[Hub apps] Create the hub-vault module for saving secrets (#1497)

flanakin · web-flow · commit 23b5d7226bb2 · 2025-04-15T09:37:18.000Z
diff --git a/docs-mslearn/toolkit/changelog.md b/docs-mslearn/toolkit/changelog.md
@@ -35,6 +35,7 @@ The following section lists features and enhancements that are currently in deve
   - Created a new bicep modules to support extensibility:
     - The **hub-app** module tracks telemetry when an app is deployed.
     - The **hub-storage** module creates containers in the hub storage account.
+    - The **hub-vault** module adds secrets to the hub vault.
 
 **Fixed**
   - Workaround subnets reordering and bicep limitation
diff --git a/src/templates/finops-hub/modules/hub-vault.bicep b/src/templates/finops-hub/modules/hub-vault.bicep
@@ -0,0 +1,53 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//==============================================================================
+// Parameters
+//==============================================================================
+
+@description('Required. Name of the publisher-specific Key Vault instance.')
+param vaultName string
+
+@description('Required. Name of the Key Vault secret to create or update.')
+param secretName string
+
+@description('Required. Value of the Key Vault secret.')
+@secure()
+param secretValue string
+
+@description('Optional. Value of the Key Vault secret expiration date (exp) property. This is represented as seconds since Jan 1, 1970.')
+param secretExpirationInSeconds int = -1
+
+@description('Optional. Value of the Key Vault secret not before date (nbf) property. This is represented as seconds since Jan 1, 1970.')
+param secretNotBeforeInSeconds int = -1
+
+
+//==============================================================================
+// Resources
+//==============================================================================
+
+resource vault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
+  name: vaultName
+
+  resource secret 'secrets' = {
+    name: secretName
+    properties: {
+      attributes: union({
+        enabled: true
+      }, secretExpirationInSeconds <= 0 ? {} : {
+        exp: secretExpirationInSeconds
+      }, secretNotBeforeInSeconds <= 0 ? {} : {
+        nbf: secretNotBeforeInSeconds
+      })
+      value: secretValue
+    }
+  }
+}
+
+
+//==============================================================================
+// Outputs
+//==============================================================================
+
+@description('Name of the Key Vault secret.')
+output secretName string = vault::secret.name
diff --git a/src/templates/finops-hub/modules/keyVault.bicep b/src/templates/finops-hub/modules/keyVault.bicep
@@ -66,6 +66,7 @@ var formattedAccessPolicies = [for accessPolicy in accessPolicies: {
 // Resources
 //==============================================================================
 
+// TODO: Move vault creation to the hub-app module
 resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
   name: keyVaultName
   location: location
@@ -100,16 +101,14 @@ resource keyVault_accessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2023-
   }
 }
 
-resource keyVault_secret 'Microsoft.KeyVault/vaults/secrets@2023-02-01' = if (!empty(storageAccountKey)) {
-  name: keyVaultSecretName
-  parent: keyVault
-  properties: {
-    attributes: {
-      enabled: true
-      exp: 1702648632
-      nbf: 10000
-    }
-    value: storageAccountKey
+module keyVault_secret 'hub-vault.bicep' = if (!empty(storageAccountKey)) {
+  name: 'keyVault_secret'
+  params: {
+    vaultName: keyVault.name
+    secretName: keyVaultSecretName
+    secretValue: storageAccountKey
+    secretExpirationInSeconds: 1702648632
+    secretNotBeforeInSeconds: 10000
   }
 }
 
