Bicep Module Documentation
| Property | Value | Description |
|---|---|---|
| general (required) | general | Shared settings for the resource: location, resource group, naming, tags, role assignments and resource locks |
| createMode | 'default' 'recover' | The vault create mode: 'default' creates a new vault, 'recover' restores a soft-deleted vault of the same name |
| enabledForDeployment | bool | Allow Azure Virtual Machines to retrieve certificates stored as secrets (default: false) |
| enabledForDiskEncryption | bool | Allow Azure Disk Encryption to retrieve secrets and unwrap keys (default: false) |
| enabledForTemplateDeployment | bool | Allow Azure Resource Manager to retrieve secrets referenced in templates (default: false) |
| enablePurgeProtection | bool | Enable purge protection: a soft-deleted vault or object cannot be purged before its retention period ends. Once set to true it cannot be changed back to false (default: true) [Requires soft delete] |
| enableSoftDelete | bool | Enable soft delete, so that deleted vaults and objects stay recoverable for softDeleteRetentionInDays. Once set to true it cannot be changed back to false (default: true) |
| enableRbacAuthorization | bool | Use Azure RBAC for data-plane authorization instead of vault access policies; when true, accessPolicies are ignored (default: true) |
| sku | 'premium' 'standard' | Sku of the keyvault; 'premium' adds HSM-backed keys (default: standard) |
| softDeleteRetentionInDays | int | Number of days a soft-deleted vault or object is retained before it can be purged, 7 to 90 (default: 7) |
| tenantId | string | Tenant Id of the tenant to be used for authenticating requests (default: your own tenant) |
| publicNetworkAccess | 'Disabled' 'Enabled' | Allow access from public networks; when Disabled the vault is reachable only through private endpoints, whatever networkAcls says (default: Enabled) |
| networkAcls | networkAcls | Set firewall rules (only effective while publicNetworkAccess is Enabled) |
| accessPolicies | keyvaultAccessPolicy[] | Only use this when in vault access policy mode, not required in RBAC mode |
| privateLink | privateLink | Settings for the private endpoint and private link for this resource |
| diagnosticSettings | diagnosticSetting[] | Diagnostic Settings for the resource |
networkAcls
| Property | Value | Description |
|---|---|---|
| bypass | 'AzureServices' 'None' | Let trusted Azure services through the firewall; with 'None' they are subject to the same rules as any other caller (default: None) |
| defaultAction | 'Allow' 'Deny' | Action for traffic that matches no ipRules or virtualNetworkRules; 'Deny' gives a default-deny firewall (default: Deny) |
| ipRules | keyVaultIpRule[] | Public IPv4 addresses or ranges allowed through the firewall [array of IP rules] |
| virtualNetworkRules | keyVaultVirtualNetworkRule[] | Subnets allowed through the firewall [array of subnet resource Ids] |
keyVaultIpRule
| Property | Value | Description |
|---|---|---|
| value (required) | string | A single IPv4 address or an IPv4 range in CIDR notation; IPv6 is not supported |
keyVaultVirtualNetworkRule
| Property | Value | Description |
|---|---|---|
| id (required) | string | Full resource Id of the subnet (within its virtual network) that should be allowed |
| ignoreMissingVnetServiceEndpoint (required) | bool | Create the rule even if the subnet has no Microsoft.KeyVault service endpoint yet; the rule only takes effect once that endpoint exists |
keyvaultAccessPolicy
| Property | Value | Description |
|---|---|---|
| applicationId | string | Application Id of the client acting on behalf of the principal (compound identity); omit for a plain user or service principal |
| objectId (required) | string | Object Id of the user, group or service principal the policy grants permissions to |
| tenantId | string | Tenant Id of the tenant to be used for authenticating requests (default: your own tenant) |
| keyPermissions | keyvaultKeyPermissions[] | List of key permissions for this principal |
| certificatePermissions | keyvaultCertificatePermissions[] | List of certificate permissions for this principal |
| secretPermissions | keyvaultSecretPermissions[] | List of secret permissions for this principal |
| storagePermissions | keyvaultStoragePermissions[] | List of storage account permissions for this principal |
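The following Bicep is an added example, not code from the module itself, showing how the vault-level, networkAcls and accessPolicies properties from the tables above combine into a default-deny configuration. The subnet name, the office CIDR, the principal Id and the `keyVaultSettings` variable name are placeholders; the permission names in the access policy are the standard Key Vault permission strings.

```bicep
// Added example (not part of the module): hardened settings for the Key Vault
// module parameters documented above. Subnet, CIDR and principal Id are
// assumed placeholders; property names follow the tables on this page.
@description('Subnet whose workloads may reach the vault through the firewall (assumed value).')
param workloadSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet-prd-weu', 'snet-app')

@description('Object Id of the workload identity; only used in access-policy mode (assumed value).')
param workloadPrincipalId string = '00000000-0000-0000-0000-000000000000'

@description('true = Azure RBAC on the data plane (recommended); false = legacy vault access policies.')
param useRbac bool = true

@description('true = public endpoint stays open behind the firewall; false = private endpoints only.')
param allowPublicViaFirewall bool = false

var keyVaultSettings = {
  sku: 'premium'                          // HSM-backed keys available
  createMode: 'default'
  enableSoftDelete: true                  // irreversible once true
  softDeleteRetentionInDays: 90           // maximum; 7 is the documented default
  enablePurgeProtection: true             // requires soft delete; irreversible once true
  enableRbacAuthorization: useRbac
  // Trusted-service toggles stay off unless a concrete workload needs them.
  enabledForDeployment: false
  enabledForDiskEncryption: false
  enabledForTemplateDeployment: false
  // With 'Disabled' only private endpoints can reach the vault and the
  // firewall below is moot; it is kept so a later re-enable still denies by default.
  publicNetworkAccess: allowPublicViaFirewall ? 'Enabled' : 'Disabled'
  networkAcls: {
    bypass: 'AzureServices'               // 'None' (the default) also blocks trusted services
    defaultAction: 'Deny'
    ipRules: [
      { value: '203.0.113.0/24' }         // IPv4 CIDR only (assumed office range)
    ]
    virtualNetworkRules: [
      {
        id: workloadSubnetId              // full subnet resource Id
        ignoreMissingVnetServiceEndpoint: false
      }
    ]
  }
  // Access policies are ignored in RBAC mode, so the list is empty there.
  // In policy mode grant the minimum the workload needs: no list/set/delete.
  accessPolicies: useRbac ? [] : [
    {
      objectId: workloadPrincipalId
      secretPermissions: [ 'get' ]
      keyPermissions: [ 'get', 'wrapKey', 'unwrapKey' ]
      certificatePermissions: []
      storagePermissions: []
    }
  ]
}

output keyVaultSettings object = keyVaultSettings
```

Pass `keyVaultSettings` into the module with the spread of its properties as individual parameters, or copy the values into the module call; the point of the variable is that the two switches (`useRbac`, `allowPublicViaFirewall`) are the only places where the posture can be relaxed, and both default to the stricter setting.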
| Property | Value | Description |
|---|---|---|
| name (required) | string | Name of the secret |
| tags | object | Tags of the resource [hashtable] |
| keyVaultId (required) | string | Resource Id of the keyvault that holds the secret |
| enabled | bool | Determines whether the secret is enabled |
| exp | int | Expiry date in seconds since 1970-01-01T00:00:00Z (Unix time) |
| nbf | int | Not-before date in seconds since 1970-01-01T00:00:00Z (Unix time) |
| contentType | string | The content type of the secret |
| resourceGroupName | string | Resource group in which the password-generation (pwdgen) script runs |
diagnosticLogSettings
Set the resourceType property to specify the type of object.
For Custom, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Custom' | |
| category | string | Name of a Diagnostic Log category for the resource type this setting is applied to. To obtain the list of categories for a resource, first perform a GET diagnostic settings operation |
| categoryGroup | string | Name of a Diagnostic Log category group (for example 'audit' or 'allLogs') for the resource type this setting is applied to; set either category or categoryGroup, not both |
| enabled | bool | A value indicating whether this log is enabled (default: true) |
| retentionPolicy | retentionPolicy | The retention policy for this log |
Set the resourceType property to specify the type of object.
For App Service Plan, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'App Service Plan' | |
Set the resourceType property to specify the type of object.
For Azure Firewall, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Azure Firewall' | |
| category | 'AZFWApplicationRule' 'AZFWApplicationRuleAggregation' 'AZFWDnsQuery' 'AZFWFatFlow' 'AZFWFlowTrace' 'AZFWFqdnResolveFailure' 'AZFWIdpsSignature' 'AZFWNatRule' 'AZFWNatRuleAggregation' 'AZFWNetworkRule' 'AZFWNetworkRuleAggregation' 'AZFWThreatIntel' 'AzureFirewallApplicationRule' 'AzureFirewallDnsProxy' 'AzureFirewallNetworkRule' | Name of a Diagnostic Log category for the resource type this setting is applied to. To obtain the list of categories for a resource, first perform a GET diagnostic settings operation |
| categoryGroup | string | Name of a Diagnostic Log category group for the resource type this setting is applied to; set either category or categoryGroup, not both |
| enabled | bool | A value indicating whether this log is enabled (default: true) |
| retentionPolicy | retentionPolicy | The retention policy for this log |
Set the resourceType property to specify the type of object.
For Application Gateway, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Application Gateway' | |
| category | 'ApplicationGatewayAccessLog' 'ApplicationGatewayFirewallLog' 'ApplicationGatewayPerformanceLog' | Name of a Diagnostic Log category for the resource type this setting is applied to. To obtain the list of categories for a resource, first perform a GET diagnostic settings operation |
| categoryGroup | string | Name of a Diagnostic Log category group for the resource type this setting is applied to; set either category or categoryGroup, not both |
| enabled | bool | A value indicating whether this log is enabled (default: true) |
| retentionPolicy | retentionPolicy | The retention policy for this log |
retentionPolicy
| Property | Value | Description |
|---|---|---|
| days (required) | int | Number of days to retain the data; 0 retains it indefinitely. Only applies to a storage account destination |
| enabled (required) | bool | A value indicating whether the retention policy is enabled |
diagnosticMetricSettings
Set the resourceType property to specify the type of object.
For Custom, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Custom' | |
| category | string | Name of a Diagnostic Metric category for the resource type this setting is applied to. To obtain the list of categories for a resource, first perform a GET diagnostic settings operation |
| enabled (required) | bool | A value indicating whether this category is enabled (default: true) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric as an ISO 8601 duration (for example PT1M) |
Set the resourceType property to specify the type of object.
For App Service Plan, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'App Service Plan' | |
| category (required) | 'AllMetrics' | Name of the Diagnostic Metric category; 'AllMetrics' is the only category for this resource type |
| enabled | bool | A value indicating whether this category is enabled (default: true) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric as an ISO 8601 duration (for example PT1M) |
Set the resourceType property to specify the type of object.
For Azure Firewall, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Azure Firewall' | |
| category (required) | 'AllMetrics' | Name of the Diagnostic Metric category; 'AllMetrics' is the only category for this resource type |
| enabled | bool | A value indicating whether this category is enabled (default: true) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric as an ISO 8601 duration (for example PT1M) |
Set the resourceType property to specify the type of object.
For Application Gateway, use:
| Property | Value | Description |
|---|---|---|
| resourceType (required) | 'Application Gateway' | |
| category (required) | 'AllMetrics' | Name of the Diagnostic Metric category; 'AllMetrics' is the only category for this resource type |
| enabled | bool | A value indicating whether this category is enabled (default: true) |
| retentionPolicy | retentionPolicy | The retention policy for this category |
| timeGrain | string | The timegrain of the metric as an ISO 8601 duration (for example PT1M) |
naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between name elements (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' | The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra, self-defined parameter |
| param2 | string | Extra, self-defined parameter |
| param3 | string | Extra, self-defined parameter |
| function (required) | string | Function of the resource [can be app, db, security, ...] |
| useCaseName | string | Name of the use case [can be hub, spoke, ...] |
| suffix | string | Suffix for the resource; if empty nothing is appended, otherwise it is added to the end of the name [can be an index, ...] |
| forceDefaultNaming | bool | Force the Cloud Adoption Framework (CAF) naming instead of the default company naming |
resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: alphanumerics, periods, underscores, hyphens and parentheses. Can't end in a period |
| level (required) | 'CanNotDelete' 'ReadOnly' | The level of the lock. CanNotDelete means authorized users can read and modify the resource but not delete it. ReadOnly means authorized users can only read the resource and can neither modify nor delete it; a ReadOnly lock must be commented out before the resource can be deployed again |
| notes | string | Notes about the lock. Maximum of 512 characters |
| owners | resourceLockOwner[] | The owners of the lock |
resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner |
roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | Object Id of the user, group, service principal or managed identity that receives the role |
| roleDefinitionId (required) | string | The role definition ID; the data file can be used to look this up |
| condition | string | ABAC condition that further restricts the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of the role assignment |
diagnosticSetting
| Property | Value | Description |
|---|---|---|
| name (required) | string | The resource name |
| eventHubAuthorizationRuleId | string | The resource Id for the event hub authorization rule. |
| eventHubName | string | The name of the event hub. If none is specified, the default event hub will be selected. |
| logAnalyticsDestinationType | string | A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type constructed as follows: {normalized service identity}_{normalized category name}. Possible values are: Dedicated and null (null is default.) |
| logs | diagnosticLogSettings[] | The list of logs settings. |
| marketplacePartnerId | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. |
| metrics | diagnosticMetricSettings[] | The list of metric settings. |
| serviceBusRuleId | string | The service bus rule Id of the diagnostic setting. This is here to maintain backwards compatibility. |
| storageAccountId | string | The resource ID of the storage account to which you would like to send Diagnostic Logs. |
| workspaceId | string | The full ARM resource ID of the Log Analytics workspace to which you would like to send Diagnostic Logs. Example: /subscriptions/4b9e8510-67ab-4e9a-95a9-e2f1e570ea9c/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2 |
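The following Bicep is an added example, not code from the module, showing a `diagnosticSettings` entry for the vault built from the diagnosticSetting, diagnosticLogSettings, diagnosticMetricSettings and retentionPolicy tables above. Key Vault is not one of the built-in resourceType variants, so the 'Custom' variant carries the category names. The workspace name, the setting name and the `vaultDiagnostics` variable are placeholders; 'AuditEvent' and 'AzurePolicyEvaluationDetails' are the Key Vault resource log categories.

```bicep
// Added example (not part of the module): audit logging for the vault sent to
// Log Analytics. The workspace is an assumed placeholder.
@description('Log Analytics workspace that receives the vault logs (assumed value).')
param logAnalyticsWorkspaceId string = resourceId('Microsoft.OperationalInsights/workspaces', 'log-sec-prd')

var vaultDiagnostics = [
  {
    name: 'diag-kv-audit'
    workspaceId: logAnalyticsWorkspaceId
    // 'Dedicated' writes to resource-specific tables instead of AzureDiagnostics,
    // which keeps the schema stable for detection queries.
    logAnalyticsDestinationType: 'Dedicated'
    logs: [
      {
        resourceType: 'Custom'
        category: 'AuditEvent'                 // every data-plane call, allowed or denied
        enabled: true
        // Retention is governed by the workspace; the policy only matters for
        // a storage account destination, so it is left disabled.
        retentionPolicy: { enabled: false, days: 0 }
      }
      {
        resourceType: 'Custom'
        category: 'AzurePolicyEvaluationDetails'
        enabled: true
        retentionPolicy: { enabled: false, days: 0 }
      }
    ]
    metrics: [
      {
        resourceType: 'Custom'
        category: 'AllMetrics'                 // request counts, latency, availability
        enabled: true
        retentionPolicy: { enabled: false, days: 0 }
      }
    ]
  }
]

output diagnosticSettings array = vaultDiagnostics
```

Pass `vaultDiagnostics` as the module's `diagnosticSettings` parameter. Without 'AuditEvent' there is no record of who read which secret, or of requests the firewall or RBAC rejected, so treat that category as mandatory for any vault that holds production material.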
general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |
privateLink
| Property | Value | Description |
|---|---|---|
| pepNaming | naming | Naming for the private endpoint |
| nicNaming | naming | Naming for the network interface of the private endpoint |
| privateLinkNaming | naming | Naming for the private link connection |
| subnets (required) | subnets[] | Id of the subnets and optionally the name of the resource group in which the private endpoint should be created |
| dnsZoneIds (required) | string[] | List of private DNS zone Ids that the endpoint's records need to be linked to |
subnets
| Property | Value | Description |
|---|---|---|
| resourceGroupName | string | Resource group for the private endpoint; resolved in this order: this value, then the resource group of the private endpoint resource, then the resource group of the subnet |
| id (required) | string | Resource Id of the subnet |
| location | string | Location, if the virtual network is in a different location than the resource |
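The following Bicep is an added example, not code from the module, showing the `general` and `privateLink` objects from the tables above wired into a module call: a least-privilege RBAC grant for the consuming application, a delete lock and a private endpoint. The module path, naming values, resource group, identities and resource Ids are placeholders; passing `roleDefinitionId` as a full resource Id is an assumption, and the GUID used is the built-in 'Key Vault Secrets User' role.

```bicep
// Added example (not part of the module): platform wiring for the vault.
// Path, names, identities and Ids are assumed placeholders.
param location string = 'westeurope'
param appPrincipalId string            // managed identity of the consuming app (assumed)
param privateEndpointSubnetId string   // subnet that hosts the private endpoint (assumed)
param keyVaultDnsZoneId string         // privatelink.vaultcore.azure.net zone Id (assumed)

// Shared naming; 'function' is the only required element.
var namingBase = {
  customer: 'contoso'
  environment: 'prd'
  location: 'weu'
  function: 'security'
  useCaseName: 'hub'
}

module keyVault './keyvault.bicep' = {  // module path is an assumption
  name: 'keyvault-deployment'
  params: {
    general: {
      location: location
      resourceGroupName: 'rg-security-prd'
      naming: union(namingBase, { abbreviation: 'kv' })
      sharedNaming: namingBase
      // Data-plane access through Azure RBAC (enableRbacAuthorization defaults to true):
      // the app may read secret values and nothing else.
      roleAssignments: [
        {
          principalId: appPrincipalId
          roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
          description: 'Key Vault Secrets User for the application identity'
        }
      ]
      // CanNotDelete still allows redeployment; ReadOnly would block every later deployment.
      resourceLocks: [
        {
          name: 'lock-kv-nodelete'
          level: 'CanNotDelete'
          notes: 'Protects the vault from accidental deletion'
        }
      ]
    }
    // Private endpoint only: the public endpoint is closed.
    publicNetworkAccess: 'Disabled'
    privateLink: {
      pepNaming: union(namingBase, { abbreviation: 'pep', function: 'kv' })
      nicNaming: union(namingBase, { abbreviation: 'nic', function: 'kv' })
      privateLinkNaming: union(namingBase, { abbreviation: 'pl', function: 'kv' })
      subnets: [
        { id: privateEndpointSubnetId }     // resource group defaults to the endpoint's
      ]
      dnsZoneIds: [ keyVaultDnsZoneId ]     // vault FQDN resolves to the private IP
    }
  }
}
```

The grant deliberately targets a single application identity rather than a group, so the assignment can be traced back to one workload in the audit log; anything needing more than `get` on secrets (rotation, certificate issuance) gets its own assignment with the matching officer role rather than a widening of this one.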