@drunk-pulumi/azure 0.0.19

package/IOT/Hub/index.js

@@ -0,0 +1,208 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const Naming_1 = require("../../Common/Naming");
+const devices = require("@pulumi/azure-native/devices");
+const AzureEnv_1 = require("../../Common/AzureEnv");
+const Locker_1 = require("../../Core/Locker");
+const RoleAssignment_1 = require("../../AzAd/RoleAssignment");
+const Group_1 = require("../../AzAd/Group");
+const CustomHelper_1 = require("../../KeyVault/CustomHelper");
+exports.default = async ({ name, group, auth, sku = { name: 'F1', capacity: 1 }, storage, serviceBus, dependsOn, vaultInfo, lock, }) => {
+    const hubName = (0, Naming_1.getIotHubName)(name);
+    const busQueueEndpointName = 'busQueue';
+    const busTopicEndpointName = 'busTopic';
+    const storageMessageEndpointName = 'hubStorage';
+    const storageEventEndpointName = 'hubEventStorage';
+    const routeEndpoints = new Array();
+    const storageEndpoints = new Array();
+    if (storage?.connectionString && storage?.messageContainerName) {
+        routeEndpoints.push(storageMessageEndpointName);
+        storageEndpoints.push({
+            name: storageMessageEndpointName,
+            resourceGroup: group.resourceGroupName,
+            subscriptionId: AzureEnv_1.subscriptionId,
+            connectionString: storage.connectionString,
+            containerName: storage.messageContainerName,
+            encoding: 'avro', // 'avroDeflate' and 'avro'
+            batchFrequencyInSeconds: 60, //60 to 720
+            fileNameFormat: '{iothub}/{partition}/{YYYY}/{MM}/{DD}/{HH}/{mm}', //Must have all these {iothub}/{partition}/{YYYY}/{MM}/{DD}/{HH}/{mm} but order and delimiter can be changed.
+            maxChunkSizeInBytes: 300 * 1024 * 1024, // 10485760(10MB) and 524288000(500MB). Default value is 314572800(300MB).
+        });
+    }
+    if (storage?.connectionString && storage?.eventContainerName) {
+        storageEndpoints.push({
+            name: storageEventEndpointName,
+            resourceGroup: group.resourceGroupName,
+            subscriptionId: AzureEnv_1.subscriptionId,
+            connectionString: storage.connectionString,
+            containerName: storage.eventContainerName,
+            encoding: 'avro', // 'avroDeflate' and 'avro'
+            batchFrequencyInSeconds: 60, //60 to 720
+            fileNameFormat: '{iothub}/{partition}/{YYYY}/{MM}/{DD}/{HH}/{mm}', //Must have all these {iothub}/{partition}/{YYYY}/{MM}/{DD}/{HH}/{mm} but order and delimiter can be changed.
+            maxChunkSizeInBytes: 300 * 1024 * 1024, // 10485760(10MB) and 524288000(500MB). Default value is 314572800(300MB).
+        });
+    }
+    if (serviceBus?.queueMessageConnectionString)
+        routeEndpoints.push(busQueueEndpointName);
+    if (serviceBus?.topicMessageConnectionString)
+        routeEndpoints.push(busTopicEndpointName);
+    const routes = routeEndpoints.map((r) => ({
+        name: `routeMessageTo${r}`,
+        source: devices.RoutingSource.DeviceMessages,
+        endpointNames: [r],
+        isEnabled: true,
+        condition: 'true',
+    }));
+    if (storage?.eventContainerName) {
+        routes.push({
+            name: `routeMessageTo${storageEventEndpointName}`,
+            source: devices.RoutingSource.DeviceLifecycleEvents,
+            endpointNames: [storageEventEndpointName],
+            isEnabled: true,
+            condition: 'true',
+        });
+    }
+    const hub = new devices.IotHubResource(hubName, {
+        resourceName: hubName,
+        ...group,
+        sku,
+        tags: AzureEnv_1.defaultTags,
+        properties: {
+            //authorizationPolicies: [{}],
+            //cloudToDevice:{}
+            //comments
+            enableFileUploadNotifications: Boolean(storage?.fileContainerName),
+            storageEndpoints: storage?.fileContainerName
+                ? {
+                    $default: {
+                        connectionString: storage.connectionString,
+                        containerName: storage.fileContainerName,
+                        sasTtlAsIso8601: 'PT1H',
+                    },
+                }
+                : undefined,
+            //eventHubEndpoints: {},
+            features: devices.Capabilities.None,
+            //ipFilterRules: {},
+            // networkRuleSets: {
+            //   applyToBuiltInEventHubEndpoint: true,
+            //   defaultAction: 'Deny',
+            //   ipRules: [
+            //     {
+            //       action: 'Allow',
+            //       filterName: 'rule1',
+            //       ipMask: '131.117.159.53',
+            //     },
+            //     {
+            //       action: 'Allow',
+            //       filterName: 'rule2',
+            //       ipMask: '157.55.59.128/25',
+            //     },
+            //   ],
+            // },
+            //privateEndpointConnections: {},
+            messagingEndpoints: {
+                fileNotifications: {
+                    lockDurationAsIso8601: 'PT1M',
+                    maxDeliveryCount: 10,
+                    ttlAsIso8601: 'PT1H',
+                },
+            },
+            minTlsVersion: '1.2',
+            routing: {
+                endpoints: {
+                    //eventHubs: [],
+                    serviceBusQueues: serviceBus?.queueMessageConnectionString
+                        ? [
+                            {
+                                name: busQueueEndpointName,
+                                connectionString: serviceBus.queueMessageConnectionString,
