176 lines
4.0 KiB
Bicep
176 lines
4.0 KiB
Bicep
// ------------------------------------------------------------------------
|
|
// Copyright 2021 The Dapr Authors
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
// ------------------------------------------------------------------------
|
|
|
|
param adminId string
|
|
param certAuthSpId string
|
|
param sdkAuthSpId string
|
|
param keyVaultName string
|
|
param rgLocation string = resourceGroup().location
|
|
param confTestTags object = {}
|
|
param tenantId string = subscription().tenantId
|
|
|
|
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' = {
|
|
name: keyVaultName
|
|
location: rgLocation
|
|
tags: confTestTags
|
|
properties: {
|
|
tenantId: tenantId
|
|
sku: {
|
|
family: 'A'
|
|
name: 'standard'
|
|
}
|
|
accessPolicies: [
|
|
// This access policy is to allow the user to manage the KeyVault instance.
|
|
{
|
|
tenantId: tenantId
|
|
objectId: adminId
|
|
permissions: {
|
|
keys: [
|
|
'all'
|
|
]
|
|
secrets: [
|
|
'all'
|
|
]
|
|
certificates: [
|
|
'all'
|
|
]
|
|
storage: [
|
|
'all'
|
|
]
|
|
}
|
|
}
|
|
// This access policy is used by the AKV conformance test to Get and BulkGet secrets, and to perform cryptographic operations.
|
|
{
|
|
tenantId: tenantId
|
|
objectId: certAuthSpId
|
|
permissions: {
|
|
keys: [
|
|
'get'
|
|
'list'
|
|
'encrypt'
|
|
'decrypt'
|
|
'wrapKey'
|
|
'unwrapKey'
|
|
'sign'
|
|
'verify'
|
|
]
|
|
secrets: [
|
|
'get'
|
|
'list'
|
|
]
|
|
certificates: [
|
|
'get'
|
|
'list'
|
|
]
|
|
storage: [
|
|
'get'
|
|
'list'
|
|
]
|
|
}
|
|
}
|
|
// This access policy is used by GitHub workflow to retrieve the required-secrets
|
|
// and required-certs for the conformance tests.
|
|
{
|
|
tenantId: tenantId
|
|
objectId: sdkAuthSpId
|
|
permissions: {
|
|
keys: [
|
|
'get'
|
|
'list'
|
|
'encrypt'
|
|
'decrypt'
|
|
'wrapKey'
|
|
'unwrapKey'
|
|
'sign'
|
|
'verify'
|
|
]
|
|
secrets: [
|
|
'get'
|
|
'list'
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
|
|
// These test secrets are defined by the conformance tests for the Azure Key Vault secret store
|
|
|
|
resource testsecret1 'secrets' = {
|
|
name: 'conftestsecret'
|
|
properties: {
|
|
value: 'abcd'
|
|
contentType: 'text/plain'
|
|
}
|
|
}
|
|
|
|
resource testsecret2 'secrets' = {
|
|
name: 'secondsecret'
|
|
properties: {
|
|
value: 'efgh'
|
|
contentType: 'text/plain'
|
|
}
|
|
}
|
|
|
|
// These test keys are used by the conformance tests for the Azure Key Vault crypto provider
|
|
|
|
resource testKeyRSA 'keys' = {
|
|
name: 'rsakey'
|
|
properties: {
|
|
attributes: {
|
|
enabled: true
|
|
}
|
|
keyOps: [
|
|
'encrypt'
|
|
'decrypt'
|
|
'sign'
|
|
'verify'
|
|
'wrapKey'
|
|
'unwrapKey'
|
|
]
|
|
keySize: 4096
|
|
kty: 'RSA'
|
|
}
|
|
}
|
|
|
|
resource testKeyP256 'keys' = {
|
|
name: 'ec256key'
|
|
properties: {
|
|
attributes: {
|
|
enabled: true
|
|
}
|
|
keyOps: [
|
|
'sign'
|
|
'verify'
|
|
]
|
|
curveName: 'P-256'
|
|
kty: 'EC'
|
|
}
|
|
}
|
|
|
|
resource testKeyP521 'keys' = {
|
|
// Note: "521" is not a typo
|
|
name: 'ec521key'
|
|
properties: {
|
|
attributes: {
|
|
enabled: true
|
|
}
|
|
keyOps: [
|
|
'sign'
|
|
'verify'
|
|
]
|
|
curveName: 'P-521'
|
|
kty: 'EC'
|
|
}
|
|
}
|
|
}
|