0

I have a bicep template that creates 2 webApps and a KeyVault. Each WebApp is created with a managedID which I need to add to Keyvault so the webapp can pull in the secrets.

But when creating 2 webapps, I can't work out how to assign both ManagedIDs to KeyVault.

The bicep template is using modules

  name: 'ciKeyVault'
  params: {
    keyVaultName: keyVaultName
    aclBypass: keyVaultSettings.aclBypass
    aclDefaultAction: keyVaultSettings.aclDefaultAction
    enabledForDeployment: keyVaultSettings.enabledForDeployment
    enabledForDiskEncryption: keyVaultSettings.enabledForDiskEncryption
    enabledForTemplateDeployment: keyVaultSettings.enabledForTemplateDeployment
    keyPermissions: keyVaultSettings.keyPermissions
    keyVaultSettings: keyVaultSettings
    secretsPermissions: keyVaultSettings.secretsPermissions
    skuFamily: keyVaultSettings.skuFamily
    skuName: keyVaultSettings.skuName
    tenantId: subscription().tenantId
    objectId: 'b71e61c4-7cff-41d0-8370-a7d9c01dde84'
  }
}

and the objectId needs to be retrieved from the AppService Deployment. using this module:

module AppService '../../../Modules/Azure.App.Service.template.bicep' = [for i in range(0, length(webAppSettings.webApps)): { 
  name: webAppSettings.webApps[i].Name
  dependsOn: [
    frontEndAppServicePlan
  ]
  params: {
    webAppName: webAppSettings.webApps[i].appServiceType == 'functionApp' ? toLower('fnc-${webAppSettings.webApps[i].name}-${resourceGroupNameSuffix}') : toLower('web-${webAppSettings.webApps[i].name}-${resourceGroupNameSuffix}')
    hostingPlan:  frontEndAppServicePlan.outputs.hostingPlanId
    virtualNetworkResourceGroup: virtualNetworkResourceGroup
    environmentName:environmentName
    webAppSettings:webAppSettings
    appServiceType: webAppSettings.webApps[i].appServiceType
    LinuxFX:webAppSettings.webApps[i].LinuxFX
    appSettings:webAppSettings.webapps[i].appSettings
  }
}]

Its fine when its a single appService cause I can reference the ID using output usid string = AppServices.identity.principalId

but when I have 2 appServices I can't work out how to pass in both IDs

Any ideas?

Cheers

Thomas
  • 24,234
  • 6
  • 81
  • 125
  • so first you create the webapp with system assigned identity then you want to create access policy in kv for the managed identities ? ā€“ Thomas Oct 14 '21 at 22:48
  • Hi Thomas, yes that is what Iā€™m trying to do. Any ideas how? ā€“  Oct 15 '21 at 05:48
  • I don't know bicep but let me try to understand: the objectid at the bottom of the first snippet refers to a webapp? What confuses me that there's no context to this setting: it seems that there would be an array and/or multiple places to add access policies for multiple web apps. What is actually executing these params? ā€“ Matt Small Oct 15 '21 at 17:17

1 Answers1

0

Let's say you have a module Azure.App.Service.template.bicep that looks like that:

param webAppName string
...

// Create the web app
resource webApp 'Microsoft.Web/sites@2020-09-01' = {
  name: webAppName
  location: resourceGroup().location
  identity: {
    type: 'SystemAssigned'
  }
  ...
}

output usid string = webApp.identity.principalId

In the parent template you can create an array of module to create your webapps (the same way you are doing it) and then create an access policies resource to grant access to key vault to all the web apps.

...
// Create the app services
module AppServices '../../../Modules/Azure.App.Service.template.bicep' = [for webApp in webAppSettings.webApps: {
  name: webApp.Name
  params: {
    webAppName: webApp.Name
    ...
  }
}]

resource keyVault 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' existing = {
  name: keyVaultName
}

// Granting the app services access ot key vault
resource appServicesKeyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: 'add'
  parent: keyVault
  properties: {
    accessPolicies: [for i in range(0, length(webAppSettings.webApps)): {
      tenantId: subscription().tenantId
      objectId: AppServices[i].outputs.usid
      permissions: {
        secrets: keyVaultSettings.secretsPermissions
        keys: keyVaultSettings.keyPermissions
      }
    }]
  }
}
Thomas
  • 24,234
  • 6
  • 81
  • 125