feat: support shared key vault and create secrets in azlocal (#4716)

## Description

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #123
Fixes #456
Closes #123
Closes #456
-->

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.azure-stack-hci.cluster](https://github.com/Infrastructure-as-code-Automation/bicep-registry-modules/actions/workflows/avm.res.azure-stack-hci.cluster.yml/badge.svg?branch=hangxu%2Fazlocal2)](https://github.com/Infrastructure-as-code-Automation/bicep-registry-modules/actions/workflows/avm.res.azure-stack-hci.cluster.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [ ] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [ ] Update to documentation

## Checklist

- [ ] I'm sure there are no other open Pull Requests for the same
update/change
- [ ] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ ] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Co-authored-by: Hangyu Xu <[email protected]>

Author: xhy8759

avm/res/azure-stack-hci/cluster/README.md

@@ -8,7 +8,6 @@ This module deploys an Azure Stack HCI Cluster on the provided Arc Machines.
 - [Usage examples](#Usage-examples)
 - [Parameters](#Parameters)
 - [Outputs](#Outputs)
-- [Cross-referenced modules](#Cross-referenced-modules)
 - [Data Collection](#Data-Collection)
 
 ## Resource Types
@@ -18,6 +17,7 @@ This module deploys an Azure Stack HCI Cluster on the provided Arc Machines.
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.AzureStackHCI/clusters` | [2024-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AzureStackHCI/clusters) |
 | `Microsoft.AzureStackHCI/clusters/deploymentSettings` | [2024-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.AzureStackHCI/clusters/deploymentSettings) |
+| `Microsoft.KeyVault/vaults/secrets` | [2023-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KeyVault/2023-07-01/vaults/secrets) |
 
 ## Usage examples
 
@@ -156,6 +156,12 @@ module cluster 'br/public:avm/res/azure-stack-hci/cluster:<version>' = {
       ]
       subnetMask: '255.255.255.0'
     }
+    deploymentUser: 'deployUser'
+    deploymentUserPassword: '<deploymentUserPassword>'
+    localAdminPassword: '<localAdminPassword>'
+    localAdminUser: 'admin-hci'
+    servicePrincipalId: '<servicePrincipalId>'
+    servicePrincipalSecret: '<servicePrincipalSecret>'
   }
 }
 ```
@@ -288,6 +294,24 @@ module cluster 'br/public:avm/res/azure-stack-hci/cluster:<version>' = {
         ],
         "subnetMask": "255.255.255.0"
       }
+    },
+    "deploymentUser": {
+      "value": "deployUser"
+    },
+    "deploymentUserPassword": {
+      "value": "<deploymentUserPassword>"
+    },
+    "localAdminPassword": {
+      "value": "<localAdminPassword>"
+    },
+    "localAdminUser": {
+      "value": "admin-hci"
+    },
+    "servicePrincipalId": {
+      "value": "<servicePrincipalId>"
+    },
+    "servicePrincipalSecret": {
+      "value": "<servicePrincipalSecret>"
     }
   }
 }
@@ -416,6 +440,12 @@ param deploymentSettings = {
   ]
   subnetMask: '255.255.255.0'
 }
+param deploymentUser = 'deployUser'
+param deploymentUserPassword = '<deploymentUserPassword>'
+param localAdminPassword = '<localAdminPassword>'
+param localAdminUser = 'admin-hci'
+param servicePrincipalId = '<servicePrincipalId>'
+param servicePrincipalSecret = '<servicePrincipalSecret>'
 ```
 
