We can create Azure Service Bus and Azure key vault as resources using Bicpe IaC (Infrastructure as Code). Setting up of Service Bus connection string as a Secret in Azure Key Vault via IaC is important, so that it can be used by applications by refering to key vault secret. Let's look at the steps required to store the Azure service bus connection string as a secret in Azure key vault with Bicep.
Fist step would be to create the Service Bus and output the service bus Id and the API Version.
param servicebusName string
param servicebusSkuName string // dev value 'Basic'
param servicebusTierName string // dev value 'Basic'
param servicebusCapacity int = 1
param location string = resourceGroup().location
resource servicebus 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' = {
name: servicebusName
location:location
sku: {
capacity: servicebusCapacity
name: servicebusSkuName
tier: servicebusTierName
}
}
output servicebusId string = servicebus.id
output servicebusApiVersion string = servicebus.apiVersion
Then we can use the output variables and pass them on to the key vault Bicep module. You can learn how to pass output paramters from one module to another in bicep in the post "Passing Output Parameters from Bicep Modules". Make sure to set the serve bus as a dependency for the keyvault module to ensure key vault is created after the service bus.
module keyvault 'keyvault.bicep' = {
name: 'keyvault'
scope:rg
params:{
keyvaultName:keyvaultName
keyvaultSKUFamily:keyvaultSKUFamily
keyvaultSKUName:keyvaultSKUName
location:rgLocation
servicebusId:servicebus.outputs.servicebusId
servicebusApiVersion:servicebus.outputs.servicebusApiVersion
}
dependsOn: [
servicebus
]
}
In the key vault module we can refer to the service bus endpoint as shown below.
var serviceBusEndpoint = '${servicebusId}/AuthorizationRules/RootManageSharedAccessKey'Then we can read the Primary Connection string of the service bus with listKeys function.
listKeys(serviceBusEndpoint, servicebusApiVersion).primaryConnectionString
The full code to create secret in key vault is as below.
param keyvaultName string
param tenantId string = subscription().tenantId
param keyvaultSKUName string
param keyvaultSKUFamily string
param location string = resourceGroup().location
param servicebusId string
param servicebusApiVersion string
resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
name: keyvaultName
location: location
properties: {
enabledForDeployment: true
enabledForTemplateDeployment: true
enabledForDiskEncryption: true
tenantId: tenantId
accessPolicies: []
sku: {
name: keyvaultSKUName //'standard'
family: keyvaultSKUFamily //'A'
}
}
}
var serviceBusEndpoint = '${servicebusId}/AuthorizationRules/RootManageSharedAccessKey'
resource ServiceBusConnectionString 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
parent: keyVault
name: 'ServiceBusConnectionString'
properties: {
value: listKeys(serviceBusEndpoint, servicebusApiVersion).primaryConnectionString
}
}
The service bus connection string will be stored in key vault as a secret once the bicep code is executed.
No comments:
Post a Comment