We can create Azure SignalR and Azure key vault as resources using Bicpe IaC (Infrastructure as Code). Setting up of SignalR connection string as a Secret in Azure Key Vault via IaC is important, so that it can be used by applications by refering to key vault secret. Let's look at the steps required to store the Azure SignalR connection string as a secret in Azure key vault with Bicep.
Fist step would be to create the SignalR and output the SignalR Id and the API Version.
param signalrName string param signalrSKUName string param signalrSKUTier string param location string resource signalr 'Microsoft.SignalRService/signalR@2022-08-01-preview' = { name: signalrName location: location sku: { capacity: 1 name: signalrSKUName //'Free_F1' tier: signalrSKUTier //'Free' } kind: 'SignalR' properties: { cors:{ allowedOrigins:[ '*' ] } disableAadAuth: false disableLocalAuth: false features: [ { flag: 'ServiceMode' value: 'Serverless' properties: {} } { flag: 'EnableConnectivityLogs' value: 'True' properties: {} } { flag: 'EnableMessagingLogs' value: 'False' properties: {} } { flag: 'EnableLiveTrace' value: 'False' properties: {} } ] networkACLs: { defaultAction: 'Deny' privateEndpoints: [ ] publicNetwork: { allow: [ 'ServerConnection' 'ClientConnection' 'RESTAPI' 'Trace' ] } } publicNetworkAccess: 'Enabled' tls: { clientCertEnabled: false } upstream: { templates: [ ] } } } output signalrId string = signalr.id output signalrApiVersion string = signalr.apiVersion
Then we can use the output variables and pass them on to the key vault Bicep module. You can learn how to pass output paramters from one module to another in bicep in the post "Passing Output Parameters from Bicep Modules". Make sure to set the SignalR as a dependency for the keyvault module to ensure key vault is created after the SignalR service.
module keyvault 'keyvault.bicep' = { name: 'keyvault' scope:rg params:{ keyvaultName:keyvaultName keyvaultSKUFamily:keyvaultSKUFamily keyvaultSKUName:keyvaultSKUName location:rgLocation accessPolicies:accessPolicies signalrId:signalr.outputs.signalrId signalrApiVersion:signalr.outputs.signalrApiVersion } dependsOn: [ signalr ] }
We can read the Primary Connection string of the SignalR service with listKeys function.
listKeys(signalrId, signalrApiVersion).primaryConnectionStringThe full code to create secret in key vault is as below.
param keyvaultName string param tenantId string = subscription().tenantId param keyvaultSKUName string param keyvaultSKUFamily string param location string = resourceGroup().location param signalrId string param signalrApiVersion string resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = { name: keyvaultName location: location properties: { enabledForDeployment: true enabledForTemplateDeployment: true enabledForDiskEncryption: true tenantId: tenantId accessPolicies: [] sku: { name: keyvaultSKUName //'standard' family: keyvaultSKUFamily //'A' } } } resource SignalRConnectionString 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = { parent: keyVault name: 'SignalRConnectionString' properties: { value: listKeys(signalrId, signalrApiVersion).primaryConnectionString } }
The SignalR connection string will be stored in key vault as a secret once the bicep code is executed.
No comments:
Post a Comment