Wednesday 24 May 2023

Store Azure SignalR Connection String as a Secret in Azure Key Vault with Bicep IaC

We can create Azure SignalR and Azure Key Vault as resources using Bicep IaC (Infrastructure as Code). Setting up the SignalR connection string as a secret in Azure Key Vault via IaC matters, because applications can then use it by referring to the Key Vault secret. Let's look at the steps required to store the Azure SignalR connection string as a secret in Azure Key Vault with Bicep.

The first step is to create the SignalR service and output its resource Id and API version.

param signalrName string
param signalrSKUName string
param signalrSKUTier string
param location string

resource signalr 'Microsoft.SignalRService/signalR@2022-08-01-preview' = {
  name: signalrName
  location: location
  sku: {
    capacity: 1
    name: signalrSKUName //'Free_F1'
    tier: signalrSKUTier //'Free'
  }
  kind: 'SignalR'
  properties: {
    cors:{
      allowedOrigins:[
        '*'
      ]
    }
    disableAadAuth: false
    // Keep local (access key) auth enabled: the access-key connection string stored in Key Vault later in this post relies on it.
    disableLocalAuth: false
    features: [
      {
        flag: 'ServiceMode'
        value: 'Serverless'
        properties: {}
      }
      {
        flag: 'EnableConnectivityLogs'
        value: 'True'
        properties: {}
      }
      {
        flag: 'EnableMessagingLogs'
        value: 'False'
        properties: {}
      }
      {
        flag: 'EnableLiveTrace'
        value: 'False'
        properties: {}
      }
    ]
    networkACLs: {
      defaultAction: 'Deny'
      privateEndpoints: [
      ]
      publicNetwork: {
        allow: [
           'ServerConnection'
           'ClientConnection'
           'RESTAPI'
           'Trace' 
        ]
      }
    }
    publicNetworkAccess: 'Enabled'
    tls: {
      clientCertEnabled: false
    }
    upstream: {
      templates: [
      ]
    }
  }
}

output signalrId string = signalr.id
output signalrApiVersion string = signalr.apiVersion

Then we can take those outputs and pass them on to the Key Vault Bicep module. You can learn how to pass output parameters from one module to another in Bicep in the post "Passing Output Parameters from Bicep Modules". Make sure to set the SignalR module as a dependency of the Key Vault module so that the Key Vault is created after the SignalR service.

module keyvault 'keyvault.bicep' = {
  name: 'keyvault'
  scope: rg
  params: {
    keyvaultName: keyvaultName
    keyvaultSKUFamily: keyvaultSKUFamily
    keyvaultSKUName: keyvaultSKUName
    location: rgLocation
    accessPolicies: accessPolicies
    signalrId: signalr.outputs.signalrId
    signalrApiVersion: signalr.outputs.signalrApiVersion
  }
  dependsOn: [
    signalr
  ]
}

We can read the primary connection string of the SignalR service with the listKeys function, using the resource Id and API version passed in from the SignalR module:

listKeys(signalrId, signalrApiVersion).primaryConnectionString

The full code to create the Key Vault and the secret is as below.

param keyvaultName string
param tenantId string = subscription().tenantId
param keyvaultSKUName string
param keyvaultSKUFamily string
param location string = resourceGroup().location
param signalrId string
param signalrApiVersion string
// Access policies supplied by the calling module (the module call above passes accessPolicies).
param accessPolicies array = []

resource keyVault 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
  name: keyvaultName
  location: location
  properties: {
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    tenantId: tenantId
    accessPolicies: accessPolicies
    sku: {
      name: keyvaultSKUName //'standard'
      family: keyvaultSKUFamily //'A'
    }
  }
}

// Secret holding the SignalR primary connection string, created as a child of the vault.
resource SignalRConnectionString 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' = {
  parent: keyVault
  name: 'SignalRConnectionString'
  properties: {
    // listKeys is evaluated at deployment time against the SignalR resource Id and API version.
    value: listKeys(signalrId, signalrApiVersion).primaryConnectionString
  }
}

The SignalR connection string will be stored in Key Vault as a secret once the Bicep code is deployed.
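As an added example that is not from the original post, here is a parent main.bicep that wires the two modules together at subscription scope; the signalr.bicep file name, the rgName, rgLocation and appPrincipalId parameters and the resource group API version are assumptions, and the accessPolicies value grants the consuming identity only 'get' on secrets.

```bicep
// Added example, not from the original post: a parent main.bicep that deploys the
// resource group, then the signalr.bicep and keyvault.bicep modules shown above.
// signalr.bicep, rgName, rgLocation and appPrincipalId are assumed names.
targetScope = 'subscription'

param rgName string
param rgLocation string
param signalrName string
param keyvaultName string
param signalrSKUName string = 'Free_F1'
param signalrSKUTier string = 'Free'
param keyvaultSKUName string = 'standard'
param keyvaultSKUFamily string = 'A'
// Object id of the identity (e.g. the app's managed identity) that reads the secret.
param appPrincipalId string
// Least-privilege access policy: 'get' on secrets only, nothing on keys or certificates.
var accessPolicies = [
  {
    tenantId: subscription().tenantId
    objectId: appPrincipalId
    permissions: { secrets: ['get'] }
  }
]
resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: rgName
  location: rgLocation
}
module signalr 'signalr.bicep' = {
  name: 'signalr'
  scope: rg
  params: {
    signalrName: signalrName
    signalrSKUName: signalrSKUName
    signalrSKUTier: signalrSKUTier
    location: rgLocation
  }
}

module keyvault 'keyvault.bicep' = {
  name: 'keyvault'
  scope: rg
  params: {
    keyvaultName: keyvaultName
    keyvaultSKUFamily: keyvaultSKUFamily
    keyvaultSKUName: keyvaultSKUName
    location: rgLocation
    accessPolicies: accessPolicies
    signalrId: signalr.outputs.signalrId // consuming the outputs creates the dependency
    signalrApiVersion: signalr.outputs.signalrApiVersion
  }
}
```

Deploy it with `az deployment sub create --location <region> --template-file main.bicep` and supply the parameters; the keyvault.bicep shown above must declare an accessPolicies parameter for the value to be accepted.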
