JCore-Add CMK option for Storage / ZT #717

Open. Wants to merge 41 commits into base: main.

Commits (41):
a153a1d
initial CMK setup for zt storage
JCoreMS Nov 11, 2024
57a6af1
add baselineStorageResourceGroup dependency to key vault module
JCoreMS Nov 11, 2024
ee21491
update key vault name format in baseline deployment
JCoreMS Nov 11, 2024
fa5088c
add rotation policy for key vault keys with expiry and notification a…
JCoreMS Nov 11, 2024
b4ef84e
add principalType to role assignments for key vault keys
JCoreMS Nov 11, 2024
22be400
add principalType to role assignments for key vault keys
JCoreMS Nov 11, 2024
d3037c5
add rotation policy with expiry and notification actions for key vaul…
JCoreMS Nov 11, 2024
85f2713
update principalId references to use managedIdentityStorageResourceId…
JCoreMS Nov 11, 2024
31b0ef6
update principalId references to use managedIdentityStorageClientId f…
JCoreMS Nov 11, 2024
9cbfeff
update principalId references to use managedIdentityStorageClientId f…
JCoreMS Nov 11, 2024
3309a4d
force update
JCoreMS Nov 11, 2024
40b2327
update principalId references to use managedIdentityStoragePrincipalI…
JCoreMS Nov 12, 2024
ffcfdc9
add managedIdentityStorageResourceId parameter for storage account in…
JCoreMS Nov 12, 2024
07c052f
update principalType to 'ServicePrincipal' in role assignments and up…
JCoreMS Nov 12, 2024
3cafc1b
update key vault module to include role assignments for managed ident…
JCoreMS Nov 12, 2024
90866b0
update key vault module to format storage key names from str acct nam…
JCoreMS Nov 12, 2024
e569432
update key vault module to change default name for zero trust disk en…
JCoreMS Nov 12, 2024
35ea359
update key vault module to include key type and size for MSIX deploym…
JCoreMS Nov 12, 2024
ec960c9
update key vault module to centralize key rotation policy and simplif…
JCoreMS Nov 12, 2024
9be465d
update storage modules to rename userAssignedIdentity to userAssigned…
JCoreMS Nov 12, 2024
ded4943
update storage module to add managed identities support and update te…
JCoreMS Nov 12, 2024
0228efe
ZT Storage CMK now implemented after storage acct created - initial
JCoreMS Nov 14, 2024
677d6ac
update storage module to rename FSLogix CMK resources to resolve dupl…
JCoreMS Nov 14, 2024
feaa5a8
update storage module to add managed identity support for storage acc…
JCoreMS Nov 14, 2024
6a84db5
update storage module to modify template hashes and enhance key vault…
JCoreMS Nov 14, 2024
08fd3ca
update storage module to modify template hashes and enhance key vault…
JCoreMS Nov 14, 2024
9f84045
update storage module to modify template hashes and add user-assigned…
JCoreMS Nov 14, 2024
c0fd75e
update baseline UI to include opt for zt on storage, update condition…
JCoreMS Nov 15, 2024
06ebaa6
update baseline UI to rename zero trust disk configuration to zero tr…
JCoreMS Nov 15, 2024
96d597e
update storage module to use AVM
JCoreMS Nov 15, 2024
402cf05
remove identity dependency from storage key vault module
JCoreMS Nov 15, 2024
7599b99
remove unnecessary dependencies from baseline deployment configuration
JCoreMS Nov 15, 2024
4becf64
add dependencies for key vault module in baseline deployment
JCoreMS Nov 15, 2024
1cf82e0
update condition for storage key vault module to use storageZeroTrust…
JCoreMS Nov 15, 2024
283e78d
refactor: update storage key vault prefix parameters and validation m…
JCoreMS Nov 15, 2024
189df5c
refactor: update parameters and variable names for storage CMK config…
JCoreMS Dec 3, 2024
2bf1b13
refactor: clean up unused parameters and comments in storage CMK conf…
JCoreMS Dec 3, 2024
7903717
Merge branch 'main' into JCore-Accelerator-StgAddCMK-Nov2024
JCoreMS Dec 3, 2024
c23af65
refactor: rename storage key vault prefix variable for consistency in…
JCoreMS Dec 3, 2024
a88aa20
Merge branch 'JCore-Accelerator-StgAddCMK-Nov2024' of https://github.…
JCoreMS Dec 3, 2024
7d29c6d
Update deploy-baseline.json
danycontre Dec 19, 2024
76,408 changes: 38,203 additions & 38,205 deletions workload/arm/deploy-baseline.json

Large diffs are not rendered by default.

165 changes: 163 additions & 2 deletions workload/bicep/deploy-baseline.bicep
Expand Up @@ -185,6 +185,9 @@ param avdVnetPrivateDnsZoneKeyvaultId string = ''
@sys.description('Does the hub contains a virtual network gateway. (Default: false)')
param vNetworkGatewayOnHub bool = false

@sys.description('This option will configure the Storage Account(s) to utilize Customer Managed Keys and include an additional Key Vault deployment. (Default: false)')
param storageZeroTrust bool = false

@sys.description('Deploy Fslogix setup. (Default: true)')
param createAvdFslogixDeployment bool = true

Expand Down Expand Up @@ -420,6 +423,10 @@ param msixFileShareCustomName string = 'msix-app1-dev-use2-001'
//@sys.description('AVD fslogix storage account office container file share prefix custom name. (Default: fslogix-oc-app1-dev-001)')
//param avdFslogixOfficeContainerFileShareCustomName string = 'fslogix-oc-app1-dev-001'

@maxLength(6)
@sys.description('AVD keyvault prefix custom name (with Zero Trust to store keys for FSLogix and AppAttach Storage / CMK option). (Default: kv-st)')
param ztKvStPrefixCustomName string = 'kv-st'

@maxLength(6)
@sys.description('AVD keyvault prefix custom name (with Zero Trust to store credentials to domain join and local admin). (Default: kv-sec)')
param avdWrklKvPrefixCustomName string = 'kv-sec'
Expand All @@ -433,8 +440,8 @@ param ztDiskEncryptionSetCustomNamePrefix string = 'des-zt'
param ztManagedIdentityCustomName string = 'id-zt'

@maxLength(6)
@sys.description('AVD key vault custom name for zero trust and store store disk encryption key (Default: kv-key)')
param ztKvPrefixCustomName string = 'kv-key'
@sys.description('AVD key vault custom name for zero trust and store disk encryption keys for VMs (Default: kv-vms)')
param ztKvPrefixCustomName string = 'kv-vms'

//
// Resource tagging
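Review bot: the default for ztKvPrefixCustomName changes from 'kv-key' to 'kv-vms'; anyone redeploying with avdUseCustomNaming and the default prefix gets a differently named disk-encryption vault on the next run, so this needs to be called out as a breaking change in the PR description (or keep 'kv-key' and update only the description). The new description also reads better as 'AVD key vault custom name prefix for zero trust, storing disk encryption keys for VMs'.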
Expand Down Expand Up @@ -607,6 +614,13 @@ var varPrivateEndPointWorkspaceName = 'pe-${varWorkSpaceName}-global'
var varScalingPlanExclusionTag = 'exclude-${varScalingPlanName}'
var varScalingPlanWeekdaysScheduleName = 'Weekdays-${varManagementPlaneNamingStandard}'
var varScalingPlanWeekendScheduleName = 'Weekend-${varManagementPlaneNamingStandard}'
var varStrgKvName = avdUseCustomNaming
? '${ztKvStPrefixCustomName}-${varComputeStorageResourcesNamingStandard}-${varNamingUniqueStringTwoChar}'
: 'kv-str-${varComputeStorageResourcesNamingStandard}-${varNamingUniqueStringTwoChar}' // max length limit 24 characters
var varStrgKvPrivateEndpointName = 'pe-${varStrgKvName}-vault'
var varStrgKeyVaultSku = (varAzureCloudName == 'AzureCloud' || varAzureCloudName == 'AzureUSGovernment')
? 'premium'
: (varAzureCloudName == 'AzureChinaCloud' ? 'standard' : null)
var varWrklKvName = avdUseCustomNaming
? '${avdWrklKvPrefixCustomName}-${varComputeStorageResourcesNamingStandard}-${varNamingUniqueStringTwoChar}'
: 'kv-sec-${varComputeStorageResourcesNamingStandard}-${varNamingUniqueStringTwoChar}' // max length limit 24 characters
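Review bot: the non-custom naming path in varStrgKvName uses the prefix 'kv-str' while ztKvStPrefixCustomName documents 'kv-st' as its default; pick one so the default and custom cases produce the same name shape. varStrgKeyVaultSku evaluates to null for any cloud other than AzureCloud, AzureUSGovernment and AzureChinaCloud, which passes sku: null to the key-vault module; fall back to 'standard' instead of null.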
Expand Down Expand Up @@ -971,6 +985,9 @@ var varAvdDefaultTags = {
ServiceWorkload: 'AVD'
CreationTimeUTC: time
}
var varStorageKeyvaultTag = {
Purpose: 'Customer Managed Keys for FSLogix and MSIX storage accounts'
}
var varWorkloadKeyvaultTag = {
Purpose: 'Secrets for local admin and domain join credentials'
}
Expand Down Expand Up @@ -999,6 +1016,29 @@ var verResourceGroups = [
: union(varAvdDefaultTags, varAllComputeStorageTags)
}
]
var varZtStorageKeyRotation = {
attributes: {
expiryTime: 'P1Y'
}
lifetimeActions: [
{
action: {
type: 'Rotate'
}
trigger: {
timeBeforeExpiry: 'P1M'
}
}
{
action: {
type: 'Notify'
}
trigger: {
timeBeforeExpiry: 'P1M'
}
}
]
}

// =========== //
// Deployments //
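Review bot: the Notify action in varZtStorageKeyRotation fires at the same timeBeforeExpiry (P1M) as the Rotate action, so the notification gives no lead time before the key is rotated; either move Notify earlier (for example P2M) or drop it. A comment on the variable should also state that automatic rotation only takes effect when the storage account references the key without a pinned version, which is what the keyversion: '' in the storage CMK module added later in this PR is for.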
Expand Down Expand Up @@ -1376,6 +1416,82 @@ module managementVm './modules/storageAzureFiles/.bicep/managementVm.bicep' = if
wrklKeyVault
]
}
// Key vault for Storage Account(s) with key for each, 1y expiry and rotation policy for FSLogix and MSIX (CMK)
module strgKeyVault '../../avm/1.0.0/res/key-vault/vault/main.bicep' = if ((varCreateStorageDeployment) && (storageZeroTrust)) {
scope: resourceGroup('${avdWorkloadSubsId}', '${varStorageObjectsRgName}')
name: 'Storage-KeyVault-${time}'
params: {
name: varStrgKvName
location: avdSessionHostLocation
enableRbacAuthorization: true
enablePurgeProtection: enableKvPurgeProtection
roleAssignments: [
{
principalId: identity.outputs.managedIdentityStoragePrincipalId
principalType: 'ServicePrincipal'
roleDefinitionIdOrName: 'Key Vault Crypto Service Encryption User'
}
]
keys: varCreateMsixDeployment ? [
{
name: 'key-${varMsixStorageName}'
kty: 'RSA'
keySize: 2048
rotationPolicy: varZtStorageKeyRotation
}
{
name: 'key-${varFslogixStorageName}'
kty: 'RSA'
keySize: 2048
rotationPolicy: varZtStorageKeyRotation
}
]:[
{
name: 'key-${varFslogixStorageName}'
kty: 'RSA'
keySize: 2048
rotationPolicy: varZtStorageKeyRotation
}
]
sku: varStrgKeyVaultSku
softDeleteRetentionInDays: 7
publicNetworkAccess: deployPrivateEndpointKeyvaultStorage ? 'Disabled' : 'Enabled'
networkAcls: deployPrivateEndpointKeyvaultStorage
? {
bypass: 'AzureServices'
defaultAction: 'Deny'
virtualNetworkRules: []
ipRules: []
}
: {}
privateEndpoints: deployPrivateEndpointKeyvaultStorage? [
{
name: varStrgKvPrivateEndpointName
subnetResourceId: createAvdVnet
? '${networking.outputs.virtualNetworkResourceId}/subnets/${varVnetPrivateEndpointSubnetName}'
: existingVnetPrivateEndpointSubnetResourceId
customNetworkInterfaceName: 'nic-01-${varStrgKvPrivateEndpointName}'
service: 'vault'
privateDnsZoneGroupName: createPrivateDnsZones ? split(networking.outputs.keyVaultDnsZoneResourceId, '/')[8] : split(avdVnetPrivateDnsZoneKeyvaultId, '/')[8]
privateDnsZoneResourceIds: [
createPrivateDnsZones ? networking.outputs.keyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId
]
}
]
: []
tags: createResourceTags
? union(varCustomResourceTags, varAvdDefaultTags, varStorageKeyvaultTag)
: union(varAvdDefaultTags, varStorageKeyvaultTag)
}
dependsOn: [
identity
networking
managementVm
baselineResourceGroups
monitoringDiagnosticSettings
]
}


// FSLogix storage
module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (createAvdFslogixDeployment) {
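Review bot: enablePurgeProtection: enableKvPurgeProtection lets this vault deploy with purge protection off, but Azure Storage refuses to use a customer-managed key from a vault without soft delete and purge protection, so the fslogixCmk and msixCmk deployments would fail late; hard-code enablePurgeProtection: true here (or validate the parameter) and raise softDeleteRetentionInDays above the 7-day minimum, since losing these keys makes the FSLogix and MSIX shares unreadable. The keys ternary repeats the FSLogix key object in both branches and creates it even when createAvdFslogixDeployment is false; build the list with concat() over two conditional arrays instead. The explicit dependsOn entries for identity and networking are redundant because their outputs are already referenced in params.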
Expand Down Expand Up @@ -1426,6 +1542,7 @@ module fslogixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if
wrklKeyVault
managementVm
monitoringDiagnosticSettings
strgKeyVault
]
}

Expand Down Expand Up @@ -1479,6 +1596,50 @@ module msixAzureFilesStorage './modules/storageAzureFiles/deploy.bicep' = if (va
wrklKeyVault
managementVm
monitoringDiagnosticSettings
strgKeyVault
]
}

// Coniguring CMK after storage deployment ensures key rotation is automatic
// https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?tabs=azure-portal#configure-encryption-for-automatic-updating-of-key-versions

// Storage Zero Trust / Configure CMK - FSLogix
module fslogixCmk './modules/zeroTrust/.bicep/storageCmkConfig.bicep' = if (storageZeroTrust && createAvdFslogixDeployment) {
name: 'FSLogixStorage-CMK-${time}'
scope: resourceGroup('${avdWorkloadSubsId}', '${varStorageObjectsRgName}')
params: {
storageAccountName: varFslogixStorageName
location: avdSessionHostLocation
managedIdentityStorageResourceId: identity.outputs.managedIdentityStorageResourceId
keyVaultUri: strgKeyVault.outputs.uri
storageSkuName: varFslogixStorageSku
}
dependsOn: [
baselineResourceGroups
baselineStorageResourceGroup
identity
fslogixAzureFilesStorage
strgKeyVault
]
}

// Storage Zero Trust / Configure CMK - MSIX
module msixCmk './modules/zeroTrust/.bicep/storageCmkConfig.bicep' = if (storageZeroTrust && varCreateMsixDeployment) {
name: 'MSIXStorage-CMK-${time}'
scope: resourceGroup('${avdWorkloadSubsId}', '${varStorageObjectsRgName}')
params: {
storageAccountName: varMsixStorageName
location: avdSessionHostLocation
managedIdentityStorageResourceId: identity.outputs.managedIdentityStorageResourceId
keyVaultUri: strgKeyVault.outputs.uri
storageSkuName: varMsixStorageSku
}
dependsOn: [
baselineResourceGroups
baselineStorageResourceGroup
identity
msixAzureFilesStorage
strgKeyVault
]
}

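Review bot: both new modules reference './modules/zeroTrust/.bicep/storageCmkConfig.bicep' while the file added in this PR is StorageCmkConfig.bicep (capital S); this resolves on Windows but fails on case-sensitive file systems such as Linux build agents, so align the file name and the module reference. Also 'Coniguring' in the comment should be 'Configuring'.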
1 change: 1 addition & 0 deletions workload/bicep/modules/identity/deploy.bicep
Expand Up @@ -187,3 +187,4 @@ module aadIdentityLoginAccessServiceObjects '../../../../avm/1.0.0/ptn/authoriza
// =========== //
output managedIdentityStorageResourceId string = (createStorageDeployment) ? managedIdentityStorage.outputs.resourceId : ''
output managedIdentityStorageClientId string = (createStorageDeployment) ? managedIdentityStorage.outputs.clientId : ''
output managedIdentityStoragePrincipalId string = (createStorageDeployment) ? managedIdentityStorage.outputs.principalId : ''
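Review bot: exposing principalId here is the right output for the role assignment in deploy-baseline.bicep; RBAC role assignments need the identity's object id rather than the clientId or resourceId that earlier commits on this branch tried.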
3 changes: 2 additions & 1 deletion workload/bicep/modules/storageAzureFiles/deploy.bicep
Expand Up @@ -114,9 +114,10 @@ var varStorageToDomainScriptArgs = '-DscPath ${dscAgentPackageLocation} -Storage
var varDiagnosticSettings = !empty(alaWorkspaceResourceId) ? [
{
workspaceResourceId: alaWorkspaceResourceId
logCategoriesAndGroups: []
logCategoriesAndGroups: []
}
]: []

// =========== //
// Deployments //
// =========== //
66 changes: 66 additions & 0 deletions workload/bicep/modules/zeroTrust/.bicep/StorageCmkConfig.bicep
@@ -0,0 +1,66 @@
// Called from deploy-baseline.bicep as storage needs to be created first.

targetScope = 'resourceGroup'

// ========== //
// Parameters //
// ========== //
@sys.description('Name of storage account.')
param storageAccountName string

@sys.description('Location where to deploy compute services.')
param location string = resourceGroup().location

@sys.description('Key Vault URI associated with Storage Account.')
param keyVaultUri string

@sys.description('Managed Identity Resource ID associated with Storage Account and used for Zero Trust.')
param managedIdentityStorageResourceId string

@sys.description('Specifies the SKU for the Storage Account.')
param storageSkuName string

// =========== //
// Variable declaration //
// =========== //

var keyName = 'key-${storageAccountName}'

// =========== //
// Deployments //
// =========== //
// Using AVM - the key rotation is not enabled on the Storage Account.
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = {
name: storageAccountName
location: location
kind: ((storageSkuName == 'Premium_LRS') || (storageSkuName == 'Premium_ZRS')) ? 'FileStorage' : 'StorageV2'
identity: {
type: 'userAssigned'
userAssignedIdentities: {
'${managedIdentityStorageResourceId}': {}
}
}
sku: {
name: storageSkuName
}
properties: {
encryption: {
identity: {
userAssignedIdentity: managedIdentityStorageResourceId
}
keySource: 'Microsoft.Keyvault'
keyvaultproperties: {
keyname: keyName
keyvaulturi: keyVaultUri
keyversion: ''
}
services: {
file: {
enabled: true
}
}
}
}
}


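Review bot: the comment 'Using AVM - the key rotation is not enabled on the Storage Account.' does not say what this module changes; reword it to say that the module re-applies encryption with keyversion: '' so the account tracks the latest key version automatically (the behaviour the linked Microsoft doc describes), which the AVM-created account apparently lacks. Because this is a second full declaration of an account the AVM module already created, any property the AVM module set but this body omits (network rules, minimum TLS version, public network access and so on) relies on the storage resource provider preserving it; run a what-if against an existing deployment before merging to confirm nothing is reset. Also consider a current API version over 2021-04-01 and the documented casing 'UserAssigned' for identity.type.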
Expand Up @@ -59,7 +59,7 @@ param enableKvPurgeProtection bool = true
// Deployments //
// =========== //

// Key vault for Zero Trust.
// Key vault for Zero Trust - Session Host Encryption Keys.
module ztKeyVault '../../../../../avm/1.0.0/res/key-vault/vault/main.bicep' = {
scope: resourceGroup('${subscriptionId}', '${rgName}')
name: 'ZT-KeyVault-${time}'
Expand Down Expand Up @@ -95,7 +95,7 @@ module ztKeyVault '../../../../../avm/1.0.0/res/key-vault/vault/main.bicep' = {
dependsOn: []
}

// Disk Encryption Key for Zero Trust.
// Session Host Disk Encryption Key for Zero Trust.
module ztKeyVaultKey '../../../../../avm/1.0.0/res/key-vault/vault/key/main.bicep' = {
scope: resourceGroup('${subscriptionId}', '${rgName}')
name: 'ZT-KeyVaultKey-${time}'
Expand Down Expand Up @@ -150,6 +150,7 @@ module ztDiskEncryptionSet '../../../../../avm/1.0.0/res/compute/disk-encryption
}
}


// =========== //
// Outputs //
// =========== //
5 changes: 2 additions & 3 deletions workload/bicep/modules/zeroTrust/deploy.bicep
Expand Up @@ -181,7 +181,7 @@ module ztRoleAssignmentCompute '../../../../avm/1.0.0/ptn/authorization/role-ass
params: {
principalId: diskZeroTrust ? ztPolicyAssignmentCompute[i].outputs.principalId : ''
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840'
principalType: ''
principalType: 'ServicePrincipal'
}
dependsOn: [
ztPolicyAssignmentCompute
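Review bot: 'ServicePrincipal' is the right principalType for the policy assignments' system-assigned identities, and setting it also avoids the intermittent principal-not-found failure when a freshly created identity has not replicated yet; the same change in ztRoleAssignmentServObj below is correct for the same reason.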
Expand All @@ -196,7 +196,7 @@ module ztRoleAssignmentServObj '../../../../avm/1.0.0/ptn/authorization/role-ass
params: {
principalId: diskZeroTrust ? ztPolicyAssignmentServiceObjects[i].outputs.principalId : ''
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840'
principalType: ''
principalType: 'ServicePrincipal'
}
dependsOn: [
ztPolicyAssignmentServiceObjects
Expand Down Expand Up @@ -240,7 +240,6 @@ module ztKeyVault './.bicep/zeroTrustKeyVault.bicep' = if (diskZeroTrust) {
enableKvPurgeProtection: enableKvPurgeProtection
}
dependsOn: [

]
}

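Review bot: with the blank entry removed, dependsOn is an empty array; drop the dependsOn block from ztKeyVault entirely rather than keeping an empty dependsOn: [ ].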