An open API service indexing awesome lists of open source software.

https://github.com/libre-devops/terraform-azurerm-keyvault

A module used to deploy an Azure key vault, based on some parameters
https://github.com/libre-devops/terraform-azurerm-keyvault

azurerm azurerm-terraform-provider module terraform terraform-module

Last synced: 2 months ago
JSON representation

A module used to deploy an Azure key vault, based on some parameters

Awesome Lists containing this project

README

        

```hcl
data "azurerm_client_config" "current_client" {
count = var.use_current_client == true ? 1 : 0
}

resource "azurerm_key_vault_access_policy" "client_access" {
count = var.use_current_client == true && var.give_current_client_full_access == true ? 1 : 0
key_vault_id = azurerm_key_vault.keyvault[0].id # Adjust index based on which key vault the policy should apply to
tenant_id = element(data.azurerm_client_config.current_client.*.tenant_id, 0)
object_id = element(data.azurerm_client_config.current_client.*.object_id, 0)

key_permissions = tolist(var.full_key_permissions)
secret_permissions = tolist(var.full_secret_permissions)
certificate_permissions = tolist(var.full_certificate_permissions)
storage_permissions = tolist(var.full_storage_permissions)
}

resource "azurerm_key_vault" "keyvault" {
for_each = { for vault, key_vault in var.key_vaults : vault => key_vault }

name = each.value.name
location = each.value.location
resource_group_name = each.value.rg_name
sku_name = lower(each.value.sku_name)
tenant_id = var.use_current_client == true ? data.azurerm_client_config.current_client[0].tenant_id : each.value.tenant_id
enabled_for_deployment = each.value.enabled_for_deployment
enabled_for_disk_encryption = each.value.enabled_for_disk_encryption
enabled_for_template_deployment = each.value.enabled_for_template_deployment
enable_rbac_authorization = each.value.enable_rbac_authorization
purge_protection_enabled = each.value.purge_protection_enabled
soft_delete_retention_days = each.value.soft_delete_retention_days
public_network_access_enabled = each.value.public_network_access_enabled

dynamic "access_policy" {
for_each = each.value.access_policy != null ? each.value.access_policy : []
content {
tenant_id = access_policy.value.tenant_id
object_id = access_policy.value.object_id

key_permissions = access_policy.value.key_permissions
secret_permissions = access_policy.value.secret_permissions
storage_permissions = access_policy.value.storage_permissions
}
}

dynamic "network_acls" {
for_each = each.value.network_acls != null ? [each.value.network_acls] : []
content {
bypass = network_acls.value.bypass
default_action = title(network_acls.value.default_action)
ip_rules = network_acls.value.ip_rules
virtual_network_subnet_ids = network_acls.value.virtual_network_subnet_ids
}
}

tags = each.value.tags
}

module "diagnostic_settings_custom" {
source = "github.com/libre-devops/terraform-azurerm-diagnostic-settings"

for_each = {
for vault, key_vault in var.key_vaults : vault => key_vault
if key_vault.create_diagnostic_settings == true && key_vault.diagnostic_settings != null && key_vault.diagnostic_settings_enable_all_logs_and_metrics == false
}

diagnostic_settings = merge(
each.value.diagnostic_settings,
{
target_resource_id = azurerm_key_vault.keyvault[each.key].id,
}
)
}

module "diagnostic_settings_enable_all" {
source = "github.com/libre-devops/terraform-azurerm-diagnostic-settings"

for_each = {
for vault, key_vault in var.key_vaults : vault => key_vault
if key_vault.create_diagnostic_settings == true && key_vault.diagnostic_settings_enable_all_logs_and_metrics == true
}

diagnostic_settings = {
target_resource_id = azurerm_key_vault.keyvault[each.key].id
law_id = try(each.value.diagnostic_settings.law_id, null)
diagnostic_settings_name = "${azurerm_key_vault.keyvault[each.key].name}-diagnostics"
enable_all_logs = true
enable_all_metrics = true
storage_account_id = try(each.value.diagnostic_settings.storage_account_id, null)
eventhub_name = try(each.value.diagnostic_settings.eventhub_name, null)
eventhub_authorization_rule_id = try(each.value.diagnostic_settings.eventhub_authorization_rule_id, null)
law_destination_type = each.value.diagnostic_settings.law_destination_type
partner_solution_id = try(each.value.diagnostic_settings.partner_solution_id, null)
}
}
```
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| [azurerm](#provider\_azurerm) | n/a |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [diagnostic\_settings\_custom](#module\_diagnostic\_settings\_custom) | github.com/libre-devops/terraform-azurerm-diagnostic-settings | n/a |
| [diagnostic\_settings\_enable\_all](#module\_diagnostic\_settings\_enable\_all) | github.com/libre-devops/terraform-azurerm-diagnostic-settings | n/a |