+                                resourceGroup: group.resourceGroupName,
+                                subscriptionId: AzureEnv_1.subscriptionId,
+                            },
+                        ]
+                        : undefined,
+                    serviceBusTopics: serviceBus?.topicMessageConnectionString
+                        ? [
+                            {
+                                name: busTopicEndpointName,
+                                connectionString: serviceBus.topicMessageConnectionString,
+                                resourceGroup: group.resourceGroupName,
+                                subscriptionId: AzureEnv_1.subscriptionId,
+                            },
+                        ]
+                        : undefined,
+                    storageContainers: storageEndpoints,
+                },
+                fallbackRoute: {
+                    name: `$fallback`,
+                    condition: 'true',
+                    isEnabled: true,
+                    source: devices.RoutingSource.DeviceMessages,
+                    endpointNames: storage?.eventContainerName
+                        ? [storageEventEndpointName]
+                        : ['events'],
+                },
+                routes: routes,
+            },
+        },
+    }, { dependsOn });
+    if (lock) {
+        (0, Locker_1.default)({ name, resourceId: hub.id, dependsOn: hub });
+    }
+    //Connection Strings
+    if (vaultInfo) {
+        hub.id.apply(async (id) => {
+            if (!id)
+                return;
+            const keys = await devices.listIotHubResourceKeys({
+                resourceGroupName: group.resourceGroupName,
+                resourceName: hubName,
+            });
+            return keys.value?.forEach((k) => {
+                const conn = `HostName=${hubName}.azure-devices.net;SharedAccessKeyName=${k.keyName};SharedAccessKey=${k.primaryKey}`;
+                return (0, CustomHelper_1.addCustomSecret)({
+                    name: `${hubName}-${k.keyName}`,
+                    value: conn,
+                    vaultInfo,
+                    contentType: 'IOT Hub',
+                });
+            });
+        });
+    }
+    //Roles
+    if (auth?.envRoleNames) {
+        const readOnlyGroup = await (0, Group_1.getAdGroup)(auth.envRoleNames.readOnly);
+        const contributorGroup = await (0, Group_1.getAdGroup)(auth.envRoleNames.contributor);
+        await (0, RoleAssignment_1.roleAssignment)({
+            name: `${name}-iot-readonly`,
+            principalId: readOnlyGroup.objectId,
+            principalType: 'Group',
+            roleName: 'IoT Hub Data Reader',
+            scope: hub.id,
+        });
+        await (0, RoleAssignment_1.roleAssignment)({
+            name: `${name}-iot-contributor`,
+            principalId: contributorGroup.objectId,
+            principalType: 'Group',
+            roleName: 'IoT Hub Data Contributor',
+            scope: hub.id,
+        });
+        await (0, RoleAssignment_1.roleAssignment)({
+            name: `${name}-iot-registry-admin`,
+            principalId: contributorGroup.objectId,
+            principalType: 'Group',
+            roleName: 'IoT Hub Registry Contributor',
+            scope: hub.id,
+        });
+        await (0, RoleAssignment_1.roleAssignment)({
+            name: `${name}-iot-twin-admin`,
+            principalId: contributorGroup.objectId,
+            principalType: 'Group',
+            roleName: 'IoT Hub Twin Contributor',
+            scope: hub.id,
+        });
+    }
+    return hub;
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvSU9UL0h1Yi9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUNBLGdEQUFvRDtBQUNwRCx3REFBd0Q7QUFDeEQsb0RBQW9FO0FBRXBFLDhDQUF1QztBQUV2Qyw4REFBMkQ7QUFDM0QsNENBQThDO0FBQzlDLDhEQUE4RDtBQXVDOUQsa0JBQWUsS0FBSyxFQUFFLEVBQ3BCLElBQUksRUFDSixLQUFLLEVBQ0wsSUFBSSxFQUNKLEdBQUcsR0FBRyxFQUFFLElBQUksRUFBRSxJQUFJLEVBQUUsUUFBUSxFQUFFLENBQUMsRUFBRSxFQUNqQyxPQUFPLEVBQ1AsVUFBVSxFQUNWLFNBQVMsRUFDVCxTQUFTLEVBQ1QsSUFBSSxHQUNFLEVBQUUsRUFBRTtJQUNWLE1BQU0sT0FBTyxHQUFHLElBQUEsc0JBQWEsRUFBQyxJQUFJLENBQUMsQ0FBQztJQUNwQyxNQUFNLG9CQUFvQixHQUFHLFVBQVUsQ0FBQztJQUN4QyxNQUFNLG9CQUFvQixHQUFHLFVBQVUsQ0FBQztJQUN4QyxNQUFNLDBCQUEwQixHQUFHLFlBQVksQ0FBQztJQUNoRCxNQUFNLHdCQUF3QixHQUFHLGlCQUFpQixDQUFDO0lBRW5ELE1BQU0sY0FBYyxHQUFHLElBQUksS0FBSyxFQUFVLENBQUM7SUFDM0MsTUFBTSxnQkFBZ0IsR0FBRyxJQUFJLEtBQUssRUFBaUMsQ0FBQztJQUVwRSxJQUFJLE9BQU8sRUFBRSxnQkFBZ0IsSUFBSSxPQUFPLEVBQUUsb0JBQW9CLEVBQUUsQ0FBQztRQUMvRCxjQUFjLENBQUMsSUFBSSxDQUFDLDBCQUEwQixDQUFDLENBQUM7UUFDaEQsZ0JBQWdCLENBQUMsSUFBSSxDQUFDO1lBQ3BCLElBQUksRUFBRSwwQkFBMEI7WUFDaEMsYUFBYSxFQUFFLEtBQUssQ0FBQyxpQkFBaUI7WUFDdEMsY0FBYyxFQUFkLHlCQUFjO1lBQ2QsZ0JBQWdCLEVBQUUsT0FBTyxDQUFDLGdCQUFnQjtZQUMxQyxhQUFhLEVBQUUsT0FBTyxDQUFDLG9CQUFvQjtZQUMzQyxRQUFRLEVBQUUsTUFBTSxFQUFFLDJCQUEyQjtZQUM3Qyx1QkFBdUIsRUFBRSxFQUFFLEVBQUUsV0FBVztZQUN4QyxjQUFjLEVBQUUsaURBQWlELEVBQUUsNkdBQTZHO1lBQ2hMLG1CQUFtQixFQUFFLEdBQUcsR0FBRyxJQUFJLEdBQUcsSUFBSSxFQUFFLDBFQUEwRTtTQUNuSCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBQ0QsSUFBSSxPQUFPLEVBQUUsZ0JBQWdCLElBQUksT0FBTyxFQUFFLGtCQUFrQixFQUFFLENBQUM7UUFDN0QsZ0JBQWdCLENBQUMsSUFBSSxDQUFDO1lBQ3BCLElBQUksRUFBRSx3QkFBd0I7WUFDOUIsYUFBYSxFQUFFLEtBQUssQ0FBQyxpQkFBaUI7WUFDdEMsY0FBYyxFQUFkLHlCQUFjO1lBQ2QsZ0JBQWdCLEVBQUUsT0FBTyxDQUFDLGdCQUFnQjtZQUMxQyxhQUFhLEVBQUUsT0FBTyxDQUFDLGtCQUFrQjtZQUN6QyxRQUFRLEVBQUUsTUFBTSxFQUFFLDJCQUEyQjtZQUM3Qyx1QkFBdUIsRUFBRSxFQUFFLEVBQUUsV0FBVztZQUN4QyxjQUFjLEVBQUUsaURBQWlELEVBQUUsNkdBQTZHO1lBQ2hMLG1CQUFtQixFQUFFLEdBQUcsR0FBRyxJQUFJLEdBQUcsSUFBSSxFQUFFLDBFQUEwRTtTQUNuSCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsSUFBSSxVQUFVLEVBQUUsNEJBQTRCO1FBQzFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsb0JBQW9CLENBQUMsQ0FBQztJQUM1QyxJQUFJLFVBQVUsRUFBRSw0QkFBNEI7UUFDMUMsY0FBYyxDQUFDLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO0lBRTVDLE1BQU0sTUFBTSxHQUFlLGNBQWMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFDcEQsSUFBSSxFQUFFLGlCQUFpQixDQUFDLEVBQUU7UUFDMUIsTUFBTSxFQUFFLE9BQU8sQ0FBQyxhQUFhLENBQUMsY0FBYztRQUM1QyxhQUFhLEVBQUUsQ0FBQyxDQUFDLENBQUM7UUFDbEIsU0FBUyxFQUFFLElBQUk7UUFDZixTQUFTLEVBQUUsTUFBTTtLQUNsQixDQUFDLENBQUMsQ0FBQztJQUVKLElBQUksT0FBTyxFQUFFLGtCQUFrQixFQUFFLENBQUM7UUFDaEMsTUFBTSxDQUFDLElBQUksQ0FBQztZQUNWLElBQUksRUFBRSxpQkFBaUIsd0JBQXdCLEVBQUU7WUFDakQsTUFBTSxFQUFFLE9BQU8sQ0FBQyxhQUFhLENBQUMscUJBQXFCO1lBQ25ELGFBQWEsRUFBRSxDQUFDLHdCQUF3QixDQUFDO1lBQ3pDLFNBQVMsRUFBRSxJQUFJO1lBQ2YsU0FBUyxFQUFFLE1BQU07U0FDbEIsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELE1BQU0sR0FBRyxHQUFHLElBQUksT0FBTyxDQUFDLGNBQWMsQ0FDcEMsT0FBTyxFQUNQO1FBQ0UsWUFBWSxFQUFFLE9BQU87UUFDckIsR0FBRyxLQUFLO1FBRVIsR0FBRztRQUNILElBQUksRUFBRSxzQkFBVztRQUVqQixVQUFVLEVBQUU7WUFDViw4QkFBOEI7WUFDOUIsa0JBQWtCO1lBQ2xCLFVBQVU7WUFDViw2QkFBNkIsRUFBRSxPQUFPLENBQUMsT0FBTyxFQUFFLGlCQUFpQixDQUFDO1lBQ2xFLGdCQUFnQixFQUFFLE9BQU8sRUFBRSxpQkFBaUI7Z0JBQzFDLENBQUMsQ0FBQztvQkFDRSxRQUFRLEVBQUU7d0JBQ1IsZ0JBQWdCLEVBQUUsT0FBTyxDQUFDLGdCQUFnQjt3QkFDMUMsYUFBYSxFQUFFLE9BQU8sQ0FBQyxpQkFBaUI7d0JBQ3hDLGVBQWUsRUFBRSxNQUFNO3FCQUN4QjtpQkFDRjtnQkFDSCxDQUFDLENBQUMsU0FBUztZQUViLHdCQUF3QjtZQUN4QixRQUFRLEVBQUUsT0FBTyxDQUFDLFlBQVksQ0FBQyxJQUFJO1lBQ25DLG9CQUFvQjtZQUNwQixxQkFBcUI7WUFDckIsMENBQTBDO1lBQzFDLDJCQUEyQjtZQUMzQixlQUFlO1lBQ2YsUUFBUTtZQUNSLHlCQUF5QjtZQUN6Qiw2QkFBNkI7WUFDN0Isa0NBQWtDO1lBQ2xDLFNBQVM7WUFDVCxRQUFRO1lBQ1IseUJBQXlCO1lBQ3pCLDZCQUE2QjtZQUM3QixvQ0FBb0M7WUFDcEMsU0FBUztZQUNULE9BQU87WUFDUCxLQUFLO1lBQ0wsaUNBQWlDO1lBQ2pDLGtCQUFrQixFQUFFO2dCQUNsQixpQkFBaUIsRUFBRTtvQkFDakIscUJBQXFCLEVBQUUsTUFBTTtvQkFDN0IsZ0JBQWdCLEVBQUUsRUFBRTtvQkFDcEIsWUFBWSxFQUFFLE1BQU07aUJBQ3JCO2FBQ0Y7WUFDRCxhQUFhLEVBQUUsS0FBSztZQUVwQixPQUFPLEVBQUU7Z0JBQ1AsU0FBUyxFQUFFO29CQUNULGdCQUFnQjtvQkFDaEIsZ0JBQWdCLEVBQUUsVUFBVSxFQUFFLDRCQUE0Qjt3QkFDeEQsQ0FBQyxDQUFDOzRCQUNFO2dDQUNFLElBQUksRUFBRSxvQkFBb0I7Z0NBQzFCLGdCQUFnQixFQUFFLFVBQVUsQ0FBQyw0QkFBNEI7Z0NBQ3pELGFBQWEsRUFBRSxLQUFLLENBQUMsaUJBQWlCO2dDQUN0QyxjQUFjLEVBQWQseUJBQWM7NkJBQ2Y7eUJBQ0Y7d0JBQ0gsQ0FBQyxDQUFDLFNBQVM7b0JBRWIsZ0JBQWdCLEVBQUUsVUFBVSxFQUFFLDRCQUE0Qjt3QkFDeEQsQ0FBQyxDQUFDOzRCQUNFO2dDQUNFLElBQUksRUFBRSxvQkFBb0I7Z0NBQzFCLGdCQUFnQixFQUFFLFVBQVUsQ0FBQyw0QkFBNEI7Z0NBQ3pELGFBQWEsRUFBRSxLQUFLLENBQUMsaUJBQWlCO2dDQUN0QyxjQUFjLEVBQWQseUJBQWM7NkJBQ2Y7eUJBQ0Y7d0JBQ0gsQ0FBQyxDQUFDLFNBQVM7b0JBRWIsaUJBQWlCLEVBQUUsZ0JBQWdCO2lCQUNwQztnQkFDRCxhQUFhLEVBQUU7b0JBQ2IsSUFBSSxFQUFFLFdBQVc7b0JBQ2pCLFNBQVMsRUFBRSxNQUFNO29CQUNqQixTQUFTLEVBQUUsSUFBSTtvQkFDZixNQUFNLEVBQUUsT0FBTyxDQUFDLGFBQWEsQ0FBQyxjQUFjO29CQUU1QyxhQUFhLEVBQUUsT0FBTyxFQUFFLGtCQUFrQjt3QkFDeEMsQ0FBQyxDQUFDLENBQUMsd0JBQXdCLENBQUM7d0JBQzVCLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQztpQkFDZjtnQkFFRCxNQUFNLEVBQUUsTUFBTTthQUNmO1NBQ0Y7S0FDRixFQUNELEVBQUUsU0FBUyxFQUFFLENBQ2QsQ0FBQztJQUVGLElBQUksSUFBSSxFQUFFLENBQUM7UUFDVCxJQUFBLGdCQUFNLEVBQUMsRUFBRSxJQUFJLEVBQUUsVUFBVSxFQUFFLEdBQUcsQ0FBQyxFQUFFLEVBQUUsU0FBUyxFQUFFLEdBQUcsRUFBRSxDQUFDLENBQUM7SUFDdkQsQ0FBQztJQUNELG9CQUFvQjtJQUNwQixJQUFJLFNBQVMsRUFBRSxDQUFDO1FBQ2QsR0FBRyxDQUFDLEVBQUUsQ0FBQyxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsRUFBRSxFQUFFO1lBQ3hCLElBQUksQ0FBQyxFQUFFO2dCQUFFLE9BQU87WUFFaEIsTUFBTSxJQUFJLEdBQUcsTUFBTSxPQUFPLENBQUMsc0JBQXNCLENBQUM7Z0JBQ2hELGlCQUFpQixFQUFFLEtBQUssQ0FBQyxpQkFBaUI7Z0JBQzFDLFlBQVksRUFBRSxPQUFPO2FBQ3RCLENBQUMsQ0FBQztZQUVILE9BQU8sSUFBSSxDQUFDLEtBQUssRUFBRSxPQUFPLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRTtnQkFDL0IsTUFBTSxJQUFJLEdBQUcsWUFBWSxPQUFPLDBDQUM5QixDQUFDLENBQUMsT0FDSixvQkFBb0IsQ0FBQyxDQUFDLFVBQVcsRUFBRSxDQUFDO2dCQUVwQyxPQUFPLElBQUEsOEJBQWUsRUFBQztvQkFDckIsSUFBSSxFQUFFLEdBQUcsT0FBTyxJQUFJLENBQUMsQ0FBQyxPQUFPLEVBQUU7b0JBQy9CLEtBQUssRUFBRSxJQUFJO29CQUNYLFNBQVM7b0JBQ1QsV0FBVyxFQUFFLFNBQVM7aUJBQ3ZCLENBQUMsQ0FBQztZQUNMLENBQUMsQ0FBQyxDQUFDO1FBQ0wsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsT0FBTztJQUNQLElBQUksSUFBSSxFQUFFLFlBQVksRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sYUFBYSxHQUFHLE1BQU0sSUFBQSxrQkFBVSxFQUFDLElBQUksQ0FBQyxZQUFZLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDbkUsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLElBQUEsa0JBQVUsRUFBQyxJQUFJLENBQUMsWUFBWSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBRXpFLE1BQU0sSUFBQSwrQkFBYyxFQUFDO1lBQ25CLElBQUksRUFBRSxHQUFHLElBQUksZUFBZTtZQUM1QixXQUFXLEVBQUUsYUFBYSxDQUFDLFFBQVE7WUFDbkMsYUFBYSxFQUFFLE9BQU87WUFDdEIsUUFBUSxFQUFFLHFCQUFxQjtZQUMvQixLQUFLLEVBQUUsR0FBRyxDQUFDLEVBQUU7U0FDZCxDQUFDLENBQUM7UUFFSCxNQUFNLElBQUEsK0JBQWMsRUFBQztZQUNuQixJQUFJLEVBQUUsR0FBRyxJQUFJLGtCQUFrQjtZQUMvQixXQUFXLEVBQUUsZ0JBQWdCLENBQUMsUUFBUTtZQUN0QyxhQUFhLEVBQUUsT0FBTztZQUN0QixRQUFRLEVBQUUsMEJBQTBCO1lBQ3BDLEtBQUssRUFBRSxHQUFHLENBQUMsRUFBRTtTQUNkLENBQUMsQ0FBQztRQUVILE1BQU0sSUFBQSwrQkFBYyxFQUFDO1lBQ25CLElBQUksRUFBRSxHQUFHLElBQUkscUJBQXFCO1lBQ2xDLFdBQVcsRUFBRSxnQkFBZ0IsQ0FBQyxRQUFRO1lBQ3RDLGFBQWEsRUFBRSxPQUFPO1lBQ3RCLFFBQVEsRUFBRSw4QkFBOEI7WUFDeEMsS0FBSyxFQUFFLEdBQUcsQ0FBQyxFQUFFO1NBQ2QsQ0FBQyxDQUFDO1FBRUgsTUFBTSxJQUFBLCtCQUFjLEVBQUM7WUFDbkIsSUFBSSxFQUFFLEdBQUcsSUFBSSxpQkFBaUI7WUFDOUIsV0FBVyxFQUFFLGdCQUFnQixDQUFDLFFBQVE7WUFDdEMsYUFBYSxFQUFFLE9BQU87WUFDdEIsUUFBUSxFQUFFLDBCQUEwQjtZQUNwQyxLQUFLLEVBQUUsR0FBRyxDQUFDLEVBQUU7U0FDZCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDLENBQUMifQ==