 </details>
@@ -553,6 +583,12 @@ module cluster 'br/public:avm/res/azure-stack-hci/cluster:<version>' = {
       ]
       subnetMask: '255.255.255.0'
     }
+    deploymentUser: 'deployUser'
+    deploymentUserPassword: '<deploymentUserPassword>'
+    localAdminPassword: '<localAdminPassword>'
+    localAdminUser: 'admin-hci'
+    servicePrincipalId: '<servicePrincipalId>'
+    servicePrincipalSecret: '<servicePrincipalSecret>'
     tags: {
       Environment: 'Non-Prod'
       'hidden-title': 'This is visible in the resource name'
@@ -697,6 +733,24 @@ module cluster 'br/public:avm/res/azure-stack-hci/cluster:<version>' = {
         "subnetMask": "255.255.255.0"
       }
     },
+    "deploymentUser": {
+      "value": "deployUser"
+    },
+    "deploymentUserPassword": {
+      "value": "<deploymentUserPassword>"
+    },
+    "localAdminPassword": {
+      "value": "<localAdminPassword>"
+    },
+    "localAdminUser": {
+      "value": "admin-hci"
+    },
+    "servicePrincipalId": {
+      "value": "<servicePrincipalId>"
+    },
+    "servicePrincipalSecret": {
+      "value": "<servicePrincipalSecret>"
+    },
     "tags": {
       "value": {
         "Environment": "Non-Prod",
@@ -837,6 +891,12 @@ param deploymentSettings = {
   ]
   subnetMask: '255.255.255.0'
 }
+param deploymentUser = 'deployUser'
+param deploymentUserPassword = '<deploymentUserPassword>'
+param localAdminPassword = '<localAdminPassword>'
+param localAdminUser = 'admin-hci'
+param servicePrincipalId = '<servicePrincipalId>'
+param servicePrincipalSecret = '<servicePrincipalSecret>'
 param tags = {
   Environment: 'Non-Prod'
   'hidden-title': 'This is visible in the resource name'
@@ -855,17 +915,36 @@ param tags = {
 | :-- | :-- | :-- |
 | [`name`](#parameter-name) | string | The name of the Azure Stack HCI cluster - this must be a valid Active Directory computer name and will be the name of your cluster in Azure. |
 
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`deploymentUser`](#parameter-deploymentuser) | string | The name of the deployment user. Required if useSharedKeyVault is true. |
+| [`deploymentUserPassword`](#parameter-deploymentuserpassword) | securestring | The password of the deployment user. Required if useSharedKeyVault is true. |
+| [`localAdminPassword`](#parameter-localadminpassword) | securestring | The password of the local admin user. Required if useSharedKeyVault is true. |
+| [`localAdminUser`](#parameter-localadminuser) | string | The name of the local admin user. Required if useSharedKeyVault is true. |
+| [`servicePrincipalId`](#parameter-serviceprincipalid) | string | The service principal ID for ARB. Required if useSharedKeyVault is true. |
+| [`servicePrincipalSecret`](#parameter-serviceprincipalsecret) | string | The service principal secret for ARB. Required if useSharedKeyVault is true. |
+
 **Optional parameters**
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`azureStackLCMUserCredentialContentType`](#parameter-azurestacklcmusercredentialcontenttype) | string | Content type of the azure stack lcm user credential. |
+| [`azureStackLCMUserCredentialTags`](#parameter-azurestacklcmusercredentialtags) | object | Tags of azure stack LCM user credential. |
+| [`defaultARBApplicationContentType`](#parameter-defaultarbapplicationcontenttype) | string | Content type of the default ARB application. |
+| [`defaultARBApplicationTags`](#parameter-defaultarbapplicationtags) | object | Tags of the default ARB application. |
 | [`deploymentOperations`](#parameter-deploymentoperations) | array | The cluster deployment operations to execute. Defaults to "[Validate, Deploy]". |
 | [`deploymentSettings`](#parameter-deploymentsettings) | object | The deployment settings of the cluster. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
+| [`localAdminCredentialContentType`](#parameter-localadmincredentialcontenttype) | string | Content type of the local admin credential. |
+| [`localAdminCredentialTags`](#parameter-localadmincredentialtags) | object | Tags of the local admin credential. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
 | [`useSharedKeyVault`](#parameter-usesharedkeyvault) | bool | Specify whether to use the shared key vault for the HCI cluster. |
+| [`witnessStoragekeyContentType`](#parameter-witnessstoragekeycontenttype) | string | Content type of the witness storage key. |
+| [`witnessStoragekeyTags`](#parameter-witnessstoragekeytags) | object | Tags of the witness storage key. |
 
