put keyvault fro shared aks to mongo part

Environments/Todo-Mongo-AKS/app/db.bicep

@@ -18,7 +18,6 @@ param collections array = [
 ]
 param databaseName string = ''
 param keyVaultName string
-param keyVaultResourceGroupName string
 
 // Because databaseName is optional in main.bicep, we make sure the database name is set here.
 var defaultDatabaseName = 'Todo'
@@ -32,7 +31,6 @@ module cosmos '../core/database/cosmos/mongo/cosmos-mongo-db.bicep' = {
     location: location
     collections: collections
     keyVaultName: keyVaultName
-    keyVaultResourceGroupName: keyVaultResourceGroupName
     tags: tags
   }
 }

Environments/Todo-Mongo-AKS/core/database/cosmos/cosmos-account.bicep

@@ -5,7 +5,6 @@ param tags object = {}
 
 param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING'
 param keyVaultName string
-param keyVaultResourceGroupName string
 
 @allowed([ 'GlobalDocumentDB', 'MongoDB', 'Parse' ])
 param kind string
@@ -32,16 +31,18 @@ resource cosmos 'Microsoft.DocumentDB/databaseAccounts@2022-08-15' = {
   }
 }
 
-module cosmosConnectionStringModule './cosmos-connection-string.bicep' = {
-  name: 'cosmosConnectionStringModule'
-  scope: resourceGroup(keyVaultResourceGroupName)
-  params: {
-    keyVaultName: keyVaultName
-    connectionStringKey: connectionStringKey
-    connectionString: cosmos.listConnectionStrings().connectionStrings[0].connectionString
+resource cosmosConnectionString 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+  parent: keyVault
+  name: connectionStringKey
+  properties: {
+    value: cosmos.listConnectionStrings().connectionStrings[0].connectionString
   }
 }
 
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}
+
 output connectionStringKey string = connectionStringKey
 output endpoint string = cosmos.properties.documentEndpoint
 output id string = cosmos.id

Environments/Todo-Mongo-AKS/core/database/cosmos/mongo/cosmos-mongo-account.bicep

@@ -4,7 +4,6 @@ param location string = resourceGroup().location
 param tags object = {}
 
 param keyVaultName string
-param keyVaultResourceGroupName string
 param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING'
 
 module cosmos '../../cosmos/cosmos-account.bicep' = {
@@ -14,7 +13,6 @@ module cosmos '../../cosmos/cosmos-account.bicep' = {
     location: location
     connectionStringKey: connectionStringKey
     keyVaultName: keyVaultName
-    keyVaultResourceGroupName: keyVaultResourceGroupName
     kind: 'MongoDB'
     tags: tags
   }

Environments/Todo-Mongo-AKS/core/database/cosmos/mongo/cosmos-mongo-db.bicep

@@ -7,15 +7,13 @@ param tags object = {}
 param collections array = []
 param connectionStringKey string = 'AZURE-COSMOS-CONNECTION-STRING'
 param keyVaultName string
-param keyVaultResourceGroupName string
 
 module cosmos 'cosmos-mongo-account.bicep' = {
   name: 'cosmos-mongo-account'
   params: {
     name: accountName
     location: location
     keyVaultName: keyVaultName
-    keyVaultResourceGroupName: keyVaultResourceGroupName
     tags: tags
     connectionStringKey: connectionStringKey
   }

Environments/Todo-Mongo-AKS/core/security/aks-managed-cluster-access.bicep

@@ -0,0 +1,19 @@
+metadata description = 'Assigns RBAC role to the specified AKS cluster and principal.'
+param clusterName string
+param principalId string
+
+var aksClusterAdminRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
+
+resource aksRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: aksCluster // Use when specifying a scope that is different than the deployment scope
+  name: guid(subscription().id, resourceGroup().id, principalId, aksClusterAdminRole)
+  properties: {
+    roleDefinitionId: aksClusterAdminRole
+    principalType: 'User'
+    principalId: principalId
+  }
+}
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2023-10-02-preview' existing = {
+  name: clusterName
+}

