Last active
October 20, 2021 10:33
-
-
Save ShridharParameshwarBhat/59fa6eca10ed4ee97744698135a59972 to your computer and use it in GitHub Desktop.
Client Cert 2pass deployment script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
| "contentVersion": "1.0.0.0", | |
| "parameters": { | |
| "vmName": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Name of the virtual machine" | |
| } | |
| }, | |
| "aadClientID": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Client ID of AAD app which has permissions to KeyVault" | |
| } | |
| }, | |
| "aadClientCertThumbprint": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Thumbprint of the certificate associated with the AAD app which has permissions to KeyVault" | |
| } | |
| }, | |
| "keyVaultName": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Name of the KeyVault to place the volume encryption key" | |
| } | |
| }, | |
| "keyVaultResourceGroup": { | |
| "type": "string", | |
| "metadata": { | |
| "description": "Resource group of the KeyVault" | |
| } | |
| }, | |
| "useExistingKek": { | |
| "type": "string", | |
| "defaultValue": "nokek", | |
| "allowedValues": [ | |
| "nokek", | |
| "kek" | |
| ], | |
| "metadata": { | |
| "description": "Select kek if the secret should be encrypted with a key encryption key and pass explicit keyEncryptionKeyURL. For nokek, you can keep keyEncryptionKeyURL empty." | |
| } | |
| }, | |
| "keyEncryptionKeyURL": { | |
| "type": "string", | |
| "defaultValue": "", | |
| "metadata": { | |
| "description": "URL of the KeyEncryptionKey used to encrypt the volume encryption key" | |
| } | |
| }, | |
| "volumeType": { | |
| "type": "string", | |
| "defaultValue": "All", | |
| "metadata": { | |
| "description": "Type of the volume OS or Data to perform encryption operation" | |
| } | |
| }, | |
| "sequenceVersion": { | |
| "type": "string", | |
| "defaultValue": "1.0", | |
| "metadata": { | |
| "description": "Pass in an unique value like a GUID everytime the operation needs to be force run" | |
| } | |
| }, | |
| "location": { | |
| "type": "string", | |
| "defaultValue": "[resourceGroup().location]", | |
| "metadata": { | |
| "description": "Location for all resources." | |
| } | |
| } | |
| }, | |
| "variables": { | |
| "extensionName": "AzureDiskEncryption", | |
| "extensionVersion": "1.1", | |
| "encryptionOperation": "EnableEncryption", | |
| "keyEncryptionAlgorithm": "RSA-OAEP", | |
| "updateVmUrl": "[concat('https://adetestsa.blob.core.windows.net/arm-templates/azure-quickstart-templates/master/201-encrypt-running-windows-vm/updatevm-',parameters('useExistingKek'),'.json')]", | |
| "keyVaultURL": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/')]", | |
| "keyVaultResourceID": "[concat(subscription().id,'/resourceGroups/',parameters('keyVaultResourceGroup'),'/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]" | |
| }, | |
| "resources": [ | |
| { | |
| "type": "Microsoft.Compute/virtualMachines/extensions", | |
| "name": "[concat(parameters('vmName'),'/', variables('extensionName'))]", | |
| "apiVersion": "2016-04-30-preview", | |
| "location": "[parameters('location')]", | |
| "properties": { | |
| "publisher": "Microsoft.Azure.Security", | |
| "type": "AzureDiskEncryption", | |
| "typeHandlerVersion": "[variables('extensionVersion')]", | |
| "autoUpgradeMinorVersion": true, | |
| "forceUpdateTag": "[parameters('sequenceVersion')]", | |
| "settings": { | |
| "AADClientID": "[parameters('aadClientID')]", | |
| "AADClientCertThumbprint": "[parameters('aadClientCertThumbprint')]", | |
| "KeyVaultURL": "[variables('keyVaultURL')]", | |
| "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", | |
| "KeyEncryptionAlgorithm": "[variables('keyEncryptionAlgorithm')]", | |
| "VolumeType": "[parameters('volumeType')]", | |
| "EncryptionOperation": "[variables('encryptionOperation')]" | |
| } | |
| } | |
| }, | |
| { | |
| "name": "updatevm", | |
| "type": "Microsoft.Resources/deployments", | |
| "apiVersion": "2015-01-01", | |
| "dependsOn": [ | |
| "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), variables('extensionName'))]" | |
| ], | |
| "properties": { | |
| "mode": "Incremental", | |
| "templateLink": { | |
| "uri": "[if(equals(parameters('useExistingKek'), 'nokek'), 'https://gist.githubusercontent.com/ShridharParameshwarBhat/b1472d88e7cda8b193d5f7dfd272f341/raw/f3dc57e00bf9971a384b58162aadecad46fe85a3/clientcertnokek.json', 'https://gist.githubusercontent.com/ShridharParameshwarBhat/869405ea68593c8ccca2c8ea1b9537e6/raw/2380a0a5d7f8e2cd6c27c286a1ef082910e28cb8/clientcertusekek.json')]", | |
| "contentVersion": "1.0.0.0" | |
| }, | |
| "parameters": { | |
| "vmName": { | |
| "value": "[parameters('vmName')]" | |
| }, | |
| "keyVaultResourceID": { | |
| "value": "[variables('keyVaultResourceID')]" | |
| }, | |
| "keyVaultSecretUrl": { | |
| "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), variables('extensionName'))).instanceView.statuses[0].message]" | |
| }, | |
| "keyEncryptionKeyURL": { | |
| "value": "[parameters('keyEncryptionKeyURL')]" | |
| } | |
| } | |
| } | |
| } | |
| ], | |
| "outputs": { | |
| "BitLockerKey": { | |
| "type": "string", | |
| "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), variables('extensionName'))).instanceView.statuses[0].message]" | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment