From dab6cdb7dca7dce086d5a33e9674481f47688a37 Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Thu, 23 Jan 2020 11:02:12 -0500
Subject: [PATCH] Locks down keyvaults to subnets and administrator ip addresses
---
 terraform/modules/keyvault/main.tf | 7 +++++++
 terraform/modules/keyvault/variables.tf | 17 +++++++++++++++++
 terraform/providers/dev/keyvault.tf | 3 +++
 terraform/providers/dev/secrets.tf | 3 +++
 4 files changed, 30 insertions(+)
diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
index ddfb8465..1df84367 100644
--- a/terraform/modules/keyvault/main.tf
+++ b/terraform/modules/keyvault/main.tf
@@ -13,6 +13,13 @@ resource "azurerm_key_vault" "keyvault" {
   sku_name = "premium"
+  network_acls {
+    default_action = var.policy
+    bypass = "AzureServices"
+    virtual_network_subnet_ids = var.subnet_ids
+    ip_rules = values(var.whitelist)
+  }
+
   tags = {
     environment = var.environment
     owner = var.owner
diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf
index d2484793..56e7cc13 100644
--- a/terraform/modules/keyvault/variables.tf
+++ b/terraform/modules/keyvault/variables.tf
@@ -32,3 +32,20 @@ variable "admin_principals" {
   type = map
   description = "A list of user principals who need access to manage the keyvault"
 }
+
+variable "subnet_ids" {
+  description = "List of subnet_ids that will have access to this service"
+  type = list
+}
+
+variable "policy" {
+  description = "The default policy for the network access rules (Allow/Deny)"
+  default = "Deny"
+  type = string
+}
+
+variable "whitelist" {
+  type = map
+  description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
+  default = {}
+}
\ No newline at end of file
diff --git a/terraform/providers/dev/keyvault.tf b/terraform/providers/dev/keyvault.tf
index 75f7b13d..4d35fa0f 100644
--- a/terraform/providers/dev/keyvault.tf
+++ b/terraform/providers/dev/keyvault.tf
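Review bot: `default_action = var.policy` accepts any string, so a value such as `deny` or `Block` is only rejected by the provider at apply time rather than at plan, and the ACL block gives no hint of the allowed values; a comment above the argument such as `# Allow or Deny; Deny together with the subnet and ip rules below is the intended lock-down` would help, and a variable `validation` block is the stronger fix if the Terraform version in use supports it. The hard-coded `bypass = "AzureServices"` lets trusted Microsoft services reach the vault regardless of the Deny default, which is a deliberate exception worth a one-line comment because readers of this block will otherwise assume the Deny is airtight. Once Deny is active the identity running `terraform apply` must itself be inside `subnet_ids` or `whitelist`, or data-plane operations against the vault (secret reads and writes) will start failing with 403, and that prerequisite is stated nowhere in the module. The enclosing `azurerm_key_vault` resource starts before the hunk.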
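Review bot: `subnet_ids` is documented only as "subnet_ids that will have access", but Azure rejects a subnet in a Key Vault network ACL unless that subnet has the `Microsoft.KeyVault` service endpoint enabled, and that is the first thing a caller of this module will trip over; extend the description to `"List of subnet_ids that will have access to this service. Each subnet must have the Microsoft.KeyVault service endpoint enabled."`. `policy` is typed `string` with default `Deny` but nothing restricts it to the two values its description names; if variable `validation` blocks are available in the Terraform version in use, one limiting it to `Allow`/`Deny` would catch mistakes at plan time, otherwise the description should say that any other value fails at apply. The bare `map` and `list` constraints also accept any element type, so a map of non-string values would only fail inside `values()` in main.tf; `map(string)` and `list(string)` would be more precise if the rest of the module already uses the 0.12 type syntax.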
@@ -7,5 +7,8 @@ module "keyvault" {
   tenant_id = var.tenant_id
   principal_id = "f9bcbe58-8b73-4957-aee2-133dc3e58063"
   admin_principals = var.admin_users
+  policy = "Deny"
+  subnet_ids = [module.vpc.subnets]
+  whitelist = var.admin_user_whitelist
 }
diff --git a/terraform/providers/dev/secrets.tf b/terraform/providers/dev/secrets.tf
index bccdcf50..7a67205e 100644
--- a/terraform/providers/dev/secrets.tf
+++ b/terraform/providers/dev/secrets.tf
@@ -7,4 +7,7 @@ module "operator_keyvault" {
   tenant_id = var.tenant_id
   principal_id = ""
   admin_principals = var.admin_users
+  policy = "Deny"
+  subnet_ids = [module.vpc.subnets]
+  whitelist = var.admin_user_whitelist
 }
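Review bot: `subnet_ids = [module.vpc.subnets]` wraps the module output in a new list; if `module.vpc.subnets` is itself a list of subnet IDs, as the plural name suggests, `virtual_network_subnet_ids` receives a list of lists and the plan fails with a type error, so pass `module.vpc.subnets` directly, or `flatten([module.vpc.subnets])` if the shape varies, or `values(module.vpc.subnets)` if it is a map — the output's type is not visible here, so confirm against the vpc module. The identical expression appears in the `operator_keyvault` hunk in secrets.tf and needs the same treatment. `policy = "Deny"` restates the module default; that is harmless, but if it is meant as an explicit lock-down marker a short comment such as `# explicit: this vault is never reachable from outside the listed subnets/IPs` keeps the next editor from removing it as redundant. Both module blocks start before their hunks.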