Environments/Todo-Mongo-AKS/core/security/keyvault-access.bicep

@@ -0,0 +1,22 @@
+metadata description = 'Assigns an Azure Key Vault access policy.'
+param name string = 'add'
+
+param keyVaultName string
+param permissions object = { secrets: [ 'get', 'list' ] }
+param principalId string
+
+resource keyVaultAccessPolicies 'Microsoft.KeyVault/vaults/accessPolicies@2022-07-01' = {
+  parent: keyVault
+  name: name
+  properties: {
+    accessPolicies: [ {
+        objectId: principalId
+        tenantId: subscription().tenantId
+        permissions: permissions
+      } ]
+  }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}

Environments/Todo-Mongo-AKS/core/security/keyvault-secret.bicep

@@ -0,0 +1,31 @@
+metadata description = 'Creates or updates a secret in an Azure Key Vault.'
+param name string
+param tags object = {}
+param keyVaultName string
+param contentType string = 'string'
+@description('The value of the secret. Provide only derived values like blob storage access, but do not hard code any secrets in your templates')
+@secure()
+param secretValue string
+
+param enabled bool = true
+param exp int = 0
+param nbf int = 0
+
+resource keyVaultSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+  name: name
+  tags: tags
+  parent: keyVault
+  properties: {
+    attributes: {
+      enabled: enabled
+      exp: exp
+      nbf: nbf
+    }
+    contentType: contentType
+    value: secretValue
+  }
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: keyVaultName
+}

Environments/Todo-Mongo-AKS/core/security/keyvault.bicep

@@ -0,0 +1,26 @@
+metadata description = 'Creates an Azure Key Vault.'
+param name string
+param location string = resourceGroup().location
+param tags object = {}
+
+param principalId string = ''
+
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
+  name: name
+  location: location
+  tags: tags
+  properties: {
+    tenantId: subscription().tenantId
+    sku: { family: 'A', name: 'standard' }
+    accessPolicies: !empty(principalId) ? [
+      {
+        objectId: principalId
+        permissions: { secrets: [ 'get', 'list' ] }
+        tenantId: subscription().tenantId
+      }
+    ] : []
+  }
+}
+
+output endpoint string = keyVault.properties.vaultUri
+output name string = keyVault.name

Environments/Todo-Mongo-AKS/core/security/registry-access.bicep

@@ -0,0 +1,19 @@
+metadata description = 'Assigns ACR Pull permissions to access an Azure Container Registry.'
+param containerRegistryName string
+param principalId string
+
+var acrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+
+resource aksAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  scope: containerRegistry // Use when specifying a scope that is different than the deployment scope
+  name: guid(subscription().id, resourceGroup().id, principalId, acrPullRole)
+  properties: {
+    roleDefinitionId: acrPullRole
+    principalType: 'ServicePrincipal'
+    principalId: principalId
+  }
+}
+
+resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' existing = {
+  name: containerRegistryName
+}

Environments/Todo-Mongo-AKS/core/security/role.bicep

@@ -0,0 +1,21 @@
+metadata description = 'Creates a role assignment for a service principal.'
+param principalId string
+
+@allowed([
+  'Device'
+  'ForeignGroup'
+  'Group'
+  'ServicePrincipal'
+  'User'
+])
+param principalType string = 'ServicePrincipal'
+param roleDefinitionId string
+
+resource role 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(subscription().id, resourceGroup().id, principalId, roleDefinitionId)
+  properties: {
+    principalId: principalId
+    principalType: principalType
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
+  }
+}

Environments/Todo-Mongo-AKS/main.bicep

@@ -9,8 +9,9 @@ param location string = resourceGroup().location
 
 param cosmosAccountName string = ''
 param cosmosDatabaseName string = ''
-param keyvaultName string = ''
-param keyVaultResourceGroupName string = resourceGroup().name
+param keyVaultName string = ''
+param principalId string = ''
+param aksClusterIdentityObjectId string
 
