Allow passing in an existing Key Vault instance #573

Open
wants to merge 2 commits into
base: dev
2 changes: 1 addition & 1 deletion docs/_includes/version.txt
@@ -1 +1 @@
0.2.1-rc.2
0.2.1-rc.3
5 changes: 4 additions & 1 deletion docs/changelog.md
Expand Up @@ -70,7 +70,10 @@ Legend:

> ➕ Added:
>
> 1. Started archiving template versions so they can be referenced easily via URL (microsoft.github.io/finops-toolkit/deploy/finops-hub-{version}.json).
> 1. Allow specifying an existing Key Vault instance.
> - If using template deployment, set the `existingKeyVaultId` parameter to the fully-qualified resource ID.
> - If using the `Deploy-FinOpsHub` PowerShell command, set the `-ExistingKeyVaultId` parameter to the fully-qualified resource ID.
> 2. Started archiving template versions so they can be referenced easily via URL (microsoft.github.io/finops-toolkit/deploy/finops-hub-{version}.json).
>
> 🛠️ Fixed:
>
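Review bot: the new "Allow specifying an existing Key Vault instance" entry should state what the deployment does to the vault the user supplies, because the template adds an access policy to it and writes the storage account key into it as a secret; anyone pointing the hub at a shared vault will want to know that before deploying, and the deploying identity needs permission to do both. Suggest a third sub-bullet such as `> - The hub adds an access policy and stores the storage account key as a secret in the specified vault.`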
2,138 changes: 2,138 additions & 0 deletions docs/deploy/finops-hub-0.2.1-rc.3.json
119 changes: 85 additions & 34 deletions docs/deploy/finops-hub-latest.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "6371350577264419703"
"templateHash": "9748975281421053488"
}
},
"parameters": {
Expand Down Expand Up @@ -33,6 +33,13 @@
"description": "Optional. Storage SKU to use. LRS = Lowest cost, ZRS = High availability. Note Standard SKUs are not available for Data Lake gen2 storage. Allowed: Premium_LRS, Premium_ZRS. Default: Premium_LRS."
}
},
"existingKeyVaultId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Optional. Resource ID of the existing Key Vault resource to use. If not specified, a new Key Vault instance will be created."
}
},
"tags": {
"type": "object",
"defaultValue": {},
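Review bot: the `existingKeyVaultId` description should say the value must be a fully-qualified resource ID (the changelog says so, the template metadata does not) and nothing validates it; further down the ID is split on `/` and segments 2 and 4 are indexed, so a bare vault name or a malformed ID fails during deployment with an unhelpful error. Suggest `Optional. Fully-qualified resource ID of the existing Key Vault to use (/subscriptions/{id}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{name}). If not specified, a new Key Vault instance will be created.`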
Expand Down Expand Up @@ -75,6 +82,9 @@
"storageSku": {
"value": "[parameters('storageSku')]"
},
"existingKeyVaultId": {
"value": "[parameters('existingKeyVaultId')]"
},
"tags": {
"value": "[parameters('tags')]"
},
Expand All @@ -92,7 +102,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "2610829918662778812"
"templateHash": "17411969862525330364"
}
},
"parameters": {
Expand Down Expand Up @@ -120,6 +130,13 @@
"description": "Optional. Storage SKU to use. LRS = Lowest cost, ZRS = High availability. Note Standard SKUs are not available for Data Lake gen2 storage. Allowed: Premium_LRS, Premium_ZRS. Default: Premium_LRS."
}
},
"existingKeyVaultId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Optional. Resource ID of the existing Key Vault resource to use. If not specified, a new Key Vault instance will be created."
}
},
"tags": {
"type": "object",
"defaultValue": {},
Expand Down Expand Up @@ -487,8 +504,8 @@
"convertToParquet": {
"value": "[parameters('convertToParquet')]"
},
"keyVaultName": {
"value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.name.value]"
"keyVaultId": {
"value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.resourceId.value]"
},
"storageAccountName": {
"value": "[reference(resourceId('Microsoft.Resources/deployments', 'storage'), '2022-09-01').outputs.name.value]"
Expand Down Expand Up @@ -516,20 +533,20 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "5738194981634133446"
"templateHash": "8197671316834274442"
}
},
"parameters": {
"dataFactoryName": {
"type": "string",
"metadata": {
"description": "Optional. Name of the hub. Used to ensure unique resource names. Default: \"finops-hub\"."
"description": "Required. Name of the hub. Used to ensure unique resource names."
}
},
"keyVaultName": {
"keyVaultId": {
"type": "string",
"metadata": {
"description": "Required. The name of the Azure Key Vault instance."
"description": "Optional. The resource ID of the Azure Key Vault instance."
}
},
"storageAccountName": {
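Review bot: `keyVaultId` is documented as `Optional.` but has no `defaultValue`, so the dataFactory module actually requires it (and the parent always passes it); change the text to `Required. The resource ID of the Azure Key Vault instance.` so it matches the `dataFactoryName` description fix in the same hunk.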
Expand Down Expand Up @@ -1123,7 +1140,7 @@
"parameters": {},
"type": "AzureKeyVault",
"typeProperties": {
"baseUrl": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2022-11-01').vaultUri]"
"baseUrl": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('keyVaultId'), '/')[2], split(parameters('keyVaultId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('keyVaultId'), '/'))), '2022-11-01').vaultUri]"
}
}
},
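Review bot: the new `baseUrl` expression rebuilds the vault scope from `split(parameters('keyVaultId'), '/')[2]` and `[4]`, which fails with an index error for an empty or non-ID value instead of a clear message, and it still reads the vault with api version `2022-11-01` while the rest of this PR moves the Key Vault resources to `2023-07-01`. Since `keyVaultId` is already a full resource ID, `reference(parameters('keyVaultId'), '2023-07-01').vaultUri` returns the same property without reconstructing the scope.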
Expand Down Expand Up @@ -1794,6 +1811,9 @@
"hubName": {
"value": "[parameters('hubName')]"
},
"existingKeyVaultName": {
"value": "[last(split(parameters('existingKeyVaultId'), '/'))]"
},
"uniqueSuffix": {
"value": "[variables('uniqueSuffix')]"
},
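Review bot: only `last(split(parameters('existingKeyVaultId'), '/'))` is passed to the keyVault module, so the subscription and resource group in the caller's ID are discarded; inside the module the vault is then addressed with `resourceId('Microsoft.KeyVault/vaults', ...)`, which resolves in the deployment's own resource group. A vault in another resource group is therefore looked up, and has its access policy and secret written, at the wrong path. Either pass the full ID through and scope the module resources accordingly, or document that the existing vault must live in the hub's resource group.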
Expand Down Expand Up @@ -1830,7 +1850,7 @@
"_generator": {
"name": "bicep",
"version": "0.24.24.22086",
"templateHash": "10770478197596540923"
"templateHash": "18385434849803379988"
}
},
"parameters": {
Expand All @@ -1846,6 +1866,12 @@
"description": "Required. Suffix to add to the KeyVault instance name to ensure uniqueness."
}
},
"existingKeyVaultName": {
"type": "string",
"metadata": {
"description": "Optional. Resource ID of the existing Key Vault resource to use. If not specified, a new Key Vault instance will be created."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
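Review bot: the `existingKeyVaultName` description was copied from the ID parameter and says `Resource ID of the existing Key Vault resource`, but this parameter receives only the vault name; reword it to `Optional. Name of the existing Key Vault instance to use. If not specified, a new Key Vault instance will be created.` It also has no `defaultValue`, so callers must always pass an empty string for the create-new-vault case; adding `"defaultValue": ""` would make the module usable on its own.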
Expand Down Expand Up @@ -1911,31 +1937,32 @@
},
"resources": [
{
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2022-11-01",
"name": "[variables('keyVaultName')]",
"location": "[parameters('location')]",
"tags": "[union(parameters('tags'), if(contains(parameters('tagsByResource'), 'Microsoft.KeyVault/vaults'), parameters('tagsByResource')['Microsoft.KeyVault/vaults'], createObject()))]",
"condition": "[and(not(empty(parameters('existingKeyVaultName'))), not(empty(parameters('accessPolicies'))))]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2023-07-01",
"name": "[format('{0}/{1}', if(empty(parameters('existingKeyVaultName')), 'placeholder', parameters('existingKeyVaultName')), 'add')]",
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 90,
"enableRbacAuthorization": false,
"createMode": "default",
"tenantId": "[subscription().tenantId]",
"accessPolicies": "[variables('formattedAccessPolicies')]",
"sku": {
"name": "[if(startsWith(parameters('location'), 'china'), 'standard', parameters('sku'))]",
"family": "A"
}
"accessPolicies": "[variables('formattedAccessPolicies')]"
}
},
{
"condition": "[not(empty(parameters('accessPolicies')))]",
"condition": "[not(empty(parameters('existingKeyVaultName')))]",
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2023-07-01",
"name": "[format('{0}/{1}', if(empty(parameters('existingKeyVaultName')), 'placeholder', parameters('existingKeyVaultName')), parameters('storageAccountName'))]",
"properties": {
"attributes": {
"enabled": true,
"exp": 1702648632,
"nbf": 10000
},
"value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2022-09-01').keys[0].value]"
}
},
{
"condition": "[and(empty(parameters('existingKeyVaultName')), not(empty(parameters('accessPolicies'))))]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2022-11-01",
"apiVersion": "2023-07-01",
"name": "[format('{0}/{1}', variables('keyVaultName'), 'add')]",
"properties": {
"accessPolicies": "[variables('formattedAccessPolicies')]"
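Review bot: the secret written to the existing vault (the `Microsoft.KeyVault/vaults/secrets` resource conditioned on `existingKeyVaultName`) carries hard-coded attributes `"exp": 1702648632` and `"nbf": 10000`; `exp` is a fixed Unix timestamp on 15 December 2023, so the storage key secret is expired or about to expire no matter when the hub is deployed, and `nbf` of 10000 is in 1970. These look like values left over from testing; drop the `attributes` block or derive the expiry from deployment time. Separately, the `accessPolicies` add on an existing vault assumes that vault uses the access policy permission model; a vault with `enableRbacAuthorization` set to true rejects access policy updates, so that case should be documented or checked before the resource runs.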
Expand All @@ -1945,8 +1972,9 @@
]
},
{
"condition": "[empty(parameters('existingKeyVaultName'))]",
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2022-11-01",
"apiVersion": "2023-07-01",
"name": "[format('{0}/{1}', variables('keyVaultName'), parameters('storageAccountName'))]",
"properties": {
"attributes": {
Expand All @@ -1959,6 +1987,29 @@
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
]
},
{
"condition": "[empty(parameters('existingKeyVaultName'))]",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2023-07-01",
"name": "[variables('keyVaultName')]",
"location": "[parameters('location')]",
"tags": "[union(parameters('tags'), if(contains(parameters('tagsByResource'), 'Microsoft.KeyVault/vaults'), parameters('tagsByResource')['Microsoft.KeyVault/vaults'], createObject()))]",
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 90,
"enableRbacAuthorization": false,
"createMode": "default",
"tenantId": "[subscription().tenantId]",
"accessPolicies": "[variables('formattedAccessPolicies')]",
"sku": {
"name": "[if(startsWith(parameters('location'), 'china'), 'standard', parameters('sku'))]",
"family": "A"
}
}
}
],
"outputs": {
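Review bot: moving the `Microsoft.KeyVault/vaults` resource to the end of the array makes this hunk read as a delete-and-recreate, which hides that the only functional changes to the vault are the new `"condition": "[empty(parameters('existingKeyVaultName'))]"` and the api version bump to `2023-07-01`. ARM orders resources by `dependsOn`, not by array position, so keeping the vault where it was would make the diff reviewable and avoid the appearance of a changed property set.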
Expand All @@ -1967,21 +2018,21 @@
"metadata": {
"description": "The resource ID of the key vault."
},
"value": "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
"value": "[if(empty(parameters('existingKeyVaultName')), resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), resourceId('Microsoft.KeyVault/vaults', if(empty(parameters('existingKeyVaultName')), 'placeholder', parameters('existingKeyVaultName'))))]"
},
"name": {
"type": "string",
"metadata": {
"description": "The name of the key vault."
},
"value": "[variables('keyVaultName')]"
"value": "[if(empty(parameters('existingKeyVaultName')), variables('keyVaultName'), if(empty(parameters('existingKeyVaultName')), 'placeholder', parameters('existingKeyVaultName')))]"
},
"uri": {
"type": "string",
"metadata": {
"description": "The URI of the key vault."
},
"value": "[reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), '2022-11-01').vaultUri]"
"value": "[if(empty(parameters('existingKeyVaultName')), reference(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), '2023-07-01').vaultUri, reference(resourceId('Microsoft.KeyVault/vaults', if(empty(parameters('existingKeyVaultName')), 'placeholder', parameters('existingKeyVaultName'))), '2023-07-01').vaultUri)]"
}
}
}
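Review bot: in all three outputs the inner `if(empty(parameters('existingKeyVaultName')), 'placeholder', parameters('existingKeyVaultName'))` sits in the branch that only runs when the name is non-empty, so it always yields the name and can be collapsed, e.g. for `name`: `"value": "[if(empty(parameters('existingKeyVaultName')), variables('keyVaultName'), parameters('existingKeyVaultName'))]"`. More importantly, the `resourceId` output is computed from the name alone, so for an existing vault it points into the deployment's resource group regardless of what the caller supplied, and the dataFactory module then builds the linked service `baseUrl` from that ID. Passing the caller's full `existingKeyVaultId` through to this output would remove the mismatch.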
15 changes: 8 additions & 7 deletions docs/finops-hub/template.md
Expand Up @@ -72,13 +72,14 @@ Please ensure the following prerequisites are met before deploying this template

## 📥 Parameters

| Parameter | Type | Description | Default value |
| ---------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| **hubName** | String | Optional. Name of the hub. Used to ensure unique resource names. | `"finops-hub"` |
| **location** | String | Optional. Azure location where all resources should be created. See https://aka.ms/azureregions. | (resource group location) |
| **storageSku** | String | Optional. Storage SKU to use. LRS = Lowest cost, ZRS = High availability. Note Standard SKUs are not available for Data Lake gen2 storage. Allowed: `Premium_LRS`, `Premium_ZRS`. | `Premium_LRS` |
| **tags** | Object | Optional. Tags to apply to all resources. We will also add the `cm-resource-parent` tag for improved cost roll-ups in Cost Management. |
| **exportScopes** | Array | Optional. List of scope IDs to create exports for. |
| Parameter | Type | Description | Default value |
| ---------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| **hubName** | String | Optional. Name of the hub. Used to ensure unique resource names. | `"finops-hub"` |
| **location** | String | Optional. Azure location where all resources should be created. See https://aka.ms/azureregions. | (resource group location) |
| **storageSku** | String | Optional. Storage SKU to use. LRS = Lowest cost, ZRS = High availability. Note Standard SKUs are not available for Data Lake gen2 storage. Allowed: `Premium_LRS`, `Premium_ZRS`. | `Premium_LRS` |
| **existingKeyVaultId** | String | Optional. Resource ID of the existing Key Vault resource to use. If not specified, a new Key Vault instance will be created. | |
| **tags** | Object | Optional. Tags to apply to all resources. We will also add the `cm-resource-parent` tag for improved cost roll-ups in Cost Management. | |
| **exportScopes** | Array | Optional. List of scope IDs to create exports for. | |

<br>

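Review bot: the `existingKeyVaultId` row should tell readers the format and the side effects: the value must be a fully-qualified resource ID (the changelog says this, the table does not), and the hub will add an access policy and a storage account key secret to that vault. Suggest extending the description with `Must be a fully-qualified resource ID. The hub adds an access policy and a secret to this vault.` and filling the default column with `(new vault created)` rather than leaving it blank.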
16 changes: 15 additions & 1 deletion docs/powershell/hubs/Deploy-FinOpsHub.md
Expand Up @@ -40,6 +40,7 @@ Deploy-FinOpsHub `
-Name <string> `
-ResourceGroup <string> `
-Location <string> `
[-KeyVaultId <string>] `
[-Version <string>] `
[-Preview] `
[-StorageSku <string>] `
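Review bot: `[-KeyVaultId <string>]` is listed before `[-Version <string>]` in the syntax block but after `-Version` in the parameter table that follows; order the two the same way so readers can match syntax to table.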
Expand All @@ -57,6 +58,7 @@ Deploy-FinOpsHub `
| `‑ResourceGroup` | Required. Name of the resource group to deploy to. Will be created if it doesn't exist. |
| `‑Location` | Required. Azure location to execute the deployment from. |
| `‑Version` | Optional. Version of the FinOps hub template to use. Default = "latest". |
| `‑KeyVaultId` | Optional. Resource ID of the existing Key Vault instance to use. If not specified, one will be created. |
| `‑Preview` | Optional. Indicates that preview releases should also be included. Default = false. |
| `‑StorageSku` | Optional. Storage account SKU. Premium_LRS = Lowest cost, Premium_ZRS = High availability. Note Standard SKUs are not available for Data Lake gen2 storage. Default = "Premium_LRS". |
| `‑Tags` | Optional. Tags for all resources. |
Expand Down Expand Up @@ -88,12 +90,24 @@ Deploy-FinOpsHub `

Deploys a new FinOps hub instance named MyHub to a new resource group named MyNewResourceGroup using version {% include version.txt %} of the template.

### Use existing Key Vault instance

```powershell
Deploy-FinOpsHub `
-Name MyHub `
-ResourceGroupName MyExistingResourceGroup `
-Location westus `
-KeyVaultId "/subscriptions/###/resourceGroups/###/providers/Microsoft.KeyVault/vaults/foo"
```

Deploys a new FinOps hub instance named MyHub using an existing Key Vault instance.

<br>

---

## 🧰 Related tools

{% include tools.md hubs="1" %}
{% include tools.md hubs="1" pbi="1" %}

<br>
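Review bot: the new example calls `-ResourceGroupName MyExistingResourceGroup`, but the syntax block and parameter table document the parameter as `-ResourceGroup`; use the documented name or the example will not run as written. The `{% include tools.md hubs="1" pbi="1" %}` change at the bottom of the file is unrelated to the Key Vault feature and should be mentioned in the PR description or split into its own change.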