diff --git a/dev-infrastructure/modules/keyvault/keyvault-private-endpoint.bicep b/dev-infrastructure/modules/keyvault/keyvault-private-endpoint.bicep
deleted file mode 100644
index f1b9986d9..000000000
--- a/dev-infrastructure/modules/keyvault/keyvault-private-endpoint.bicep
+++ /dev/null
@@ -1,77 +0,0 @@
-@description('Location of the endpoint.')
-param location string
-
-@description('ID of the subnet to create the private endpoint in.')
-param subnetId string
-
-@description('ID of the vnet, needs to correlated with subnetId.')
-param vnetId string
-
-@description('Name of the key vault to create this endpoint for.')
-param keyVaultName string
-
-@description('ID of the key vault.')
-param keyVaultId string
-
-//
-// P R I V A T E E N D P O I N T
-//
-
-var privateDnsZoneName = 'privatelink.vaultcore.azure.net'
-
-resource keyVaultPrivateEndpoint 'Microsoft.Network/privateEndpoints@2024-01-01' = {
- name: '${keyVaultName}-pe'
- location: location
- properties: {
- privateLinkServiceConnections: [
- {
- name: '${keyVaultName}-pe'
- properties: {
- groupIds: [
- 'vault'
- ]
- privateLinkServiceId: keyVaultId
- }
- }
- ]
- subnet: {
- id: subnetId
- }
- }
-}
-
-resource keyVaultPrivateEndpointDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
- name: privateDnsZoneName
- location: 'global'
- properties: {}
-}
-
-resource keyVaultPrivateDnsZoneVnetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
- parent: keyVaultPrivateEndpointDnsZone
- name: uniqueString('keyvault-${uniqueString(vnetId)}')
- location: 'global'
- properties: {
- registrationEnabled: false
- virtualNetwork: {
- id: vnetId
- }
- }
-}
-
-resource privateEndpointDnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-09-01' = {
- parent: keyVaultPrivateEndpoint
- name: '${keyVaultName}-dns-group'
- properties: {
- privateDnsZoneConfigs: [
- {
- name: 'config1'
- properties: {
- privateDnsZoneId: keyVaultPrivateEndpointDnsZone.id
- }
- }
- ]
- }
- dependsOn: [
- keyVaultPrivateDnsZoneVnetLink
- ]
-}
diff --git a/dev-infrastructure/modules/private-endpoint.bicep b/dev-infrastructure/modules/private-endpoint.bicep
index 84acff45e..4f2148077 100644
--- a/dev-infrastructure/modules/private-endpoint.bicep
+++ b/dev-infrastructure/modules/private-endpoint.bicep
@@ -3,12 +3,14 @@ param location string
 @description('The service type the private endpoint is created for') @allowed([ 'eventgrid' + 'keyvault' ]) param serviceType string @description('The group id of the private endpoint service') @allowed([ 'topicspace' + 'vault' ]) param groupId string
@@ -25,6 +27,9 @@ var endpointConfig = {
 eventgrid: { topicspace: 'privatelink.ts.eventgrid.azure.net' } + keyvault: { + vault: 'privatelink.vaultcore.azure.net' + } } resource eventGridPrivateEndpointDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
index b66bcb422..a21a90bc0 100644
--- a/dev-infrastructure/templates/svc-cluster.bicep
+++ b/dev-infrastructure/templates/svc-cluster.bicep
@@ -257,14 +257,15 @@ module serviceKeyVault '../modules/keyvault/keyvault.bicep' = {
 output svcKeyVaultName string = serviceKeyVault.outputs.kvName -module serviceKeyVaultPrivateEndpoint '../modules/keyvault/keyvault-private-endpoint.bicep' = { +module serviceKeyVaultPrivateEndpoint '../modules/private-endpoint.bicep' = { name: '${deployment().name}-svcs-kv-pe' params: { location: location - keyVaultName: serviceKeyVaultName - subnetId: svcCluster.outputs.aksNodeSubnetId + subnetIds: [svcCluster.outputs.aksNodeSubnetId] vnetId: svcCluster.outputs.aksVnetId - keyVaultId: serviceKeyVault.outputs.kvId + privateLinkServiceId: serviceKeyVault.outputs.kvId + serviceType: 'keyvault' + groupId: 'vault' } }
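Review bot: `serviceType` and `groupId` are validated by two independent `@allowed` lists, so after adding `'keyvault'` and `'vault'` the mismatched pairs (`keyvault`/`topicspace`, `eventgrid`/`vault`) pass parameter validation even though `endpointConfig` in the next hunk has no entry for them; presumably the zone lookup then fails only at deployment time, and the call site in svc-cluster.bicep passes the pair as two unrelated literals. The coupling should at least be documented on the parameter: `@description('The group id of the private endpoint service; must be the group id endpointConfig maps for serviceType (eventgrid -> topicspace, keyvault -> vault)')`. A single parameter selecting the service/group pair would make the invalid combinations unrepresentable, but that is a larger interface change. The `endpointConfig` lookup itself is outside this hunk.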
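Review bot: The resource on the hunk's last context line, `eventGridPrivateEndpointDnsZone`, now also provisions the `privatelink.vaultcore.azure.net` zone for Key Vault, so its symbolic name misdescribes what it does; a service-neutral name such as `privateEndpointDnsZone` would read correctly, though its references lie outside this hunk. That zone name is the one the deleted keyvault module created together with a VNet link named `uniqueString('keyvault-${uniqueString(vnetId)}')`; environments already deployed from the old module keep those resources, and the shared module's zone of the same name in the same resource group would be updated in place, so it is worth confirming that the link name the shared module derives (not shown here) either matches the old one or tolerates the leftover link to the same VNet.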
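Review bot: The call no longer passes a vault-specific name, so the names the shared module derives for the private endpoint and its DNS zone group are not visible here, whereas the deleted module named them `${keyVaultName}-pe` and `${keyVaultName}-dns-group`; confirm they remain unique if a second Key Vault endpoint is ever deployed into the same resource group and VNet. The argument `subnetIds: [svcCluster.outputs.aksNodeSubnetId]` changes the shape from a single id to a list, and the deleted module's `registrationEnabled: false` on the VNet link is a setting the shared module presumably preserves; neither is shown in this diff. The closing of the `serviceKeyVaultPrivateEndpoint` module is the hunk's last line, but the enclosing template continues beyond it.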