package/KeyVault/CustomHelper.d.ts

@@ -0,0 +1,35 @@
+import { Input, Resource } from '@pulumi/pulumi';
+import { VaultSecretResource } from '@drunk-pulumi/azure-providers/VaultSecret';
+import { KeyVaultInfo } from '../types';
+interface Props {
+    name: string;
+    /** The value of the secret. If Value is not provided the secret will be get from config*/
+    value?: Input<string>;
+    vaultInfo: KeyVaultInfo;
+}
+/**Add key vault secret from a value or from pulumi configuration secret. */
+export declare const addVaultSecretFrom: ({ name, value, vaultInfo }: Props) => VaultSecretResource;
+interface SecretProps {
+    name: string;
+    /**Use the name directly without applying naming format*/
+    formattedName?: boolean;
+    value: Input<string>;
+    vaultInfo: KeyVaultInfo;
+    contentType?: Input<string>;
+    ignoreChange?: boolean;
+    tags?: Input<{
+        [key: string]: string;
+    }>;
+    dependsOn?: Input<Resource> | Input<Input<Resource>[]>;
+}
+/** Add a secret to Key Vault. This will auto recover the deleted item and update with a new value if existed. */
+export declare const addCustomSecret: ({ name, formattedName, vaultInfo, value, contentType, ignoreChange, tags, dependsOn, }: SecretProps) => VaultSecretResource;
+interface MultiSecretProps extends Omit<SecretProps, 'value' | 'name'> {
+    items: Array<{
+        name: string;
+        value: Input<string>;
+    }>;
+}
+/** Add multi secrets to Key Vault. This will auto recover the deleted item and update with a new value if existed. */
+export declare const addCustomSecrets: ({ items, ...others }: MultiSecretProps) => VaultSecretResource[];
+export {};

package/KeyVault/CustomHelper.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addCustomSecrets = exports.addCustomSecret = exports.addVaultSecretFrom = void 0;
+const pulumi_1 = require("@pulumi/pulumi");
+const Naming_1 = require("../Common/Naming");
+const VaultSecret_1 = require("@drunk-pulumi/azure-providers/VaultSecret");
+const ConfigHelper_1 = require("../Common/ConfigHelper");
+const Helpers_1 = require("../Common/Helpers");
+/**Add key vault secret from a value or from pulumi configuration secret. */
+const addVaultSecretFrom = ({ name, value, vaultInfo }) => {
+    if (!value)
+        value = (0, ConfigHelper_1.getSecret)(name);
+    if (!value)
+        throw new Error(`The value of "${name}" is not defined.`);
+    return (0, exports.addCustomSecret)({
+        name,
+        value,
+        vaultInfo,
+        contentType: 'config variables',
+    });
+};
+exports.addVaultSecretFrom = addVaultSecretFrom;
+/** Add a secret to Key Vault. This will auto recover the deleted item and update with a new value if existed. */
+const addCustomSecret = ({ name, formattedName, vaultInfo, value, contentType, ignoreChange, tags, dependsOn, }) => {
+    const n = formattedName ? name : (0, Naming_1.getSecretName)(name);
+    //This KeyVault Secret is not auto recovery the deleted one.
+    return new VaultSecret_1.VaultSecretResource((0, Helpers_1.replaceAll)(name, '.', '-'), {
+        name: (0, Helpers_1.replaceAll)(n, '.', '-'),
+        value: value ? (0, pulumi_1.output)(value).apply((v) => v || '') : '',
+        vaultInfo,
+        contentType: contentType || name,
+        ignoreChange,
+        tags,
+    }, { dependsOn });
+};
+exports.addCustomSecret = addCustomSecret;
+/** Add multi secrets to Key Vault. This will auto recover the deleted item and update with a new value if existed. */
+const addCustomSecrets = ({ items, ...others }) => items.map((i) => (0, exports.addCustomSecret)({ ...i, ...others }));
+exports.addCustomSecrets = addCustomSecrets;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ3VzdG9tSGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL0tleVZhdWx0L0N1c3RvbUhlbHBlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwyQ0FBeUQ7QUFDekQsNkNBQWlEO0FBQ2pELDJFQUFnRjtBQUVoRix5REFBbUQ7QUFDbkQsK0NBQStDO0FBUy9DLDRFQUE0RTtBQUNyRSxNQUFNLGtCQUFrQixHQUFHLENBQUMsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLFNBQVMsRUFBUyxFQUFFLEVBQUU7SUFDdEUsSUFBSSxDQUFDLEtBQUs7UUFBRSxLQUFLLEdBQUcsSUFBQSx3QkFBUyxFQUFDLElBQUksQ0FBQyxDQUFDO0lBQ3BDLElBQUksQ0FBQyxLQUFLO1FBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQyxpQkFBaUIsSUFBSSxtQkFBbUIsQ0FBQyxDQUFDO0lBRXRFLE9BQU8sSUFBQSx1QkFBZSxFQUFDO1FBQ3JCLElBQUk7UUFDSixLQUFLO1FBQ0wsU0FBUztRQUNULFdBQVcsRUFBRSxrQkFBa0I7S0FDaEMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyxDQUFDO0FBVlcsUUFBQSxrQkFBa0Isc0JBVTdCO0FBZ0JGLGlIQUFpSDtBQUMxRyxNQUFNLGVBQWUsR0FBRyxDQUFDLEVBQzlCLElBQUksRUFDSixhQUFhLEVBQ2IsU0FBUyxFQUNULEtBQUssRUFDTCxXQUFXLEVBQ1gsWUFBWSxFQUNaLElBQUksRUFDSixTQUFTLEdBQ0csRUFBRSxFQUFFO0lBQ2hCLE1BQU0sQ0FBQyxHQUFHLGFBQWEsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxJQUFBLHNCQUFhLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFDckQsNERBQTREO0lBQzVELE9BQU8sSUFBSSxpQ0FBbUIsQ0FDNUIsSUFBQSxvQkFBVSxFQUFDLElBQUksRUFBRSxHQUFHLEVBQUUsR0FBRyxDQUFDLEVBQzFCO1FBQ0UsSUFBSSxFQUFFLElBQUEsb0JBQVUsRUFBQyxDQUFDLEVBQUUsR0FBRyxFQUFFLEdBQUcsQ0FBQztRQUM3QixLQUFLLEVBQUUsS0FBSyxDQUFDLENBQUMsQ0FBQyxJQUFBLGVBQU0sRUFBQyxLQUFLLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRTtRQUN2RCxTQUFTO1FBQ1QsV0FBVyxFQUFFLFdBQVcsSUFBSSxJQUFJO1FBQ2hDLFlBQVk7UUFDWixJQUFJO0tBQ0wsRUFDRCxFQUFFLFNBQVMsRUFBRSxDQUNkLENBQUM7QUFDSixDQUFDLENBQUM7QUF4QlcsUUFBQSxlQUFlLG1CQXdCMUI7QUFNRixzSEFBc0g7QUFDL0csTUFBTSxnQkFBZ0IsR0FBRyxDQUFDLEVBQUUsS0FBSyxFQUFFLEdBQUcsTUFBTSxFQUFvQixFQUFFLEVBQUUsQ0FDekUsS0FBSyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsSUFBQSx1QkFBZSxFQUFDLEVBQUUsR0FBRyxDQUFDLEVBQUUsR0FBRyxNQUFNLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFENUMsUUFBQSxnQkFBZ0Isb0JBQzRCIn0=