 var abbrs = loadJsonContent('./abbreviations.json')
 var resourceToken = toLower(uniqueString(subscription().id, environmentName, location))
@@ -24,8 +25,26 @@ module cosmos './app/db.bicep' = {
     databaseName: cosmosDatabaseName
     location: location
     tags: tags
-    keyVaultName: keyvaultName
-    keyVaultResourceGroupName: keyVaultResourceGroupName
+    keyVaultName: keyVault.outputs.name
+  }
+}
+
+// Store secrets in a keyvault
+module keyVault './core/security/keyvault.bicep' = {
+  name: 'keyvault'
+  params: {
+    name: !empty(keyVaultName) ? keyVaultName : '${abbrs.keyVaultVaults}${resourceToken}'
+    location: location
+    tags: tags
+    principalId: principalId
+  }
+}
+
+module clusterKeyVaultAccess './core/security/keyvault-access.bicep' = {
+  name: 'cluster-keyvault-access'
+  params: {
+    keyVaultName: keyVaultName
+    principalId: aksClusterIdentityObjectId
   }
 }
 
@@ -36,3 +55,5 @@ output AZURE_COSMOS_DATABASE_NAME string = cosmos.outputs.databaseName
 // App outputs
 output AZURE_LOCATION string = location
 output AZURE_TENANT_ID string = tenant().tenantId
+output AZURE_KEY_VAULT_ENDPOINT string = keyVault.outputs.endpoint
+output AZURE_KEY_VAULT_NAME string = keyVault.outputs.name

Environments/Todo-Shared-AKS/core/host/aks.bicep

@@ -8,9 +8,6 @@ param containerRegistryName string
 @description('The name of the connected log analytics workspace')
 param logAnalyticsName string = ''
 
-@description('The name of the keyvault to grant access')
-param keyVaultName string
-
 @description('The Azure region/location for the AKS resources')
 param location string = resourceGroup().location
 
@@ -212,15 +209,6 @@ module clusterAccess '../security/aks-managed-cluster-access.bicep' = if (enable
   }
 }
 
-// Give the AKS Cluster access to KeyVault
-module clusterKeyVaultAccess '../security/keyvault-access.bicep' = {
-  name: 'cluster-keyvault-access'
-  params: {
-    keyVaultName: keyVaultName
-    principalId: managedCluster.outputs.clusterIdentity.objectId
-  }
-}
-
 // Helpers for node pool configuration
 var nodePoolBase = {
   osType: 'Linux'

Environments/Todo-Shared-AKS/main.bicep

@@ -15,12 +15,8 @@ param containerRegistryName string = ''
 
 param applicationInsightsDashboardName string = ''
 param applicationInsightsName string = ''
-param keyVaultName string = ''
 param logAnalyticsName string = ''
 
-@description('Id of the user or app to assign application roles')
-param principalId string = ''
-
 var abbrs = loadJsonContent('./abbreviations.json')
 var resourceToken = toLower(uniqueString(subscription().id, environmentName, location))
 var tags = { 'azd-env-name': environmentName }
@@ -33,18 +29,6 @@ module aks './core/host/aks.bicep' = {
     name: !empty(clusterName) ? clusterName : '${abbrs.containerServiceManagedClusters}${resourceToken}'
     containerRegistryName: !empty(containerRegistryName) ? containerRegistryName : '${abbrs.containerRegistryRegistries}${resourceToken}'
     logAnalyticsName: monitoring.outputs.logAnalyticsWorkspaceName
-    keyVaultName: keyVault.outputs.name
-  }
-}
-
-// Store secrets in a keyvault
-module keyVault './core/security/keyvault.bicep' = {
-  name: 'keyvault'
-  params: {
-    name: !empty(keyVaultName) ? keyVaultName : '${abbrs.keyVaultVaults}${resourceToken}'
-    location: location
-    tags: tags
-    principalId: principalId
   }
 }
 
@@ -62,8 +46,6 @@ module monitoring './core/monitor/monitoring.bicep' = {
 
 // App outputs
 output APPLICATIONINSIGHTS_CONNECTION_STRING string = monitoring.outputs.applicationInsightsConnectionString
-output AZURE_KEY_VAULT_ENDPOINT string = keyVault.outputs.endpoint
-output AZURE_KEY_VAULT_NAME string = keyVault.outputs.name
 output AZURE_LOCATION string = location
 output AZURE_TENANT_ID string = tenant().tenantId
 output AZURE_AKS_CLUSTER_NAME string = aks.outputs.clusterName