From bde05cdd6e5eba20b56a0355b86c2a760fe5840a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CRishikesh?=
Date: Thu, 2 Mar 2023 21:23:13 +0000
Subject: [PATCH 01/10] feature: added initial files for KV
---
 azurerm/modules/azurerm-kv/README.md | 123 ++++++++++++++++
 azurerm/modules/azurerm-kv/constraints.tf | 9 ++
 .../azurerm-kv/example/.terraform.lock.hcl | 21 +++
 .../modules/azurerm-kv/example/constraints.tf | 9 ++
 azurerm/modules/azurerm-kv/example/main.tf | 31 ++++
 .../modules/azurerm-kv/example/providers.tf | 14 ++
 azurerm/modules/azurerm-kv/example/vars.tf | 62 ++++++++
 azurerm/modules/azurerm-kv/main.tf | 53 +++++++
 azurerm/modules/azurerm-kv/output.tf | 10 ++
 azurerm/modules/azurerm-kv/providers.tf | 8 +
 azurerm/modules/azurerm-kv/vars.tf | 137 ++++++++++++++++++
 11 files changed, 477 insertions(+)
 create mode 100644 azurerm/modules/azurerm-kv/README.md
 create mode 100644 azurerm/modules/azurerm-kv/constraints.tf
 create mode 100644 azurerm/modules/azurerm-kv/example/.terraform.lock.hcl
 create mode 100644 azurerm/modules/azurerm-kv/example/constraints.tf
 create mode 100644 azurerm/modules/azurerm-kv/example/main.tf
 create mode 100644 azurerm/modules/azurerm-kv/example/providers.tf
 create mode 100644 azurerm/modules/azurerm-kv/example/vars.tf
 create mode 100644 azurerm/modules/azurerm-kv/main.tf
 create mode 100644 azurerm/modules/azurerm-kv/output.tf
 create mode 100644 azurerm/modules/azurerm-kv/providers.tf
 create mode 100644 azurerm/modules/azurerm-kv/vars.tf
diff --git a/azurerm/modules/azurerm-kv/README.md b/azurerm/modules/azurerm-kv/README.md
new file mode 100644
index 00000000..8442d4f2
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/README.md
@@ -0,0 +1,123 @@ + +# PROJECT_NAME + +DESCRIPTION: +--- +Bootstraps the infrastructure for {{SELECT_APP_TYPE }}. + +Will be used within the provisioned pipeline for your application depending on the options you chose. + +Pipeline implementation for infrastructure relies on workspaces, you can pass in whatever workspace you want from {{ SELECT_DEPLOYMENT_TYPE }} pipeline YAML. + +PREREQUISITES: +--- +Azure Subscripion + - SPN + - Terraform will use this to perform the authentication for the API calls + - you will need the `client_id, subscription_id, client_secret, tenant_id` + +Terraform backend + - resource group (can be manually created for the terraform remote state) + - Blob storage container for the remote state management + + +USAGE: +--- + +To activate the terraform backend for running locally we need to initialise the SPN with env vars to ensure you are running the same way as the pipeline that will ultimately be running any incremental changes. + +```bash +docker run -it --rm -v $(pwd):/opt/tf-lib amidostacks/ci-tf:latest /bin/bash +``` + +```bash +export ARM_CLIENT_ID=xxxx \ +ARM_CLIENT_SECRET=yyyyy \ +ARM_SUBSCRIPTION_ID=yyyyy \ +ARM_TENANT_ID=yyyyy +``` + +alternatively you can run `az login` + +To get up and running locally you will want to create a `terraform.tfvars` file +```bash +TFVAR_CONTENTS=''' +vnet_id = "amido-stacks-vnet-uks-dev" +rg_name = "amido-stacks-rg-uks-dev" +resource_group_location = "uksouth" +name_company = "amido" +name_project = "stacks" +name_component = "spa" +name_environment = "dev" +''' +$TFVAR_CONTENTS > terraform.tfvars +``` + +``` +terraform workspace select dev || terraform workspace new dev +``` + +terraform init -backend-config=./backend.local.tfvars +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [azurerm](#requirement\_azurerm) | ~> 2.5 | + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | ~> 2.5 | + +## 
Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_key_vault.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [create\_kv](#input\_create\_kv) | set value wether to create a KV or not | `bool` | `true` | no | +| [create\_kv\_networkacl](#input\_create\_kv\_networkacl) | whether to create a acl for kv or not | `bool` | `false` | no | +| [enable\_rbac\_authorization](#input\_enable\_rbac\_authorization) | whether Azure Resource Manager is permitted to retrieve secrets from the key vault | `bool` | `false` | no | +| [enabled\_for\_disk\_encryption](#input\_enabled\_for\_disk\_encryption) | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys | `bool` | `true` | no | +| [enabled\_for\_template\_deployment](#input\_enabled\_for\_template\_deployment) | whether Azure Resource Manager is permitted to retrieve secrets from the key vault | `bool` | `false` | no | +| [key\_permissions](#input\_key\_permissions) | List of key permissions | `list(string)` |
[
"Get"
]
| no | +| [name\_component](#input\_name\_component) | Component Name - should/will be used in conventional resource naming. Typically this will be a logical name for this part of the system i.e. `API` \|\| `middleware` or more generic like `Billing` | `string` | `"kv"` | no | +| [network\_acl\_default\_action](#input\_network\_acl\_default\_action) | he Name of the SKU used for this Key Vault. Possible values are standard and premium | `string` | `"Deny"` | no | +| [network\_acls\_bypass](#input\_network\_acls\_bypass) | Specifies which traffic can bypass the network rules. Possible values are AzureServices and None | `string` | `"AzureServices"` | no | +| [network\_acls\_ip\_rules](#input\_network\_acls\_ip\_rules) | The Default Action to use when no rules match from ip\_rules / virtual\_network\_subnet\_ids. Possible values are Allow and Deny | `list(string)` | `[]` | no | +| [purge\_protection\_enabled](#input\_purge\_protection\_enabled) | Is Purge Protection enabled for this Key Vault | `bool` | `false` | no | +| [resource\_group\_location](#input\_resource\_group\_location) | Location of Resource group | `string` | `"uksouth"` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | name of resource group | `string` | n/a | yes | +| [resource\_namer](#input\_resource\_namer) | User defined naming convention applied to all resources created as part of this module | `string` | n/a | yes | +| [resource\_tags](#input\_resource\_tags) | Map of tags to be applied to all resources created as part of this module | `map(string)` | `{}` | no | +| [secret\_permissions](#input\_secret\_permissions) | List of secret permissions, must be one or more | `list(string)` |
[
"Get"
]
| no | +| [sku\_name](#input\_sku\_name) | he Name of the SKU used for this Key Vault. Possible values are standard and premium | `string` | `"standard"` | no | +| [soft\_delete\_retention\_days](#input\_soft\_delete\_retention\_days) | number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 | `number` | `7` | no | +| [storage\_permissions](#input\_storage\_permissions) | List of storage permissions, must be one or more from the following | `list(string)` |
[
"Get"
]
| no |
+| [virtual\_network\_subnet\_ids](#input\_virtual\_network\_subnet\_ids) | One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [id](#output\_id) | The ID of the Key Vault. |
+| [vault\_uri](#output\_vault\_uri) | The URI of the Key Vault, used for performing operations on keys and secrets. |
+
+EXAMPLES:
+---
+There is an examples folder with possible usage patterns.
+
+`example`
+
+
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/constraints.tf b/azurerm/modules/azurerm-kv/constraints.tf
new file mode 100644
index 00000000..2d8ede6f
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/constraints.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.5"
+ }
+ }
+}
diff --git a/azurerm/modules/azurerm-kv/example/.terraform.lock.hcl b/azurerm/modules/azurerm-kv/example/.terraform.lock.hcl
new file mode 100644
index 00000000..492b584e
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/example/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+ version = "2.99.0"
+ constraints = "~> 2.5"
+ hashes = [
+ "h1:/M8yLHqv0uOm9IbHRa4yZvQORr9ir1QyJyIyjGs4ryQ=",
+ "zh:08d81e72e97351538ab4d15548942217bf0c4d3b79ad3f4c95d8f07f902d2fa6",
+ "zh:11fdfa4f42d6b6f01371f336fea56f28a1db9e7b490c5ca0b352f6bbca5a27f1",
+ "zh:12376e2c4b56b76098d5d713d1a4e07e748a926c4d165f0bd6f52157b1f7a7e9",
+ "zh:31f1cb5b88ed1307625050e3ee7dd9948773f522a3f3bf179195d607de843ea3",
+ "zh:767971161405d38412662a73ea40a422125cdc214c72fbc569bcfbea6e66c366",
+ "zh:973c402c3728b68c980ea537319b703c009b902a981b0067fbc64e04a90e434c",
+ "zh:9ec62a4f82ec1e92bceeff80dd8783f61de0a94665c133f7c7a7a68bda9cdbd6",
+ "zh:bbb3b7e1229c531c4634338e4fc81b28bce58312eb843a931a4420abe42d5b7e",
+ "zh:cbbe02cd410d21476b3a081b5fa74b4f1b3d9d79b00214009028d60e859c19a3",
+ "zh:cc00ecc7617a55543b60a0da1196ea92df48c399bcadbedf04c783e3d47c6e08",
+ "zh:eecb9fd0e7509c7fd4763e546ef0933f125770cbab2b46152416e23d5ec9dd53",
+ ]
+}
diff --git a/azurerm/modules/azurerm-kv/example/constraints.tf b/azurerm/modules/azurerm-kv/example/constraints.tf
new file mode 100644
index 00000000..2d8ede6f
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/example/constraints.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~> 2.5"
+ }
+ }
+}
diff --git a/azurerm/modules/azurerm-kv/example/main.tf b/azurerm/modules/azurerm-kv/example/main.tf
new file mode 100644
index 00000000..d7eb71b0
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/example/main.tf
@@ -0,0 +1,31 @@
+data "azurerm_client_config" "current" {}
+
+module "default_label" {
+ source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=0.25.0"
+ namespace = "${var.name_company}-${var.name_project}"
+ stage = var.stage
+ name = "${lookup(var.location_name_map, var.resource_group_location, "uksouth")}-${var.name_component}"
+ attributes = var.attributes
+ delimiter = "-"
+ tags = var.tags
+}
+
+##################################################
+# ResourceGroups
+##################################################
+
+resource "azurerm_resource_group" "default" {
+ name = module.default_label.id
+ location = var.resource_group_location
+ tags = var.tags
+}
+
+module "kv_default" {
+ source = "../../azurerm-kv"
+ resource_namer = module.default_label.id
+ resource_group_name = azurerm_resource_group.default.name
+ resource_group_location = azurerm_resource_group.default.location
+ create_kv_networkacl = true
+ enable_rbac_authorization = false
+
+}
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/example/providers.tf b/azurerm/modules/azurerm-kv/example/providers.tf
new file mode 100644
index 00000000..92818728
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/example/providers.tf
@@ -0,0 +1,14 @@
+terraform {
+ backend "azurerm" {
+ resource_group_name = "tfstateresourcegroup"
+ storage_account_name = "tfstaterishi"
+ container_name = "tfstate"
+ key = "rishi.terraform.tfstate"
+ }
+
+}
+
+provider "azurerm" {
+ features {}
+}
+
diff --git a/azurerm/modules/azurerm-kv/example/vars.tf b/azurerm/modules/azurerm-kv/example/vars.tf
new file mode 100644
index 00000000..3363ba15
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/example/vars.tf
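Review bot: `module "default_label"` pins its git source to the tag `ref=0.25.0`, a mutable reference, so what `terraform init` fetches can change without any change to this repository; pinning to the commit SHA that tag resolves to (`?ref=<commit-sha>`, with the version kept in a comment) makes the dependency immutable and is what a supply-chain review will expect. `module "kv_default"` passes `module.default_label.id` straight through as `resource_namer`, but Key Vault names are limited to 24 characters, so longer company/project/stage combinations fail at apply time rather than at plan time. Consider validating the length here or in the module (`vars.tf` could carry a `validation` block on `resource_namer`); a later patch in this series truncates the name in the example instead.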
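Review bot: The `backend "azurerm"` block hard-codes an author-specific state location (`storage_account_name = "tfstaterishi"`, `key = "rishi.terraform.tfstate"`), so anyone running the example reads and writes that one blob, and Terraform state for this module carries the tenant id, the vault URI and the deploying identity's object id. Leave the block empty as the module's own `providers.tf` does and pass the values with `terraform init -backend-config=...`, which the README already documents; the later patches in this series rename these values but keep them hard-coded, so the same note applies there.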
@@ -0,0 +1,62 @@
+############################################
+# NAMING
+############################################
+
+variable "name_company" {
+ description = "Company Name - should/will be used in conventional resource naming"
+ type = string
+}
+
+variable "name_project" {
+ description = "Project Name - should/will be used in conventional resource naming"
+ type = string
+}
+
+variable "name_component" {
+ description = "Component Name - should/will be used in conventional resource naming. Typically this will be a logical name for this part of the system i.e. `API` || `middleware` or more generic like `Billing`"
+ type = string
+}
+
+variable "name_environment" {
+ type = string
+}
+
+variable "stage" {
+ type = string
+ default = "dev"
+}
+
+variable "attributes" {
+ description = "Additional attributes for tagging"
+ default = []
+}
+
+variable "tags" {
+ description = "Tags to be assigned to all resources, NB if global tagging is enabled these will get overwritten periodically"
+ type = map(string)
+ default = {}
+}
+
+
+variable "resource_group_location" {
+ type = string
+ default = "uksouth"
+}
+
+
+# Each region must have corresponding a shortend name for resource naming purposes
+variable "location_name_map" {
+ type = map(string)
+
+ default = {
+ northeurope = "eun"
+ westeurope = "euw"
+ uksouth = "uks"
+ ukwest = "ukw"
+ eastus = "use"
+ eastus2 = "use2"
+ westus = "usw"
+ eastasia = "ase"
+ southeastasia = "asse"
+ }
+}
diff --git a/azurerm/modules/azurerm-kv/main.tf b/azurerm/modules/azurerm-kv/main.tf
new file mode 100644
index 00000000..e9413ec8
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/main.tf
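Review bot: `variable "name_environment"` is required (no default) but nothing in `example/main.tf` reads it, so every caller must supply a value that has no effect; either remove it or feed it to `module "default_label"` so it participates in the generated name. `variable "attributes"` has no `type`; `type = list(string)` lets Terraform reject a wrong value at plan time instead of inside the label module. `variable "stage"` and `variable "resource_group_location"` have no `description`, unlike the other inputs in this file.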
@@ -0,0 +1,53 @@
+
+# Configure data to access the SPN that has been used to deploy the environment
+data "azurerm_client_config" "current" {
+}
+
+
+resource "azurerm_key_vault" "example" {
+ count = var.create_kv ? 1 : 0
+ name = var.resource_namer
+ location = var.resource_group_location
+ resource_group_name = var.resource_group_name
+ enabled_for_disk_encryption = var.enabled_for_disk_encryption
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ soft_delete_retention_days = var.soft_delete_retention_days
+ purge_protection_enabled = var.purge_protection_enabled
+ enabled_for_template_deployment = var.enabled_for_template_deployment
+ enable_rbac_authorization = var.enable_rbac_authorization
+ sku_name = var.sku_name
+
+
+ dynamic "access_policy" {
+ for_each = var.enable_rbac_authorization == true ? toset([]) : toset([1])
+ content {
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+ key_permissions = var.key_permissions
+ secret_permissions = var.secret_permissions
+ storage_permissions = var.storage_permissions
+ }
+ }
+
+
+ dynamic "network_acls" {
+ for_each = var.create_kv_networkacl == false ? toset([]) : toset([1])
+ content {
+ bypass = var.network_acls_bypass
+ default_action = var.network_acl_default_action
+ ip_rules = var.network_acls_ip_rules
+ virtual_network_subnet_ids = var.virtual_network_subnet_ids
+ }
+
+
+ }
+
+
+ tags = var.resource_tags
+ lifecycle {
+ ignore_changes = [
+ tags,
+ ]
+ }
+}
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/output.tf b/azurerm/modules/azurerm-kv/output.tf
new file mode 100644
index 00000000..8b1be963
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/output.tf
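Review bot: With `create_kv_networkacl` defaulting to `false` the `dynamic "network_acls"` block is omitted entirely, so a vault created with module defaults accepts data-plane requests from any network, and the `"Deny"` default of `network_acl_default_action` never applies unless the caller opts in — the secure-looking default in `vars.tf` is not the effective one. Making the block unconditional (`for_each = [1]`, or dropping `dynamic` altogether) with `default_action = var.network_acl_default_action` would make the documented default the effective one; if the opt-in must stay, the variable description should say that the vault is reachable from any network when it is `false`. The comparisons `var.enable_rbac_authorization == true ? toset([]) : toset([1])` and `var.create_kv_networkacl == false ? toset([]) : toset([1])` read more directly as `var.enable_rbac_authorization ? [] : [1]` and `var.create_kv_networkacl ? [1] : []`. The resource label `example` in a reusable module ends up in every state address and in `output.tf`; `this` is the usual convention. `purge_protection_enabled = false` with `soft_delete_retention_days = 7` is a reasonable development default, but a comment noting that production callers should enable purge protection would help, since it cannot be turned off again once set.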
@@ -0,0 +1,10 @@
+output "id" {
+ description = "The ID of the Key Vault."
+ value = var.create_kv ? azurerm_key_vault.example.0.id : ""
+}
+
+
+output "vault_uri" {
+ description = "vault_uri "
+ value = var.create_kv ? azurerm_key_vault.example.0.vault_uri : ""
+}
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/providers.tf b/azurerm/modules/azurerm-kv/providers.tf
new file mode 100644
index 00000000..fd466fa9
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+ backend "azurerm" {
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
diff --git a/azurerm/modules/azurerm-kv/vars.tf b/azurerm/modules/azurerm-kv/vars.tf
new file mode 100644
index 00000000..64743b8e
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/vars.tf
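Review bot: `azurerm_key_vault.example.0.id` uses the legacy attribute-style index; with `required_version = ">= 0.13"` the supported form is `azurerm_key_vault.example[0].id`, and because `count` already yields an empty list when `create_kv` is false, `value = try(azurerm_key_vault.example[0].id, "")` keeps the `""` fallback without repeating the condition (the same applies to `vault_uri`). `description = "vault_uri "` is a placeholder with a trailing space; the README text `The URI of the Key Vault, used for performing operations on keys and secrets.` is the description to use, and since the README table is generated from these descriptions it will otherwise regress.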
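Review bot: This file declares `backend "azurerm" {}` and a `provider "azurerm"` configuration inside the reusable module, which the example consumes as a child module (`source = "../../azurerm-kv"`). Backend settings only take effect in the root module, and a provider block inside a child module is a legacy pattern that stops callers from using `count`, `for_each` or `depends_on` on the module call and from passing an aliased provider. `constraints.tf` already carries the `required_providers` entry, so this file can be removed from the module; the `features {}` block belongs in the root configuration, as the example's own `providers.tf` shows.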
@@ -0,0 +1,137 @@
+
+
+############################################
+# NAMING
+############################################
+
+variable "resource_namer" {
+ type = string
+ description = "User defined naming convention applied to all resources created as part of this module"
+}
+
+variable "resource_tags" {
+ description = "Map of tags to be applied to all resources created as part of this module"
+ type = map(string)
+ default = {}
+}
+
+variable "name_component" {
+ default = "kv"
+ description = "Component Name - should/will be used in conventional resource naming. Typically this will be a logical name for this part of the system i.e. `API` || `middleware` or more generic like `Billing`"
+ type = string
+}
+############################################
+# RESOURCE INFORMATION
+############################################
+
+variable "resource_group_location" {
+ type = string
+ default = "uksouth"
+ description = "Location of Resource group"
+}
+
+variable "resource_group_name" {
+ type = string
+ description = "name of resource group"
+}
+
+
+###########################
+# CONDITIONAL SETTINGS
+##########################
+
+variable "create_kv" {
+ type = bool
+ default = true
+ description = " set value wether to create a KV or not"
+}
+
+
+###########################
+# KV SETTINGS
+##########################
+
+variable "enabled_for_disk_encryption" {
+ type = bool
+ default = true
+ description = "Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys"
+
+}
+
+variable "soft_delete_retention_days" {
+ type = number
+ default = 7
+ description = "number of days that items should be retained for once soft-deleted. 
This value can be between 7 and 90"
+}
+
+variable "purge_protection_enabled" {
+ type = bool
+ default = false
+ description = "Is Purge Protection enabled for this Key Vault "
+}
+
+variable "enabled_for_template_deployment" {
+ type = bool
+ default = false
+ description = "whether Azure Resource Manager is permitted to retrieve secrets from the key vault "
+}
+
+variable "enable_rbac_authorization" {
+ type = bool
+ default = false
+ description = "whether Azure Resource Manager is permitted to retrieve secrets from the key vault "
+}
+
+variable "create_kv_networkacl" {
+ type = bool
+ default = false
+ description = "whether to create a acl for kv or not "
+}
+variable "sku_name" {
+ type = string
+ default = "standard"
+ description = "he Name of the SKU used for this Key Vault. Possible values are standard and premium"
+}
+
+
+variable "key_permissions" {
+ type = list(string)
+ default = ["Get"]
+ description = "List of key permissions"
+}
+
+variable "secret_permissions" {
+ type = list(string)
+ default = ["Get"]
+ description = "List of secret permissions, must be one or more "
+}
+
+variable "storage_permissions" {
+ type = list(string)
+ default = ["Get"]
+ description = "List of storage permissions, must be one or more from the following "
+}
+
+variable "virtual_network_subnet_ids" {
+ type = list(string)
+ default = []
+ description = "One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault "
+}
+
+variable "network_acls_ip_rules" {
+ type = list(string)
+ default = []
+ description = "The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny "
+}
+
+variable "network_acl_default_action" {
+ type = string
+ default = "Deny"
+ description = "he Name of the SKU used for this Key Vault. 
Possible values are standard and premium"
+}
+
+variable "network_acls_bypass" {
+ type = string
+ default = "AzureServices"
+ description = "Specifies which traffic can bypass the network rules. Possible values are AzureServices and None"
+}
From 372e6ff1dcfa644b21206e6898dc616594c9927a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CRishikesh?=
Date: Fri, 3 Mar 2023 09:11:31 +0000
Subject: [PATCH 02/10] fixed: added generic tfstate container
---
 azurerm/modules/azurerm-kv/example/providers.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/azurerm/modules/azurerm-kv/example/providers.tf b/azurerm/modules/azurerm-kv/example/providers.tf
index 92818728..8ccb8386 100644
--- a/azurerm/modules/azurerm-kv/example/providers.tf
+++ b/azurerm/modules/azurerm-kv/example/providers.tf
@@ -1,9 +1,9 @@
 terraform {
 backend "azurerm" {
- resource_group_name = "tfstateresourcegroup"
- storage_account_name = "tfstaterishi"
+ resource_group_name = "exampletfstateresourcegroup"
+ storage_account_name = "exampletfstate"
 container_name = "tfstate"
- key = "rishi.terraform.tfstate"
+ key = "example.terraform.tfstate"
 }
 }
From 82fec1706e95c1c895c512b91e27e552bd42c427 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CRishikesh?=
Date: Fri, 3 Mar 2023 09:44:36 +0000
Subject: [PATCH 03/10] fixed: removed testing filed
---
 .../azurerm-kv/example/.terraform.lock.hcl | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 azurerm/modules/azurerm-kv/example/.terraform.lock.hcl
diff --git a/azurerm/modules/azurerm-kv/example/.terraform.lock.hcl b/azurerm/modules/azurerm-kv/example/.terraform.lock.hcl
deleted file mode 100644
index 492b584e..00000000
--- a/azurerm/modules/azurerm-kv/example/.terraform.lock.hcl
+++ /dev/null
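Review bot: Several descriptions are copy-paste leftovers that will mislead users and are inherited by the README table: `network_acls_ip_rules` carries the default-action text, `network_acl_default_action` and `sku_name` both start with "he Name of the SKU used for this Key Vault", `enable_rbac_authorization` repeats the `enabled_for_template_deployment` text, `virtual_network_subnet_ids` describes IP addresses/CIDR blocks, and `create_kv` has a leading space and "wether". Suggested wording: `network_acls_ip_rules` — "One or more IP addresses or CIDR blocks allowed to reach the Key Vault", `virtual_network_subnet_ids` — "One or more subnet IDs allowed to reach the Key Vault", `network_acl_default_action` — "Default action when no ip_rules / virtual_network_subnet_ids rule matches. Possible values are Allow and Deny", `enable_rbac_authorization` — "Use Azure RBAC for data-plane authorization instead of access policies". The `key_permissions`, `secret_permissions` and `storage_permissions` lists default to `["Get"]` and, per `main.tf`, are granted to the identity running Terraform, which the descriptions should state. A `validation` block on `network_acl_default_action` (`condition = contains(["Allow", "Deny"], var.network_acl_default_action)`) and on `sku_name` would turn the "Possible values" prose into a plan-time check.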
@@ -1,21 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/azurerm" {
- version = "2.99.0"
- constraints = "~> 2.5"
- hashes = [
- "h1:/M8yLHqv0uOm9IbHRa4yZvQORr9ir1QyJyIyjGs4ryQ=",
- "zh:08d81e72e97351538ab4d15548942217bf0c4d3b79ad3f4c95d8f07f902d2fa6",
- "zh:11fdfa4f42d6b6f01371f336fea56f28a1db9e7b490c5ca0b352f6bbca5a27f1",
- "zh:12376e2c4b56b76098d5d713d1a4e07e748a926c4d165f0bd6f52157b1f7a7e9",
- "zh:31f1cb5b88ed1307625050e3ee7dd9948773f522a3f3bf179195d607de843ea3",
- "zh:767971161405d38412662a73ea40a422125cdc214c72fbc569bcfbea6e66c366",
- "zh:973c402c3728b68c980ea537319b703c009b902a981b0067fbc64e04a90e434c",
- "zh:9ec62a4f82ec1e92bceeff80dd8783f61de0a94665c133f7c7a7a68bda9cdbd6",
- "zh:bbb3b7e1229c531c4634338e4fc81b28bce58312eb843a931a4420abe42d5b7e",
- "zh:cbbe02cd410d21476b3a081b5fa74b4f1b3d9d79b00214009028d60e859c19a3",
- "zh:cc00ecc7617a55543b60a0da1196ea92df48c399bcadbedf04c783e3d47c6e08",
- "zh:eecb9fd0e7509c7fd4763e546ef0933f125770cbab2b46152416e23d5ec9dd53",
- ]
-}
From c00e36886999ec0cc5b3e983fd894ce463ce2829 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CRishikesh?=
Date: Fri, 3 Mar 2023 14:37:29 +0000
Subject: [PATCH 04/10] feat: added terratest
---
 azurerm/modules/azurerm-kv/README.md | 20 +++++-
 azurerm/modules/azurerm-kv/example/main.tf | 2 +-
 azurerm/modules/azurerm-kv/example/output.tf | 8 +++
 azurerm/modules/azurerm-kv/output.tf | 3 +
 .../terratest/terrafrom_azure_kv_test.go | 63 +++++++++++++++++++
 5 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 azurerm/modules/azurerm-kv/example/output.tf
 create mode 100644 azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
diff --git a/azurerm/modules/azurerm-kv/README.md b/azurerm/modules/azurerm-kv/README.md
index 8442d4f2..93ad04b8 100644
--- a/azurerm/modules/azurerm-kv/README.md
+++ b/azurerm/modules/azurerm-kv/README.md
@@ -114,10 +114,28 @@ No modules.
 | [id](#output\_id) | The ID of the Key Vault. |
 | [vault\_uri](#output\_vault\_uri) | The URI of the Key Vault, used for performing operations on keys and secrets. |
-EXAMPLES:
+## EXAMPLES:
 ---
 There is an examples folder with possible usage patterns.
 `example`
+## Terratest:
+---
+There is an terratest folder with possible terratesting patterns
+
+`terratest`
+
+
+Go (requires version >=1.18)
+
+
+Terratest uses the Go testing framework. To use Terratest, you need to install:
+
+``` bash
+ go mod init test
+ go mod tidy
+ go test -v terrafrom_azure_kv_test.go
+```
+
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/example/main.tf b/azurerm/modules/azurerm-kv/example/main.tf
index d7eb71b0..ffafc7ec 100644
--- a/azurerm/modules/azurerm-kv/example/main.tf
+++ b/azurerm/modules/azurerm-kv/example/main.tf
@@ -25,7 +25,7 @@ module "kv_default" {
 resource_namer = module.default_label.id
 resource_group_name = azurerm_resource_group.default.name
 resource_group_location = azurerm_resource_group.default.location
- create_kv_networkacl = true
+ create_kv_networkacl = false
 enable_rbac_authorization = false
 }
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/example/output.tf b/azurerm/modules/azurerm-kv/example/output.tf
new file mode 100644
index 00000000..acf877b9
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/example/output.tf
@@ -0,0 +1,8 @@
+
+output "resource_group_name" {
+ value = azurerm_resource_group.default.name
+}
+
+output "key_vault_name" {
+ value = module.kv_default.key_vault_name
+}
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/output.tf b/azurerm/modules/azurerm-kv/output.tf
index 8b1be963..75d0d875 100644
--- a/azurerm/modules/azurerm-kv/output.tf
+++ b/azurerm/modules/azurerm-kv/output.tf
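Review bot: Flipping `create_kv_networkacl` to `false` makes the example provision a vault with no `network_acls` block at all, i.e. reachable from any network, and since the example is what the terratest run applies, the test now never exercises the module's network-ACL path. If the change is needed for the test environment, a comment saying why (and that production callers should keep it `true`) would stop the example being copied as-is; otherwise keeping `true` with `network_acls_bypass = "AzureServices"` still lets Azure services reach the vault, and the `GetKeyVault` lookup in the test is a management-plane call that the network ACL does not gate.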
@@ -7,4 +7,7 @@ output "id" {
 output "vault_uri" {
 description = "vault_uri "
 value = var.create_kv ? azurerm_key_vault.example.0.vault_uri : ""
+}
+output "key_vault_name" {
+ value = var.create_kv ? azurerm_key_vault.example.0.name : ""
 }
\ No newline at end of file
diff --git a/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go b/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
new file mode 100644
index 00000000..b3802abf
--- /dev/null
+++ b/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
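Review bot: The new `output "key_vault_name"` has no `description`, unlike the two outputs above it, so the generated README table shows `n/a` for it (visible in a later patch of this series); `description = "The name of the Key Vault."` keeps the file consistent. It also repeats the `azurerm_key_vault.example.0.name` legacy index form; `try(azurerm_key_vault.example[0].name, "")` is the 0.13+ form and drops the duplicated `create_kv` condition.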
@@ -0,0 +1,63 @@
+//go:build azure
+// +build azure
+
+// NOTE: We use build tags to differentiate azure testing because we currently do not have azure access setup for
+// CircleCI.
+
+package test
+
+import (
+ "testing"
+
+ "github.com/gruntwork-io/terratest/modules/azure"
+ //"github.com/gruntwork-io/terratest/modules/random"
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestTerraformAzureKeyVaultExample(t *testing.T) {
+ t.Parallel()
+
+ // uniquePostfix := random.UniqueId()
+
+ // website::tag::1:: Configure Terraform setting up a path to Terraform code.
+ terraformOptions := &terraform.Options{
+ // The path to where our Terraform code is located
+ TerraformDir: "../../azurerm-kv/example/",
+ Vars: map[string]interface{}{
+ // "postfix": uniquePostfix,
+ //name_company: amido,
+ "name_company": "bsi",
+ "name_project": "data",
+ "name_component": "kv",
+ "name_environment": "dev",
+ },
+ }
+
+ // website::tag::6:: At the end of the test, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // website::tag::2:: Run `terraform init` and `terraform apply`. Fail the test if there are any errors.
+ terraform.InitAndApply(t, terraformOptions)
+
+ // website::tag::3:: Run `terraform output` to get the values of output variables
+ resourceGroupName := terraform.Output(t, terraformOptions, "resource_group_name")
+ keyVaultName := terraform.Output(t, terraformOptions, "key_vault_name")
+ //expectedSecretName := terraform.Output(t, terraformOptions, "secret_name")
+ //expectedKeyName := terraform.Output(t, terraformOptions, "key_name")
+ //expectedCertificateName := terraform.Output(t, terraformOptions, "certificate_name")
+
+ // website::tag::4:: Determine whether the keyvault exists
+ keyVault := azure.GetKeyVault(t, resourceGroupName, keyVaultName, "")
+ assert.Equal(t, keyVaultName, *keyVault.Name)
+
+ // website::tag::5:: Determine whether the secret, key, and certificate exists
+ //secretExists := azure.KeyVaultSecretExists(t, keyVaultName, expectedSecretName)
+ //assert.True(t, secretExists, "kv-secret does not exist")
+
+ //keyExists := azure.KeyVaultKeyExists(t, keyVaultName, expectedKeyName)
+ //assert.True(t, keyExists, "kv-key does not exist")
+
+ //certificateExists := azure.KeyVaultCertificateExists(t, keyVaultName, expectedCertificateName)
+ //assert.True(t, certificateExists, "kv-cert does not exist")
+}
From f40853944a76e6efaf78844dbf016b84aaa71d14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CRishikesh?=
Date: Mon, 6 Mar 2023 22:05:53 +0000
Subject: [PATCH 05/10] fixed: review comments
---
 azurerm/modules/azurerm-kv/example/main.tf | 2 +-
 azurerm/modules/azurerm-kv/example/output.tf | 2 +-
 azurerm/modules/azurerm-kv/main.tf | 2 +-
 azurerm/modules/azurerm-kv/output.tf | 2 +-
 .../modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go | 5 +----
 5 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/azurerm/modules/azurerm-kv/example/main.tf b/azurerm/modules/azurerm-kv/example/main.tf
index ffafc7ec..d0a0252f 100644
--- a/azurerm/modules/azurerm-kv/example/main.tf
+++ b/azurerm/modules/azurerm-kv/example/main.tf
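Review bot: `azure.GetKeyVault(t, resourceGroupName, keyVaultName, "")` passes an empty subscription ID, so the test silently depends on whichever subscription the environment resolves (presumably `ARM_SUBSCRIPTION_ID`); reading it explicitly and failing early when unset gives a clearer error than a lookup against the wrong subscription. `t.Parallel()` combined with the fixed backend key in `example/providers.tf` means two concurrent runs contend for the same remote state; the commented-out `random.UniqueId()` postfix was presumably meant to avoid that and should either be used or removed. The test asserts only that the vault exists by name; asserting the properties the module is responsible for (RBAC vs access policy, purge protection, network ACL default action) from the returned vault's properties would catch the regressions that matter. The hard-coded `"name_company": "bsi"` next to `//name_company: amido` looks like a leftover, and the `website::tag::N::` comments are copied from the terratest example site and carry no meaning here.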
@@ -28,4 +28,4 @@ module "kv_default" {
 create_kv_networkacl = false
 enable_rbac_authorization = false
-}
\ No newline at end of file
+}
diff --git a/azurerm/modules/azurerm-kv/example/output.tf b/azurerm/modules/azurerm-kv/example/output.tf
index acf877b9..9e548fce 100644
--- a/azurerm/modules/azurerm-kv/example/output.tf
+++ b/azurerm/modules/azurerm-kv/example/output.tf
@@ -5,4 +5,4 @@ output "resource_group_name" {
 output "key_vault_name" {
 value = module.kv_default.key_vault_name
-}
\ No newline at end of file
+}
diff --git a/azurerm/modules/azurerm-kv/main.tf b/azurerm/modules/azurerm-kv/main.tf
index e9413ec8..c79a827f 100644
--- a/azurerm/modules/azurerm-kv/main.tf
+++ b/azurerm/modules/azurerm-kv/main.tf
@@ -50,4 +50,4 @@ resource "azurerm_key_vault" "example" {
 tags,
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/azurerm/modules/azurerm-kv/output.tf b/azurerm/modules/azurerm-kv/output.tf
index 75d0d875..01365cb7 100644
--- a/azurerm/modules/azurerm-kv/output.tf
+++ b/azurerm/modules/azurerm-kv/output.tf
@@ -10,4 +10,4 @@ output "vault_uri" {
 }
 output "key_vault_name" {
 value = var.create_kv ? azurerm_key_vault.example.0.name : ""
-}
\ No newline at end of file
+}
diff --git a/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go b/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
index b3802abf..d92190d2 100644
--- a/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
+++ b/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
@@ -27,11 +27,8 @@ func TestTerraformAzureKeyVaultExample(t *testing.T) {
 Vars: map[string]interface{}{
 // "postfix": uniquePostfix,
 //name_company: amido,
- "name_company": "bsi",
- "name_project": "data",
- "name_component": "kv",
- "name_environment": "dev",
 },
+ VarFiles: []string(filepath.Join("../../azurerm-kv/example/terraform.tfvars"))
 }
 // website::tag::6:: At the end of the test, run `terraform destroy` to clean up any resources that were created
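Review bot: `VarFiles: []string(filepath.Join(...))` is a type conversion rather than a slice literal, `filepath` is not imported, and the trailing comma is missing, so this file does not compile as committed (a later patch in this series corrects it to `VarFiles: []string{filepath.Join("../../azurerm-kv/example/terraform.tfvars")},` and adds the import). Terraform already auto-loads a `terraform.tfvars` found in `TerraformDir`, so the explicit var file is likely redundant, and since that file is not committed the test now fails unless each developer creates it; the README should list the variables it must contain. The now-empty `Vars` map with only commented-out entries can be dropped.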
From 71e3f43c2e17627b4905d4ffe4aa6268061e63e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CRishikesh?=
Date: Mon, 6 Mar 2023 22:28:39 +0000
Subject: [PATCH 06/10] fixe: updated version and newline and terratest
---
 azurerm/modules/azurerm-kv/constraints.tf | 2 +-
 azurerm/modules/azurerm-kv/example/constraints.tf | 2 +-
 azurerm/modules/azurerm-kv/example/providers.tf | 7 +++----
 .../azurerm-kv/terratest/terrafrom_azure_kv_test.go | 5 +++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/azurerm/modules/azurerm-kv/constraints.tf b/azurerm/modules/azurerm-kv/constraints.tf
index 2d8ede6f..5257ed4f 100644
--- a/azurerm/modules/azurerm-kv/constraints.tf
+++ b/azurerm/modules/azurerm-kv/constraints.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.5"
+ version = "~> 3.0"
 }
 }
 }
diff --git a/azurerm/modules/azurerm-kv/example/constraints.tf b/azurerm/modules/azurerm-kv/example/constraints.tf
index 2d8ede6f..5257ed4f 100644
--- a/azurerm/modules/azurerm-kv/example/constraints.tf
+++ b/azurerm/modules/azurerm-kv/example/constraints.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.5"
+ version = "~> 3.0"
 }
 }
 }
diff --git a/azurerm/modules/azurerm-kv/example/providers.tf b/azurerm/modules/azurerm-kv/example/providers.tf
index 8ccb8386..5a170239 100644
--- a/azurerm/modules/azurerm-kv/example/providers.tf
+++ b/azurerm/modules/azurerm-kv/example/providers.tf
@@ -1,9 +1,9 @@
 terraform {
 backend "azurerm" {
- resource_group_name = "exampletfstateresourcegroup"
- storage_account_name = "exampletfstate"
+ resource_group_name = "tfstateresourcegroup"
+ storage_account_name = "tfstate"
 container_name = "tfstate"
- key = "example.terraform.tfstate"
+ key = "dev.terraform.tfstate"
 }
 }
@@ -11,4 +11,3 @@ terraform {
 provider "azurerm" {
 features {}
 }
-
diff --git a/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go b/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
index d92190d2..35fcce49 100644
--- a/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
+++ b/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
@@ -7,6 +7,7 @@
 package test
 import (
+ "path/filepath"
 "testing"
 "github.com/gruntwork-io/terratest/modules/azure"
@@ -24,11 +25,11 @@ func TestTerraformAzureKeyVaultExample(t *testing.T) {
 terraformOptions := &terraform.Options{
 // The path to where our Terraform code is located
 TerraformDir: "../../azurerm-kv/example/",
- Vars: map[string]interface{}{
+ Vars: map[string]interface{}{
 // "postfix": uniquePostfix,
 //name_company: amido,
 },
- VarFiles: []string(filepath.Join("../../azurerm-kv/example/terraform.tfvars"))
+ VarFiles: []string{filepath.Join("../../azurerm-kv/example/terraform.tfvars")},
 }
 // website::tag::6:: At the end of the test, run `terraform destroy` to clean up any resources that were created
From 1e3fbce89e3daee3ed8d655f1fce3d9f2a2cb423 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CRishikesh?=
Date: Wed, 15 Mar 2023 18:03:06 +0000
Subject: [PATCH 07/10] fixed: removed terratest
---
 azurerm/modules/azurerm-kv/README.md | 30 ++------
 azurerm/modules/azurerm-kv/example/main.tf | 2 +-
 .../terratest/terrafrom_azure_kv_test.go | 61 -------------------
 3 files changed, 7 insertions(+), 86 deletions(-)
 delete mode 100644 azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go
diff --git a/azurerm/modules/azurerm-kv/README.md b/azurerm/modules/azurerm-kv/README.md
index 93ad04b8..15846730 100644
--- a/azurerm/modules/azurerm-kv/README.md
+++ b/azurerm/modules/azurerm-kv/README.md
@@ -1,5 +1,5 @@
-# PROJECT_NAME
+ PROJECT_NAME
 DESCRIPTION:
 ---
@@ -63,13 +63,13 @@ terraform init -backend-config=./backend.local.tfvars | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [azurerm](#requirement\_azurerm) | ~> 2.5 | +| [azurerm](#requirement\_azurerm) | ~> 3.0 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 2.5 | +| [azurerm](#provider\_azurerm) | ~> 3.0 | ## Modules @@ -112,30 +112,12 @@ No modules. | Name | Description | |------|-------------| | [id](#output\_id) | The ID of the Key Vault. | -| [vault\_uri](#output\_vault\_uri) | The URI of the Key Vault, used for performing operations on keys and secrets. | +| [key\_vault\_name](#output\_key\_vault\_name) | n/a | +| [vault\_uri](#output\_vault\_uri) | vault\_uri | ## EXAMPLES: --- There is an examples folder with possible usage patterns. `example` - -## Terratest: ---- -There is an terratest folder with possible terratesting patterns - -`terratest` - - -Go (requires version >=1.18) - - -Terratest uses the Go testing framework. To use Terratest, you need to install: - -``` bash - go mod init test - go mod tidy - go test -v terrafrom_azure_kv_test.go -``` - - \ No newline at end of file + diff --git a/azurerm/modules/azurerm-kv/example/main.tf b/azurerm/modules/azurerm-kv/example/main.tf index d0a0252f..9067a2ee 100644 --- a/azurerm/modules/azurerm-kv/example/main.tf +++ b/azurerm/modules/azurerm-kv/example/main.tf @@ -22,7 +22,7 @@ resource "azurerm_resource_group" "default" { module "kv_default" { source = "../../azurerm-kv" - resource_namer = module.default_label.id + resource_namer = "${substr(replace(module.default_label.id, "-", ""), 0, 24)}" resource_group_name = azurerm_resource_group.default.name resource_group_location = azurerm_resource_group.default.location create_kv_networkacl = false 
diff --git a/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go b/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go deleted file mode 100644 index 35fcce49..00000000 --- a/azurerm/modules/azurerm-kv/terratest/terrafrom_azure_kv_test.go +++ /dev/null 
@@ -1,61 +0,0 @@ -//go:build azure -// +build azure - -// NOTE: We use build tags to differentiate azure testing because we currently do not have azure access setup for -// CircleCI. - -package test - -import ( - "path/filepath" - "testing" - - "github.com/gruntwork-io/terratest/modules/azure" - //"github.com/gruntwork-io/terratest/modules/random" - "github.com/gruntwork-io/terratest/modules/terraform" - "github.com/stretchr/testify/assert" -) - -func TestTerraformAzureKeyVaultExample(t *testing.T) { - t.Parallel() - - // uniquePostfix := random.UniqueId() - - // website::tag::1:: Configure Terraform setting up a path to Terraform code. - terraformOptions := &terraform.Options{ - // The path to where our Terraform code is located - TerraformDir: "../../azurerm-kv/example/", - Vars: map[string]interface{}{ - // "postfix": uniquePostfix, - //name_company: amido, - }, - VarFiles: []string{filepath.Join("../../azurerm-kv/example/terraform.tfvars")}, - } - - // website::tag::6:: At the end of the test, run `terraform destroy` to clean up any resources that were created - defer terraform.Destroy(t, terraformOptions) - - // website::tag::2:: Run `terraform init` and `terraform apply`. Fail the test if there are any errors. 
- terraform.InitAndApply(t, terraformOptions) - - // website::tag::3:: Run `terraform output` to get the values of output variables - resourceGroupName := terraform.Output(t, terraformOptions, "resource_group_name") - keyVaultName := terraform.Output(t, terraformOptions, "key_vault_name") - //expectedSecretName := terraform.Output(t, terraformOptions, "secret_name") - //expectedKeyName := terraform.Output(t, terraformOptions, "key_name") - //expectedCertificateName := terraform.Output(t, terraformOptions, "certificate_name") - - // website::tag::4:: Determine whether the keyvault exists - keyVault := azure.GetKeyVault(t, resourceGroupName, keyVaultName, "") - assert.Equal(t, keyVaultName, *keyVault.Name) - - // website::tag::5:: Determine whether the secret, key, and certificate exists - //secretExists := azure.KeyVaultSecretExists(t, keyVaultName, expectedSecretName) - //assert.True(t, secretExists, "kv-secret does not exist") - - //keyExists := azure.KeyVaultKeyExists(t, keyVaultName, expectedKeyName) - //assert.True(t, keyExists, "kv-key does not exist") - - //certificateExists := azure.KeyVaultCertificateExists(t, keyVaultName, expectedCertificateName) - //assert.True(t, certificateExists, "kv-cert does not exist") -} From b6c92075879cae04ea379115c0fe88be0ee1551c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CRishikesh?= Date: Wed, 15 Mar 2023 18:05:24 +0000 Subject: [PATCH 08/10] fixed: updated name --- azurerm/modules/azurerm-kv/example/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azurerm/modules/azurerm-kv/example/main.tf b/azurerm/modules/azurerm-kv/example/main.tf index 9067a2ee..d0a0252f 100644 --- a/azurerm/modules/azurerm-kv/example/main.tf +++ b/azurerm/modules/azurerm-kv/example/main.tf 
@@ -22,7 +22,7 @@ resource "azurerm_resource_group" "default" { module "kv_default" { source = "../../azurerm-kv" - resource_namer = "${substr(replace(module.default_label.id, "-", ""), 0, 24)}" + resource_namer = module.default_label.id resource_group_name = azurerm_resource_group.default.name resource_group_location = azurerm_resource_group.default.location create_kv_networkacl = false From 094a7f1b2860d951836feff77cd0f84a786e47a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CRishikesh?= Date: Wed, 22 Mar 2023 14:26:14 +0000 Subject: [PATCH 09/10] fixed: removed provider --- azurerm/modules/azurerm-kv/providers.tf | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 azurerm/modules/azurerm-kv/providers.tf diff --git a/azurerm/modules/azurerm-kv/providers.tf b/azurerm/modules/azurerm-kv/providers.tf deleted file mode 100644 index fd466fa9..00000000 --- a/azurerm/modules/azurerm-kv/providers.tf +++ /dev/null @@ -1,8 +0,0 @@ -terraform { - backend "azurerm" { - } -} - -provider "azurerm" { - features {} -} From 1ba6a50229a90485d28f77184c2351da6e2631a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CRishikesh?= Date: Wed, 22 Mar 2023 14:54:46 +0000 Subject: [PATCH 10/10] fixed: updated for PR comments --- azurerm/modules/azurerm-kv/README.md | 4 + azurerm/modules/azurerm-kv/example/main.tf | 2 + .../modules/azurerm-kv/example/providers.tf | 2 +- azurerm/modules/azurerm-kv/example/vars.tf | 13 +++ azurerm/modules/azurerm-kv/main.tf | 83 ++++++++++++++++--- azurerm/modules/azurerm-kv/vars.tf | 12 +++ 6 files changed, 102 insertions(+), 14 deletions(-) diff --git a/azurerm/modules/azurerm-kv/README.md b/azurerm/modules/azurerm-kv/README.md index 15846730..231a1f91 100644 --- a/azurerm/modules/azurerm-kv/README.md +++ b/azurerm/modules/azurerm-kv/README.md 
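Review bot: Reverting `resource_namer` to the raw `module.default_label.id` reintroduces the problem the previous commit's `substr(replace(...), 0, 24)` was working around: Azure Key Vault names are limited to roughly 3–24 alphanumeric characters and hyphens, and a company/project/component/environment label can easily exceed that, in which case the apply fails at the API rather than at plan time. If the module is meant to accept arbitrary labels, a `validation` block on the module's `resource_namer` input, e.g. `condition = can(regex("^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$", var.resource_namer))`, turns that into a plan-time error with a clear message. The earlier truncation approach had its own risk, since two distinct labels can collapse to the same 24-character name, so validating rather than truncating is the safer of the two.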
@@ -80,12 +80,15 @@ No modules. | Name | Type | |------|------| | [azurerm_key_vault.example](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource | +| [azurerm_key_vault_access_policy.contributors_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.reader_access_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [contributor\_object\_ids](#input\_contributor\_object\_ids) | A list of Azure active directory user,group or application object ID's that will have contributor role to the key vault | `list(string)` | `[]` | no | | [create\_kv](#input\_create\_kv) | set value wether to create a KV or not | `bool` | `true` | no | | [create\_kv\_networkacl](#input\_create\_kv\_networkacl) | whether to create a acl for kv or not | `bool` | `false` | no | | [enable\_rbac\_authorization](#input\_enable\_rbac\_authorization) | whether Azure Resource Manager is permitted to retrieve secrets from the key vault | `bool` | `false` | no | 
@@ -97,6 +100,7 @@ No modules. | [network\_acls\_bypass](#input\_network\_acls\_bypass) | Specifies which traffic can bypass the network rules. Possible values are AzureServices and None | `string` | `"AzureServices"` | no | | [network\_acls\_ip\_rules](#input\_network\_acls\_ip\_rules) | The Default Action to use when no rules match from ip\_rules / virtual\_network\_subnet\_ids. Possible values are Allow and Deny | `list(string)` | `[]` | no | | [purge\_protection\_enabled](#input\_purge\_protection\_enabled) | Is Purge Protection enabled for this Key Vault | `bool` | `false` | no | +| [reader\_object\_ids](#input\_reader\_object\_ids) | A list of Azure active directory user,group or application object ID's that will have reader role to the key vault | `list(string)` | `[]` | no | | [resource\_group\_location](#input\_resource\_group\_location) | Location of Resource group | `string` | `"uksouth"` | no | | [resource\_group\_name](#input\_resource\_group\_name) | name of resource group | `string` | n/a | yes | | [resource\_namer](#input\_resource\_namer) | User defined naming convention applied to all resources created as part of this module | `string` | n/a | yes | diff --git a/azurerm/modules/azurerm-kv/example/main.tf b/azurerm/modules/azurerm-kv/example/main.tf index d0a0252f..6ab41033 100644 --- a/azurerm/modules/azurerm-kv/example/main.tf +++ b/azurerm/modules/azurerm-kv/example/main.tf @@ -27,5 +27,7 @@ module "kv_default" { resource_group_location = azurerm_resource_group.default.location create_kv_networkacl = false enable_rbac_authorization = false + contributor_object_ids = var.contributor_object_ids + reader_object_ids = var.reader_object_ids } diff --git a/azurerm/modules/azurerm-kv/example/providers.tf b/azurerm/modules/azurerm-kv/example/providers.tf index 5a170239..bfa215e4 100644 --- a/azurerm/modules/azurerm-kv/example/providers.tf +++ b/azurerm/modules/azurerm-kv/example/providers.tf 
@@ -3,7 +3,7 @@ terraform { resource_group_name = "tfstateresourcegroup" storage_account_name = "tfstate" container_name = "tfstate" - key = "dev.terraform.tfstate" + key = "devkv.terraform.tfstate" } } diff --git a/azurerm/modules/azurerm-kv/example/vars.tf b/azurerm/modules/azurerm-kv/example/vars.tf index 3363ba15..bb52b82e 100644 --- a/azurerm/modules/azurerm-kv/example/vars.tf +++ b/azurerm/modules/azurerm-kv/example/vars.tf @@ -60,3 +60,16 @@ variable "location_name_map" { southeastasia = "asse" } } + + +variable "contributor_object_ids" { + description = "A list of Azure active directory user,group or application object ID's that will have contributor role to the key vault" + type = list(string) + default = [] +} + +variable "reader_object_ids" { + description = "A list of Azure active directory user,group or application object ID's that will have reader role to the key vault" + type = list(string) + default = [] +} diff --git a/azurerm/modules/azurerm-kv/main.tf b/azurerm/modules/azurerm-kv/main.tf index c79a827f..df99ce0d 100644 --- a/azurerm/modules/azurerm-kv/main.tf +++ b/azurerm/modules/azurerm-kv/main.tf @@ -18,19 +18,6 @@ resource "azurerm_key_vault" "example" { sku_name = var.sku_name - dynamic "access_policy" { - for_each = var.enable_rbac_authorization == true ? toset([]) : toset([1]) - content { - - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = data.azurerm_client_config.current.object_id - key_permissions = var.key_permissions - secret_permissions = var.secret_permissions - storage_permissions = var.storage_permissions - } - } - - dynamic "network_acls" { for_each = var.create_kv_networkacl == false ? toset([]) : toset([1]) content { 
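Review bot: Removing the dynamic `access_policy` block also removes the only grant for the identity running Terraform (`data.azurerm_client_config.current.object_id`), and nothing in the new resources re-grants it unless that object id is passed in `contributor_object_ids`. That is a reasonable least-privilege default, but it is a behaviour change for any pipeline that applies this module and then writes secrets with the same service principal, so it belongs in the README alongside the new inputs, for example `# The deploying identity gets no data-plane access by default; list it in contributor_object_ids if the pipeline manages secrets.` above the access-policy resources. The `azurerm_key_vault.example` resource starts and ends outside the hunk.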
@@ -51,3 +38,73 @@ resource "azurerm_key_vault" "example" {
 ]
 }
 }
+
+
+resource "azurerm_key_vault_access_policy" "contributors_access_policy" {
+ count = length(var.contributor_object_ids)
+
+ key_vault_id = azurerm_key_vault.example.0.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = var.contributor_object_ids[count.index]
+
+ key_permissions = [
+ "Get",
+ "List",
+ "Delete",
+ "Create",
+ "Update",
+ "Import",
+ "Backup",
+ "Recover",
+ "Restore"
+ ]
+
+ secret_permissions = [
+ "Get",
+ "List",
+ "Delete",
+ "Set",
+ "Backup",
+ "Recover",
+ "Restore"
+ ]
+
+ certificate_permissions = [
+ "Get",
+ "List",
+ "Update",
+ "Create",
+ "Import",
+ "Delete",
+ "Backup",
+ "Recover",
+ "Restore"
+ ]
+
+ storage_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "reader_access_policy" {
+ count = length(var.reader_object_ids)
+
+ key_vault_id = azurerm_key_vault.example.0.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = var.reader_object_ids[count.index]
+
+ key_permissions = [
+ "Get",
+ "List"
+ ]
+
+ secret_permissions = [
+ "Get",
+ "List"
+ ]
+
+ certificate_permissions = [
+ "Get",
+ "GetIssuers",
+ "List",
+ "ListIssuers"
+ ]
+}
diff --git a/azurerm/modules/azurerm-kv/vars.tf b/azurerm/modules/azurerm-kv/vars.tf
index 64743b8e..37f6d11a 100644
--- a/azurerm/modules/azurerm-kv/vars.tf
+++ b/azurerm/modules/azurerm-kv/vars.tf
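Review bot: Both new `azurerm_key_vault_access_policy` resources reference `azurerm_key_vault.example.0.id`, but their `count` follows only the length of the id lists, so with `create_kv = false` (an input the README lists) and a non-empty list the plan fails on an empty resource list, and with `enable_rbac_authorization = true` policies are still created on a vault that then ignores them for data-plane authorisation, which the removed dynamic block used to guard against through its `for_each`. Gating on both, `count = var.create_kv && !var.enable_rbac_authorization ? length(var.contributor_object_ids) : 0` (and the same for `reader_object_ids`), restores that guard. Indexing by `count.index` also means that removing one object id from the middle of the list re-creates every policy after it, briefly revoking access for principals that did not change; `for_each = toset(var.contributor_object_ids)` with `object_id = each.value` keeps each policy keyed to its principal. Leaving `Purge` out of the contributor set is a sensible default given `purge_protection_enabled` is a separate input.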
@@ -135,3 +135,15 @@ variable "network_acls_bypass" {
 default = "AzureServices"
 description = "Specifies which traffic can bypass the network rules. Possible values are AzureServices and None"
 }
+
+variable "contributor_object_ids" {
+ description = "A list of Azure active directory user,group or application object ID's that will have contributor role to the key vault"
+ type = list(string)
+ default = []
+}
+
+variable "reader_object_ids" {
+ description = "A list of Azure active directory user,group or application object ID's that will have reader role to the key vault"
+ type = list(string)
+ default = []
+}
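Review bot: Neither new variable validates its entries, so a mistyped or empty object id only surfaces at apply time inside the access-policy resource, after the vault itself has already been created. Both inputs take Azure AD object ids, which are GUIDs, so a `validation` block (available from the `>= 0.13` the module already requires) turns that into a plan-time error; the same two variables are duplicated verbatim in `example/vars.tf` in this patch and would want the same treatment, and the description's `object ID's` should read `object IDs` in both places. The validation for `contributor_object_ids` is below; `reader_object_ids` is identical with the name swapped.
```hcl
variable "contributor_object_ids" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for id in var.contributor_object_ids : can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", id))])
    error_message = "Each entry in contributor_object_ids must be an Azure AD object id (GUID)."
  }
}
```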