New-CmAzCoreKeyVault

Completes the following:

• Deploys multiple keyvaults in multiple locations to a specified resource group.
• Adds diagnostic settings linking the keyvaults to the core workspace.
• Optionally create private endpoints.

This command forms part of the Core Building Block.

Parameters

-SettingsFile

Required. (String) File path for the settings file to be converted into a settings object.

-SettingsObject

Required. (Object) Object containing the configuration values required to run this cmdlet.

-TagSettingsFile

Required. (String) File path for settings containing tags definition.

-WhatIf

(Switch) Run the command without executing any actions, so that no changes are made. The command will output a description of actions to be performed against the affected resources in the console window. Use this option if you are unsure of the overall impact of your command and wish to review it before committing to making changes.

-Confirm

(Switch) Run the command without executing any actions, so that no changes are made. The command will output a description of actions to be performed against the affected resources in the console window. Use this option if you are unsure of the overall impact of your command and wish to review it before committing to making changes.

Usage

Example 1

1
New-CmAzCoreKeyVault -SettingsFile "c:/directory/settingsFile.yml"

Example 2

1
New-CmAzCoreKeyVault -SettingsObject $settings

Settings

Settings Root.

Component

component [string | null]

Value to determine what cmdlet should be dynamically loaded for these settings.

ResourceGroupName

resourceGroupName [string] Mandatory

Part of key vault's resource group name.

Location

location [string] Mandatory

Resource group deployment location.

Service

service [object] Mandatory

Contains dependency and publish details for service location.

Dependencies

dependencies [object]

Contains dependency details for service location.

Workspace

workspace [string]

Dependency value to fetch existing resource type.

Actiongroup

actiongroup [string | null]

Dependency value to fetch existing resource type.

Vnet

vnet [string | null]

Global default dependency value to fetch existing resource type.

PrivateZones

privateZones [array | null]

Dependency value to fetch existing resource type. Enables private zone integration.

Publish

publish [object]

Contains publish details for service location.

ResourceGroup

resourceGroup [string]

Value to publish on deployed resource type.

Keyvault

keyvault [string | null]

Global default value to publish on deployed resource type.

PrivateEndpoint

privateEndpoint [string | null]

Global default value to publish on deployed resource type.

KeyVaults

keyVaults [array] Mandatory

All details required to deploy multiple key vaults.

Name

name [string]

Becomes part of the generated key vault's name.

Type

type [string]

Specifies if a user or service principal will be linked to the key vault's access policy.

Valid values:"ServicePrincipal" , "User" , "serviceprincipal" , "user"

Location

location [string] Mandatory

key vault deployment location

Service

service [object | null] Mandatory

Contains dependency and publish details for service location.

Publish

publish [object | null]

Contains publish details for service location.

Keyvault

keyvault [string | null]

Local overriding value to publish on deployed existing resource type.

PrivateEndpoints

privateEndpoints [array | null]

Container for private endpoint details.

SubnetName

subnetName [string]

Names of underlying sub-resources to create private connection with.

Name

name [string | null]

Becomes part of private endpoint name.

Service

service [object | null] Mandatory

Contains dependency and publish details for service location.

Dependencies

dependencies [object | null]

Contains dependency details for service location.

Vnet

vnet [string | null]

Local overriding dependency value to fetch existing resource type.

PrivateZones

privateZones [array | null]

Dependency value to fetch existing resource type. Enables private zone integration.

Publish

publish [object | null]

Contains publish details for service location.

privateEndpoint

privateEndpoint [string | null]

Local overriding value to publish on deployed existing resource type.

EnableSoftDelete

enableSoftDelete [boolean | null]

Enable recovery of deleted key vaults and their objects.

Default:true

SoftDeleteRetentionInDays

softDeleteRetentionInDays [integer | null]

Retention period for the deleted resources.

Default:90

EnablePurgeProtection

enablePurgeProtection [boolean | null]

Prevents key vaults and their objects from being purged until the soft delete retention period has elapsed (Can only be enabled once soft delete is enabled).

Default:true

SecretNames

secretNames [array | null]

List of secrets to provision for the deployed key vault.

EncryptionKeyNames

encryptionKeyNames [array | null]

List of key encryption keys for the deployed key vault.

Examples

The following example files are automatically generated from the settings file schema definition to show how the specification can be used in practise. Cloudmarque can accept both JSON and YAML parameter files.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
{
  "component": "string",
  "resourceGroupName": "string",
  "location": "string",
  "service": {
    "dependencies": {
      "workspace": "string",
      "actiongroup": "string",
      "vnet": "string",
      "privateZones": [

      ]
    },
    "publish": {
      "resourceGroup": "string",
      "keyvault": "string",
      "privateEndpoint": "string"
    }
  },
  "keyVaults": [
    {
      "name": "string",
      "type": "ServicePrincipal",
      "location": "string",
      "service": {
        "publish": {
          "keyvault": "string"
        }
      },
      "privateEndpoints": [
        {
          "subnetName": "string",
          "name": "string",
          "service": {
            "dependencies": {
              "vnet": "string",
              "privateZones": [

              ]
            },
            "publish": {
              "privateEndpoint": "string"
            }
          }
        }
      ],
      "enableSoftDelete": "true",
      "softDeleteRetentionInDays": "90",
      "enablePurgeProtection": "true",
      "secretNames": [
        "string"
      ],
      "encryptionKeyNames": [
        "string"
      ]
    }
  ]
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
component: "string"    # Optional
resourceGroupName: "string"    # Mandatory
location: "string"    # Mandatory
service:     # Mandatory
  dependencies:     # Mandatory
    workspace: "string"    # Mandatory
    actiongroup: "string"    # Optional
    vnet: "string"    # Optional
    privateZones:     # Optional
      -   publish:     # Mandatory
    resourceGroup: "string"    # Mandatory
    keyvault: "string"    # Optional
    privateEndpoint: "string"    # Optional
keyVaults:     # Mandatory
  - name: "string"    # Mandatory
    type: "ServicePrincipal"    # Mandatory
    location: "string"    # Mandatory
    service:     # Optional
      publish:     # Optional
        keyvault: "string"    # Optional
    privateEndpoints:     # Optional
      - subnetName: "string"    # Mandatory
        name: "string"    # Optional
        service:     # Optional
          dependencies:     # Optional
            vnet: "string"    # Optional
            privateZones:     # Optional
              -           publish:     # Optional
            privateEndpoint: "string"    # Optional
    enableSoftDelete: "true"    # Optional
    softDeleteRetentionInDays: "90"    # Optional
    enablePurgeProtection: "true"    # Optional
    secretNames:     # Optional
      - "string"
    encryptionKeyNames:     # Optional
      - "string"