package/KeyVault/Helper.d.ts

@@ -0,0 +1,33 @@
+import { Input, Resource } from '@pulumi/pulumi';
+import { KeyVaultInfo } from '../types';
+type SecretProps = {
+    name: string;
+    value: Input<string>;
+    vaultInfo: KeyVaultInfo;
+    contentType?: Input<string>;
+    tags?: Input<{
+        [key: string]: Input<string>;
+    }>;
+    dependsOn?: Input<Resource> | Input<Input<Resource>[]>;
+};
+type GetVaultItemProps = {
+    name: string;
+    version?: string;
+    vaultInfo: KeyVaultInfo;
+    nameFormatted?: boolean;
+};
+export declare const addKey: ({ name, vaultInfo, tags, dependsOn, }: Omit<SecretProps, 'value' | 'contentType'>) => import("@pulumi/azure-native/keyvault/key").Key;
+/** Get Key */
+export declare const getKey: ({ name, version, vaultInfo, nameFormatted, }: GetVaultItemProps) => Promise<import("@azure/keyvault-keys").KeyVaultKey | undefined>;
+/** Get Secret */
+export declare const getSecret: ({ name, version, vaultInfo, nameFormatted, }: GetVaultItemProps) => Promise<import("@azure/keyvault-secrets").KeyVaultSecret | undefined>;
+interface KeyResult {
+    name: string;
+    /** The version may be empty if it is not found in the url */
+    version: string;
+    keyIdentityUrl: string;
+    vaultUrl: string;
+}
+/** Convert VaultId to VaultInfo */
+export declare const parseKeyUrl: (keyUrl: string) => KeyResult;
+export {};

package/KeyVault/Helper.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseKeyUrl = exports.getSecret = exports.getKey = exports.addKey = void 0;
+const keyvault = require("@pulumi/azure-native/keyvault");
+const Naming_1 = require("../Common/Naming");
+const Helpers_1 = require("../Common/Helpers");
+const KeyVaultBase_1 = require("@drunk-pulumi/azure-providers/AzBase/KeyVaultBase");
+const addKey = ({ name, vaultInfo, tags, dependsOn, }) => {
+    const n = (0, Naming_1.getSecretName)(name);
+    return new keyvault.Key((0, Helpers_1.replaceAll)(name, '.', '-'), {
+        keyName: n,
+        vaultName: vaultInfo.name,
+        ...vaultInfo.group,
+        //https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.keyvault.webkey?view=azure-dotnet-legacy
+        properties: {
+            keySize: 2048,
+            kty: 'RSA',
+            keyOps: [
+                'decrypt',
+                'encrypt',
+                'sign',
+                'verify',
+                'wrapKey',
+                'unwrapKey',
+            ],
+            //curveName: 'P512',
+            attributes: { enabled: true },
+        },
+        tags,
+    }, { dependsOn });
+};
+exports.addKey = addKey;
+/** Get Key */
+const getKey = async ({ name, version, vaultInfo, nameFormatted, }) => {
+    const n = nameFormatted ? name : (0, Naming_1.getSecretName)(name);
+    const client = (0, KeyVaultBase_1.getKeyVaultBase)(vaultInfo.name);
+    return client.getKey(n, version);
+};
+exports.getKey = getKey;
+/** Get Secret */
+const getSecret = async ({ name, version, vaultInfo, nameFormatted, }) => {
+    const n = nameFormatted ? name : (0, Naming_1.getSecretName)(name);
+    const client = (0, KeyVaultBase_1.getKeyVaultBase)(vaultInfo.name);
+    return client.getSecret(n, version);
+};
+exports.getSecret = getSecret;
+/** Convert VaultId to VaultInfo */
+const parseKeyUrl = (keyUrl) => {
+    const splits = keyUrl.split('/');
+    return {
+        keyIdentityUrl: keyUrl,
+        name: splits[4],
+        version: splits.length > 4 ? splits[5] : '',
+        vaultUrl: `https://${splits[2]}`,
+    };
+};
+exports.parseKeyUrl = parseKeyUrl;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiSGVscGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL0tleVZhdWx0L0hlbHBlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFBQSwwREFBMEQ7QUFJMUQsNkNBQWlEO0FBQ2pELCtDQUErQztBQUUvQyxvRkFBb0Y7QUF3QjdFLE1BQU0sTUFBTSxHQUFHLENBQUMsRUFDckIsSUFBSSxFQUNKLFNBQVMsRUFDVCxJQUFJLEVBQ0osU0FBUyxHQUNrQyxFQUFFLEVBQUU7SUFDL0MsTUFBTSxDQUFDLEdBQUcsSUFBQSxzQkFBYSxFQUFDLElBQUksQ0FBQyxDQUFDO0lBRTlCLE9BQU8sSUFBSSxRQUFRLENBQUMsR0FBRyxDQUNyQixJQUFBLG9CQUFVLEVBQUMsSUFBSSxFQUFFLEdBQUcsRUFBRSxHQUFHLENBQUMsRUFDMUI7UUFDRSxPQUFPLEVBQUUsQ0FBQztRQUNWLFNBQVMsRUFBRSxTQUFTLENBQUMsSUFBSTtRQUN6QixHQUFHLFNBQVMsQ0FBQyxLQUFLO1FBQ2xCLHNHQUFzRztRQUN0RyxVQUFVLEVBQUU7WUFDVixPQUFPLEVBQUUsSUFBSTtZQUNiLEdBQUcsRUFBRSxLQUFLO1lBQ1YsTUFBTSxFQUFFO2dCQUNOLFNBQVM7Z0JBQ1QsU0FBUztnQkFDVCxNQUFNO2dCQUNOLFFBQVE7Z0JBQ1IsU0FBUztnQkFDVCxXQUFXO2FBQ1o7WUFDRCxvQkFBb0I7WUFDcEIsVUFBVSxFQUFFLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRTtTQUM5QjtRQUNELElBQUk7S0FDTCxFQUNELEVBQUUsU0FBUyxFQUFFLENBQ2QsQ0FBQztBQUNKLENBQUMsQ0FBQztBQWpDVyxRQUFBLE1BQU0sVUFpQ2pCO0FBRUYsY0FBYztBQUNQLE1BQU0sTUFBTSxHQUFHLEtBQUssRUFBRSxFQUMzQixJQUFJLEVBQ0osT0FBTyxFQUNQLFNBQVMsRUFDVCxhQUFhLEdBQ0ssRUFBRSxFQUFFO0lBQ3RCLE1BQU0sQ0FBQyxHQUFHLGFBQWEsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxJQUFBLHNCQUFhLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFDckQsTUFBTSxNQUFNLEdBQUcsSUFBQSw4QkFBZSxFQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUMvQyxPQUFPLE1BQU0sQ0FBQyxNQUFNLENBQUMsQ0FBQyxFQUFFLE9BQU8sQ0FBQyxDQUFDO0FBQ25DLENBQUMsQ0FBQztBQVRXLFFBQUEsTUFBTSxVQVNqQjtBQUVGLGlCQUFpQjtBQUNWLE1BQU0sU0FBUyxHQUFHLEtBQUssRUFBRSxFQUM5QixJQUFJLEVBQ0osT0FBTyxFQUNQLFNBQVMsRUFDVCxhQUFhLEdBQ0ssRUFBRSxFQUFFO0lBQ3RCLE1BQU0sQ0FBQyxHQUFHLGFBQWEsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxJQUFBLHNCQUFhLEVBQUMsSUFBSSxDQUFDLENBQUM7SUFDckQsTUFBTSxNQUFNLEdBQUcsSUFBQSw4QkFBZSxFQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUMvQyxPQUFPLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLE9BQU8sQ0FBQyxDQUFDO0FBQ3RDLENBQUMsQ0FBQztBQVRXLFFBQUEsU0FBUyxhQVNwQjtBQVVGLG1DQUFtQztBQUM1QixNQUFNLFdBQVcsR0FBRyxDQUFDLE1BQWMsRUFBYSxFQUFFO0lBQ3ZELE1BQU0sTUFBTSxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDakMsT0FBTztRQUNMLGNBQWMsRUFBRSxNQUFNO1FBQ3RCLElBQUksRUFBRSxNQUFNLENBQUMsQ0FBQyxDQUFDO1FBQ2YsT0FBTyxFQUFFLE1BQU0sQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQUU7UUFDM0MsUUFBUSxFQUFFLFdBQVcsTUFBTSxDQUFDLENBQUMsQ0FBQyxFQUFFO0tBQ2pDLENBQUM7QUFDSixDQUFDLENBQUM7QUFSVyxRQUFBLFdBQVcsZUFRdEIifQ==

