
I would like to create an Azure key vault, key, and disk encryption set via an ARM template.

I know how to do this via the portal, and I know how to create a key vault, key, and disk encryption set via an ARM template, but what I don't understand is 1) how to reference the key (as in how to get the keyUrl with the version number) and 2) how to give the disk encryption set access to the key vault. In the portal I do the latter by going to the key vault and giving the generated identity access, but I'm not sure how to do it via an ARM template or if that's even possible.

Thanks.

Update: Digging around a bit more into this, I think the way to do the first one is something like this?

"keyUrl": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', variables('keyvaultName'), variables('keyName'))).keyUriWithVersion]"

(where the vault name etc. are stored in the referenced variables).

1 Answer

Figured out the answer to this. The following snippet deploys a key vault key, a disk encryption set, and then an access policy that gives the disk encryption set access to the key vault.

        {
            "type": "Microsoft.KeyVault/vaults/keys",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('keyvaultName'), '/', variables('keyName'))]",
            "location": "[variables('location')]",
            "tags": "[parameters('resourceTags')]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
            ],
            "properties": {
                "kty": "RSA",
                "keySize": 4096
            }
        },
        {
            "type": "Microsoft.Compute/diskEncryptionSets",
            "apiVersion": "2019-07-01",
            "name": "[variables('diskencsetName')]",
            "location": "[variables('location')]",
            "tags": "[parameters('resourceTags')]",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults/keys', variables('keyvaultName'), variables('keyName'))]"
            ],
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "activeKey": {
                    "sourceVault": {
                        "id": "[resourceId('Microsoft.KeyVault/vaults', variables('keyvaultName'))]"
                    },
                    "keyUrl": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', variables('keyvaultName'), variables('keyName')), '2019-09-01', 'Full').properties.keyUriWithVersion]"
                }
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/accessPolicies",
            "apiVersion": "2019-09-01",
            "name": "[concat(variables('keyvaultName'), '/add')]",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/diskEncryptionSets', variables('diskencsetName'))]"
            ],
            "properties": {
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "[reference(resourceId('Microsoft.Compute/diskEncryptionSets', variables('diskencsetName')), '2019-07-01', 'Full').identity.PrincipalId]",
                        "permissions": {
                            "keys": [
                                "Get",
                                "WrapKey",
                                "UnwrapKey"
                            ],
                            "secrets": [],
                            "certificates": []
                        }
                    }
                ]
            }
        },

I realized I could get the properties I need via the reference() function, so it was a matter of figuring out what I need and then putting it all into a template. I had to split out the access policies from the key vault definition so I can create the key vault and the disk encryption set and then tie the two together.

Hope this helps anyone else looking for the same. Thanks.
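The snippet above assumes a Microsoft.KeyVault/vaults resource and the variables it references already exist in the template. As an added example (not the poster's template), here is a minimal version of that vault resource plus the assumed parameter and variable names; disk encryption sets require the vault to have soft delete and purge protection enabled, and the vault's own accessPolicies is left empty so the separate accessPolicies/add resource is the only grant, limited to the Get, WrapKey and UnwrapKey key permissions shown in the answer.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resourceTags": { "type": "object", "defaultValue": {} }
  },
  "variables": {
    "location": "[resourceGroup().location]",
    "keyvaultName": "[concat('kv-des-', uniqueString(resourceGroup().id))]",
    "keyName": "des-key",
    "diskencsetName": "des-example"
  },
  "resources": [
    {
      "comments": "Assumed vault definition; the key, diskEncryptionSets and accessPolicies/add resources from the answer go after it in this array.",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[variables('keyvaultName')]",
      "location": "[variables('location')]",
      "tags": "[parameters('resourceTags')]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": true,
        "accessPolicies": []
      }
    }
  ]
}
```

Purge protection cannot be turned off once enabled, so a vault created this way cannot be permanently deleted before its retention period ends; that is the behaviour the disk encryption set depends on so its key cannot be destroyed out from under encrypted disks.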