Update secret handling and configuration in Bicep files

Updated BeyondTrustCredentialClient to retrieve secret name from KEYVAULT_SECRET environment variable and handle deserialization errors. Added keyvaultSecretName property to functionAppConfig type in main.bicep and updated related modules to use this property. Updated functionConfig parameter to include keyvaultSecretName. Added keyvaultSecretName parameter to functionapp.bicep and secretName parameter to vault-role-assignment.bicep. Changed roleAssignment scope to specific secret within Key Vault.
FrodeHus · Dec 18, 2024 · dbfcdec · dbfcdec
1 parent 15653e8
commit dbfcdec
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 9 deletions.
diff --git a/BeyondTrustConnector/Service/BeyondTrustCredentialClient.cs b/BeyondTrustConnector/Service/BeyondTrustCredentialClient.cs
@@ -10,12 +10,9 @@ internal class BeyondTrustCredentialClient(IHttpClientFactory httpClientFactory,
 {
     public async Task<string> GetAccessToken(string beyondTrustTenantName)
     {
-        var secret = await SecretReader.GetSecretAsync("BeyondTrustApi");
-        var credential = JsonSerializer.Deserialize<BeyondTrustCredential>(secret);
-        if (credential is null)
-        {
-            throw new Exception("Failed to deserialize BeyondTrust credential");
-        }
+        var secretName = Environment.GetEnvironmentVariable("KEYVAULT_SECRET") ?? throw new Exception("KEYVAULT_SECRET environment variable is not set");
+        var secret = await SecretReader.GetSecretAsync(secretName);
+        var credential = JsonSerializer.Deserialize<BeyondTrustCredential>(secret) ?? throw new Exception("Failed to deserialize BeyondTrust credential");
         var client = httpClientFactory.CreateClient();
         var basicAuth = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{credential.ClientId}:{credential.ClientSecret}"));
         client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", basicAuth);

diff --git a/main.bicep b/main.bicep
@@ -7,6 +7,7 @@ type dataCollectionConfig = {
 type functionAppConfig = {
   name: string
   keyvaultName: string
+  keyvaultSecretName: string
   container: string
 }
 
@@ -35,6 +36,7 @@ module functionappModule './modules/functionapp.bicep' = {
     appName: '${functionConfig.name}-${uniqueString(resourceGroup().name)}'
     location: resourceGroup().location
     keyvaultName: functionConfig.keyvaultName
+    keyvaultSecretName: functionConfig.keyvaultSecretName
     userAssignedIdentityId: userAssignedIdentity.id
     clientId: userAssignedIdentity.properties.clientId
     container: functionConfig.container
@@ -53,7 +55,8 @@ module vaultSecretUserRoleAssignment './modules/vault-role-assignment.bicep' = {
     roleAssignmentName: '${uniqueString(functionConfig.name)}-keyvault-reader-role-assignment'
     roleDefinitionId: '4633458b-17de-408a-b874-0445c86b69e6' // Key Vault Secret User
     principalId: userAssignedIdentity.properties.principalId
-    keyVaultName: functionConfig.keyvaultName
+    keyVaultName: functionConfig.keyvaultName    
+    secretName: functionConfig.keyvaultSecret
   }
 }
 

diff --git a/main.bicepparam b/main.bicepparam
@@ -9,5 +9,6 @@ param datacollection  = {
 param functionConfig = {
   name: 'func-btconnect'
   keyvaultName: 'btvault'
+  keyvaultSecretName: 'BeyondTrustAPI'
   container: 'frodehus/beyondtrustconnector:v1.2'
 }
diff --git a/modules/functionapp.bicep b/modules/functionapp.bicep
@@ -26,6 +26,7 @@ var applicationInsightsName = appName
 param storageAccountName string = '${uniqueString(resourceGroup().id)}azfunctions'
 param container string = 'frodehus/beyondtrustconnector:v1.2'
 param keyvaultName string
+param keyvaultSecretName string
 param userAssignedIdentityId string
 param clientId string
 
@@ -104,6 +105,10 @@ resource functionApp 'Microsoft.Web/sites@2024-04-01' = {
             name: 'KEYVAULT_NAME'
             value:keyvaultName
         }
+        {
+            name: 'KEYVAULT_SECRET'
+            value: keyvaultSecretName
+        }
         {
             name: 'PRINCIPAL_ID' 
             value: clientId

diff --git a/modules/vault-role-assignment.bicep b/modules/vault-role-assignment.bicep
@@ -5,21 +5,28 @@ param roleDefinitionId string
 param principalId string
 
 param keyVaultName string
+param secretName string
 
 resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = {
   name: keyVaultName
 }
 
+resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' existing = {
+    parent: keyVault
+    name: secretName
+}
+
+
 resource vaultRoleDefinition 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' existing = {
   name: roleDefinitionId
 }
 
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
   name: guid(roleAssignmentName)
-  scope: keyVault
+  scope: keyVaultSecret
   properties: {
     roleDefinitionId: vaultRoleDefinition.id
     principalId: principalId
-    principalType: 'ServicePrincipal'
+    principalType: 'ServicePrincipal'    
   }
 }