package/KeyVault/VaultAccess.d.ts

@@ -0,0 +1,15 @@
+import { EnvRoleNamesType } from '../AzAd/EnvRoles';
+export type VaultAccessType = {
+    /** Grant permission of this group into Environment Roles groups*/
+    envRoleNames?: EnvRoleNamesType;
+    includeOrganization?: boolean;
+};
+interface Props {
+    name: string;
+    auth: VaultAccessType;
+}
+declare const _default: ({ name, auth }: Props) => {
+    readOnlyGroup: import("@pulumi/pulumi").Output<import("@pulumi/pulumi").UnwrappedObject<import("@pulumi/azuread").GetGroupResult>> | import("@pulumi/pulumi").Output<import("@pulumi/azuread/group").Group>;
+    adminGroup: import("@pulumi/pulumi").Output<import("@pulumi/pulumi").UnwrappedObject<import("@pulumi/azuread").GetGroupResult>> | import("@pulumi/pulumi").Output<import("@pulumi/azuread/group").Group>;
+};
+export default _default;

package/KeyVault/VaultAccess.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const Role_1 = require("../AzAd/Role");
+const AzureEnv_1 = require("../Common/AzureEnv");
+const Group_1 = require("../AzAd/Group");
+exports.default = ({ name, auth }) => {
+    //Permission Groups
+    const readOnlyGroup = auth.envRoleNames
+        ? (0, Group_1.getAdGroup)(auth.envRoleNames.readOnly)
+        : (0, Role_1.default)({
+            env: AzureEnv_1.currentEnv,
+            appName: `${name}-vault`,
+            roleName: 'ReadOnly',
+            includeOrganization: auth.includeOrganization,
+        });
+    const adminGroup = auth.envRoleNames
+        ? (0, Group_1.getAdGroup)(auth.envRoleNames.contributor)
+        : (0, Role_1.default)({
+            env: AzureEnv_1.currentEnv,
+            appName: `${name}-vault`,
+            roleName: 'Admin',
+            includeOrganization: auth.includeOrganization,
+        });
+    //Add current service principal in
+    // if (auth.permissions == undefined) {
+    //   auth.permissions = [
+    //     // {
+    //     //   objectId: currentServicePrincipal,
+    //     //   permission: 'ReadWrite',
+    //     // },
+    //   ];
+    // }
+    //Add Permission to Groups
+    // auth.permissions.forEach(
+    //   ({ objectId, applicationId, permission, ...others }, index) =>
+    //     new azuread.GroupMember(`${name}-${permission}-${index}`, {
+    //       groupObjectId:
+    //         permission === 'ReadOnly'
+    //           ? readOnlyGroup.objectId
+    //           : adminGroup.objectId,
+    //       memberObjectId: objectId ?? applicationId,
+    //       ...others,
+    //     })
+    // );
+    return { readOnlyGroup, adminGroup };
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiVmF1bHRBY2Nlc3MuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvS2V5VmF1bHQvVmF1bHRBY2Nlc3MudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFDQSx1Q0FBcUM7QUFDckMsaURBQWdEO0FBQ2hELHlDQUEyQztBQWUzQyxrQkFBZSxDQUFDLEVBQUUsSUFBSSxFQUFFLElBQUksRUFBUyxFQUFFLEVBQUU7SUFDdkMsbUJBQW1CO0lBQ25CLE1BQU0sYUFBYSxHQUFHLElBQUksQ0FBQyxZQUFZO1FBQ3JDLENBQUMsQ0FBQyxJQUFBLGtCQUFVLEVBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxRQUFRLENBQUM7UUFDeEMsQ0FBQyxDQUFDLElBQUEsY0FBUyxFQUFDO1lBQ1IsR0FBRyxFQUFFLHFCQUFVO1lBQ2YsT0FBTyxFQUFFLEdBQUcsSUFBSSxRQUFRO1lBQ3hCLFFBQVEsRUFBRSxVQUFVO1lBQ3BCLG1CQUFtQixFQUFFLElBQUksQ0FBQyxtQkFBbUI7U0FDOUMsQ0FBQyxDQUFDO0lBRVAsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLFlBQVk7UUFDbEMsQ0FBQyxDQUFDLElBQUEsa0JBQVUsRUFBQyxJQUFJLENBQUMsWUFBWSxDQUFDLFdBQVcsQ0FBQztRQUMzQyxDQUFDLENBQUMsSUFBQSxjQUFTLEVBQUM7WUFDUixHQUFHLEVBQUUscUJBQVU7WUFDZixPQUFPLEVBQUUsR0FBRyxJQUFJLFFBQVE7WUFDeEIsUUFBUSxFQUFFLE9BQU87WUFDakIsbUJBQW1CLEVBQUUsSUFBSSxDQUFDLG1CQUFtQjtTQUM5QyxDQUFDLENBQUM7SUFFUCxrQ0FBa0M7SUFDbEMsdUNBQXVDO0lBQ3ZDLHlCQUF5QjtJQUN6QixXQUFXO0lBQ1gsOENBQThDO0lBQzlDLG9DQUFvQztJQUNwQyxZQUFZO0lBQ1osT0FBTztJQUNQLElBQUk7SUFFSiwwQkFBMEI7SUFDMUIsNEJBQTRCO0lBQzVCLG1FQUFtRTtJQUNuRSxrRUFBa0U7SUFDbEUsdUJBQXVCO0lBQ3ZCLG9DQUFvQztJQUNwQyxxQ0FBcUM7SUFDckMsbUNBQW1DO0lBQ25DLG1EQUFtRDtJQUNuRCxtQkFBbUI7SUFDbkIsU0FBUztJQUNULEtBQUs7SUFFTCxPQUFPLEVBQUUsYUFBYSxFQUFFLFVBQVUsRUFBRSxDQUFDO0FBQ3ZDLENBQUMsQ0FBQyJ9