 ### Parameter: `name`
 
@@ -874,6 +953,78 @@ The name of the Azure Stack HCI cluster - this must be a valid Active Directory
 - Required: Yes
 - Type: string
 
+### Parameter: `deploymentUser`
+
+The name of the deployment user. Required if useSharedKeyVault is true.
+
+- Required: No
+- Type: string
+
+### Parameter: `deploymentUserPassword`
+
+The password of the deployment user. Required if useSharedKeyVault is true.
+
+- Required: No
+- Type: securestring
+
+### Parameter: `localAdminPassword`
+
+The password of the local admin user. Required if useSharedKeyVault is true.
+
+- Required: No
+- Type: securestring
+
+### Parameter: `localAdminUser`
+
+The name of the local admin user. Required if useSharedKeyVault is true.
+
+- Required: No
+- Type: string
+
+### Parameter: `servicePrincipalId`
+
+The service principal ID for ARB. Required if useSharedKeyVault is true.
+
+- Required: No
+- Type: string
+
+### Parameter: `servicePrincipalSecret`
+
+The service principal secret for ARB. Required if useSharedKeyVault is true.
+
+- Required: No
+- Type: string
+
+### Parameter: `azureStackLCMUserCredentialContentType`
+
+Content type of the azure stack lcm user credential.
+
+- Required: No
+- Type: string
+- Default: `'Secret'`
+
+### Parameter: `azureStackLCMUserCredentialTags`
+
+Tags of azure stack LCM user credential.
+
+- Required: No
+- Type: object
+
+### Parameter: `defaultARBApplicationContentType`
+
+Content type of the default ARB application.
+
+- Required: No
+- Type: string
+- Default: `'Secret'`
+
+### Parameter: `defaultARBApplicationTags`
+
+Tags of the default ARB application.
+
+- Required: No
+- Type: object
+
 ### Parameter: `deploymentOperations`
 
 The cluster deployment operations to execute. Defaults to "[Validate, Deploy]".
@@ -1176,6 +1327,21 @@ Enable/Disable usage telemetry for module.
 - Type: bool
 - Default: `True`
 
+### Parameter: `localAdminCredentialContentType`
+
+Content type of the local admin credential.
+
+- Required: No
+- Type: string
+- Default: `'Secret'`
+
+### Parameter: `localAdminCredentialTags`
+
+Tags of the local admin credential.
+
+- Required: No
+- Type: object
+
 ### Parameter: `location`
 
 Location for all resources.
@@ -1304,6 +1470,21 @@ Specify whether to use the shared key vault for the HCI cluster.
 - Type: bool
 - Default: `True`
 
+### Parameter: `witnessStoragekeyContentType`
+
+Content type of the witness storage key.
+
+- Required: No
+- Type: string
+- Default: `'Secret'`
+
+### Parameter: `witnessStoragekeyTags`
+
+Tags of the witness storage key.
+
+- Required: No
+- Type: object
+
 ## Outputs
 
 | Output | Type | Description |
@@ -1314,14 +1495,6 @@ Specify whether to use the shared key vault for the HCI cluster.
 | `resourceId` | string | The ID of the cluster. |
 | `systemAssignedMIPrincipalId` | string | The managed identity of the cluster. |
 
-## Cross-referenced modules
-
-This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
-
-| Reference | Type |
-| :-- | :-- |
-| `br/public:avm/utl/types/avm-common-types:0.5.1` | Remote reference |
-
 ## Data Collection
 
 The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at <https://go.microsoft.com/fwlink/?LinkID=824704>. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.

avm/res/azure-stack-hci/cluster/main.bicep

@@ -36,6 +36,50 @@ param roleAssignments roleAssignmentType[]?
 @description('Optional. Specify whether to use the shared key vault for the HCI cluster.')
 param useSharedKeyVault bool = true
 
