@drunk-pulumi/azure 0.0.25 → 0.0.26
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/AzAd/EnvRoles.d.ts +7 -3
- package/AzAd/EnvRoles.js +19 -18
- package/AzAd/Group.d.ts +3 -3
- package/AzAd/Group.js +9 -9
- package/AzAd/Identity.js +2 -2
- package/AzAd/KeyVaultRoles.d.ts +8 -0
- package/AzAd/KeyVaultRoles.js +53 -0
- package/AzAd/Role.d.ts +5 -5
- package/AzAd/Role.js +11 -6
- package/AzAd/UserIdentity.d.ts +5 -0
- package/AzAd/UserIdentity.js +12 -0
- package/Cdn/index.d.ts +2 -2
- package/Cdn/index.js +14 -14
- package/Common/AutoTags.js +8 -7
- package/Common/AzureEnv.d.ts +1 -0
- package/Common/AzureEnv.js +5 -2
- package/Common/Naming/AzureRegions.d.ts +4 -0
- package/Common/Naming/AzureRegions.js +49 -0
- package/Common/ResourceEnv.d.ts +1 -4
- package/Common/ResourceEnv.js +9 -4
- package/KeyVault/Helper.d.ts +4 -0
- package/KeyVault/Helper.js +16 -2
- package/KeyVault/VaultPermissions.d.ts +18 -17
- package/KeyVault/VaultPermissions.js +146 -89
- package/KeyVault/index.d.ts +1 -6
- package/KeyVault/index.js +29 -56
- package/MySql/index.d.ts +18 -7
- package/MySql/index.js +94 -32
- package/Postgresql/index.d.ts +7 -4
- package/Postgresql/index.js +29 -12
- package/Sql/SqlDb.d.ts +4 -4
- package/Sql/SqlDb.js +13 -13
- package/Sql/index.js +25 -20
- package/Storage/index.js +4 -2
- package/VNet/PrivateEndpoint.js +3 -1
- package/package.json +3 -3
- package/types.d.ts +2 -0
- package/KeyVault/VaultAccess.d.ts +0 -14
- package/KeyVault/VaultAccess.js +0 -24
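--- a/package/Common/ResourceEnv.js
+++ b/package/Common/ResourceEnv.js
@@ -3,8 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getResourceName = exports.resourceConvention = void 0;
 const Helpers_1 = require("./Helpers");
 const StackEnv_1 = require("./StackEnv");
+const AzureEnv_1 = require("./AzureEnv");
 exports.resourceConvention = {
 prefix: StackEnv_1.stack,
+includeRegion: true,
 suffix: undefined, //This may be specified by each resource name
 };
 /** ==================== Resources Variables ========================= */
@@ -12,12 +14,15 @@ const getName = (name, convention) => {
 if (!name)
 return name;
 name = (0, Helpers_1.replaceAll)(name, ' ', '-');
-//Add prefix
-if (convention.prefix && !name.startsWith(convention.prefix))
-name = convention.prefix + '-' + name;
 //Organization
 if (convention.includeOrgName && !name.includes(StackEnv_1.organization))
 name = name + '-' + StackEnv_1.organization;
+//Region
+if (convention.includeRegion && AzureEnv_1.currentLocationCode && !name.includes(AzureEnv_1.currentLocationCode))
+name = name + '-' + AzureEnv_1.currentLocationCode;
+//Add prefix
+if (convention.prefix && !name.startsWith(convention.prefix))
+name = convention.prefix + '-' + name;
 //Add the suffix
 if (convention.suffix && !name.endsWith(convention.suffix))
 name = name + '-' + convention.suffix;
@@ -26,4 +31,4 @@ const getName = (name, convention) => {
 /** The method to get Resource Name. This is not applicable for Azure Storage Account and CosmosDb*/
 const getResourceName = (name, convention) => getName(name, { ...exports.resourceConvention, ...convention });
 exports.getResourceName = getResourceName;
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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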
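Review bot: `includeRegion: true` in `exports.resourceConvention` changes the name `getName` produces for every existing consumer, because `getResourceName` spreads that convention by default and the new region branch appends `currentLocationCode` to any name that does not already contain it; in Pulumi a changed name means the resource is replaced, which for stateful resources such as vaults and databases is destructive. If that is intended it belongs in the release notes; otherwise keep the previous behaviour as the default, `includeRegion: false,`, and let callers opt in per resource. The `!name.includes(AzureEnv_1.currentLocationCode)` guard is also a plain substring test, so a name that happens to contain the location code inside another token silently skips the suffix — the same caveat the existing organization check already carries. `getName` starts before this hunk.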
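--- a/package/KeyVault/Helper.d.ts
+++ b/package/KeyVault/Helper.d.ts
@@ -31,4 +31,8 @@ interface KeyResult {
 }
 /** Convert VaultId to VaultInfo */
 export declare const parseKeyUrl: (keyUrl: string) => KeyResult;
+export declare const getVaultRoleNames: (nameOrInfo: string | KeyVaultInfo) => Promise<{
+readOnly: string;
+admin: string;
+} | undefined>;
 export {};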
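--- a/package/KeyVault/Helper.js
+++ b/package/KeyVault/Helper.js
@@ -1,11 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseKeyUrl = exports.getSecret = exports.getEncryptionKey = exports.getKey = exports.addKey = void 0;
+exports.getVaultRoleNames = exports.parseKeyUrl = exports.getSecret = exports.getEncryptionKey = exports.getKey = exports.addKey = void 0;
 const keyvault = require("@pulumi/azure-native/keyvault");
 const pulumi_1 = require("@pulumi/pulumi");
 const Naming_1 = require("../Common/Naming");
 const Helpers_1 = require("../Common/Helpers");
 const KeyVaultBase_1 = require("@drunk-pulumi/azure-providers/AzBase/KeyVaultBase");
+const VaultRole = require("../AzAd/KeyVaultRoles");
 const addKey = ({ name, vaultInfo, tags, dependsOn, }) => {
 const n = (0, Naming_1.getSecretName)(name);
 return new keyvault.Key((0, Helpers_1.replaceAll)(name, ".", "-"), {
@@ -61,4 +62,17 @@ const parseKeyUrl = (keyUrl) => {
 };
 };
 exports.parseKeyUrl = parseKeyUrl;
-
+const getVaultRoleNames = async (nameOrInfo) => {
+if (typeof nameOrInfo === "string") {
+return VaultRole.getVaultRoleNames(nameOrInfo);
+}
+const value = await (0, exports.getSecret)({
+name: "VaultRoleNames",
+vaultInfo: nameOrInfo,
+});
+return value
+? JSON.parse(value.value)
+: undefined;
+};
+exports.getVaultRoleNames = getVaultRoleNames;
+//# sourceMappingURL=data:application/json;base64,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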
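Review bot: `getVaultRoleNames` hands whatever `JSON.parse(value.value)` yields straight back to callers typed as `{ readOnly, admin }`, so a malformed or hand-edited `VaultRoleNames` secret either surfaces as a bare SyntaxError or flows through as an object without those keys until a later `getAdGroup(vaultRole.readOnly)` fails with no hint of the cause. The secret's content is writable by any principal holding a secrets-writer role on that vault, so it is worth treating as input and checking its shape before returning it. Since this file is compiled output the change belongs in the TypeScript source it is built from; the parsed branch would look like the following.
```javascript
const getVaultRoleNames = async (nameOrInfo) => {
    // … unchanged: string branch delegating to VaultRole.getVaultRoleNames …
    const value = await (0, exports.getSecret)({
        name: "VaultRoleNames",
        vaultInfo: nameOrInfo,
    });
    if (!value)
        return undefined;
    const parsed = JSON.parse(value.value);
    // Written by grantVaultPermissionToRole as { admin, readOnly }; any other shape is a
    // misconfigured secret and should fail here rather than later inside getAdGroup.
    if (!parsed || typeof parsed.readOnly !== "string" || typeof parsed.admin !== "string")
        throw new Error(`Secret "VaultRoleNames" in vault ${nameOrInfo.name} is not a { readOnly, admin } object`);
    return parsed;
};
```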
@@ -1,26 +1,27 @@
|
|
|
1
|
-
import * as pulumi from
|
|
2
|
-
import * as native from
|
|
1
|
+
import * as pulumi from "@pulumi/pulumi";
|
|
2
|
+
import * as native from "@pulumi/azure-native";
|
|
3
|
+
import * as azuread from "@pulumi/azuread";
|
|
4
|
+
import { KeyVaultInfo } from "../types";
|
|
3
5
|
export interface PermissionProps {
|
|
4
6
|
/** The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. */
|
|
5
7
|
objectId: pulumi.Input<string>;
|
|
6
8
|
/** Application ID of the client making request on behalf of a principal */
|
|
7
9
|
applicationId?: pulumi.Input<string>;
|
|
8
|
-
permission:
|
|
10
|
+
permission: "ReadOnly" | "ReadWrite";
|
|
9
11
|
principalType?: native.authorization.PrincipalType;
|
|
10
12
|
}
|
|
11
|
-
export declare const
|
|
13
|
+
export declare const grantVaultAccessToIdentity: ({ name, identity, vaultInfo, }: {
|
|
12
14
|
name: string;
|
|
13
|
-
|
|
15
|
+
identity: pulumi.Output<{
|
|
16
|
+
principalId: string;
|
|
17
|
+
} | undefined>;
|
|
18
|
+
vaultInfo: KeyVaultInfo;
|
|
19
|
+
}) => pulumi.OutputInstance<void>;
|
|
20
|
+
export declare const grantVaultPermissionToRole: ({ name, vaultInfo, roles, }: {
|
|
21
|
+
name: string;
|
|
22
|
+
vaultInfo: KeyVaultInfo;
|
|
23
|
+
roles: {
|
|
24
|
+
adminGroup: pulumi.Output<azuread.Group>;
|
|
25
|
+
readOnlyGroup: pulumi.Output<azuread.Group>;
|
|
26
|
+
};
|
|
14
27
|
}) => void;
|
|
15
|
-
export declare const KeyVaultAdminPolicy: {
|
|
16
|
-
certificates: string[];
|
|
17
|
-
keys: string[];
|
|
18
|
-
secrets: string[];
|
|
19
|
-
storage: string[];
|
|
20
|
-
};
|
|
21
|
-
export declare const KeyVaultReadOnlyPolicy: {
|
|
22
|
-
certificates: string[];
|
|
23
|
-
keys: string[];
|
|
24
|
-
secrets: string[];
|
|
25
|
-
storage: string[];
|
|
26
|
-
};
|
|
@@ -1,31 +1,36 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.
|
|
3
|
+
exports.grantVaultPermissionToRole = exports.grantVaultAccessToIdentity = void 0;
|
|
4
|
+
const pulumi = require("@pulumi/pulumi");
|
|
4
5
|
const RoleAssignment_1 = require("../AzAd/RoleAssignment");
|
|
5
|
-
const
|
|
6
|
+
const CustomHelper_1 = require("./CustomHelper");
|
|
7
|
+
const AzDevOps_1 = require("../AzAd/Identities/AzDevOps");
|
|
8
|
+
const Helper_1 = require("./Helper");
|
|
9
|
+
const Group_1 = require("../AzAd/Group");
|
|
10
|
+
const grantVaultRbacPermission = ({ name, objectId, permission, scope, principalType = "User", }) => {
|
|
6
11
|
const vn = `${name}-${permission}`.toLowerCase();
|
|
7
12
|
const defaultProps = {
|
|
8
13
|
principalId: objectId,
|
|
9
14
|
scope,
|
|
10
15
|
};
|
|
11
16
|
//ReadOnly
|
|
12
|
-
if (permission ===
|
|
17
|
+
if (permission === "ReadOnly") {
|
|
13
18
|
(0, RoleAssignment_1.roleAssignment)({
|
|
14
19
|
...defaultProps,
|
|
15
20
|
name: `${vn}-encrypt`,
|
|
16
|
-
roleName:
|
|
21
|
+
roleName: "Key Vault Crypto Service Encryption User",
|
|
17
22
|
principalType,
|
|
18
23
|
});
|
|
19
24
|
(0, RoleAssignment_1.roleAssignment)({
|
|
20
25
|
...defaultProps,
|
|
21
26
|
name: `${vn}-crypto`,
|
|
22
|
-
roleName:
|
|
27
|
+
roleName: "Key Vault Crypto User",
|
|
23
28
|
principalType,
|
|
24
29
|
});
|
|
25
30
|
(0, RoleAssignment_1.roleAssignment)({
|
|
26
31
|
...defaultProps,
|
|
27
32
|
name: `${vn}-secret`,
|
|
28
|
-
roleName:
|
|
33
|
+
roleName: "Key Vault Secrets User",
|
|
29
34
|
principalType,
|
|
30
35
|
});
|
|
31
36
|
//Read and Write
|
|
@@ -34,108 +39,160 @@ const grantVaultRbacPermission = ({ name, objectId, permission, scope, principal
|
|
|
34
39
|
(0, RoleAssignment_1.roleAssignment)({
|
|
35
40
|
...defaultProps,
|
|
36
41
|
name: `${vn}-contributor`,
|
|
37
|
-
roleName:
|
|
42
|
+
roleName: "Key Vault Administrator",
|
|
38
43
|
principalType,
|
|
39
44
|
});
|
|
40
45
|
(0, RoleAssignment_1.roleAssignment)({
|
|
41
46
|
...defaultProps,
|
|
42
47
|
name: `${vn}-cert`,
|
|
43
|
-
roleName:
|
|
48
|
+
roleName: "Key Vault Certificates Officer",
|
|
44
49
|
principalType,
|
|
45
50
|
});
|
|
46
51
|
(0, RoleAssignment_1.roleAssignment)({
|
|
47
52
|
...defaultProps,
|
|
48
53
|
name: `${vn}-crypto`,
|
|
49
|
-
roleName:
|
|
54
|
+
roleName: "Key Vault Crypto Officer",
|
|
50
55
|
principalType,
|
|
51
56
|
});
|
|
52
57
|
(0, RoleAssignment_1.roleAssignment)({
|
|
53
58
|
...defaultProps,
|
|
54
59
|
name: `${vn}-secret`,
|
|
55
|
-
roleName:
|
|
60
|
+
roleName: "Key Vault Secrets Officer",
|
|
56
61
|
principalType,
|
|
57
62
|
});
|
|
58
63
|
}
|
|
59
64
|
};
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
'DeleteSAS',
|
|
111
|
-
'Get',
|
|
112
|
-
'GetSAS',
|
|
113
|
-
'List',
|
|
114
|
-
'ListSAS',
|
|
115
|
-
'Purge',
|
|
116
|
-
'Recover',
|
|
117
|
-
'RegenerateKey',
|
|
118
|
-
'Restore',
|
|
119
|
-
'Set',
|
|
120
|
-
'SetSAS',
|
|
121
|
-
'Update',
|
|
122
|
-
],
|
|
123
|
-
};
|
|
124
|
-
exports.KeyVaultReadOnlyPolicy = {
|
|
125
|
-
certificates: ['Get', 'List'],
|
|
126
|
-
keys: [
|
|
127
|
-
'Get',
|
|
128
|
-
'List',
|
|
129
|
-
'Decrypt',
|
|
130
|
-
'Encrypt',
|
|
131
|
-
'Sign',
|
|
132
|
-
'UnwrapKey',
|
|
133
|
-
'Verify',
|
|
134
|
-
'WrapKey',
|
|
135
|
-
],
|
|
136
|
-
secrets: ['Get', 'List'],
|
|
137
|
-
storage: ['Get', 'List'],
|
|
65
|
+
const grantVaultAccessToIdentity = ({ name, identity, vaultInfo, }) => identity.apply(async (i) => {
|
|
66
|
+
if (!i)
|
|
67
|
+
return;
|
|
68
|
+
const vaultRole = await (0, Helper_1.getVaultRoleNames)(vaultInfo);
|
|
69
|
+
if (!vaultRole)
|
|
70
|
+
return;
|
|
71
|
+
(0, Group_1.addMemberToGroup)({
|
|
72
|
+
name: `${name}-identity-readAccess-${vaultInfo.name}`,
|
|
73
|
+
objectId: i.principalId,
|
|
74
|
+
groupObjectId: (0, Group_1.getAdGroup)(vaultRole.readOnly).objectId,
|
|
75
|
+
});
|
|
76
|
+
});
|
|
77
|
+
exports.grantVaultAccessToIdentity = grantVaultAccessToIdentity;
|
|
78
|
+
const grantVaultPermissionToRole = ({ name, vaultInfo, roles, }) => {
|
|
79
|
+
//Grant RBAC permission to Group
|
|
80
|
+
grantVaultRbacPermission({
|
|
81
|
+
name: `${name}-ReadOnlyGroup`,
|
|
82
|
+
scope: vaultInfo.id,
|
|
83
|
+
objectId: roles.readOnlyGroup.objectId,
|
|
84
|
+
permission: "ReadOnly",
|
|
85
|
+
principalType: "Group",
|
|
86
|
+
});
|
|
87
|
+
grantVaultRbacPermission({
|
|
88
|
+
name: `${name}-AdminGroup`,
|
|
89
|
+
scope: vaultInfo.id,
|
|
90
|
+
objectId: roles.adminGroup.objectId,
|
|
91
|
+
permission: "ReadWrite",
|
|
92
|
+
principalType: "Group",
|
|
93
|
+
});
|
|
94
|
+
//Grant Admin RBAC permission current ADO Identity as the Group will be take time to be effective
|
|
95
|
+
const ado = (0, AzDevOps_1.getAdoIdentity)();
|
|
96
|
+
grantVaultRbacPermission({
|
|
97
|
+
name: `${name}-Admin-Ado`,
|
|
98
|
+
scope: vaultInfo.id,
|
|
99
|
+
objectId: ado.principal.objectId,
|
|
100
|
+
permission: "ReadWrite",
|
|
101
|
+
principalType: "ServicePrincipal",
|
|
102
|
+
});
|
|
103
|
+
//Add RoleNames to vault
|
|
104
|
+
(0, CustomHelper_1.addCustomSecret)({
|
|
105
|
+
name: "VaultRoleNames",
|
|
106
|
+
value: pulumi
|
|
107
|
+
.output({
|
|
108
|
+
admin: roles.adminGroup.displayName,
|
|
109
|
+
readOnly: roles.readOnlyGroup.displayName,
|
|
110
|
+
})
|
|
111
|
+
.apply((role) => JSON.stringify(role)),
|
|
112
|
+
vaultInfo,
|
|
113
|
+
contentType: "KeyVault Roles Names",
|
|
114
|
+
});
|
|
138
115
|
};
|
|
116
|
+
exports.grantVaultPermissionToRole = grantVaultPermissionToRole;
|
|
117
|
+
// export const KeyVaultAdminPolicy = {
|
|
118
|
+
// certificates: [
|
|
119
|
+
// 'Backup',
|
|
120
|
+
// 'Create',
|
|
121
|
+
// 'Delete',
|
|
122
|
+
// 'DeleteIssuers',
|
|
123
|
+
// 'Get',
|
|
124
|
+
// 'GetIssuers',
|
|
125
|
+
// 'Import',
|
|
126
|
+
// 'List',
|
|
127
|
+
// 'ManageContacts',
|
|
128
|
+
// 'ManageIssuers',
|
|
129
|
+
// 'Purge',
|
|
130
|
+
// 'Recover',
|
|
131
|
+
// 'Restore',
|
|
132
|
+
// 'SetIssuers',
|
|
133
|
+
// 'Update',
|
|
134
|
+
// ],
|
|
135
|
+
// keys: [
|
|
136
|
+
// 'Backup',
|
|
137
|
+
// 'Create',
|
|
138
|
+
// 'Decrypt',
|
|
139
|
+
// 'Delete',
|
|
140
|
+
// 'Encrypt',
|
|
141
|
+
// 'Get',
|
|
142
|
+
// 'Import',
|
|
143
|
+
// 'List',
|
|
144
|
+
// 'Purge',
|
|
145
|
+
// 'Recover',
|
|
146
|
+
// 'Restore',
|
|
147
|
+
// 'Sign',
|
|
148
|
+
// 'UnwrapKey',
|
|
149
|
+
// 'Update',
|
|
150
|
+
// 'Verify',
|
|
151
|
+
// 'WrapKey',
|
|
152
|
+
// ],
|
|
153
|
+
// secrets: [
|
|
154
|
+
// 'Backup',
|
|
155
|
+
// 'Delete',
|
|
156
|
+
// 'Get',
|
|
157
|
+
// 'List',
|
|
158
|
+
// 'Purge',
|
|
159
|
+
// 'Recover',
|
|
160
|
+
// 'Restore',
|
|
161
|
+
// 'Set',
|
|
162
|
+
// ],
|
|
163
|
+
// storage: [
|
|
164
|
+
// 'Backup',
|
|
165
|
+
// 'Delete',
|
|
166
|
+
// 'DeleteSAS',
|
|
167
|
+
// 'Get',
|
|
168
|
+
// 'GetSAS',
|
|
169
|
+
// 'List',
|
|
170
|
+
// 'ListSAS',
|
|
171
|
+
// 'Purge',
|
|
172
|
+
// 'Recover',
|
|
173
|
+
// 'RegenerateKey',
|
|
174
|
+
// 'Restore',
|
|
175
|
+
// 'Set',
|
|
176
|
+
// 'SetSAS',
|
|
177
|
+
// 'Update',
|
|
178
|
+
// ],
|
|
179
|
+
// };
|
|
180
|
+
//
|
|
181
|
+
// export const KeyVaultReadOnlyPolicy = {
|
|
182
|
+
// certificates: ['Get', 'List'],
|
|
183
|
+
// keys: [
|
|
184
|
+
// 'Get',
|
|
185
|
+
// 'List',
|
|
186
|
+
// 'Decrypt',
|
|
187
|
+
// 'Encrypt',
|
|
188
|
+
// 'Sign',
|
|
189
|
+
// 'UnwrapKey',
|
|
190
|
+
// 'Verify',
|
|
191
|
+
// 'WrapKey',
|
|
192
|
+
// ],
|
|
193
|
+
// secrets: ['Get', 'List'],
|
|
194
|
+
// storage: ['Get', 'List'],
|
|
195
|
+
// };
|
|
139
196
|
// export const grantVaultAccessPolicy = ({
|
|
140
197
|
// name,
|
|
141
198
|
// objectId,
|
|
@@ -166,4 +223,4 @@ exports.KeyVaultReadOnlyPolicy = {
|
|
|
166
223
|
// ? KeyVaultReadOnlyPolicy.storage
|
|
167
224
|
// : KeyVaultAdminPolicy.storage,
|
|
168
225
|
// });
|
|
169
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
226
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiVmF1bHRQZXJtaXNzaW9ucy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9LZXlWYXVsdC9WYXVsdFBlcm1pc3Npb25zLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7OztBQUFBLHlDQUF5QztBQUN6QywyREFBd0Q7QUFHeEQsaURBQWlEO0FBRWpELDBEQUE2RDtBQUM3RCxxQ0FBNkM7QUFDN0MseUNBQTZEO0FBVzdELE1BQU0sd0JBQXdCLEdBQUcsQ0FBQyxFQUNoQyxJQUFJLEVBQ0osUUFBUSxFQUNSLFVBQVUsRUFDVixLQUFLLEVBQ0wsYUFBYSxHQUFHLE1BQU0sR0FJdkIsRUFBRSxFQUFFO0lBQ0gsTUFBTSxFQUFFLEdBQUcsR0FBRyxJQUFJLElBQUksVUFBVSxFQUFFLENBQUMsV0FBVyxFQUFFLENBQUM7SUFFakQsTUFBTSxZQUFZLEdBQUc7UUFDbkIsV0FBVyxFQUFFLFFBQVE7UUFDckIsS0FBSztLQUNOLENBQUM7SUFFRixVQUFVO0lBQ1YsSUFBSSxVQUFVLEtBQUssVUFBVSxFQUFFLENBQUM7UUFDOUIsSUFBQSwrQkFBYyxFQUFDO1lBQ2IsR0FBRyxZQUFZO1lBQ2YsSUFBSSxFQUFFLEdBQUcsRUFBRSxVQUFVO1lBQ3JCLFFBQVEsRUFBRSwwQ0FBMEM7WUFDcEQsYUFBYTtTQUNkLENBQUMsQ0FBQztRQUNILElBQUEsK0JBQWMsRUFBQztZQUNiLEdBQUcsWUFBWTtZQUNmLElBQUksRUFBRSxHQUFHLEVBQUUsU0FBUztZQUNwQixRQUFRLEVBQUUsdUJBQXVCO1lBQ2pDLGFBQWE7U0FDZCxDQUFDLENBQUM7UUFDSCxJQUFBLCtCQUFjLEVBQUM7WUFDYixHQUFHLFlBQVk7WUFDZixJQUFJLEVBQUUsR0FBRyxFQUFFLFNBQVM7WUFDcEIsUUFBUSxFQUFFLHdCQUF3QjtZQUNsQyxhQUFhO1NBQ2QsQ0FBQyxDQUFDO1FBQ0gsZ0JBQWdCO0lBQ2xCLENBQUM7U0FBTSxDQUFDO1FBQ04sSUFBQSwrQkFBYyxFQUFDO1lBQ2IsR0FBRyxZQUFZO1lBQ2YsSUFBSSxFQUFFLEdBQUcsRUFBRSxjQUFjO1lBQ3pCLFFBQVEsRUFBRSx5QkFBeUI7WUFDbkMsYUFBYTtTQUNkLENBQUMsQ0FBQztRQUNILElBQUEsK0JBQWMsRUFBQztZQUNiLEdBQUcsWUFBWTtZQUNmLElBQUksRUFBRSxHQUFHLEVBQUUsT0FBTztZQUNsQixRQUFRLEVBQUUsZ0NBQWdDO1lBQzFDLGFBQWE7U0FDZCxDQUFDLENBQUM7UUFDSCxJQUFBLCtCQUFjLEVBQUM7WUFDYixHQUFHLFlBQVk7WUFDZixJQUFJLEVBQUUsR0FBRyxFQUFFLFNBQVM7WUFDcEIsUUFBUSxFQUFFLDBCQUEwQjtZQUNwQyxhQUFhO1NBQ2QsQ0FBQyxDQUFDO1FBQ0gsSUFBQSwrQkFBYyxFQUFDO1lBQ2IsR0FBRyxZQUFZO1lBQ2YsSUFBSSxFQUFFLEdBQUcsRUFBRSxTQUFTO1lBQ3BCLFFBQVEsRUFBRSwyQkFBMkI7WUFDckMsYUFBYTtTQUNkLENBQUMsQ0FBQztJQUNMLENBQUM7QUFDSCxDQUFDLENBQUM7QUFFSyxNQUFNLDBCQUEwQixHQUFHLENBQUMsRUFDekMsSUFBSSxFQUNKLFFBQVEsRUFDUixTQUFTLEdBS1YsRUFBRSxFQUFFLENBQ0gsUUFBUSxDQUFDLEtBQUssQ0FBQyxLQUFLLEVBQU
UsQ0FBQyxFQUFFLEVBQUU7SUFDekIsSUFBSSxDQUFDLENBQUM7UUFBRSxPQUFPO0lBQ2YsTUFBTSxTQUFTLEdBQUcsTUFBTSxJQUFBLDBCQUFpQixFQUFDLFNBQVMsQ0FBQyxDQUFDO0lBQ3JELElBQUcsQ0FBQyxTQUFTO1FBQUMsT0FBTztJQUVyQixJQUFBLHdCQUFnQixFQUFDO1FBQ2YsSUFBSSxFQUFFLEdBQUcsSUFBSSx3QkFBd0IsU0FBUyxDQUFDLElBQUksRUFBRTtRQUNyRCxRQUFRLEVBQUUsQ0FBQyxDQUFDLFdBQVc7UUFDdkIsYUFBYSxFQUFFLElBQUEsa0JBQVUsRUFBQyxTQUFTLENBQUMsUUFBUSxDQUFDLENBQUMsUUFBUTtLQUN2RCxDQUFDLENBQUM7QUFDTCxDQUFDLENBQUMsQ0FBQztBQW5CUSxRQUFBLDBCQUEwQiw4QkFtQmxDO0FBRUUsTUFBTSwwQkFBMEIsR0FBRyxDQUFDLEVBQ3pDLElBQUksRUFDSixTQUFTLEVBQ1QsS0FBSyxHQVFOLEVBQUUsRUFBRTtJQUNILGdDQUFnQztJQUNoQyx3QkFBd0IsQ0FBQztRQUN2QixJQUFJLEVBQUUsR0FBRyxJQUFJLGdCQUFnQjtRQUM3QixLQUFLLEVBQUUsU0FBUyxDQUFDLEVBQUU7UUFDbkIsUUFBUSxFQUFFLEtBQUssQ0FBQyxhQUFhLENBQUMsUUFBUTtRQUN0QyxVQUFVLEVBQUUsVUFBVTtRQUN0QixhQUFhLEVBQUUsT0FBTztLQUN2QixDQUFDLENBQUM7SUFFSCx3QkFBd0IsQ0FBQztRQUN2QixJQUFJLEVBQUUsR0FBRyxJQUFJLGFBQWE7UUFDMUIsS0FBSyxFQUFFLFNBQVMsQ0FBQyxFQUFFO1FBQ25CLFFBQVEsRUFBRSxLQUFLLENBQUMsVUFBVSxDQUFDLFFBQVE7UUFDbkMsVUFBVSxFQUFFLFdBQVc7UUFDdkIsYUFBYSxFQUFFLE9BQU87S0FDdkIsQ0FBQyxDQUFDO0lBRUgsaUdBQWlHO0lBQ2pHLE1BQU0sR0FBRyxHQUFHLElBQUEseUJBQWMsR0FBRSxDQUFDO0lBQzdCLHdCQUF3QixDQUFDO1FBQ3ZCLElBQUksRUFBRSxHQUFHLElBQUksWUFBWTtRQUN6QixLQUFLLEVBQUUsU0FBUyxDQUFDLEVBQUU7UUFDbkIsUUFBUSxFQUFFLEdBQUcsQ0FBQyxTQUFTLENBQUMsUUFBUTtRQUNoQyxVQUFVLEVBQUUsV0FBVztRQUN2QixhQUFhLEVBQUUsa0JBQWtCO0tBQ2xDLENBQUMsQ0FBQztJQUVILHdCQUF3QjtJQUN4QixJQUFBLDhCQUFlLEVBQUM7UUFDZCxJQUFJLEVBQUUsZ0JBQWdCO1FBQ3RCLEtBQUssRUFBRSxNQUFNO2FBQ1YsTUFBTSxDQUFDO1lBQ04sS0FBSyxFQUFFLEtBQUssQ0FBQyxVQUFVLENBQUMsV0FBVztZQUNuQyxRQUFRLEVBQUUsS0FBSyxDQUFDLGFBQWEsQ0FBQyxXQUFXO1NBQzFDLENBQUM7YUFDRCxLQUFLLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDeEMsU0FBUztRQUNULFdBQVcsRUFBRSxzQkFBc0I7S0FDcEMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyxDQUFDO0FBbkRXLFFBQUEsMEJBQTBCLDhCQW1EckM7QUFFRix1Q0FBdUM7QUFDdkMsb0JBQW9CO0FBQ3BCLGdCQUFnQjtBQUNoQixnQkFBZ0I7QUFDaEIsZ0JBQWdCO0FBQ2hCLHVCQUF1QjtBQUN2QixhQUFhO0FBQ2Isb0JBQW9CO0FBQ3BCLG
dCQUFnQjtBQUNoQixjQUFjO0FBQ2Qsd0JBQXdCO0FBQ3hCLHVCQUF1QjtBQUN2QixlQUFlO0FBQ2YsaUJBQWlCO0FBQ2pCLGlCQUFpQjtBQUNqQixvQkFBb0I7QUFDcEIsZ0JBQWdCO0FBQ2hCLE9BQU87QUFDUCxZQUFZO0FBQ1osZ0JBQWdCO0FBQ2hCLGdCQUFnQjtBQUNoQixpQkFBaUI7QUFDakIsZ0JBQWdCO0FBQ2hCLGlCQUFpQjtBQUNqQixhQUFhO0FBQ2IsZ0JBQWdCO0FBQ2hCLGNBQWM7QUFDZCxlQUFlO0FBQ2YsaUJBQWlCO0FBQ2pCLGlCQUFpQjtBQUNqQixjQUFjO0FBQ2QsbUJBQW1CO0FBQ25CLGdCQUFnQjtBQUNoQixnQkFBZ0I7QUFDaEIsaUJBQWlCO0FBQ2pCLE9BQU87QUFDUCxlQUFlO0FBQ2YsZ0JBQWdCO0FBQ2hCLGdCQUFnQjtBQUNoQixhQUFhO0FBQ2IsY0FBYztBQUNkLGVBQWU7QUFDZixpQkFBaUI7QUFDakIsaUJBQWlCO0FBQ2pCLGFBQWE7QUFDYixPQUFPO0FBQ1AsZUFBZTtBQUNmLGdCQUFnQjtBQUNoQixnQkFBZ0I7QUFDaEIsbUJBQW1CO0FBQ25CLGFBQWE7QUFDYixnQkFBZ0I7QUFDaEIsY0FBYztBQUNkLGlCQUFpQjtBQUNqQixlQUFlO0FBQ2YsaUJBQWlCO0FBQ2pCLHVCQUF1QjtBQUN2QixpQkFBaUI7QUFDakIsYUFBYTtBQUNiLGdCQUFnQjtBQUNoQixnQkFBZ0I7QUFDaEIsT0FBTztBQUNQLEtBQUs7QUFDTCxFQUFFO0FBQ0YsMENBQTBDO0FBQzFDLG1DQUFtQztBQUNuQyxZQUFZO0FBQ1osYUFBYTtBQUNiLGNBQWM7QUFDZCxpQkFBaUI7QUFDakIsaUJBQWlCO0FBQ2pCLGNBQWM7QUFDZCxtQkFBbUI7QUFDbkIsZ0JBQWdCO0FBQ2hCLGlCQUFpQjtBQUNqQixPQUFPO0FBQ1AsOEJBQThCO0FBQzlCLDhCQUE4QjtBQUM5QixLQUFLO0FBRUwsMkNBQTJDO0FBQzNDLFVBQVU7QUFDVixjQUFjO0FBQ2QsZ0JBQWdCO0FBQ2hCLGVBQWU7QUFDZix5QkFBeUI7QUFDekIsa0JBQWtCO0FBQ2xCLDZCQUE2QjtBQUM3QixRQUFRO0FBQ1IsbUNBQW1DO0FBQ25DLGdDQUFnQztBQUNoQyxnQkFBZ0I7QUFDaEIsZ0JBQWdCO0FBQ2hCLDhCQUE4QjtBQUM5QixrQ0FBa0M7QUFDbEMsZ0RBQWdEO0FBQ2hELDhDQUE4QztBQUM5QyxzQkFBc0I7QUFDdEIsa0NBQWtDO0FBQ2xDLHdDQUF3QztBQUN4QyxzQ0FBc0M7QUFDdEMseUJBQXlCO0FBQ3pCLGtDQUFrQztBQUNsQywyQ0FBMkM7QUFDM0MseUNBQXlDO0FBQ3pDLDBCQUEwQjtBQUMxQixrQ0FBa0M7QUFDbEMsMkNBQTJDO0FBQzNDLHlDQUF5QztBQUN6QyxRQUFRIn0=
|
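Review bot: In `grantVaultAccessToIdentity` the target group is resolved by display name, `getAdGroup(vaultRole.readOnly)`, because the `VaultRoleNames` secret written at the end of `grantVaultPermissionToRole` stores only `roles.*.displayName`; group display names are not unique in Entra ID, so a second group with the same name in the tenant can be the one the identity is added to. Storing the object IDs beside the names, `adminObjectId: roles.adminGroup.objectId, readOnlyObjectId: roles.readOnlyGroup.objectId`, and using `groupObjectId: vaultRole.readOnlyObjectId` removes the ambiguous lookup (the declared `Promise` shape in Helper.d.ts grows accordingly). The membership is also created inside `identity.apply(...)`, so the `addMemberToGroup` resource does not show up in `pulumi preview` and is skipped whenever the identity output is unknown; creating it outside the apply with `objectId: identity.apply((i) => i && i.principalId)` is the usual shape. The comment on the ADO grant presents it as a workaround for group propagation delay, but the `addCustomSecret` call that follows presumably needs write access for the deploying identity, so the grant is load-bearing and permanent — worth saying so in the comment, since it is an administrator-level assignment on every vault this library creates.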
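--- a/package/KeyVault/index.d.ts
+++ b/package/KeyVault/index.d.ts
@@ -1,7 +1,6 @@
 import { Input } from "@pulumi/pulumi";
 import { BasicMonitorArgs, PrivateLinkProps } from "../types";
 import { BasicResourceArgs } from "../types";
-import { VaultAccessType } from "./VaultAccess";
 interface Props extends BasicResourceArgs {
 /**The default-encryption-key, tenant-id va subscription-id will be added to the secrets and keys*/
 createDefaultValues?: boolean;
@@ -9,14 +8,10 @@ interface Props extends BasicResourceArgs {
 ipAddresses?: Array<Input<string>>;
 subnetIds?: Array<Input<string>>;
 };
-/** The permission and principals that allows to be access to this Key Vault */
-auth?: VaultAccessType;
 }
-declare const _default: ({ name, group,
+declare const _default: ({ name, group, createDefaultValues, network, ...others }: Props) => {
 name: string;
 vault: import("@pulumi/azure-native/keyvault/vault").Vault;
-readOnlyGroup: import("@pulumi/pulumi").Output<import("@pulumi/pulumi").UnwrappedObject<import("@pulumi/azuread").GetGroupResult>> | import("@pulumi/pulumi").Output<import("@pulumi/azuread/group").Group>;
-adminGroup: import("@pulumi/pulumi").Output<import("@pulumi/pulumi").UnwrappedObject<import("@pulumi/azuread").GetGroupResult>> | import("@pulumi/pulumi").Output<import("@pulumi/azuread/group").Group>;
 toVaultInfo: () => {
 name: string;
 group: import("../types").ResourceGroupInfo;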
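--- a/package/KeyVault/index.js
+++ b/package/KeyVault/index.js
@@ -8,28 +8,13 @@ const Helpers_1 = require("../Logs/Helpers");
 const PrivateEndpoint_1 = require("../VNet/PrivateEndpoint");
 const CustomHelper_1 = require("./CustomHelper");
 const VaultPermissions_1 = require("./VaultPermissions");
-const
+const KeyVaultRoles_1 = require("../AzAd/KeyVaultRoles");
 exports.default = ({ name,
 //nameConvention,
-group,
+group, createDefaultValues, network, ...others }) => {
 const vaultName = (0, Naming_1.getKeyVaultName)(name);
-const
-
-// new Array<native.types.input.keyvault.AccessPolicyEntryArgs>();
-//Grant Access permission
-// if (!auth?.enableRbac) {
-// accessPolicies.push({
-// objectId: readOnlyGroup.objectId,
-// tenantId,
-// permissions: KeyVaultReadOnlyPolicy,
-// });
-// accessPolicies.push({
-// objectId: adminGroup.objectId,
-// tenantId,
-// permissions: KeyVaultAdminPolicy,
-// });
-// }
-const resource = new native.keyvault.Vault(vaultName, {
+const roles = (0, KeyVaultRoles_1.createVaultRoles)(name);
+const vault = new native.keyvault.Vault(vaultName, {
 vaultName,
 ...group,
 ...others,
@@ -61,64 +46,52 @@ group, auth = {}, createDefaultValues, network, ...others }) => {
 },
 },
 });
-//Grant RBAC permission
-(0, VaultPermissions_1.grantVaultRbacPermission)({
-name: `${name}-ReadOnlyGroup`,
-scope: resource.id,
-objectId: readOnlyGroup.objectId,
-permission: "ReadOnly",
-principalType: "Group",
-});
-(0, VaultPermissions_1.grantVaultRbacPermission)({
-name: `${name}-AdminGroup`,
-scope: resource.id,
-objectId: adminGroup.objectId,
-permission: "ReadWrite",
-principalType: "Group",
-});
 //To Vault Info
-const toVaultInfo = () => ({
-
-const addDiagnostic = (logInfo) => (0, Helpers_1.createDiagnostic)({
-name,
-targetResourceId: resource.id,
-...logInfo,
-logsCategories: ["AuditEvent"],
-});
-// Create Private Link
-const createPrivateLink = (props) => (0, PrivateEndpoint_1.default)({
-name: (0, Naming_1.getPrivateEndpointName)(name),
+const toVaultInfo = () => ({
+name: vaultName,
 group,
-
-resourceId: resource.id,
-privateDnsZoneName: "privatelink.vaultcore.azure.net",
-linkServiceGroupIds: ["keyVault"],
+id: vault.id,
 });
+const vaultInfo = toVaultInfo();
+(0, VaultPermissions_1.grantVaultPermissionToRole)({ name, vaultInfo, roles });
 if (createDefaultValues) {
-const vaultInfo = toVaultInfo();
 (0, CustomHelper_1.addCustomSecret)({
 name: "tenant-id",
 value: AzureEnv_1.tenantId,
 vaultInfo,
 contentType: "KeyVault Default Values",
-dependsOn:
+dependsOn: vault,
 });
 (0, CustomHelper_1.addCustomSecret)({
 name: "subscription-id",
 value: AzureEnv_1.subscriptionId,
 vaultInfo,
 contentType: "KeyVault Default Values",
-dependsOn:
+dependsOn: vault,
 });
 }
+//Add Diagnostic
+const addDiagnostic = (logInfo) => (0, Helpers_1.createDiagnostic)({
+name,
+targetResourceId: vault.id,
+...logInfo,
+logsCategories: ["AuditEvent"],
+});
+// Create Private Link
+const createPrivateLink = (props) => (0, PrivateEndpoint_1.default)({
+name: (0, Naming_1.getPrivateEndpointName)(name),
+group,
+...props,
+resourceId: vault.id,
+privateDnsZoneName: "privatelink.vaultcore.azure.net",
+linkServiceGroupIds: ["keyVault"],
+});
 return {
 name: vaultName,
-vault
-readOnlyGroup,
-adminGroup,
+vault,
 toVaultInfo,
 addDiagnostic,
 createPrivateLink,
 };
 };
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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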
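Review bot: With the access-policy branch removed from `exports.default`, data-plane access to the vault now rests entirely on the RBAC assignments made by `grantVaultPermissionToRole`, and those only take effect if the `Vault` is created with `enableRbacAuthorization: true` in its `properties`; the vault properties sit between the two hunks, so please confirm that flag is set — otherwise the vault ends up with neither access policies nor usable role assignments. The role assignments and the `addCustomSecret` calls are independent resources with no `dependsOn` between them (the existing `dependsOn: vault` does not cover it), so if `addCustomSecret` writes through the data plane the first secret write on a fresh stack can race RBAC propagation; a `dependsOn` on the assignments, or a retry in the secret helper, would make first deployments deterministic. `exports.default` starts before the first hunk and its vault arguments continue between them.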
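--- a/package/MySql/index.d.ts
+++ b/package/MySql/index.d.ts
@@ -1,20 +1,31 @@
-import { BasicResourceArgs, KeyVaultInfo } from
-import * as pulumi from
-import * as
-import * as inputs from
+import { BasicResourceArgs, KeyVaultInfo } from "../types";
+import * as pulumi from "@pulumi/pulumi";
+import * as dbformysql from "@pulumi/azure-native/dbformysql";
+import * as inputs from "@pulumi/azure-native/types/input";
+import { EnvRoleNamesType } from "../AzAd/EnvRoles";
 export interface MySqlProps extends BasicResourceArgs {
+enableEncryption?: boolean;
+vaultInfo: KeyVaultInfo;
+auth: {
+enableAdAdministrator?: boolean;
+envRoleNames?: EnvRoleNamesType;
+adminLogin?: pulumi.Input<string>;
+password?: pulumi.Input<string>;
+};
 sku?: pulumi.Input<inputs.dbformysql.SkuArgs>;
-
-version?: azure.dbformysql.ServerVersion;
+version?: dbformysql.ServerVersion;
 storageSizeGB?: number;
 databases?: Array<string>;
 network?: {
 allowsPublicAccess?: boolean;
+privateLink?: {
+subnetId: pulumi.Input<string>;
+};
 firewallRules?: Array<{
 startIpAddress: string;
 endIpAddress: string;
 }>;
 };
 }
-declare const _default: ({ name, group, version, storageSizeGB, sku, network, databases, vaultInfo, dependsOn, }: MySqlProps) => import("@pulumi/azure-native/dbformysql/server").Server;
+declare const _default: ({ name, group, auth, enableEncryption, version, storageSizeGB, sku, network, databases, vaultInfo, dependsOn, }: MySqlProps) => import("@pulumi/azure-native/dbformysql/server").Server;
 export default _default;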