
Commit 6d5716a

Removed the unused Key Vault resource
1 parent b22ea8d commit 6d5716a

9 files changed

Lines changed: 25 additions & 4573 deletions


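--- a/README.md
+++ b/README.md
@@ -181,8 +181,6 @@ Ensures consistent query translation across the organization.
 
 ### Security guidelines
 
-This template uses Azure Key Vault for use by AI Foundry.
-
 This template uses [Managed Identity](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview) for all Azure service communication.
 
 To ensure continued best practices in your own repository, we recommend that anyone creating solutions based on our templates ensure that the [Github secret scanning](https://docs.github.com/code-security/secret-scanning/about-secret-scanning) setting is enabled.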

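--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -331,7 +331,6 @@ var privateDnsZones = [
 'privatelink.openai.azure.com'
 'privatelink.services.ai.azure.com'
 'privatelink.documents.azure.com'
-'privatelink.vaultcore.azure.net'
 'privatelink.blob.${environment().suffixes.storage}'
 'privatelink.file.${environment().suffixes.storage}'
 'privatelink.monitor.azure.com' // Azure Monitor global endpoints (App Insights, DCE)
@@ -346,13 +345,12 @@ var dnsZoneIndex = {
 openAI: 1
 aiServices: 2
 cosmosDB: 3
-keyVault: 4
-storageBlob: 5
-storageFile: 6
-monitor: 7
-oms: 8
-ods: 9
-agentSvc: 10
+storageBlob: 4
+storageFile: 5
+monitor: 6
+oms: 7
+ods: 8
+agentSvc: 9
 }
 
 // ===================================================
@@ -854,34 +852,6 @@ module storageAccount 'modules/storageAccount.bicep' = {
 }
 }
 
-module keyVault 'modules/keyVault.bicep' = {
-name: take('module.keyVault.${solutionSuffix}', 64)
-#disable-next-line no-unnecessary-dependson
-dependsOn: [logAnalyticsWorkspace, virtualNetwork] // required due to optional flags that could change dependency
-params: {
-name: take('kv-${solutionSuffix}', 24)
-location: location
-sku: 'standard'
-logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspaceResourceId : ''
-privateNetworking: enablePrivateNetworking
-? {
-virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
-subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
-privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId
-}
-: null
-roleAssignments: [
-{
-principalId: aiServices.outputs.?systemAssignedMIPrincipalId ?? appIdentity.outputs.principalId
-principalType: 'ServicePrincipal'
-roleDefinitionIdOrName: 'Key Vault Administrator'
-}
-]
-tags: allTags
-enableTelemetry: enableTelemetry
-}
-}
-
 module cosmosDb 'modules/cosmosDb.bicep' = {
 name: take('module.cosmosDb.${solutionSuffix}', 64)
 #disable-next-line no-unnecessary-dependson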
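Review bot: The `dnsZoneIndex` map in the second hunk is hand-renumbered to stay aligned with the `privateDnsZones` array after the `privatelink.vaultcore.azure.net` entry is dropped, and that positional coupling fails silently on the next edit: a stale index resolves a private endpoint to the wrong private DNS zone with no compile-time error, as the removed `avmPrivateDnsZones[dnsZoneIndex.keyVault]` lookup shows. Bicep's `indexOf` can derive each index from the zone name instead, e.g. `cosmosDB: indexOf(privateDnsZones, 'privatelink.documents.azure.com')`, so removing an entry never shifts the others. The same lockstep edit is repeated in infra/main_custom.bicep, so the two files continue to duplicate this block. Nothing in the visible hunks still references `dnsZoneIndex.keyVault` or the `keyVault` module outputs, but the rest of main.bicep is outside these hunks and `modules/keyVault.bicep` is not among the changed files; if it is now unreferenced it should presumably be deleted in the same change so the template does not carry a dead module.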

infra/main.json

Lines changed: 16 additions & 4288 deletions
Large diffs are not rendered by default.

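--- a/infra/main_custom.bicep
+++ b/infra/main_custom.bicep
@@ -317,7 +317,6 @@ var privateDnsZones = [
 'privatelink.openai.azure.com'
 'privatelink.services.ai.azure.com'
 'privatelink.documents.azure.com'
-'privatelink.vaultcore.azure.net'
 'privatelink.blob.${environment().suffixes.storage}'
 'privatelink.file.${environment().suffixes.storage}'
 ]
@@ -328,9 +327,8 @@ var dnsZoneIndex = {
 openAI: 1
 aiServices: 2
 cosmosDB: 3
-keyVault: 4
-storageBlob: 5
-storageFile: 6
+storageBlob: 4
+storageFile: 5
 }
 
 // ===================================================
@@ -797,34 +795,6 @@ resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-
 }
 }
 
-module keyVault 'modules/keyVault.bicep' = {
-name: take('module.keyVault.${solutionSuffix}', 64)
-#disable-next-line no-unnecessary-dependson
-dependsOn: [logAnalyticsWorkspace, virtualNetwork] // required due to optional flags that could change dependency
-params: {
-name: take('kv-${solutionSuffix}', 24)
-location: location
-sku: 'standard'
-logAnalyticsWorkspaceResourceId: enableMonitoring ? logAnalyticsWorkspaceResourceId : ''
-privateNetworking: enablePrivateNetworking
-? {
-virtualNetworkResourceId: virtualNetwork!.outputs.resourceId
-subnetResourceId: virtualNetwork!.outputs.pepsSubnetResourceId
-privateDnsZoneResourceId: avmPrivateDnsZones[dnsZoneIndex.keyVault]!.outputs.resourceId
-}
-: null
-roleAssignments: [
-{
-principalId: aiServices.outputs.?systemAssignedMIPrincipalId ?? appIdentity.outputs.principalId
-principalType: 'ServicePrincipal'
-roleDefinitionIdOrName: 'Key Vault Administrator'
-}
-]
-tags: allTags
-enableTelemetry: enableTelemetry
-}
-}
-
 module cosmosDb 'modules/cosmosDb.bicep' = {
 name: take('module.cosmosDb.${solutionSuffix}', 64)
 #disable-next-line no-unnecessary-dependson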

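--- a/infra/modules/ai-foundry/ai-services.bicep
+++ b/infra/modules/ai-foundry/ai-services.bicep
@@ -537,16 +537,3 @@ type endpointType = {
 @description('The endpoint URI.')
 endpoint: string?
 }
-
-@export()
-@description('The type of the secrets exported to the provided Key Vault.')
-type secretsExportConfigurationType = {
-@description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
-keyVaultResourceId: string
-
-@description('Optional. The name for the accessKey1 secret to create.')
-accessKey1Name: string?
-
-@description('Optional. The name for the accessKey2 secret to create.')
-accessKey2Name: string?
-}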

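--- a/infra/modules/ai-foundry/aifoundry.bicep
+++ b/infra/modules/ai-foundry/aifoundry.bicep
@@ -133,9 +133,6 @@ param managedIdentities managedIdentityAllType?
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
 
-@description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
-param secretsExportConfiguration secretsExportConfigurationType?
-
 var formattedUserAssignedIdentities = reduce(
 map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
 {},
@@ -295,7 +292,6 @@ module cognitive_service_dependencies './dependencies.bicep' = if(!useExistingSe
 ]
 : []
 roleAssignments: roleAssignments
-secretsExportConfiguration: secretsExportConfiguration
 sku: sku
 tags: tags
 }
@@ -314,7 +310,6 @@ module existing_cognitive_service_dependencies './dependencies.bicep' = if(useEx
 lock: lock
 privateEndpoints: privateEndpoints
 roleAssignments: roleAssignments
-secretsExportConfiguration: secretsExportConfiguration
 sku: sku
 tags: tags
 }
@@ -521,19 +516,6 @@ type endpointType = {
 endpoint: string?
 }
 
-@export()
-@description('The type of the secrets exported to the provided Key Vault.')
-type secretsExportConfigurationType = {
-@description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
-keyVaultResourceId: string
-
-@description('Optional. The name for the accessKey1 secret to create.')
-accessKey1Name: string?
-
-@description('Optional. The name for the accessKey2 secret to create.')
-accessKey2Name: string?
-}
-
 @export()
 @description('Values to establish private networking for resources that support createing private endpoints.')
 type aiServicesPrivateNetworkingType = {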

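--- a/infra/modules/ai-foundry/dependencies.bicep
+++ b/infra/modules/ai-foundry/dependencies.bicep
@@ -32,9 +32,6 @@ param tags object?
 @description('Optional. Array of deployments about cognitive service accounts to create.')
 param deployments deploymentType[]?
 
-@description('Optional. Key vault reference and secret settings for the module\'s secrets export.')
-param secretsExportConfiguration secretsExportConfigurationType?
-
 import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.7.0'
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointSingleServiceType[]?
@@ -325,36 +322,6 @@ resource cognitiveService_roleAssignments 'Microsoft.Authorization/roleAssignmen
 }
 ]
 
-module secretsExport 'keyVaultExport.bicep' = if (secretsExportConfiguration != null) {
-name: '${uniqueString(deployment().name, location)}-secrets-kv'
-scope: resourceGroup(
-split(secretsExportConfiguration.?keyVaultResourceId!, '/')[2],
-split(secretsExportConfiguration.?keyVaultResourceId!, '/')[4]
-)
-params: {
-keyVaultName: last(split(secretsExportConfiguration.?keyVaultResourceId!, '/'))
-secretsToSet: union(
-[],
-contains(secretsExportConfiguration!, 'accessKey1Name')
-? [
-{
-name: secretsExportConfiguration!.?accessKey1Name
-value: cognitiveService.listKeys().key1
-}
-]
-: [],
-contains(secretsExportConfiguration!, 'accessKey2Name')
-? [
-{
-name: secretsExportConfiguration!.?accessKey2Name
-value: cognitiveService.listKeys().key2
-}
-]
-: []
-)
-}
-}
-
 module aiProject 'project.bicep' = if(!empty(projectName) || !empty(azureExistingAIProjectResourceId)) {
 name: take('${name}-ai-project-${projectName}-deployment', 64)
 params: {
@@ -369,9 +336,7 @@ module aiProject 'project.bicep' = if(!empty(projectName) || !empty(azureExistin
 
 import { secretsOutputType } from 'br/public:avm/utl/types/avm-common-types:0.7.0'
 @description('A hashtable of references to the secrets exported to the provided Key Vault. The key of each reference is each secret\'s name.')
-output exportedSecrets secretsOutputType = (secretsExportConfiguration != null)
-? toObject(secretsExport!.outputs.secretsSet, secret => last(split(secret.secretResourceId, '/')), secret => secret)
-: {}
+output exportedSecrets secretsOutputType = {}
 
 @description('The private endpoints of the congitive services account.')
 output privateEndpoints privateEndpointOutputType[] = [
@@ -467,16 +432,3 @@ type endpointType = {
 @description('The endpoint URI.')
 endpoint: string?
 }
-
-@export()
-@description('The type of the secrets exported to the provided Key Vault.')
-type secretsExportConfigurationType = {
-@description('Required. The key vault name where to store the keys and connection strings generated by the modules.')
-keyVaultResourceId: string
-
-@description('Optional. The name for the accessKey1 secret to create.')
-accessKey1Name: string?
-
-@description('Optional. The name for the accessKey2 secret to create.')
-accessKey2Name: string?
-}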
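Review bot: In the third hunk `output exportedSecrets secretsOutputType = {}` is now a constant, while the `@description` directly above it still promises "A hashtable of references to the secrets exported to the provided Key Vault", so anyone reading the module contract is told secrets are exported when none ever are. If the output is kept so that callers reading `exportedSecrets` keep compiling, the description should say so, e.g. `@description('Always empty. Secrets export to Key Vault has been removed; the output is retained only for compatibility with existing consumers.')`; otherwise drop the output together with the now-unused `secretsOutputType` import. Removing the `secretsExport` module in the second hunk also removes the `cognitiveService.listKeys().key1`/`key2` calls, so the account keys are no longer copied into a vault at deploy time; that is consistent with the README's Managed Identity guidance, but it is a behaviour change for consumers that read `exportedSecrets` and deserves a sentence in the commit message.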

infra/modules/ai-foundry/keyVaultExport.bicep

Lines changed: 0 additions & 43 deletions
This file was deleted.
