Merge pull request #6 from workcontrolgit/develop

Add Azure Key Vault to Bicep infrastructure with managed identity access

Author: workcontrolgit

infra/main.bicep

@@ -52,6 +52,9 @@ param sqlAdminLogin string
 @secure()
 param sqlAdminPassword string
 
+@description('Name of the Azure Key Vault')
+param keyVaultName string
+
 // ─── App Service Plan ─────────────────────────────────────────────────────────
 module appServicePlan 'modules/appServicePlan.bicep' = {
   name: 'appServicePlan'
@@ -112,9 +115,24 @@ module sqlServer 'modules/sqlServer.bicep' = {
   }
 }
 
+// ─── Key Vault ────────────────────────────────────────────────────────────────
+module keyVault 'modules/keyVault.bicep' = {
+  name: 'keyVault'
+  params: {
+    keyVaultName: keyVaultName
+    location: location
+    readerPrincipalIds: [
+      apiApp.outputs.principalId
+      identityApp.outputs.principalId
+      identityAdminApp.outputs.principalId
+    ]
+  }
+}
+
 // ─── Outputs (used by deployment workflows and post-deployment config) ─────────
 output apiAppUrl string = apiApp.outputs.url
 output identityAppUrl string = identityApp.outputs.url
 output identityAdminAppUrl string = identityAdminApp.outputs.url
 output angularAppUrl string = angularSwa.outputs.url
 output sqlServerFqdn string = sqlServer.outputs.sqlServerFqdn
+output keyVaultUri string = keyVault.outputs.uri

infra/modules/keyVault.bicep

@@ -0,0 +1,45 @@
+@description('Name of the Key Vault')
+param keyVaultName string
+
+@description('Azure region for the Key Vault')
+param location string
+
+@description('Principal IDs of managed identities to grant secret read access')
+param readerPrincipalIds array = []
+
+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
+  name: keyVaultName
+  location: location
+  properties: {
+    sku: {
+      family: 'A'
+      name: 'standard'
+    }
+    tenantId: subscription().tenantId
+    enableRbacAuthorization: true
+    enableSoftDelete: true
+    softDeleteRetentionInDays: 7
+    enabledForDeployment: false
+    enabledForTemplateDeployment: false
+    enabledForDiskEncryption: false
+  }
+}
+
+// Grant each managed identity the Key Vault Secrets User role (read secrets)
+@batchSize(1)
+resource secretsUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (principalId, i) in readerPrincipalIds: {
+  // Role assignment scope must be the vault resource
+  scope: keyVault
+  // Deterministic GUID: vaultId + principalId
+  name: guid(keyVault.id, principalId, '4633458b-17de-408a-b874-0445c86b69e6')
+  properties: {
+    // Key Vault Secrets User built-in role
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}]
+
+output id string = keyVault.id
+output name string = keyVault.name
+output uri string = keyVault.properties.vaultUri

infra/modules/webApp.bicep

@@ -1,7 +1,7 @@
 @description('Name of the Web App')
 param webAppName string
 
-@description('Azure region for all resources')
+@description('Azure region for the Web App')
 param location string
 
 @description('Resource ID of the App Service Plan')
@@ -10,6 +10,9 @@ param appServicePlanId string
 resource webApp 'Microsoft.Web/sites@2023-01-01' = {
   name: webAppName
   location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
   properties: {
     serverFarmId: appServicePlanId
     httpsOnly: true
@@ -25,3 +28,4 @@ resource webApp 'Microsoft.Web/sites@2023-01-01' = {
 output id string = webApp.id
 output defaultHostName string = webApp.properties.defaultHostName
 output url string = 'https://${webApp.properties.defaultHostName}'
+output principalId string = webApp.identity.principalId

infra/parameters/dev.bicepparam

@@ -16,6 +16,8 @@ param sqlServerName      = 'sql-talent-dev'
 param apiDbName          = 'sqldb-talent-api-dev'
 param identityDbName     = 'sqldb-talent-ids-dev'
 
+param keyVaultName       = 'kv-talent-dev'
+
 // SQL admin credentials
 param sqlAdminLogin      = 'sqladmin'
 param sqlAdminPassword   = readEnvironmentVariable('SQL_ADMIN_PASSWORD')