Added deployAzureAPIMtoAPIC param to avoid setting roleAssignment

Azure-Samples · Apr 26, 2024 · d43e6bd · d43e6bd
1 parent ddfe0ff
commit d43e6bd
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 16 deletions.
diff --git a/infra/core/gateway/apim.bicep b/infra/core/gateway/apim.bicep
@@ -22,7 +22,6 @@ param applicationInsightsName string
 
 param managedIdentityName string
 param apicManagedIdentityName string
-param keyVaultName string
 
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' existing = if (!empty(applicationInsightsName)) {
   name: applicationInsightsName
@@ -41,10 +40,6 @@ resource apicManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2
   name: apicManagedIdentityName
 }
 
-resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
-  name: keyVaultName
-}
-
 resource apimService 'Microsoft.ApiManagement/service@2023-05-01-preview' = {
   name: name
   location: location
@@ -105,16 +100,6 @@ module apicManagedIdentityRoleAssignment '../roleassignments/roleassignment.bice
   }
 }
 
-module apimManagedIdentityRoleAssignment '../roleassignments/roleassignment.bicep' = {
-  name: 'kv-apim-roleAssignment'
-  params: {
-    principalId: managedIdentity.properties.principalId
-    roleName: 'Key Vault Secrets User'
-    targetResourceId: keyVault.id
-    deploymentName: 'kv-apim-roleAssignment-SecretsUser'
-  }
-}
-
 resource apimLogger 'Microsoft.ApiManagement/service/loggers@2023-03-01-preview' = if (!empty(applicationInsightsName)) {
   name: 'app-insights-logger'
   parent: apimService

diff --git a/infra/core/security/keyvault.bicep b/infra/core/security/keyvault.bicep
@@ -4,6 +4,12 @@ param location string = resourceGroup().location
 param tags object = {}
 
 param principalId string
+param apimManagedIdentityName string
+param deployAzureAPIMtoAPIC bool
+
+resource apimManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' existing = if (deployAzureAPIMtoAPIC) {
+  name: apimManagedIdentityName
+}
 
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: name
@@ -17,6 +23,16 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   }
 }
 
+module apimManagedIdentityRoleAssignment '../roleassignments/roleassignment.bicep' = if (deployAzureAPIMtoAPIC) {
+  name: 'kv-apim-roleAssignment'
+  params: {
+    principalId: apimManagedIdentity.properties.principalId
+    roleName: 'Key Vault Secrets User'
+    targetResourceId: keyVault.id
+    deploymentName: 'kv-apim-roleAssignment-SecretsUser'
+  }
+}
+
 module currentUserRoleAssignment '../roleassignments/roleassignment.bicep' = {
   name: 'kv-currentuser-roleAssignment'
   params: {

diff --git a/infra/main.bicep b/infra/main.bicep
@@ -180,7 +180,6 @@ module apim './core/gateway/apim.bicep' = if(deployAzureAPIMtoAPIC) {
     applicationInsightsName: monitoring.outputs.applicationInsightsName
     managedIdentityName: managedIdentityApim.outputs.managedIdentityName
     apicManagedIdentityName: managedIdentityApic.outputs.managedIdentityName
-    keyVaultName: keyVault.outputs.keyVaultName
   }
 }
 
@@ -209,6 +208,8 @@ module keyVault './core/security/keyvault.bicep' = {
     location: location
     tags: tags
     principalId: myPrincipalId
+    apimManagedIdentityName: deployAzureAPIMtoAPIC ? managedIdentityApim.outputs.managedIdentityName : ''
+    deployAzureAPIMtoAPIC: deployAzureAPIMtoAPIC 
   }
 }