# Identity the provider is currently authenticated as; only its tenant_id is
# consumed below (vault and access-policy tenant).
data "azurerm_client_config" "current" {
}
# Dedicated resource group for the vault and its access policies.
# Name follows the "<name>-<environment>-keyvault" pattern shared with the vault itself.
resource "azurerm_resource_group" "keyvault" {
  location = var.region
  name     = format("%s-%s-keyvault", var.name, var.environment)
}
# The vault itself. Lives in the resource group above and in the tenant of the
# principal running this configuration.
resource "azurerm_key_vault" "keyvault" {
  name                = format("%s-%s-keyvault", var.name, var.environment)
  resource_group_name = azurerm_resource_group.keyvault.name
  location            = azurerm_resource_group.keyvault.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"

  # NOTE(review): neither soft-delete nor purge protection is set explicitly
  # here, so the effective values are whatever this provider version defaults
  # to — confirm that is intended before relying on the vault for production keys.

  # Network restriction. default_action is caller-controlled (var.policy): when it
  # is "Deny", only the listed subnets, the allow-listed IPs and trusted Azure
  # services reach the vault; when it is "Allow", the rules below no longer
  # restrict anything.
  network_acls {
    bypass                     = "AzureServices"
    default_action             = var.policy
    ip_rules                   = values(var.whitelist)
    virtual_network_subnet_ids = var.subnet_ids
  }

  tags = {
    owner       = var.owner
    environment = var.environment
  }
}
# Read-only policy for the workload principal (keys and secrets: get only).
# Created only when a principal id was supplied.
# NOTE(review): length() on a null value fails at plan time — presumably
# var.principal_id defaults to an empty string; verify the variable's default.
resource "azurerm_key_vault_access_policy" "keyvault_k8s_policy" {
  count = length(var.principal_id) == 0 ? 0 : 1

  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.principal_id

  key_permissions    = ["get"]
  secret_permissions = ["get"]
}
# Admin Access
# One policy per entry of var.admin_principals (each.value is the object id).
# NOTE(review): these grants are narrower than a full administrator — no
# delete/recover/purge on secrets, no purge/recover on keys, no delete on
# certificates. If that is deliberate least privilege, keep it; if admins are
# expected to rotate or remove secrets, the lists need extending.
resource "azurerm_key_vault_access_policy" "keyvault_admin_policy" {
  for_each = var.admin_principals

  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = each.value

  key_permissions = [
    "get", "list",
    "create", "update", "delete",
  ]

  secret_permissions = [
    "get", "list",
    "set",
  ]

  # Full set of certificate permissions accepted by the provider, for reference:
  # backup create delete deleteissuers get getissuers import list listissuers managecontacts manageissuers purge recover restore setissuers update
  certificate_permissions = [
    "get", "list",
    "create", "import", "update", "backup",
    "listissuers", "manageissuers", "deleteissuers",
  ]
}
# Ship vault audit logs and all metrics to the Log Analytics workspace so that
# secret/key access is recorded off-box.
# NOTE(review): no storage account is configured here, so the retention_policy
# blocks (which carry no day count) presumably have no effect on the Log
# Analytics destination; retention is governed by the workspace itself — confirm.
resource "azurerm_monitor_diagnostic_setting" "keyvault_diagnostic" {
  name                       = format("%s-%s-keyvault-diag", var.name, var.environment)
  target_resource_id         = azurerm_key_vault.keyvault.id
  log_analytics_workspace_id = var.workspace_id

  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = true
    }
  }

  # AuditEvent is the category that records every data-plane operation
  # (get/set/list on keys, secrets, certificates).
  log {
    category = "AuditEvent"
    enabled  = true

    retention_policy {
      enabled = true
    }
  }
}