  1. #this scripts will create keyvault, assign permissions to users, apps, and groups.
  2. #pipeline service principal App ObjectID will be assigned list,get and set permissions.
  3.  
  4.  
  5. [CmdletBinding()]
  6. Param(
  7. [Parameter(Mandatory=$true)]$location,
  8. [Parameter(Mandatory=$true)]$resourceGroupName,
  9. [Parameter(Mandatory=$true)]$keyVaultName,
  10. [Parameter(Mandatory=$true)]$secretName,
  11. [Parameter(Mandatory=$true)]$secretValue,
  12. [Parameter(Mandatory=$true)]$keyVaultUsers,
  13. [Parameter(Mandatory=$true)]$svcPrincipalAppObjectId
  14. )
  15.  
  16. Write-Host "Starting to Create the Key Vault"
  17.  
  18. # Create new resource group if not exists.
  19. $rgAvail = Get-AzResourceGroup -Name $resourceGroupName -Location $location -ErrorAction SilentlyContinue
  20. if(!$rgAvail){
  21. New-AzResourceGroup -Name $resourceGroupName -Location $location
  22. }
  23.  
  24.  
  25.  
  26. # Create new key vault if not exists. (enabling it for Disk Encryption, Deployment and Template Deployment)
  27. $kvAvail = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction SilentlyContinue
  28. if(!$kvAvail){
  29. New-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Location $location -Sku 'Standard' -EnabledForDiskEncryption -EnabledForDeployment -EnabledForTemplateDeployment
  30. # Wait few seconds for DNS entry to propagate
  31. Start-Sleep -Seconds 15
  32.  
  33. #give permissions to service principal to create secrets
  34. Set-AzKeyVaultAccessPolicy -BypassObjectIdValidation -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ObjectId $svcPrincipalAppObjectId -PermissionsToKeys list,get -PermissionsToSecrets list,get,set -PermissionsToCertificates list,get
  35. # Add the Administrator policies to the Key Vault
  36. foreach ($adminUser in $keyVaultUsers.Split(',')) {
  37. #$UserObjectId = (Get-AzureRmADUser -SearchString $adminUser).Id
  38. #Write-Host "Connection Key Vault URL is " $adminUser
  39. Set-AzKeyVaultAccessPolicy -BypassObjectIdValidation -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ObjectId $adminUser -PermissionsToKeys list,get -PermissionsToSecrets list,get -PermissionsToCertificates list,get
  40. }
  41. }
  42.  
  43. # Add or update a secret to key vault.
  44. $secretVal = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
  45. $secret = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName -SecretValue $secretVal
  46.  
  47. Write-Host "Connection Key Vault URL is " $secret