Integrate Azure Key Vault into UrlShortener API and update Bicep modules for role assignments

alnuaimicoder · alnuaimicoder · commit 3a5ba7afdf80 · 2024-12-30T18:11:22.000+03:00
diff --git a/UrlShortener.Api/Program.cs b/UrlShortener.Api/Program.cs
@@ -1,11 +1,19 @@
+using Azure.Identity;
+
 var builder = WebApplication.CreateBuilder(args);
 
+var keyVaultName = builder.Configuration["KeyVaultName"];
+if(!string.IsNullOrEmpty(keyVaultName))
+{
+    builder.Configuration.AddAzureKeyVault(
+        new Uri($"https://{keyVaultName}.vault.azure.net/"),
+        new DefaultAzureCredential());
+}
 
 builder.Services.AddOpenApi();
 
 var app = builder.Build();
 
-// Configure the HTTP request pipeline.
 if (app.Environment.IsDevelopment())
 {
     app.MapOpenApi();
diff --git a/UrlShortener.Api/UrlShortener.Api.csproj b/UrlShortener.Api/UrlShortener.Api.csproj
@@ -7,6 +7,8 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.3.2" />
+    <PackageReference Include="Azure.Identity" Version="1.13.1" />
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="9.0.0" />
   </ItemGroup>
 
diff --git a/infrastructure/main.bicep b/infrastructure/main.bicep
@@ -2,7 +2,7 @@ param location string = resourceGroup().location
 
 var uniqueId = uniqueString(resourceGroup().id)
 
-module keyVault './modules/secrets/keyvault.bicep' = {
+module keyVault 'modules/secrets/keyvault.bicep' = {
   name: 'keyVaultDeployment'
   params: {
     vaultName: 'kv-${uniqueId}'
@@ -13,8 +13,27 @@ module keyVault './modules/secrets/keyvault.bicep' = {
 module apiService 'modules/compute/appservice.bicep' = {
   name: 'apiDeployment'
   params: {
-    location: location
     appName: 'api-${uniqueId}'
-    appServiceplanName: 'plan-api-${uniqueId}'
+    appServicePlanName: 'plan-api-${uniqueId}'
+    location: location
+    keyVaultName: keyVault.outputs.name
+  }
+  dependsOn: [
+    keyVault
+  ]
+}
+
+module keyVaultRoleAssignment 'modules/secrets/key-role-assignment.bicep' = {
+  name: 'keyVaultRoleAssignmentDeployment'
+  params: {
+    keyVaultName: keyVault.outputs.name
+    principalIds: [
+      apiService.outputs.principalId
+      // Add more principal IDs as needed
+    ]
   }
+  dependsOn: [
+    keyVault
+    apiService
+  ]
 }
diff --git a/infrastructure/modules/compute/appservice.bicep b/infrastructure/modules/compute/appservice.bicep
@@ -1,20 +1,20 @@
 param location string = resourceGroup().location
-param appServiceplanName string
+param appServicePlanName string
 param appName string
+param keyVaultName string
 
 resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
-  name: appServiceplanName
-  location: location
   kind: 'linux'
-  sku: {
-    name: 'B1'
-  }
+  location: location
+  name: appServicePlanName
   properties: {
     reserved: true
   }
+  sku: {
+    name: 'B1'
+  }
 }
 
-
 resource webApp 'Microsoft.Web/sites@2023-12-01' = {
   name: appName
   location: location
@@ -23,17 +23,26 @@ resource webApp 'Microsoft.Web/sites@2023-12-01' = {
     httpsOnly: true
     siteConfig: {
       linuxFxVersion: 'DOTNETCORE|9.0'
+      appSettings: [
+        {
+          name: 'KeyVaultName'
+          value: keyVaultName
+        }
+      ]
     }
   }
+  identity: {
+    type: 'SystemAssigned'
+  }
 }
 
-
 resource webAppConfig 'Microsoft.Web/sites/config@2023-12-01' = {
   parent: webApp
   name: 'web'
   properties: {
- scmType: 'GitHub'
+    scmType: 'GitHub'
   }
 }
 
-output webAppId string = webApp.id
+output appServiceId string = webApp.id
+output principalId string = webApp.identity.principalId
diff --git a/infrastructure/modules/secrets/key-role-assignment.bicep b/infrastructure/modules/secrets/key-role-assignment.bicep
@@ -0,0 +1,20 @@
+param keyVaultName string
+param principalIds array
+param principalType string = 'ServicePrincipal'
+param roleDefinitionId string = '4633458b-17de-408a-b874-0445c86b69e6'
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: keyVaultName
+}
+
+resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for principalId in principalIds: {
+    name: guid(keyVault.id, principalId, roleDefinitionId)
+    scope: keyVault
+    properties: {
+      roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+      principalId: principalId
+      principalType: principalType
+    }
+  }
+]
diff --git a/infrastructure/modules/secrets/keyvault.bicep b/infrastructure/modules/secrets/keyvault.bicep
@@ -1,20 +1,18 @@
-  param location string = resourceGroup().location
-  param vaultName string
-  
-  resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
-    name: vaultName
-    location: location
-    properties: {
-      sku: {
-        family: 'A'
-        name: 'standard'
-      }
-      enableRbacAuthorization: true
-      tenantId: subscription().tenantId
-   
+param location string = resourceGroup().location
+param vaultName string
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
+  name: vaultName
+  location: location
+  properties: {
+    sku: {
+      name: 'standard'
+      family: 'A'
     }
+    enableRbacAuthorization: true
+    tenantId: subscription().tenantId
   }
-  
+}
 
-  output id string = keyVault.id
-  output name string = keyVault.name
+output id string = keyVault.id
+output name string = keyVault.name