package/KeyVault/VaultPermissions.d.ts

@@ -0,0 +1,26 @@
+import * as pulumi from '@pulumi/pulumi';
+import * as native from '@pulumi/azure-native';
+export interface PermissionProps {
+    /** The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. */
+    objectId: pulumi.Input<string>;
+    /** Application ID of the client making request on behalf of a principal */
+    applicationId?: pulumi.Input<string>;
+    permission: 'ReadOnly' | 'ReadWrite';
+    principalType?: native.authorization.PrincipalType;
+}
+export declare const grantVaultRbacPermission: ({ name, objectId, permission, scope, principalType, }: PermissionProps & {
+    name: string;
+    scope: pulumi.Input<string>;
+}) => void;
+export declare const KeyVaultAdminPolicy: {
+    certificates: string[];
+    keys: string[];
+    secrets: string[];
+    storage: string[];
+};
+export declare const KeyVaultReadOnlyPolicy: {
+    certificates: string[];
+    keys: string[];
+    secrets: string[];
+    storage: string[];
+};

package/KeyVault/VaultPermissions.js

@@ -0,0 +1,169 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeyVaultReadOnlyPolicy = exports.KeyVaultAdminPolicy = exports.grantVaultRbacPermission = void 0;
+const RoleAssignment_1 = require("../AzAd/RoleAssignment");
+const grantVaultRbacPermission = ({ name, objectId, permission, scope, principalType = 'User', }) => {
+    const vn = `${name}-${permission}`.toLowerCase();
+    const defaultProps = {
+        principalId: objectId,
+        scope,
+    };
+    //ReadOnly
+    if (permission === 'ReadOnly') {
+        (0, RoleAssignment_1.roleAssignment)({
+            ...defaultProps,
+            name: `${vn}-encrypt`,
+            roleName: 'Key Vault Crypto Service Encryption User',
+            principalType,
+        });
+        (0, RoleAssignment_1.roleAssignment)({
+            ...defaultProps,
+            name: `${vn}-crypto`,
+            roleName: 'Key Vault Crypto User',
+            principalType,
+        });
+        (0, RoleAssignment_1.roleAssignment)({
+            ...defaultProps,
+            name: `${vn}-secret`,
+            roleName: 'Key Vault Secrets User',
+            principalType,
+        });
+        //Read and Write
+    }
+    else {
+        (0, RoleAssignment_1.roleAssignment)({
+            ...defaultProps,
+            name: `${vn}-contributor`,
+            roleName: 'Key Vault Administrator',
+            principalType,
+        });
+        (0, RoleAssignment_1.roleAssignment)({
+            ...defaultProps,
+            name: `${vn}-cert`,
+            roleName: 'Key Vault Certificates Officer',
+            principalType,
+        });
+        (0, RoleAssignment_1.roleAssignment)({
+            ...defaultProps,
+            name: `${vn}-crypto`,
+            roleName: 'Key Vault Crypto Officer',
+            principalType,
+        });
+        (0, RoleAssignment_1.roleAssignment)({
+            ...defaultProps,
+            name: `${vn}-secret`,
+            roleName: 'Key Vault Secrets Officer',
+            principalType,
+        });
+    }
+};
+exports.grantVaultRbacPermission = grantVaultRbacPermission;
+exports.KeyVaultAdminPolicy = {
+    certificates: [
+        'Backup',
+        'Create',
+        'Delete',
+        'DeleteIssuers',
+        'Get',
+        'GetIssuers',
+        'Import',
+        'List',
+        'ManageContacts',
+        'ManageIssuers',
+        'Purge',
+        'Recover',
+        'Restore',
+        'SetIssuers',
+        'Update',
+    ],
+    keys: [
+        'Backup',
+        'Create',
+        'Decrypt',
+        'Delete',
+        'Encrypt',
+        'Get',
+        'Import',
+        'List',
+        'Purge',
+        'Recover',
+        'Restore',
+        'Sign',
+        'UnwrapKey',
+        'Update',
+        'Verify',
+        'WrapKey',
+    ],
+    secrets: [
+        'Backup',
+        'Delete',
+        'Get',
+        'List',
+        'Purge',
+        'Recover',
+        'Restore',
+        'Set',
+    ],
+    storage: [
+        'Backup',
+        'Delete',
+        'DeleteSAS',
+        'Get',
+        'GetSAS',
+        'List',
+        'ListSAS',
+        'Purge',
+        'Recover',
+        'RegenerateKey',
+        'Restore',
+        'Set',
+        'SetSAS',
+        'Update',
+    ],
+};
+exports.KeyVaultReadOnlyPolicy = {
+    certificates: ['Get', 'List'],
+    keys: [
+        'Get',
+        'List',
+        'Decrypt',
+        'Encrypt',
+        'Sign',
+        'UnwrapKey',
+        'Verify',
+        'WrapKey',
