https://github.com/launchbynttdata/tf-azurerm-module_reference-key_vault
https://github.com/launchbynttdata/tf-azurerm-module_reference-key_vault
azure infrastructure-as-code platform-automation reference terraform
Last synced: 2 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/launchbynttdata/tf-azurerm-module_reference-key_vault
- Owner: launchbynttdata
- License: apache-2.0
- Created: 2024-05-03T16:14:51.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2026-03-30T14:00:26.000Z (3 months ago)
- Last Synced: 2026-03-30T16:04:33.423Z (3 months ago)
- Topics: azure, infrastructure-as-code, platform-automation, reference, terraform
- Language: HCL
- Homepage:
- Size: 79.1 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
- Notice: NOTICE
Awesome Lists containing this project
README
# tf-azurerm-module_reference-key_vault
[](https://opensource.org/licenses/Apache-2.0)
[](https://creativecommons.org/licenses/by-nc-nd/4.0/)
## Overview
This reference architecture module provisions a Key Vault in its own Resource Group. Based on the inputs provided, it can also
provision a Private Key Vault with private endpoints in a provided subnet.
The module also supports Azure Monitor integration through action groups, metric alerts, diagnostic settings, Log Analytics
workspaces, and scheduled query alerts for Key Vault log-based detections.
## Pre-Commit hooks
[.pre-commit-config.yaml](.pre-commit-config.yaml) file defines certain `pre-commit` hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.
`commitlint` hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:
- **fix**: a commit of the type `fix` patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
- **feat**: a commit of the type `feat` introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
- **BREAKING CHANGE**: a commit that has a footer `BREAKING CHANGE:`, or appends a `!` after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type.
footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
- **build**: a commit of the type `build` adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
- **chore**: a commit of the type `chore` adds changes that don't modify src or test files
- **ci**: a commit of the type `ci` adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
- **docs**: a commit of the type `docs` adds documentation only changes
- **perf**: a commit of the type `perf` adds code change that improves performance
- **refactor**: a commit of the type `refactor` adds code change that neither fixes a bug nor adds a feature
- **revert**: a commit of the type `revert` reverts a previous commit
- **style**: a commit of the type `style` adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
- **test**: a commit of the type `test` adds missing tests or correcting existing tests
Base configuration used for this project is [commitlint-config-conventional (based on the Angular convention)](https://github.com/conventional-changelog/commitlint/tree/master/@commitlint/config-conventional#type-enum)
If you are a developer using vscode, [this](https://marketplace.visualstudio.com/items?itemName=joshbolduc.commitlint) plugin may be helpful.
`detect-secrets-hook` prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS
In order for `pre-commit` hooks to work properly
- You need to have the pre-commit package manager installed. [Here](https://pre-commit.com/#install) are the installation instructions.
- `pre-commit` would install all the hooks when commit message is added by default except for `commitlint` hook. `commitlint` hook would need to be installed manually using the command below
```
pre-commit install --hook-type commit-msg
```
## To test the resource group module locally
1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the `configure` target in the project's [`Makefile`](./Makefile). Before you can run `configure`, familiarize yourself with the variables in the `Makefile` and ensure they're pointing to the right places.
```
make configure
```
This adds in several files and directories that are ignored by `git`. They expose many new Make targets.
2. _THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP._ The first target you care about is `env`. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.
`make configure` command will bring down `azure_env.sh` file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.
These environment variables are used by `terratest` integration suit.
Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.
```
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"
```
Then run this make target to set the environment variables on developer workstation.
```
make env
```
3. The first target you care about is `check`.
**Pre-requisites**
Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are `azure` specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.
- A file named `provider.tf` with contents below
```
provider "azurerm" {
features {}
}
```
- A file named `terraform.tfvars` which contains key value pair of variables used.
Note that since these files are added in `gitignore` they would not be checked in into primitive/segment's git repo.
After creating these files, for running tests associated with the primitive/segment, run
```
make check
```
If `make check` target is successful, developer is good to commit the code to primitive/segment's git repo.
`make check` target
- runs `terraform commands` to `lint`,`validate` and `plan` terraform code.
- runs `conftests`. `conftests` make sure `policy` checks are successful.
- runs `terratest`. This is integration test suit.
- runs `opa` tests
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.5 |
| [azurerm](#requirement\_azurerm) | ~> 3.77 |
## Providers
No providers.
## Modules
| Name | Source | Version |
|------|--------|---------|
| [resource\_names](#module\_resource\_names) | terraform.registry.launch.nttdata.com/module_library/resource_name/launch | ~> 2.0 |
| [resource\_group](#module\_resource\_group) | terraform.registry.launch.nttdata.com/module_primitive/resource_group/azurerm | ~> 1.0 |
| [key\_vault](#module\_key\_vault) | terraform.registry.launch.nttdata.com/module_primitive/key_vault/azurerm | ~> 2.0 |
| [role\_assignment](#module\_role\_assignment) | terraform.registry.launch.nttdata.com/module_primitive/role_assignment/azurerm | ~> 1.2.1 |
| [secrets](#module\_secrets) | terraform.registry.launch.nttdata.com/module_primitive/key_vault_secret/azurerm | ~> 1.0 |
| [imported\_certificates](#module\_imported\_certificates) | terraform.registry.launch.nttdata.com/module_primitive/key_vault_certificate/azurerm | ~> 1.0 |
| [certificate\_issuers](#module\_certificate\_issuers) | terraform.registry.launch.nttdata.com/module_primitive/key_vault_certificate_issuer/azurerm | ~> 1.0 |
| [generated\_certificates](#module\_generated\_certificates) | terraform.registry.launch.nttdata.com/module_primitive/key_vault_certificate/azurerm | ~> 1.0 |
| [private\_endpoint](#module\_private\_endpoint) | terraform.registry.launch.nttdata.com/module_primitive/private_endpoint/azurerm | ~> 1.0 |
| [monitor\_action\_group](#module\_monitor\_action\_group) | terraform.registry.launch.nttdata.com/module_primitive/monitor_action_group/azurerm | ~> 1.0.0 |
| [monitor\_metric\_alert](#module\_monitor\_metric\_alert) | terraform.registry.launch.nttdata.com/module_primitive/monitor_metric_alert/azurerm | ~> 2.0 |
| [monitor\_scheduled\_query\_alert](#module\_monitor\_scheduled\_query\_alert) | terraform.registry.launch.nttdata.com/module_primitive/monitor_scheduled_query_alert/azurerm | ~> 1.0 |
| [log\_analytics\_workspace](#module\_log\_analytics\_workspace) | terraform.registry.launch.nttdata.com/module_primitive/log_analytics_workspace/azurerm | ~> 1.0 |
| [diagnostic\_setting](#module\_diagnostic\_setting) | terraform.registry.launch.nttdata.com/module_primitive/monitor_diagnostic_setting/azurerm | ~> 3.0 |
## Resources
No resources.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [location](#input\_location) | Location of the resource group and other services in this module. | `string` | n/a | yes |
| [key\_vault\_name](#input\_key\_vault\_name) | (Optional) If specified, this module will use this name for key vault else the naming module will create a name.
Length must be less than 24 characters | `string` | `null` | no |
| [enabled\_for\_deployment](#input\_enabled\_for\_deployment) | If Azure VM is permitted to retrieve secrets | `bool` | `false` | no |
| [enabled\_for\_template\_deployment](#input\_enabled\_for\_template\_deployment) | If Azure RM is permitted to retrieve secrets | `bool` | `false` | no |
| [soft\_delete\_retention\_days](#input\_soft\_delete\_retention\_days) | Number of retention days for soft delete | `number` | `7` | no |
| [purge\_protection\_enabled](#input\_purge\_protection\_enabled) | If purge\_protection is enabled | `bool` | `false` | no |
| [sku\_name](#input\_sku\_name) | SKU for the key vault - standard or premium | `string` | `"standard"` | no |
| [access\_policies](#input\_access\_policies) | Additional Access policies for the vault except the current user which are added by default.
