | Required. Tags of the resources |
| `workspaceId` | `string` | Yes | Required. Provide Log Analytics Workspace Id for diagnostics settings |
| `principalId` | `string` | No | Optional. Provide Service Principal Id with access for the keyvault |
| `enableSoftDelete` | `bool` | No | Optional. Specifies whether soft delete should be enabled for the Key Vault |
| `softDeleteRetentionInDays` | `string` | No | Optional. The number of days to retain deleted data in the Key Vault |
| `enablePurgeProtection` | `string` | No | Optional. Specify whether purge protection should be enabled for the Key Vault |
| `enableRbacAuthorization` | `string` | No | Optional. Specify whether the Key Vault will be using RBAC. Default is false - use the access policy |
| `skuName` | `string` | No | Optional. The SKU name of the Key Vault |
| `skuFamily` | `string` | No | Optional. The SKU family of the Key Vault |
| `networkAcls` | `string` | No | Optional. Configuration for network access rules |
| `publicNetworkAccess` | `string` | No | Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set |
| `lock` | `lockType` | No | Optional. The lock settings of the service |

## Outputs

| Name | Type | Description |
| :----------- | :------: | :------------------------------- |
| `resourceId` | `string` | The resource ID of the key vault |
| `name` | `string` | The name of the key vault |

## Examples

### Example 1

Example of how to deploy a key vault using a minimum required parameters.

```bicep
module kv 'br:mmbicepmoduleregistry.azurecr.io/keyvault:0.1.5' = {
name: '${uniqueString(deployment().name, 'uksouth')}-kv'
params: {
name: 'az-kv-01'
workspaceId: '1234abcd-def89-765a-9abc-def1234abcde'
networkAcls: {
bypass: 'AzureServices'
defaultAction: 'Deny'
ipAllowlist: [ '127.0.0.0/24' ]
}
principalId: '00000000-0000-0000-0000-000000000000'
location: 'uksouth'
tags: {
environment: 'production'
}
}
}
```
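Review bot: several parameter types in the table look wrong: `softDeleteRetentionInDays` as `string` (it is a day count), `enablePurgeProtection` and `enableRbacAuthorization` as `string` (they are booleans, and `enableSoftDelete` above is correctly `bool`), and `networkAcls` as `string` while the example passes an object with `bypass`, `defaultAction` and `ipAllowlist`. Please check them against main.bicep. The example's `workspaceId` value '1234abcd-def89-765a-9abc-def1234abcde' is not a GUID shape, and the description says "Workspace Id" although diagnostic settings take the workspace resource ID; clarify which is expected. Also "This module deploy" -> "This module deploys" and "using a minimum required parameters" -> "using the minimum required parameters".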