+@description('Conditional. The name of the deployment user. Required if useSharedKeyVault is true.')
+param deploymentUser string?
+
+@secure()
+@description('Conditional. The password of the deployment user. Required if useSharedKeyVault is true.')
+param deploymentUserPassword string?
+
+@description('Conditional. The name of the local admin user. Required if useSharedKeyVault is true.')
+param localAdminUser string?
+
+@secure()
+@description('Conditional. The password of the local admin user. Required if useSharedKeyVault is true.')
+param localAdminPassword string?
+
+@description('Conditional. The service principal ID for ARB. Required if useSharedKeyVault is true.')
+param servicePrincipalId string?
+
+@description('Conditional. The service principal secret for ARB. Required if useSharedKeyVault is true.')
+param servicePrincipalSecret string?
+
+@description('Optional. Content type of the azure stack lcm user credential.')
+param azureStackLCMUserCredentialContentType string = 'Secret'
+
+@description('Optional. Content type of the local admin credential.')
+param localAdminCredentialContentType string = 'Secret'
+
+@description('Optional. Content type of the witness storage key.')
+param witnessStoragekeyContentType string = 'Secret'
+
+@description('Optional. Content type of the default ARB application.')
+param defaultARBApplicationContentType string = 'Secret'
+
+@description('Optional. Tags of azure stack LCM user credential.')
+param azureStackLCMUserCredentialTags object?
+
+@description('Optional. Tags of the local admin credential.')
+param localAdminCredentialTags object?
+
+@description('Optional. Tags of the witness storage key.')
+param witnessStoragekeyTags object?
+
+@description('Optional. Tags of the default ARB application.')
+param defaultARBApplicationTags object?
+
 // ============= //
 //   Variables   //
 // ============= //
@@ -113,6 +157,30 @@ resource cluster 'Microsoft.AzureStackHCI/clusters@2024-04-01' = {
   tags: tags
 }
 
+module secrets './secrets.bicep' = if (useSharedKeyVault) {
+  name: '${uniqueString(deployment().name, location)}-secrets'
+  params: {
+    clusterName: name
+    cloudId: cluster.properties.cloudId
+    keyVaultName: deploymentSettings!.keyVaultName
+    storageAccountName: deploymentSettings!.clusterWitnessStorageAccountName
+    deploymentUser: deploymentUser!
+    deploymentUserPassword: deploymentUserPassword!
+    localAdminUser: localAdminUser!
+    localAdminPassword: localAdminPassword!
+    servicePrincipalId: servicePrincipalId!
+    servicePrincipalSecret: servicePrincipalSecret!
+    azureStackLCMUserCredentialContentType: azureStackLCMUserCredentialContentType
+    localAdminCredentialContentType: localAdminCredentialContentType
+    witnessStoragekeyContentType: witnessStoragekeyContentType
+    defaultARBApplicationContentType: defaultARBApplicationContentType
+    azureStackLCMUserCredentialTags: azureStackLCMUserCredentialTags
+    localAdminCredentialTags: localAdminCredentialTags
+    witnessStoragekeyTags: witnessStoragekeyTags
+    defaultARBApplicationTags: defaultARBApplicationTags
+  }
+}
+
 @batchSize(1)
 module deploymentSetting 'deployment-setting/main.bicep' = [
   for deploymentOperation in sortedDeploymentOperations: if (!empty(deploymentOperation) && !empty(deploymentSettings)) {
@@ -404,3 +472,16 @@ type deploymentSettingsType = {
   @description('Optional. If using a shared key vault or non-legacy secret naming, pass the properties.cloudId guid from the pre-created HCI cluster resource.')
   cloudId: string?
 }
+
+@export()
+@description('Key vault secret names interface')
+type KeyVaultSecretNames = {
+  @description('Required. The name of the Azure Stack HCI LCM user credential secret.')
+  azureStackLCMUserCredential: string
+  @description('Required. The name of the Azure Stack HCI local admin credential secret.')
+  localAdminCredential: string
+  @description('Required. The name of the Azure Stack HCI default ARB application secret.')
+  defaultARBApplication: string
+  @description('Required. The name of the Azure Stack HCI witness storage key secret.')
+  witnessStorageKey: string
+}