Required only when enable\_rbac\_authorization is set to false. |
map(object({
object_id = string
tenant_id = string
key_permissions = list(string)
certificate_permissions = list(string)
secret_permissions = list(string)
storage_permissions = list(string)
})) | `{}` | no |
| [enable\_rbac\_authorization](#input\_enable\_rbac\_authorization) | Enable RBAC authorization for the key vault | `bool` | `false` | no |
| [network\_acls](#input\_network\_acls) | Network ACLs for the key vault | object({
bypass = string
default_action = string
ip_rules = optional(list(string))
virtual_network_subnet_ids = optional(list(string))
}) | {
"bypass": "AzureServices",
"default_action": "Allow",
"ip_rules": [],
"virtual_network_subnet_ids": []
} | no |
| [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | (Optional) Whether public network access is allowed for this Key Vault. Defaults to true. If false, then only private
endpoints can access the Key Vault. | `bool` | `true` | no |
| [certificates](#input\_certificates) | List of certificates to be imported. If `filepath` is specified then the pfx files should be present in the root of the module (path.root). If `content` is specified then the content of the certificate should be provided in base 64 encoded format. Only one of them should be provided. | map(object({
contents = optional(string)
filepath = optional(string)
password = optional(string)
})) | `{}` | no |
| [certificate\_issuers](#input\_certificate\_issuers) | List of certificate issuers to be created | map(object({
provider_name = string
org_id = string
account_id = string
password = string
admins = optional(list(object({
email_address = string
first_name = optional(string)
last_name = optional(string)
phone = optional(string)
})), [])
})) | `{}` | no |
| [generated\_certificates](#input\_generated\_certificates) | List of certificates to be generated using an issuer. | map(object({
issuer_name = string
key_properties = optional(object({
exportable = bool
reuse_key = bool
key_type = string
key_size = optional(number)
curve = optional(string)
}), {
exportable = true
key_type = "RSA"
key_size = 2048
reuse_key = false
})
lifetime_action = optional(object({
action = object({
action_type = string
})
trigger = object({
lifetime_percentage = optional(number)
days_before_expiry = optional(number)
})
}))
secret_properties = optional(object({
content_type = string
}), {
content_type = "application/x-pkcs12"
})
x509_certificate_properties = optional(object({
key_usage = list(string)
extended_key_usage = optional(list(string))
subject = string
validity_in_months = number
subject_alternative_names = optional(object({
dns_names = optional(list(string))
emails = optional(list(string))
upns = optional(list(string))
}))
}))
})) | `{}` | no |
| [secrets](#input\_secrets) | List of secrets (name and value) | `map(string)` | `{}` | no |
| [resource\_names\_map](#input\_resource\_names\_map) | A map of key to resource\_name that will be used by tf-launch-module\_library-resource\_name to generate resource names | map(object({
name = string
max_length = optional(number, 60)
})) | {
"diagnostic_setting": {
"max_length": 80,
"name": "ds"
},
"key_vault": {
"max_length": 24,
"name": "kv"
},
"log_analytics_workspace": {
"max_length": 80,
"name": "law"
},
"private_endpoint": {
"max_length": 80,
"name": "pe"
},
"private_service_connection": {
"max_length": 80,
"name": "pesc"
},
"resource_group": {
"max_length": 80,
"name": "rg"
}
} | no |
| [environment](#input\_environment) | Environment in which the resource should be provisioned like dev, qa, prod etc. | `string` | n/a | yes |
| [environment\_number](#input\_environment\_number) | The environment count for the respective environment. Defaults to 000. Increments in value of 1 | `string` | `"000"` | no |
| [resource\_number](#input\_resource\_number) | The resource count for the respective resource. Defaults to 000. Increments in value of 1 | `string` | `"000"` | no |
| [logical\_product\_family](#input\_logical\_product\_family) | (Required) Name of the product family for which the resource is created.
Example: org\_name, department\_name. | `string` | n/a | yes |
| [logical\_product\_service](#input\_logical\_product\_service) | (Required) Name of the product service for which the resource is created.
For example, backend, frontend, middleware etc. | `string` | n/a | yes |
| [use\_azure\_region\_abbr](#input\_use\_azure\_region\_abbr) | Use Azure region abbreviation in the resource name | `bool` | `true` | no |
| [role\_assignments](#input\_role\_assignments) | A map of role assignments to be created | map(object({
role_definition_name = string
principal_id = string
principal_type = string
})) | `{}` | no |
| [subnet\_id](#input\_subnet\_id) | The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint.
Changing this forces a new resource to be created. | `string` | `null` | no |
| [private\_dns\_zone\_ids](#input\_private\_dns\_zone\_ids) | A list of Private DNS Zone IDs to link with the Private Endpoint. | `list(string)` | `[]` | no |
| [private\_dns\_zone\_group\_name](#input\_private\_dns\_zone\_group\_name) | Specifies the Name of the Private DNS Zone Group. | `string` | `"vault"` | no |
| [is\_manual\_connection](#input\_is\_manual\_connection) | Does the Private Endpoint require Manual Approval from the remote resource owner? Changing this forces a new resource
to be created. | `bool` | `false` | no |
| [subresource\_names](#input\_subresource\_names) | A list of subresource names which the Private Endpoint is able to connect to. subresource\_names corresponds to group\_id.
Possible values are detailed in the product documentation in the Subresources column.
https://docs.microsoft.com/azure/private-link/private-endpoint-overview#private-link-resource | `list(string)` | [
"vault"
]
| no |
| [request\_message](#input\_request\_message) | A message passed to the owner of the remote resource when the private endpoint attempts to establish the connection
to the remote resource. The request message can be a maximum of 140 characters in length.
