# terraform-azurerm-keyvault

Terraform module composition (feature) for Azure KeyVault

## Azure Key Vault feature
This Terraform module creates an Azure Key Vault with "reader" and "admin" pre-configured Access policies and Diagnostic settings enabled.
## Global versioning rule for Claranet Azure modules
| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |
## Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform code module best practices.

More details are available in the CONTRIBUTING.md file.
## Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs.

More details about the variables set by the terraform-wrapper are available in the documentation.
```hcl
module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

data "azuread_group" "admin_group" {
  display_name = "Admin"
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name
}

module "key_vault" {
  source  = "claranet/keyvault/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name
  stack               = var.stack

  logs_destinations_ids = [
    module.logs.logs_storage_account_id,
    module.logs.log_analytics_workspace_id,
  ]

  # WebApp or other applications Object IDs
  reader_objects_ids = [
    var.webapp_service_principal_id
  ]

  # Current user should be here to be able to create keys and secrets
  admin_objects_ids = [
    data.azuread_group.admin_group.id
  ]

  # Specify Network ACLs
  network_acls = {
    bypass                     = "None"
    default_action             = "Deny"
    ip_rules                   = ["10.10.0.0/26", "1.2.3.4/32"]
    virtual_network_subnet_ids = var.subnet_ids
  }
}
```
## Providers
| Name | Version |
|---|---|
| azurecaf | ~> 1.2, >= 1.2.22 |
| azurerm | ~> 3.39 |
## Modules
| Name | Source | Version |
|---|---|---|
| diagnostics | claranet/diagnostic-settings/azurerm | ~> 6.5.0 |
## Resources
| Name | Type |
|---|---|
| azurerm_key_vault.keyvault | resource |
| azurerm_key_vault_access_policy.admin_policy | resource |
| azurerm_key_vault_access_policy.readers_policy | resource |
| azurerm_key_vault_managed_hardware_security_module.keyvault_hsm | resource |
| azurerm_role_assignment.rbac_keyvault_administrator | resource |
| azurerm_role_assignment.rbac_keyvault_reader | resource |
| azurerm_role_assignment.rbac_keyvault_secrets_users | resource |
| azurecaf_name.keyvault | data source |
| azurecaf_name.keyvault_hsm | data source |
| azurerm_client_config.current_config | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_objects_ids | IDs of the objects that can do all operations on all keys, secrets and certificates. | list(string) | [] | no |
| client_name | Client name. | string | n/a | yes |
| custom_diagnostic_settings_name | Custom name of the diagnostic settings; the name will be 'default' if not set. | string | "default" | no |
| custom_name | Name of the Key Vault, generated if not set. | string | "" | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| enabled_for_deployment | Whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the Key Vault. | bool | false | no |
| enabled_for_disk_encryption | Whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool | false | no |
| enabled_for_template_deployment | Whether Azure Resource Manager is permitted to retrieve secrets from the Key Vault. | bool | false | no |
| environment | Environment name. | string | n/a | yes |
| extra_tags | Extra tags to add. | map(string) | {} | no |
| location | Azure location for the Key Vault. | string | n/a | yes |
| location_short | Short string for the Azure location. | string | n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) | null | no |
| logs_destinations_ids | List of destination resource IDs for the logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to specify an Azure EventHub to send logs and metrics to, you need to provide a formatted string with both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the `\|` character. | list(string) | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
| managed_hardware_security_module_enabled | Create a Key Vault Managed HSM resource if enabled. Changing this forces a new resource to be created. | bool | false | no |
| name_prefix | Optional prefix for the generated name. | string | "" | no |
| name_suffix | Optional suffix for the generated name. | string | "" | no |
| network_acls | Object with attributes: bypass, default_action, ip_rules, virtual_network_subnet_ids. Set to null to disable. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information. | object({...}) | {} | no |
| public_network_access_enabled | Whether the Key Vault is available from the public network. | bool | false | no |
| purge_protection_enabled | Whether to activate purge protection. | bool | true | no |
| rbac_authorization_enabled | Whether the Key Vault uses Role Based Access Control (RBAC) for authorization of data actions instead of access policies. | bool | false | no |
| reader_objects_ids | IDs of the objects that can read all keys, secrets and certificates. | list(string) | [] | no |
| resource_group_name | Resource Group the resources will belong to. | string | n/a | yes |
| sku_name | The name of the SKU used for this Key Vault. Possible values are "standard" and "premium". | string | "standard" | no |
| soft_delete_retention_days | The number of days that items should be retained once soft-deleted. This value can be between 7 and 90 days. | number | 7 | no |
| stack | Stack name. | string | n/a | yes |
| tenant_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. Default is the current one. | string | "" | no |
| use_caf_naming | Use the Azure CAF naming provider to generate the default resource name. custom_name overrides this if set. The legacy default name is used if this is set to false. | bool | true | no |
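As an added example (not part of the module's README), the same module driven in RBAC mode rather than with access policies, with a 90-day soft-delete retention and an Event Hub log destination written in the `|`-separated form the `logs_destinations_ids` description requires; the `module.*`, `data.azuread_group.*` and `var.*` references follow the usage block above, and the `azurerm_eventhub*` resources are assumptions.

```hcl
# Added example: with rbac_authorization_enabled = true the module creates the
# azurerm_role_assignment.rbac_keyvault_* resources listed under Resources
# instead of the admin/readers access policies. The azurerm_eventhub* resources
# referenced below are assumed to exist elsewhere in the configuration.
module "key_vault_rbac" {
  source  = "claranet/keyvault/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name
  stack               = var.stack

  # Data-plane authorization through Azure RBAC role assignments.
  rbac_authorization_enabled = true
  admin_objects_ids          = [data.azuread_group.admin_group.id]
  reader_objects_ids         = [var.webapp_service_principal_id]

  # Recovery settings: purge protection is already the default (true);
  # the retention window is raised from the default 7 days to the maximum 90.
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  # Only trusted Azure services and the listed subnets may reach the vault.
  network_acls = {
    bypass                     = "AzureServices"
    default_action             = "Deny"
    ip_rules                   = []
    virtual_network_subnet_ids = var.subnet_ids
  }

  # Storage Account plus Event Hub destinations. The Event Hub entry is the
  # "<namespace authorization rule ID>|<event hub name>" string described in
  # the Inputs table; only one destination of each kind may be given.
  logs_destinations_ids = [
    module.logs.logs_storage_account_id,
    "${azurerm_eventhub_namespace_authorization_rule.logs.id}|${azurerm_eventhub.logs.name}",
  ]

  # Key Vault audit log category to forward.
  logs_categories = ["AuditEvent"]
}
```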
## Outputs

| Name | Description |
|---|---|
| key_vault_hsm_uri | The URI of the Key Vault Managed Hardware Security Module, used for performing operations on keys. |
| key_vault_id | ID of the Key Vault. |
| key_vault_name | Name of the Key Vault. |
| key_vault_uri | URI of the Key Vault. |
## Related documentation

Microsoft Azure documentation: https://docs.microsoft.com/en-us/azure/key-vault/