@@ -56,6 +56,7 @@ function Set-KeyVaultAccessRoles {
5656 $dataKeyVault = Get-AzKeyVault - ResourceGroupName $DataResourceGroupName - Name " $SolutionAbbreviation -data-$EnvironmentAbbreviation "
5757 $functionApps = Get-AzFunctionApp - ResourceGroupName $ComputeResourceGroupName
5858
59+ # Grant the Function Apps access to the keyvaults
5960 foreach ($functionApp in $functionApps ) {
6061 $ProductionFunctionAppName = $functionApp.Name
6162 $StagingFunctionAppName = " $ ( $functionApp.Name ) /slots/staging"
@@ -67,43 +68,68 @@ function Set-KeyVaultAccessRoles {
6768 # Grant the app service access to the keyvaults
6869 if ($functionServicePrincipal ) {
6970 # prereqs keyvault
70- if ($null -eq (Get-AzRoleAssignment - ObjectId $functionServicePrincipal.Id - Scope $prereqsKeyVault.ResourceId - RoleDefinitionName " Key Vault Secrets User" )) {
71- New-AzRoleAssignment - ObjectId $functionServicePrincipal.Id - Scope $prereqsKeyVault.ResourceId - RoleDefinitionName " Key Vault Secrets User" ;
72- Write-Host " Added role 'Key Vault Secrets User' to $fa on the $ ( $prereqsKeyVault.VaultName ) keyvault." ;
73- }
74- else {
75- Write-Host " $fa already has 'Key Vault Secrets User' role on $ ( $prereqsKeyVault.VaultName ) ." ;
76- }
71+ Set-KVRoleAssignment `
72+ - ObjectId $functionServicePrincipal.Id `
73+ - DisplayName $fa `
74+ - Scope $prereqsKeyVault.ResourceId `
75+ - RoleDefinitionName " Key Vault Secrets User" `
76+ - KeyVaultName $prereqsKeyVault.VaultName
7777
7878 # data keyvault
79- if ($null -eq (Get-AzRoleAssignment - ObjectId $functionServicePrincipal.Id - Scope $dataKeyVault.ResourceId - RoleDefinitionName " Key Vault Secrets User" )) {
80- New-AzRoleAssignment - ObjectId $functionServicePrincipal.Id - Scope $dataKeyVault.ResourceId - RoleDefinitionName " Key Vault Secrets User" ;
81- Write-Host " Added role 'Key Vault Secrets User' to $fa on the $ ( $dataKeyVault.VaultName ) keyvault." ;
82- }
83- else {
84- Write-Host " $fa already has 'Key Vault Secrets User' role on $ ( $dataKeyVault.VaultName ) ." ;
85- }
79+ Set-KVRoleAssignment `
80+ - ObjectId $functionServicePrincipal.Id `
81+ - DisplayName $fa `
82+ - Scope $dataKeyVault.ResourceId `
83+ - RoleDefinitionName " Key Vault Secrets User" `
84+ - KeyVaultName $dataKeyVault.VaultName
8685 }
8786 elseif ($null -eq $functionServicePrincipal ) {
8887 Write-Host " Function $fa was not found!"
8988 }
9089 }
9190 }
9291
92+ # Grant the Web API access to the keyvaults
93+ $webApi = Get-AzWebApp - ResourceGroupName $ComputeResourceGroupName - Name " $ComputeResourceGroupName -webapi"
94+ if ($webApi ) {
95+ $webApiServicePrincipal = Get-AzADServicePrincipal - DisplayName $webApi.Name
96+
97+ if ($webApiServicePrincipal ) {
98+ # prereqs keyvault
99+ Set-KVRoleAssignment `
100+ - ObjectId $webApiServicePrincipal.Id `
101+ - DisplayName $webApi.Name `
102+ - Scope $prereqsKeyVault.ResourceId `
103+ - RoleDefinitionName " Key Vault Secrets User" `
104+ - KeyVaultName $prereqsKeyVault.VaultName
105+
106+ # data keyvault
107+ Set-KVRoleAssignment `
108+ - ObjectId $webApiServicePrincipal.Id `
109+ - DisplayName $webApi.Name `
110+ - Scope $dataKeyVault.ResourceId `
111+ - RoleDefinitionName " Key Vault Secrets User" `
112+ - KeyVaultName $dataKeyVault.VaultName
113+ }
114+ elseif ($null -eq $webApiServicePrincipal ) {
115+ Write-Host " Web API $ ( $webApi.Name ) was not found!"
116+ }
117+ }
118+
119+ # Grant the Data Factories access to the keyvaults
93120 $dataFactories = Get-AzResource - ResourceGroupName $DataResourceGroupName - ResourceType " Microsoft.DataFactory/factories"
94121 foreach ($dataFactory in $dataFactories ) {
95122 $dataFactoryName = $dataFactory.Name
96123 $dataFactoryServicePrincipal = Get-AzADServicePrincipal - DisplayName $dataFactoryName
97124
98125 if ($dataFactoryServicePrincipal ) {
99126 # data keyvault
100- if ($null -eq (Get-AzRoleAssignment - ObjectId $dataFactoryServicePrincipal.Id - Scope $dataKeyVault.ResourceId - RoleDefinitionName " Key Vault Secrets User" )) {
101- New-AzRoleAssignment - ObjectId $dataFactoryServicePrincipal.Id - Scope $dataKeyVault.ResourceId - RoleDefinitionName " Key Vault Secrets User" ;
102- Write-Host " Added role 'Key Vault Secrets User' to $ ( $dataFactoryName ) on the $ ( $dataKeyVault.VaultName ) keyvault." ;
103- }
104- else {
105- Write-Host " $ ( $dataFactoryName ) already has 'Key Vault Secrets User' role on $ ( $dataKeyVault.VaultName ) ." ;
106- }
127+ Set-KVRoleAssignment `
128+ - ObjectId $dataFactoryServicePrincipal.Id `
129+ - DisplayName $dataFactoryName `
130+ - Scope $dataKeyVault.ResourceId `
131+ - RoleDefinitionName " Key Vault Secrets User" `
132+ - KeyVaultName $dataKeyVault.VaultName
107133 }
108134 elseif ($null -eq $dataFactoryServicePrincipal ) {
109135 Write-Host " Data Factory $dataFactoryName was not found!"
@@ -112,4 +138,28 @@ function Set-KeyVaultAccessRoles {
112138 }
113139
114140 Write-Host " Done attempting to add keyvault role assignments." ;
141+ }
142+
143+ function Set-KVRoleAssignment {
144+ [CmdletBinding ()]
145+ param (
146+ [Parameter (Mandatory = $True )]
147+ [string ] $ObjectId ,
148+ [Parameter (Mandatory = $True )]
149+ [string ] $DisplayName ,
150+ [Parameter (Mandatory = $True )]
151+ [string ] $Scope ,
152+ [Parameter (Mandatory = $True )]
153+ [string ] $RoleDefinitionName ,
154+ [Parameter (Mandatory = $True )]
155+ [string ] $KeyVaultName
156+ )
157+
158+ if ($null -eq (Get-AzRoleAssignment - ObjectId $ObjectId - Scope $Scope - RoleDefinitionName $RoleDefinitionName )) {
159+ New-AzRoleAssignment - ObjectId $ObjectId - Scope $Scope - RoleDefinitionName $RoleDefinitionName ;
160+ Write-Host " Added role $RoleDefinitionName to $DisplayName on the $KeyVaultName keyvault." ;
161+ }
162+ else {
163+ Write-Host " $DisplayName already has $RoleDefinitionName role on $KeyVaultName ." ;
164+ }
115165}
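Review bot: The Web API's principal is resolved by display name (`Get-AzADServicePrincipal -DisplayName $webApi.Name`, new line 95), but display names are not unique in a tenant, so an unrelated app registration or service principal that happens to carry the same name could be granted `Key Vault Secrets User` on both vaults, and a multi-match would turn `$webApiServicePrincipal.Id` into an array that the `[string] $ObjectId` parameter flattens into an invalid id. If the web app runs with a system-assigned managed identity, the object id should already be on the resource returned by Get-AzWebApp and needs no directory lookup: `$webApiPrincipalId = $webApi.Identity.PrincipalId` and then `-ObjectId $webApiPrincipalId` in the two Set-KVRoleAssignment calls (the pre-existing Data Factory lookup on line 123 has the same weakness but is not part of this change). In Set-KVRoleAssignment, `New-AzRoleAssignment` on new line 159 is not followed by any status check, so a non-terminating failure still prints "Added role …" and the closing "Done attempting" message hides that nothing was granted; adding `-ErrorAction Stop` to that call, or guarding the Write-Host with `if ($?)`, keeps the log honest about which assignments actually exist. The enclosing Set-KeyVaultAccessRoles function starts outside the hunk.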