Locks down keyvaults to subnets and administrator ip addresses
This commit is contained in:
parent
c31d68a18c
commit
dab6cdb7dc
@ -13,6 +13,13 @@ resource "azurerm_key_vault" "keyvault" {
|
||||
|
||||
sku_name = "premium"
|
||||
|
||||
network_acls {
|
||||
default_action = var.policy
|
||||
bypass = "AzureServices"
|
||||
virtual_network_subnet_ids = var.subnet_ids
|
||||
ip_rules = values(var.whitelist)
|
||||
}
|
||||
|
||||
tags = {
|
||||
environment = var.environment
|
||||
owner = var.owner
|
||||
|
@ -32,3 +32,20 @@ variable "admin_principals" {
|
||||
type = map
|
||||
description = "A list of user principals who need access to manage the keyvault"
|
||||
}
|
||||
|
||||
variable "subnet_ids" {
|
||||
description = "List of subnet_ids that will have access to this service"
|
||||
type = list
|
||||
}
|
||||
|
||||
variable "policy" {
|
||||
description = "The default policy for the network access rules (Allow/Deny)"
|
||||
default = "Deny"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "whitelist" {
|
||||
type = map
|
||||
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
|
||||
default = {}
|
||||
}
|
@ -7,5 +7,8 @@ module "keyvault" {
|
||||
tenant_id = var.tenant_id
|
||||
principal_id = "f9bcbe58-8b73-4957-aee2-133dc3e58063"
|
||||
admin_principals = var.admin_users
|
||||
policy = "Deny"
|
||||
subnet_ids = [module.vpc.subnets]
|
||||
whitelist = var.admin_user_whitelist
|
||||
}
|
||||
|
||||
|
@ -7,4 +7,7 @@ module "operator_keyvault" {
|
||||
tenant_id = var.tenant_id
|
||||
principal_id = ""
|
||||
admin_principals = var.admin_users
|
||||
policy = "Deny"
|
||||
subnet_ids = [module.vpc.subnets]
|
||||
whitelist = var.admin_user_whitelist
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user