Sunday 30 April 2023

Store Azure Service Bus Connection String as a Secret in Azure Key Vault with Bicep IaC

 We can create Azure Service Bus and Azure key vault as resources using Bicpe IaC (Infrastructure as Code). Setting up of Service Bus connection string as a Secret in Azure Key Vault via IaC is important, so that it can be used by applications by refering to key vault secret. Let's look at the steps required to store the Azure service bus connection string as a secret in Azure key vault with Bicep.

Fist step would be to create the Service Bus and output the service bus Id and the API Version.

param servicebusName string
param servicebusSkuName string // dev value 'Basic'
param servicebusTierName string // dev value 'Basic'
param servicebusCapacity int = 1
param location string = resourceGroup().location

resource servicebus 'Microsoft.ServiceBus/namespaces@2021-06-01-preview' = {
  name: servicebusName
  location:location
  sku: {
    capacity: servicebusCapacity
    name: servicebusSkuName
    tier: servicebusTierName
  }  
}

output servicebusId string = servicebus.id
output servicebusApiVersion string = servicebus.apiVersion

Then we can use the output variables and pass them on to the key vault Bicep module. You can learn how to pass output paramters from one module to another in bicep in the post "Passing Output Parameters from Bicep Modules". Make sure to set the serve bus as a dependency for the keyvault module to ensure key vault is created after the service bus.

module keyvault 'keyvault.bicep' = {
  name: 'keyvault'
  scope:rg
  
  params:{
    keyvaultName:keyvaultName
    keyvaultSKUFamily:keyvaultSKUFamily
    keyvaultSKUName:keyvaultSKUName
    location:rgLocation
    servicebusId:servicebus.outputs.servicebusId
    servicebusApiVersion:servicebus.outputs.servicebusApiVersion
  }

  dependsOn: [
    servicebus
  ]
}

In the key vault module we can refer to the service bus endpoint as shown below.

var serviceBusEndpoint = '${servicebusId}/AuthorizationRules/RootManageSharedAccessKey'

Then we can read the Primary Connection string of the service bus with listKeys function.

listKeys(serviceBusEndpoint, servicebusApiVersion).primaryConnectionString

The full code to create secret in key vault is as below.

param keyvaultName string
param tenantId string = subscription().tenantId
param keyvaultSKUName string
param keyvaultSKUFamily string
param location string = resourceGroup().location
param servicebusId string
param servicebusApiVersion string

resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
  name: keyvaultName
  location: location
  properties: {
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    tenantId: tenantId
    accessPolicies: []
    sku: {
      name: keyvaultSKUName //'standard'
      family: keyvaultSKUFamily //'A'
    }
  }
}

var serviceBusEndpoint = '${servicebusId}/AuthorizationRules/RootManageSharedAccessKey'
resource ServiceBusConnectionString 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  parent: keyVault
  name: 'ServiceBusConnectionString'
  properties: {
    value: listKeys(serviceBusEndpoint, servicebusApiVersion).primaryConnectionString
  }
}

The service bus connection string will be stored in key vault as a secret once the bicep code is executed.


No comments:

Popular Posts