From fd6bf723db86b3ac9d5271f71a95bce7cc779833 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Sun, 15 Dec 2019 14:44:02 -0500
Subject: [PATCH 1/2] 169163334 - Enables KeyVault server in dev TF env

This keyvault server will be used for db, redis, ad, k8s, and app secrets for this environment.
---
 terraform/modules/keyvault/main.tf | 26 +------------------------
 terraform/modules/keyvault/variables.tf | 7 ++++++-
 terraform/providers/dev/keyvault.tf | 15 +++++++-------
 terraform/providers/dev/variables.tf | 5 +++++
 4 files changed, 20 insertions(+), 33 deletions(-)

diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
index 2eb1d6d1..131c7808 100644
--- a/terraform/modules/keyvault/main.tf
+++ b/terraform/modules/keyvault/main.tf
@@ -5,14 +5,6 @@ resource "azurerm_resource_group" "keyvault" {
 location = var.region
 }
 
-resource "random_id" "server" {
- keepers = {
- ami_id = 1
- }
-
- byte_length = 8
-}
-
 resource "azurerm_key_vault" "keyvault" {
 name = "${var.name}-${var.environment}-keyvault"
 location = azurerm_resource_group.keyvault.location
@@ -21,24 +13,8 @@ resource "azurerm_key_vault" "keyvault" {
 
 sku_name = "premium"
 
- access_policy {
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azurerm_client_config.current.service_principal_object_id
-
- key_permissions = [
- "create",
- "get",
- ]
-
- secret_permissions = [
- "set",
- "get",
- "delete",
- ]
- }
-
 tags = {
 environment = var.environment
 owner = var.owner
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf
index 7ad8ab26..f6b7b429 100644
--- a/terraform/modules/keyvault/variables.tf
+++ b/terraform/modules/keyvault/variables.tf
@@ -14,6 +14,11 @@ variable "environment" {
 }
 
 variable "owner" {
- type = string
+ type = string
 description = "Owner of this environment"
 }
+
+variable "tenant_id" {
+ type = string
+ description = "The Tenant ID"
+}
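Review bot: Dropping the inline `access_policy` block in the second main.tf hunk leaves `azurerm_key_vault.keyvault` with no access policy in this commit, so the deploying identity that the removed block granted via `data.azurerm_client_config.current` can no longer create keys or set/get/delete secrets, and any secret resources this environment later manages would be refused until a policy for the Terraform principal is restored. If the plan is to move to standalone `azurerm_key_vault_access_policy` resources, the policy for the deployer belongs in the same change rather than a follow-up. The `tenant_id` input added in the variables.tf hunk is not consumed in either main.tf hunk shown; old lines 19-20 of the file fall between the hunks, so it may be wired there, but that is worth confirming. I would add on the vault resource `# Access policies are managed as azurerm_key_vault_access_policy resources; do not add an inline access_policy block here` so the two mechanisms are not mixed later.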
diff --git a/terraform/providers/dev/keyvault.tf b/terraform/providers/dev/keyvault.tf
index 96545568..009cd93f 100644
--- a/terraform/providers/dev/keyvault.tf
+++ b/terraform/providers/dev/keyvault.tf
@@ -1,7 +1,8 @@
-#module "keyvault" {
-# source = "../../modules/keyvault"
-# name = var.name
-# region = var.region
-# owner = var.owner
-# environment = var.environment
-#}
+module "keyvault" {
+ source = "../../modules/keyvault"
+ name = var.name
+ region = var.region
+ owner = var.owner
+ environment = var.environment
+ tenant_id = var.tenant_id
+}
diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf
index 3ea68131..7a9eea21 100644
--- a/terraform/providers/dev/variables.tf
+++ b/terraform/providers/dev/variables.tf
@@ -54,3 +54,8 @@ variable "k8s_dns_prefix" {
 type = string
 default = "atat"
 }
+
+variable "tenant_id" {
+ type = string
+ default = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
+}
From 3b05f9b830b59da2594b5fcdf4f62f91845442b4 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Sun, 15 Dec 2019 16:24:44 -0500
Subject: [PATCH 2/2] Adds rgil to keyvault access policy

---
 terraform/modules/keyvault/main.tf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
index 131c7808..d4208e36 100644
--- a/terraform/modules/keyvault/main.tf
+++ b/terraform/modules/keyvault/main.tf
@@ -18,3 +18,23 @@ resource "azurerm_key_vault" "keyvault" {
 owner = var.owner
 }
 }
+
+resource "azurerm_key_vault_access_policy" "keyvault" {
+ key_vault_id = azurerm_key_vault.keyvault.id
+
+ tenant_id = "b5ab0e1e-09f8-4258-afb7-fb17654bc5b3"
+ object_id = "2ca63d41-d058-4e06-aef6-eb517a53b631"
+
+ key_permissions = [
+ "get",
+ "list",
+ "create",
+ ]
+
+ secret_permissions = [
+ "get",
+ "list",
+ "set",
+ ]
+}
+
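Review bot: The new `azurerm_key_vault_access_policy` in the second patch hard-codes both `tenant_id` and a single personal `object_id` inside the shared module, so every environment that instantiates the module grants the same individual get/list/create on keys and get/list/set on secrets, and the `tenant_id` input the first patch threaded through `module "keyvault"` (with the same literal as its default in providers/dev/variables.tf) is bypassed rather than used. I would take the tenant from the module input and make the principals an input as well, e.g. `for_each = toset(var.access_object_ids)`, `tenant_id = var.tenant_id`, `object_id = each.value` (with a matching list(string) variable declared in variables.tf), so per-environment grants can be reviewed and revoked individually. With the first patch having removed the deployer's policy, the Terraform identity itself still has no entry here, so secret resources managed by this configuration will be denied. `list` on secrets also lets that one user enumerate everything the description says the vault will hold for db, redis, ad, k8s and the app; `get` on known names is usually sufficient for an operator and keeps the blast radius of that account smaller.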