Azure · mccoyp · Dec 16, 2021 · Dec 15, 2021 · Dec 16, 2021
@@ -76,10 +76,6 @@ if (!$DeploymentOutputs['AZURE_MANAGEDHSM_URL']) {
 [Uri] $hsmUrl = $DeploymentOutputs['AZURE_MANAGEDHSM_URL']
 $hsmName = $hsmUrl.Host.Substring(0, $hsmUrl.Host.IndexOf('.'))
 
-$tenant = $DeploymentOutputs['KEYVAULT_TENANT_ID']
-$username = $DeploymentOutputs['KEYVAULT_CLIENT_ID']
-$password = $DeploymentOutputs['KEYVAULT_CLIENT_SECRET']
-
 Log 'Creating 3 X509 certificates to activate security domain'
 $wrappingFiles = foreach ($i in 0..2) {
     $certificate = New-X509Certificate2 "CN=$($hsmUrl.Host)"
@@ -91,10 +87,6 @@ $wrappingFiles = foreach ($i in 0..2) {
     Resolve-Path "$baseName.cer"
 }
 
-# TODO: Use Az module when available; for now, assumes Azure CLI is installed and in $Env:PATH.
-Log "Logging '$username' into the Azure CLI"
-az login --service-principal --tenant "$tenant" --username "$username" --password="$password"
-
 Log "Downloading security domain from '$hsmUrl'"
 
 $sdPath = "$PSScriptRoot\$hsmName-security-domain.key"
@@ -103,15 +95,18 @@ if (Test-Path $sdpath) {
     Remove-Item $sdPath -Force
 }
 
-az keyvault security-domain download --hsm-name $hsmName --security-domain-file $sdPath --sd-quorum 2 --sd-wrapping-keys $wrappingFiles
+Export-AzKeyVaultSecurityDomain -Name $hsmName -Quorum 2 -Certificates $wrappingFiles -OutputPath $sdPath
 
 Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsmUrl'"
 
-# Force a sleep to wait for Managed HSM activation to propagate through Cosmos replication. Issue tracked in AzDo.
-Log "Sleeping for 120 seconds to allow activation to propagate..."
+# Force a sleep to wait for Managed HSM activation to propagate through Cosmos replication. Issue tracked in Azure DevOps.
+Log 'Sleeping for 120 seconds to allow activation to propagate...'
 Start-Sleep -Seconds 120
 
-Log "Creating additional required role assignments for resource access."
-New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto Officer" -ObjectID $DeploymentOutputs["CLIENT_OBJECTID"]
-New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto User" -ObjectID $DeploymentOutputs["CLIENT_OBJECTID"]
-Log "Done."
+$testApplicationOid = $DeploymentOutputs['CLIENT_OBJECTID']
+
+Log "Creating additional required role assignments for '$testApplicationOid'"
+$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto Officer' -ObjectID $testApplicationOid
+$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto User' -ObjectID $testApplicationOid
+
+Log "Role assignments created for '$testApplicationOid'"
@@ -37,22 +37,27 @@
         },
         "hsmLocation": {
             "type": "string",
-            "defaultValue": "westus",
+            "defaultValue": "westus2",
             "allowedValues": [
                 "australiacentral",
                 "canadacentral",
                 "centralus",
                 "eastasia",
+                "eastus",
                 "eastus2",
                 "koreacentral",
+                "northcentralus",
                 "northeurope",
                 "southafricanorth",
                 "southcentralus",
                 "southeastasia",
                 "switzerlandnorth",
                 "uksouth",
+                "westcentralus",
                 "westeurope",
-                "westus"
+                "westus",
+                "westus2",
+                "westus3"
             ],
             "metadata": {
                 "description": "The location of the Managed HSM. By default, this is 'westus'."