## Resources

| Name | Type |
|------|------|
| [azurerm_key_vault.keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
| [azurerm_key_vault_access_policy.client_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_client_config.current_client](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [full\_certificate\_permissions](#input\_full\_certificate\_permissions) | All the available permissions for key access | `list(string)` |

[
"Backup",
"Create",
"Delete",
"DeleteIssuers",
"Get",
"GetIssuers",
"Import",
"List",
"ListIssuers",
"ManageContacts",
"ManageIssuers",
"Purge",
"Recover",
"Restore",
"SetIssuers",
"Update"
]
| no |
| [full\_key\_permissions](#input\_full\_key\_permissions) | All the available permissions for key access | `list(string)` |
[
"Backup",
"Create",
"Decrypt",
"Delete",
"Encrypt",
"Get",
"Import",
"List",
"Purge",
"Recover",
"Restore",
"Sign",
"UnwrapKey",
"Update",
"Verify",
"WrapKey"
]
| no |
| [full\_secret\_permissions](#input\_full\_secret\_permissions) | All the available permissions for key access | `list(string)` |
[
"Backup",
"Delete",
"Get",
"List",
"Purge",
"Recover",
"Restore",
"Set"
]
| no |
| [full\_storage\_permissions](#input\_full\_storage\_permissions) | All the available permissions for key access | `list(string)` |
[
"Backup",
"Delete",
"DeleteSAS",
"Get",
"GetSAS",
"List",
"ListSAS",
"Purge",
"Recover",
"RegenerateKey",
"Restore",
"Set",
"SetSAS",
"Update"
]
| no |
| [give\_current\_client\_full\_access](#input\_give\_current\_client\_full\_access) | If you use your current client as the tenant id, do you wish to give it full access to the keyvault? this aids automation, and is thus enable by default for this module. Disable for better security by setting to false | `bool` | `false` | no |
| [key\_vaults](#input\_key\_vaults) | A list of key vaults to create |
list(object({
name = string
location = string
rg_name = string
sku_name = optional(string, "standard")
tenant_id = optional(string)
enabled_for_deployment = optional(bool, true)
enabled_for_disk_encryption = optional(bool, true)
enabled_for_template_deployment = optional(bool, true)
soft_delete_retention_days = optional(number)
public_network_access_enabled = optional(bool)
enable_rbac_authorization = optional(bool, true)
purge_protection_enabled = optional(bool, false) # Easier for automation
access_policy = optional(list(object({
tenant_id = string
object_id = string
key_permissions = list(string)
secret_permissions = list(string)
storage_permissions = list(string)
})))
network_acls = optional(object({
bypass = string
default_action = string
ip_rules = list(string)
virtual_network_subnet_ids = list(string)
}))
contact = optional(list(object({
email = string
name = optional(string)
phone = optional(string)
})))
create_diagnostic_settings = optional(bool, false)
diagnostic_settings_enable_all_logs_and_metrics = optional(bool, false)
diagnostic_settings = optional(object({
diagnostic_settings_name = optional(string)
storage_account_id = optional(string)
eventhub_name = optional(string)
eventhub_authorization_rule_id = optional(string)
law_id = optional(string)
law_destination_type = optional(string, "Dedicated")
partner_solution_id = optional(string)
enabled_log = optional(list(object({
category = optional(string)
category_group = optional(string)
})), [])
metric = optional(list(object({
category = string
enabled = optional(bool, true)
})), [])
enable_all_logs = optional(bool, false)
enable_all_metrics = optional(bool, false)
}), null)
tags = map(string)
}))
| `[]` | no |
| [use\_current\_client](#input\_use\_current\_client) | If you wish to use the current client config or not | `bool` | `true` | no |

## Outputs

| Name | Description |
|------|-------------|
| [client\_access\_policy\_certificate\_permissions](#output\_client\_access\_policy\_certificate\_permissions) | The key permissions of the client access policy. |
| [client\_access\_policy\_id](#output\_client\_access\_policy\_id) | The ID of the client access policy. |
| [client\_access\_policy\_key\_permissions](#output\_client\_access\_policy\_key\_permissions) | The key permissions of the client access policy. |
| [client\_access\_policy\_secret\_permissions](#output\_client\_access\_policy\_secret\_permissions) | The key permissions of the client access policy. |
| [key\_vault\_ids](#output\_key\_vault\_ids) | The IDs of the created Key Vaults. |
| [key\_vault\_locations](#output\_key\_vault\_locations) | The locations of the created Key Vaults. |
| [key\_vault\_names](#output\_key\_vault\_names) | The names of the created Key Vaults. |
| [key\_vault\_uris](#output\_key\_vault\_uris) | The uris of the created Key Vaults. |