This module is an opinionated deployment of Azure Key Vault, primarily for use with Ensono Stacks.

To use the module, reference the GitHub repository as the `source` in your Terraform configuration, for example:

```hcl
module "kv_default" {
  # Pin to a release tag or commit with "?ref=<tag-or-sha>" so that upgrades are
  # deliberate rather than whatever the default branch happens to contain.
  source = "github.com/ensono/terraform-azurerm-kv"
  # ...
}
```
## Requirements

No requirements.

## Providers

| Name | Version |
|---|---|
| azurerm | n/a |
| null | n/a |
## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| azurerm_key_vault.example | resource |
| azurerm_key_vault_access_policy.contributors_access_policy | resource |
| azurerm_key_vault_access_policy.reader_access_policy | resource |
| azurerm_monitor_diagnostic_setting.kv_log_analytics | resource |
| azurerm_private_endpoint.pe | resource |
| null_resource.sleep | resource |
| azurerm_monitor_diagnostic_categories.kv_log_analytics_categories | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| contributor_object_ids | A list of Azure Active Directory user, group or application object IDs that will be granted the contributor access policy on the Key Vault | `list(string)` | `[]` | no |
| create_kv | Whether to create the Key Vault | `bool` | `true` | no |
| create_kv_networkacl | Whether to create network ACLs for the Key Vault | `bool` | `false` | no |
| dns_resource_group_name | Name of the resource group that contains the private DNS zone | `string` | `"amido-stacks-euw-de-hub-network"` | no |
| enable_private_network | Determines if the Key Vault will be created as part of the Secure Data Platform (with a private endpoint) | `bool` | `false` | no |
| enable_rbac_authorization | Whether data-plane authorization uses Azure RBAC role assignments instead of Key Vault access policies | `bool` | `false` | no |
| enabled_for_disk_encryption | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys | `bool` | `true` | no |
| enabled_for_template_deployment | Whether Azure Resource Manager is permitted to retrieve secrets from the Key Vault | `bool` | `false` | no |
| is_manual_connection | Does the Private Endpoint require manual approval from the remote resource owner? Changing this forces a new resource to be created | `bool` | `false` | no |
| key_permissions | List of key permissions | `list(string)` | `[…]` | no |
| kv_private_dns_zone_id | Azure resource ID of the Key Vault private DNS zone | `string` | `""` | no |
| la_workspace_id | Log Analytics workspace ID | `string` | `""` | no |
| name_component | Component name, used in conventional resource naming. Typically a logical name for this part of the system, e.g. API or middleware, or something more generic like Billing | `string` | `"kv"` | no |
| network_acl_default_action | The default action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny | `string` | `"Deny"` | no |
| network_acls_bypass | Specifies which traffic can bypass the network rules. Possible values are AzureServices and None | `string` | `"AzureServices"` | no |
| network_acls_ip_rules | One or more IP addresses or CIDR blocks which should be able to access the Key Vault | `list(string)` | `[]` | no |
| pe_resource_group_location | Location of the resource group to provision the private endpoint in | `string` | `""` | no |
| pe_resource_group_name | Name of the resource group to provision the private endpoint in | `string` | `""` | no |
| pe_subnet_id | ID of the subnet for the private endpoint | `string` | `""` | no |
| private_dns_zone_name | Specifies the name of the Private DNS Zone Group | `string` | `"privatelink.vaultcore.azure.net"` | no |
| public_network_access_enabled | Allow public network access to the Key Vault. Set to true or false | `bool` | `true` | no |
| purge_protection_enabled | Is purge protection enabled for this Key Vault | `bool` | `false` | no |
| reader_object_ids | A list of Azure Active Directory user, group or application object IDs that will be granted the reader access policy on the Key Vault | `list(string)` | `[]` | no |
| resource_group_location | Location of the resource group | `string` | `"uksouth"` | no |
| resource_group_name | Name of the resource group | `string` | n/a | yes |
| resource_namer | User-defined naming convention applied to all resources created as part of this module | `string` | n/a | yes |
| resource_tags | Map of tags to be applied to all resources created as part of this module | `map(string)` | `{}` | no |
| secret_permissions | List of secret permissions, must be one or more | `list(string)` | `[…]` | no |
| sku_name | The name of the SKU used for this Key Vault. Possible values are standard and premium | `string` | `"standard"` | no |
| soft_delete_retention_days | Number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 | `number` | `7` | no |
| storage_permissions | List of storage permissions, must be one or more from the following | `list(string)` | `[…]` | no |
| virtual_network_subnet_ids | One or more subnet IDs which should be able to access the Key Vault | `list(string)` | `[]` | no |
## Outputs

| Name | Description |
|---|---|
| id | The ID of the Key Vault |
| key_vault_name | The name of the Key Vault |
| vault_uri | The URI of the Key Vault, used for performing operations on keys and secrets |