Using azure keyvault with nsg-component
In order to use Azure Key Vault with an NSG (Network Security Group) component in Pulumi, you would typically follow these steps:
- Provision an Azure Key Vault: Key Vault is an Azure service that safeguards encryption keys and secrets like certificates, connection strings, and passwords.
- Set up a Network Security Group: An NSG contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
- Configure Key Vault network rules: The vault's own network ACLs (IP rules and virtual network rules) restrict which networks can reach the vault. NSG rules govern traffic at the subnet or NIC level; the two complement each other rather than one replacing the other.
Let's write a Pulumi program in TypeScript that performs the following actions:
- Creates an Azure Resource Group.
- Sets up an Azure Key Vault with a specified name.
- Configures network rules and a Network Security Group (NSG) with sample security rules.
Please note that for the Key Vault, policies and permissions to manage keys, secrets, and certificates still have to be set. For simplicity and as a starting point, this base setup does not cover them; add access policies (or RBAC assignments) according to your use case. For the NSG, the security rules are greatly simplified, and you should adapt them to your specific requirements.
Here is your Pulumi TypeScript program:
```typescript
import * as azure from '@pulumi/azure-native';
import { ResourceGroup } from '@pulumi/azure-native/resources';
import { NetworkSecurityGroup, SecurityRule } from '@pulumi/azure-native/network';

// Create an Azure Resource Group
const resourceGroup = new ResourceGroup('my-resourcegroup');

// Create an Azure Key Vault whose firewall denies everything that is not
// explicitly listed in the network rules below
const vault = new azure.keyvault.Vault('my-keyvault', {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
    properties: {
        sku: {
            family: 'A',
            name: azure.keyvault.SkuName.Standard,
        },
        // Placeholder: replace with the Azure AD tenant ID of the subscription
        tenantId: 'your-azure-tenant-id',
        accessPolicies: [],
        networkAcls: {
            defaultAction: azure.keyvault.NetworkRuleAction.Deny,
            bypass: azure.keyvault.NetworkRuleBypassOptions.None,
            ipRules: [
                // Example: allow traffic from a specific public IP range
                { value: '203.0.113.0/24' },
            ],
            virtualNetworkRules: [
                // Example: allow traffic from a specific subnet. The id must be a
                // subnet resource id (not the virtual network id), and the subnet
                // needs the Microsoft.KeyVault service endpoint enabled.
                // Replace with your actual subnet id.
                {
                    id: '/subscriptions/subid/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet',
                },
            ],
        },
    },
});

// Create a Network Security Group and a Security Rule
const nsg = new NetworkSecurityGroup('my-nsg', {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location,
});

// Inbound security rule allowing TCP traffic on port 443 (HTTPS)
const rule = new SecurityRule('my-https-rule', {
    resourceGroupName: resourceGroup.name,
    networkSecurityGroupName: nsg.name,
    protocol: 'Tcp',
    access: 'Allow',
    direction: 'Inbound',
    sourceAddressPrefix: 'Internet',
    sourcePortRange: '*',
    destinationAddressPrefix: '*',
    destinationPortRange: '443',
    priority: 100,
    description: 'Allow inbound HTTPS traffic.',
});

// Export the Azure Resource Group name, Key Vault ID and NSG ID
export const resourceGroupName = resourceGroup.name;
export const keyVaultId = vault.id;
export const networkSecurityGroupId = nsg.id;
```
In this program, we first import the required packages from the `@pulumi/azure-native` module. We then create an Azure Resource Group that acts as a container for all the resources we'll deploy.

Next, we create an Azure Key Vault with a network ACL (Access Control List) that denies all access by default (`defaultAction: azure.keyvault.NetworkRuleAction.Deny`). We then explicitly allow traffic from a certain IP range using `ipRules`, and from one subnet using `virtualNetworkRules`. Replace `'your-azure-tenant-id'` with your Azure tenant ID.

Following the Key Vault setup, we create a Network Security Group (NSG) and define a sample security rule within it. This sample rule allows inbound HTTPS traffic on port 443, common for secure web traffic. Real-world rules would be more complex and tailored to your environment.
Finally, we export the Resource Group name, Key Vault ID, and Network Security Group ID. These exports could be used to integrate with other parts of your infrastructure or for reference in other Pulumi stacks.
Remember to replace placeholder values with your actual information before running this code. The 'my-resourcegroup', 'my-keyvault', 'my-nsg', and 'my-https-rule' are the logical names that we've used in this program. The actual names within Azure will be generated by Pulumi.
Additionally, the `tenantId` is a placeholder and should be replaced with the unique identifier of the Azure Active Directory tenant in which the Key Vault is being created. The virtual network and IP rules are just examples, and you need to configure them as required for your use case.