+    ],
+    secrets: ['Get', 'List'],
+    storage: ['Get', 'List'],
+};
+// export const grantVaultAccessPolicy = ({
+//   name,
+//   objectId,
+//   permission,
+//   vaultInfo,
+// }: PermissionProps & {
+//   name: string;
+//   vaultInfo: KeyVaultInfo;
+// }) =>
+//   new vault.AccessPolicy(name, {
+//     keyVaultId: vaultInfo.id,
+//     objectId,
+//     tenantId,
+//     certificatePermissions:
+//       permission === 'ReadOnly'
+//         ? KeyVaultReadOnlyPolicy.certificates
+//         : KeyVaultAdminPolicy.certificates,
+//     keyPermissions:
+//       permission === 'ReadOnly'
+//         ? KeyVaultReadOnlyPolicy.keys
+//         : KeyVaultAdminPolicy.keys,
+//     secretPermissions:
+//       permission === 'ReadOnly'
+//         ? KeyVaultReadOnlyPolicy.secrets
+//         : KeyVaultAdminPolicy.secrets,
+//     storagePermissions:
+//       permission === 'ReadOnly'
+//         ? KeyVaultReadOnlyPolicy.storage
+//         : KeyVaultAdminPolicy.storage,
+//   });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiVmF1bHRQZXJtaXNzaW9ucy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9LZXlWYXVsdC9WYXVsdFBlcm1pc3Npb25zLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUNBLDJEQUF3RDtBQVlqRCxNQUFNLHdCQUF3QixHQUFHLENBQUMsRUFDdkMsSUFBSSxFQUNKLFFBQVEsRUFDUixVQUFVLEVBQ1YsS0FBSyxFQUNMLGFBQWEsR0FBRyxNQUFNLEdBSXZCLEVBQUUsRUFBRTtJQUNILE1BQU0sRUFBRSxHQUFHLEdBQUcsSUFBSSxJQUFJLFVBQVUsRUFBRSxDQUFDLFdBQVcsRUFBRSxDQUFDO0lBRWpELE1BQU0sWUFBWSxHQUFHO1FBQ25CLFdBQVcsRUFBRSxRQUFRO1FBQ3JCLEtBQUs7S0FDTixDQUFDO0lBRUYsVUFBVTtJQUNWLElBQUksVUFBVSxLQUFLLFVBQVUsRUFBRSxDQUFDO1FBQzlCLElBQUEsK0JBQWMsRUFBQztZQUNiLEdBQUcsWUFBWTtZQUNmLElBQUksRUFBRSxHQUFHLEVBQUUsVUFBVTtZQUNyQixRQUFRLEVBQUUsMENBQTBDO1lBQ3BELGFBQWE7U0FDZCxDQUFDLENBQUM7UUFDSCxJQUFBLCtCQUFjLEVBQUM7WUFDYixHQUFHLFlBQVk7WUFDZixJQUFJLEVBQUUsR0FBRyxFQUFFLFNBQVM7WUFDcEIsUUFBUSxFQUFFLHVCQUF1QjtZQUNqQyxhQUFhO1NBQ2QsQ0FBQyxDQUFDO1FBQ0gsSUFBQSwrQkFBYyxFQUFDO1lBQ2IsR0FBRyxZQUFZO1lBQ2YsSUFBSSxFQUFFLEdBQUcsRUFBRSxTQUFTO1lBQ3BCLFFBQVEsRUFBRSx3QkFBd0I7WUFDbEMsYUFBYTtTQUNkLENBQUMsQ0FBQztRQUNILGdCQUFnQjtJQUNsQixDQUFDO1NBQU0sQ0FBQztRQUNOLElBQUEsK0JBQWMsRUFBQztZQUNiLEdBQUcsWUFBWTtZQUNmLElBQUksRUFBRSxHQUFHLEVBQUUsY0FBYztZQUN6QixRQUFRLEVBQUUseUJBQXlCO1lBQ25DLGFBQWE7U0FDZCxDQUFDLENBQUM7UUFDSCxJQUFBLCtCQUFjLEVBQUM7WUFDYixHQUFHLFlBQVk7WUFDZixJQUFJLEVBQUUsR0FBRyxFQUFFLE9BQU87WUFDbEIsUUFBUSxFQUFFLGdDQUFnQztZQUMxQyxhQUFhO1NBQ2QsQ0FBQyxDQUFDO1FBQ0gsSUFBQSwrQkFBYyxFQUFDO1lBQ2IsR0FBRyxZQUFZO1lBQ2YsSUFBSSxFQUFFLEdBQUcsRUFBRSxTQUFTO1lBQ3BCLFFBQVEsRUFBRSwwQkFBMEI7WUFDcEMsYUFBYTtTQUNkLENBQUMsQ0FBQztRQUNILElBQUEsK0JBQWMsRUFBQztZQUNiLEdBQUcsWUFBWTtZQUNmLElBQUksRUFBRSxHQUFHLEVBQUUsU0FBUztZQUNwQixRQUFRLEVBQUUsMkJBQTJCO1lBQ3JDLGFBQWE7U0FDZCxDQUFDLENBQUM7SUFDTCxDQUFDO0FBQ0gsQ0FBQyxDQUFDO0FBaEVXLFFBQUEsd0JBQXdCLDRCQWdFbkM7QUFFVyxRQUFBLG1CQUFtQixHQUFHO0lBQ2pDLFlBQVksRUFBRTtRQUNaLFFBQVE7UUFDUixRQUFRO1FBQ1IsUUFBUTtRQUNSLGVBQWU7UUFDZixLQUFLO1FBQ0wsWUFBWTtRQUNaLFFBQVE7UUFDUixNQUFNO1FBQ04sZ0JBQWdCO1FBQ2hCLGVBQWU7UUFDZixPQUFPO1FBQ1AsU0FBUztRQUNULFNBQVM7UUFDVCxZQUFZO1FBQ1osUUFBUTtLQUNUO0lBQ0QsSUFBSSxFQUFFO1FBQ0osUUFBUTtRQUNSLFFBQVE7UUFDUixTQUFTO1FBQ1QsUUFBUTtRQUNSLFNBQVM7UUFDVCxLQUFLO1FBQ0wsUUFBUTtRQUNSLE1BQU07UUFDTixPQUFPO1FBQ1AsU0FBUztRQUNULFNBQVM7UUFDVCxNQUFNO1FBQ04sV0FBVztRQUNYLFFBQVE7UUFDUixRQUFRO1FBQ1IsU0FBUztLQUNWO0lBQ0QsT0FBTyxFQUFFO1FBQ1AsUUFBUTtRQUNSLFFBQVE7UUFDUixLQUFLO1FBQ0wsTUFBTTtRQUNOLE9BQU87UUFDUCxTQUFTO1FBQ1QsU0FBUztRQUNULEtBQUs7S0FDTjtJQUNELE9BQU8sRUFBRTtRQUNQLFFBQVE7UUFDUixRQUFRO1FBQ1IsV0FBVztRQUNYLEtBQUs7UUFDTCxRQUFRO1FBQ1IsTUFBTTtRQUNOLFNBQVM7UUFDVCxPQUFPO1FBQ1AsU0FBUztRQUNULGVBQWU7UUFDZixTQUFTO1FBQ1QsS0FBSztRQUNMLFFBQVE7UUFDUixRQUFRO0tBQ1Q7Q0FDRixDQUFDO0FBRVcsUUFBQSxzQkFBc0IsR0FBRztJQUNwQyxZQUFZLEVBQUUsQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDO0lBQzdCLElBQUksRUFBRTtRQUNKLEtBQUs7UUFDTCxNQUFNO1FBQ04sU0FBUztRQUNULFNBQVM7UUFDVCxNQUFNO1FBQ04sV0FBVztRQUNYLFFBQVE7UUFDUixTQUFTO0tBQ1Y7SUFDRCxPQUFPLEVBQUUsQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDO0lBQ3hCLE9BQU8sRUFBRSxDQUFDLEtBQUssRUFBRSxNQUFNLENBQUM7Q0FDekIsQ0FBQztBQUVGLDJDQUEyQztBQUMzQyxVQUFVO0FBQ1YsY0FBYztBQUNkLGdCQUFnQjtBQUNoQixlQUFlO0FBQ2YseUJBQXlCO0FBQ3pCLGtCQUFrQjtBQUNsQiw2QkFBNkI7QUFDN0IsUUFBUTtBQUNSLG1DQUFtQztBQUNuQyxnQ0FBZ0M7QUFDaEMsZ0JBQWdCO0FBQ2hCLGdCQUFnQjtBQUNoQiw4QkFBOEI7QUFDOUIsa0NBQWtDO0FBQ2xDLGdEQUFnRDtBQUNoRCw4Q0FBOEM7QUFDOUMsc0JBQXNCO0FBQ3RCLGtDQUFrQztBQUNsQyx3Q0FBd0M7QUFDeEMsc0NBQXNDO0FBQ3RDLHlCQUF5QjtBQUN6QixrQ0FBa0M7QUFDbEMsMkNBQTJDO0FBQzNDLHlDQUF5QztBQUN6QywwQkFBMEI7QUFDMUIsa0NBQWtDO0FBQ2xDLDJDQUEyQztBQUMzQyx5Q0FBeUM7QUFDekMsUUFBUSJ9