Only valid if `is_manual_connection=true` | `string` | `""` | no |
| [tags](#input\_tags) | A map of tags to be associated with the resources | `map(string)` | `{}` | no |
| [action\_group](#input\_action\_group) | An action group object. Each action group can have:
- short\_name: (Required) The short name of the action group
- arm\_role\_receivers: (Optional) List of ARM role receivers
- email\_receivers: (Optional) List of email receivers | object({
name = string
short_name = string
arm_role_receivers = optional(list(object({
name = string
role_id = string
use_common_alert_schema = optional(bool)
})), [])
email_receivers = optional(list(object({
name = string
email_address = string
use_common_alert_schema = optional(bool)
})), [])
}) | `null` | no |
| [action\_group\_ids](#input\_action\_group\_ids) | A list of action group IDs. | `list(string)` | `[]` | no |
| [metric\_alerts](#input\_metric\_alerts) | n/a | map(object({
description = string
action_groups = optional(set(string), [])
frequency = optional(string, "PT1M")
severity = optional(number, 3)
enabled = optional(bool, true)
webhook_properties = optional(map(string))
criteria = optional(list(object({
metric_namespace = string
metric_name = string
aggregation = string
operator = string
threshold = number
skip_metric_validation = optional(bool, false)
dimensions = optional(list(object({
name = string
operator = string
values = list(string)
})))
})))
dynamic_criteria = optional(object({
metric_namespace = string
metric_name = string
aggregation = string
operator = string
alert_sensitivity = string
ignore_data_before = optional(string)
skip_metric_validation = optional(bool, false)
dimensions = optional(list(object({
name = string
operator = string
values = list(string)
})))
}))
})) | `{}` | no |
| [scheduled\_query\_alerts](#input\_scheduled\_query\_alerts) | n/a | map(object({
data_source_id = optional(string)
description = optional(string, "")
enabled = optional(bool, true)
query = string
severity = optional(number, 1)
frequency = optional(number, 5)
time_window = optional(number, 30)
authorized_resource_ids = optional(list(string), [])
trigger_operator = optional(string, "GreaterThan")
trigger_threshold = optional(number, 0)
action_group_ids = optional(list(string), [])
email_subject = optional(string, "Alert Notification")
custom_webhook_payload = optional(string, "{}")
})) | `{}` | no |
| [diagnostic\_settings](#input\_diagnostic\_settings) | n/a | map(object({
enabled_log = optional(list(object({
category_group = optional(string, "allLogs")
category = optional(string, null)
})))
metrics = optional(list(object({
category = string
enabled = optional(bool)
})))
})) | `{}` | no |
| [log\_analytics\_workspace](#input\_log\_analytics\_workspace) | n/a | object({
sku = string
retention_in_days = number
daily_quota_gb = number
identity = optional(object({
type = string
identity_ids = optional(list(string))
}))
local_authentication_disabled = optional(bool)
}) | `null` | no |
| [log\_analytics\_workspace\_id](#input\_log\_analytics\_workspace\_id) | (Optional) The ID of the Log Analytics Workspace. | `string` | `null` | no |
## Outputs
| Name | Description |
|------|-------------|
| [resource\_group\_id](#output\_resource\_group\_id) | ID of the Resource Group |
| [resource\_group\_name](#output\_resource\_group\_name) | Name of the Resource Group |
| [key\_vault\_id](#output\_key\_vault\_id) | ID of the Key Vault |
| [vault\_uri](#output\_vault\_uri) | URI of the Key Vault |
| [access\_policies\_object\_ids](#output\_access\_policies\_object\_ids) | Object IDs of the Key Vault Access Policies |
| [key\_vault\_name](#output\_key\_vault\_name) | Name of the Key Vault |
| [private\_endpoint\_id](#output\_private\_endpoint\_id) | ID of the Private Endpoint |
| [certificate\_ids](#output\_certificate\_ids) | IDs of the certificates from the Key Vault in the reference module |
| [secret\_ids](#output\_secret\_ids) | IDs of the secrets from the Key Vault in the reference module |
| [key\_ids](#output\_key\_ids) | IDs of the keys from the Key Vault in the reference module |
| [scheduled\_query\_alert\_ids](#output\_scheduled\_query\_alert\_ids) | IDs of the scheduled query alerts created by the reference module |
| [scheduled\_query\_alert\_names](#output\_scheduled\_query\_alert\_names) | Names of the scheduled query alerts created by the reference module |