forked from shibayan/keyvault-acmebot
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azuredeploy.bicep
203 lines (187 loc) · 6.03 KB
/
azuredeploy.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
@description('The name of the function app that you wish to create.')
@maxLength(14)
param appNamePrefix string
@description('The location of the function app that you wish to create.')
param location string = resourceGroup().location
@description('Email address for ACME account.')
param mailAddress string
@description('Certification authority ACME Endpoint.')
@allowed([
'https://acme-v02.api.letsencrypt.org/directory'
'https://api.buypass.com/acme/directory'
'https://acme.zerossl.com/v2/DV90/'
'https://dv.acme-v02.api.pki.goog/directory'
'https://acme.entrust.net/acme2/directory'
])
param acmeEndpoint string = 'https://acme-v02.api.letsencrypt.org/directory'
@description('If you choose true, create and configure a key vault at the same time.')
@allowed([
true
false
])
param createWithKeyVault bool = true
@description('Specifies whether the key vault is a standard vault or a premium vault.')
@allowed([
'standard'
'premium'
])
param keyVaultSkuName string = 'standard'
@description('Enter the base URL of an existing Key Vault. (ex. https://example.vault.azure.net)')
param keyVaultBaseUrl string = ''
@description('Specifies additional name/value pairs to be appended to the functionap app appsettings.')
param additionalAppSettings array = []
var functionAppName = 'func-${appNamePrefix}-${substring(uniqueString(resourceGroup().id, deployment().name), 0, 4)}'
var appServicePlanName = 'plan-${appNamePrefix}-${substring(uniqueString(resourceGroup().id, deployment().name), 0, 4)}'
var appInsightsName = 'appi-${appNamePrefix}-${substring(uniqueString(resourceGroup().id, deployment().name), 0, 4)}'
var workspaceName = 'log-${appNamePrefix}-${substring(uniqueString(resourceGroup().id, deployment().name), 0, 4)}'
var storageAccountName = 'st${uniqueString(resourceGroup().id, deployment().name)}func'
var keyVaultName = 'kv-${appNamePrefix}-${substring(uniqueString(resourceGroup().id, deployment().name), 0, 4)}'
var appInsightsEndpoints = {
AzureCloud: 'applicationinsights.azure.com'
AzureChinaCloud: 'applicationinsights.azure.cn'
AzureUSGovernment: 'applicationinsights.us'
}
var roleDefinitionId = resourceId('Microsoft.Authorization/roleDefinitions/', 'a4417e6f-fecd-4de8-b567-7b0420556985')
var acmebotAppSettings = [
{
name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
value: 'InstrumentationKey=${appInsights.properties.InstrumentationKey};EndpointSuffix=${appInsightsEndpoints[environment().name]}'
}
{
name: 'AzureWebJobsStorage'
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
{
name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccountName};AccountKey=${storageAccount.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
{
name: 'WEBSITE_CONTENTSHARE'
value: toLower(functionAppName)
}
{
name: 'WEBSITE_RUN_FROM_PACKAGE'
value: 'https://stacmebotprod.blob.core.windows.net/keyvault-acmebot/v4/latest.zip'
}
{
name: 'FUNCTIONS_EXTENSION_VERSION'
value: '~4'
}
{
name: 'FUNCTIONS_INPROC_NET8_ENABLED'
value: '1'
}
{
name: 'FUNCTIONS_WORKER_RUNTIME'
value: 'dotnet'
}
{
name: 'Acmebot:Contacts'
value: mailAddress
}
{
name: 'Acmebot:Endpoint'
value: acmeEndpoint
}
{
name: 'Acmebot:VaultBaseUrl'
value: (createWithKeyVault ? 'https://${keyVaultName}${environment().suffixes.keyvaultDns}' : keyVaultBaseUrl)
}
{
name: 'Acmebot:Environment'
value: environment().name
}
]
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: storageAccountName
location: location
kind: 'Storage'
sku: {
name: 'Standard_LRS'
}
properties: {
supportsHttpsTrafficOnly: true
allowBlobPublicAccess: false
minimumTlsVersion: 'TLS1_2'
}
}
resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {
name: appServicePlanName
location: location
sku: {
name: 'Y1'
tier: 'Dynamic'
}
properties: {}
}
resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
name: workspaceName
location: location
properties: {
sku: {
name: 'PerGB2018'
}
retentionInDays: 30
}
}
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
name: appInsightsName
location: location
kind: 'web'
tags: {
'hidden-link:${resourceGroup().id}/providers/Microsoft.Web/sites/${functionAppName}': 'Resource'
}
properties: {
Application_Type: 'web'
WorkspaceResourceId: workspace.id
}
}
resource functionApp 'Microsoft.Web/sites@2023-12-01' = {
name: functionAppName
location: location
kind: 'functionapp'
identity: {
type: 'SystemAssigned'
}
properties: {
clientAffinityEnabled: false
httpsOnly: true
serverFarmId: appServicePlan.id
siteConfig: {
appSettings: concat(acmebotAppSettings, additionalAppSettings)
netFrameworkVersion: 'v8.0'
ftpsState: 'Disabled'
minTlsVersion: '1.2'
scmMinTlsVersion: '1.2'
cors: {
allowedOrigins: ['https://portal.azure.com']
supportCredentials: false
}
}
}
}
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = if (createWithKeyVault) {
name: keyVaultName
location: location
properties: {
tenantId: subscription().tenantId
sku: {
family: 'A'
name: keyVaultSkuName
}
enableRbacAuthorization: true
}
}
resource keyVault_roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (createWithKeyVault) {
scope: keyVault
name: guid(keyVault.id, functionAppName, roleDefinitionId)
properties: {
roleDefinitionId: roleDefinitionId
principalId: functionApp.identity.principalId
principalType: 'ServicePrincipal'
}
}
output functionAppName string = functionApp.name
output principalId string = functionApp.identity.principalId
output tenantId string = functionApp.identity.tenantId
output keyVaultName string = createWithKeyVault ? keyVault.name : ''