
Demo about Azure Key Vault event notification via Event Grid and Logic Apps to Azure Pipelines

JanneMattila/key-vault-to-event-grid-to-logic-apps-to-azure-pipelines

Key Vault(s) to Event Grid to Logic Apps to Azure Pipelines

Demo about Azure Key Vault event notifications via Event Grid and Logic Apps to Azure Pipelines.

Demo architecture

Create one or more Key Vaults. In this demo we'll create two:

```powershell
az group create -n rg-keyvault1 -l northeurope
$kv1=az keyvault create -n kv1000000000010 -g rg-keyvault1 -l northeurope --query id -o tsv

az group create -n rg-keyvault2 -l northeurope
$kv2=az keyvault create -n kv2000000000010 -g rg-keyvault2 -l northeurope --query id -o tsv
```

To deploy the demo infrastructure, run the following script:

```powershell
cd deploy
.\deploy.ps1 -KeyVaults $kv1,$kv2
```

Note: It deploys Event Grid System topics to the resource groups of the key vaults since that's currently required. See this feedback item for more details: Allow Event Grid topics and subscriptions to be in separate resource groups

You should now have the following Logic App deployed:

Deployed Logic App

Demo

Create or update a secret in one of your Key Vaults:

```powershell
az keyvault secret set -n abc --vault-name kv2000000000010 --value "Hello!"
```

After a while you should see the following data arriving in your request bin:

```json
{
  "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
  "objectName": "abc",
  "objectType": "Secret",
  "vaultName": "kv2000000000010"
}
```

Your Azure DevOps pipeline should also be executed, with access to the freshly updated Key Vault secrets!
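An added example (not code from this repository): a PowerShell sketch of the mapping from a Key Vault event in the Event Grid event schema to the four-field payload shown above, with allow-list checks on the vault, event type and object name before anything downstream is triggered. The function name, the allow-lists and the sample event are constructed for illustration; the repository's Logic App may do this differently.

```powershell
# Added example, not part of the repository; names and sample data are constructed.
function ConvertTo-KeyVaultNotification {
    param(
        [Parameter(Mandatory)] [string] $EventJson,
        [string[]] $AllowedVaults     = @('kv1000000000010', 'kv2000000000010'),
        [string[]] $AllowedEventTypes = @('Microsoft.KeyVault.SecretNewVersionCreated')
    )
    # Event Grid delivers one event or an array of events; foreach handles both.
    $gridEvents = ConvertFrom-Json -InputObject $EventJson
    foreach ($e in $gridEvents) {
        $d = $e.data
        if ($e.eventType -notin $AllowedEventTypes) {
            Write-Warning "Dropped: unexpected event type '$($e.eventType)'"; continue
        }
        if ($d.VaultName -notin $AllowedVaults) {
            Write-Warning "Dropped: vault '$($d.VaultName)' is not allow-listed"; continue
        }
        # The topic (resource ID of the source) must name the same vault as the data block.
        $vaultSuffix = '/providers/Microsoft\.KeyVault/vaults/' + [regex]::Escape($d.VaultName) + '$'
        if ($e.topic -notmatch $vaultSuffix) {
            Write-Warning "Dropped: topic does not match vault '$($d.VaultName)'"; continue
        }
        # Key Vault object names are 1-127 characters of letters, digits and hyphens.
        if ($d.ObjectName -notmatch '^[0-9a-zA-Z-]{1,127}$') {
            Write-Warning 'Dropped: malformed object name'; continue
        }
        [pscustomobject]@{
            eventType  = $e.eventType
            objectName = $d.ObjectName
            objectType = $d.ObjectType
            vaultName  = $d.VaultName
        }
    }
}

# Constructed sample in the Event Grid event schema (subscription ID is a placeholder).
$sample = @'
[{
  "id": "00000000-0000-0000-0000-000000000001",
  "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-keyvault2/providers/Microsoft.KeyVault/vaults/kv2000000000010",
  "subject": "abc",
  "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
  "eventTime": "2024-01-01T00:00:00Z",
  "data": { "Id": "https://kv2000000000010.vault.azure.net/secrets/abc/<version>",
            "VaultName": "kv2000000000010", "ObjectType": "Secret", "ObjectName": "abc" },
  "dataVersion": "1"
}]
'@
ConvertTo-KeyVaultNotification -EventJson $sample | ConvertTo-Json
```

Only the object name and vault name travel in the payload, never the secret value, so the pipeline still has to read the secret from Key Vault under its own identity.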

Logic Apps development flow

Developing Logic Apps in the Azure Portal is easy, and you can use jeffhollan/LogicAppTemplateCreator to extract your templates. In a nutshell, it works like this:

```powershell
Import-Module .\LogicAppTemplate.dll

Get-LogicAppTemplate `
  -LogicApp keyvault-event-handler `
  -ResourceGroup rg-keyvault-event-local `
  -SubscriptionId <your-subscription-id> `
  -TenantName <your-tenant>.onmicrosoft.com `
  -DiagnosticSettings > azuredeploy-export.json
```

Links

Monitoring Key Vault with Azure Event Grid

Azure Key Vault as Event Grid source
