Creates an Azure Key Vault.

Supported features:
- AKV name is generated randomly: (prefix + name) followed by a randomly generated string, truncated to 24 characters (the maximum length of an AKV name), to ensure world-wide uniqueness
- AKV main settings: enabled for deployment, disk encryption, template deployment
- AKV SKU: Premium or Standard
- AKV network ACLs

Non-supported features:
- AKV access policies are deliberately kept outside of this module so that policies stay consistent; i.e. for each AKV you create, set an access policy tailored to its specific purpose (see the AKV sample policy file, access_policy_sample.tf)
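The naming scheme described above, reproduced in plain Terraform as an added illustration. This is not the module's own source: the variable names, the `random_string` resource and the suffix length are assumptions chosen for the example.

```hcl
# Added illustration of the documented naming scheme; not the module's code.
# Variable names, suffix length and the random_string resource are assumptions.
variable "prefix" {
  description = "Naming prefix (constructed sample default)"
  default     = "dev"
}

variable "name" {
  description = "Logical vault name (constructed sample default)"
  default     = "myakv"
}

# Random suffix provides world-wide uniqueness. Key Vault names may only
# contain letters, digits and hyphens, so special characters are excluded.
resource "random_string" "akv_suffix" {
  length  = 8
  upper   = false
  special = false
}

locals {
  akv_name_raw = "${var.prefix}${var.name}${random_string.akv_suffix.result}"

  # Key Vault names are capped at 24 characters, so the concatenation is
  # truncated. Keep prefix + name short (16 characters or fewer with an
  # 8-character suffix), otherwise the random part is cut and uniqueness
  # is weakened.
  akv_name = substr(local.akv_name_raw, 0, 24)
}

output "akv_name" {
  value = local.akv_name
}
```

With the sample defaults the raw string is 16 characters, so the suffix survives the truncation intact; a longer prefix or name silently shortens the random part.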
Reference the module to a specific version (recommended):

```hcl
module "azurekevault" {
  source  = "aztfmod/caf-keyvault/azurerm"
  version = "0.x.y"

  prefix                  = var.prefix
  location                = var.location
  rg                      = var.rg
  akv_config              = var.akv_config
  tags                    = var.tags
  diagnostics_settings    = var.ipdiags
  diagnostics_map         = var.diagsmap
  log_analytics_workspace = var.laworkspace
}
```
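A complete root module that wires the call above together with an access policy kept outside the module, as this README recommends. This is an added example, not the project's own code: the module label `azurekeyvault`, the `app_object_id` variable, the `azurerm_client_config` data source and the permission lists are assumptions chosen for the example, and the secret permission names use the capitalised form accepted by azurerm provider 2.x and later.

```hcl
# Added example; not the module's own code. The module label, app_object_id
# variable and permission lists are assumptions chosen for this example.
data "azurerm_client_config" "current" {}

variable "app_object_id" {
  description = "Object id of the single principal allowed to read secrets (assumption)"
  type        = string
}

module "azurekeyvault" {
  source  = "aztfmod/caf-keyvault/azurerm"
  version = "0.x.y" # pin to the release you have reviewed

  prefix   = var.prefix
  location = var.location
  rg       = var.rg
  tags     = var.tags

  akv_config = {
    name     = "myakv"
    sku_name = "premium"
    # akv_features is optional and omitted here; network_acls is optional
    # but set so that public access is denied by default and only trusted
    # Azure services bypass the firewall.
    network_acls = {
      bypass         = "AzureServices"
      default_action = "Deny"
    }
  }

  diagnostics_settings    = var.ipdiags
  diagnostics_map         = var.diagsmap
  log_analytics_workspace = var.laworkspace
}

# Access policy scoped to one principal with only the permissions it needs:
# read and enumerate secrets, nothing on keys or certificates. The policy
# references the module's "id" output documented in the outputs table.
resource "azurerm_key_vault_access_policy" "app_reader" {
  key_vault_id = module.azurekeyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.app_object_id

  secret_permissions = ["Get", "List"]
}

output "vault_uri" {
  value = module.azurekeyvault.vault_uri
}
```

Each vault created this way gets its own policy resource; add key or certificate permissions only for the principals and purposes that actually need them rather than widening this one.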
(Required) Key Vault configuration object.

```hcl
variable "akv_config" {
  description = "(Required) Key Vault Configuration Object"
}
```
Sample:

```hcl
akv_config = {
  name = "myakv"

  # akv_features is optional
  akv_features = {
    enabled_for_disk_encryption     = true
    enabled_for_deployment          = false
    enabled_for_template_deployment = true
  }

  sku_name = "premium"

  # network_acls is optional
  network_acls = {
    bypass         = "AzureServices"
    default_action = "Deny"
  }
}
```
(Required) Location of the resource to be created.

```hcl
variable "location" {
  description = "(Required) Location of the AKV to be created"
}
```

Sample:

```hcl
location = "southeastasia"
```
(Required) Resource group of the resource to be created.

```hcl
variable "rg" {
  description = "(Required) Resource group of the AKV to be created"
}
```

Sample:

```hcl
rg = "myrg"
```
(Required) Map of tags for the deployment.

```hcl
variable "tags" {
  description = "(Required) map of tags for the deployment"
}
```

Example:

```hcl
tags = {
  environment    = "DEV"
  owner          = "Arnaud"
  deploymentType = "Terraform"
}
```
(Required) Log Analytics workspace for AKV.

```hcl
variable "log_analytics_workspace" {
  description = "(Required) Log Analytics workspace for AKV"
}
```

Example:

```hcl
log_analytics_workspace = module.loganalytics.object
```
(Required) Map with the diagnostics repository information.

```hcl
variable "diagnostics_map" {
  description = "(Required) Map with the diagnostics repository information"
}
```

Example:

```hcl
diagnostics_map = {
  diags_sa = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/arnaud-hub-operations/providers/Microsoft.Storage/storageAccounts/opslogskumowxv"
  eh_id    = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/arnaud-hub-operations/providers/Microsoft.EventHub/namespaces/opslogskumowxv"
  eh_name  = "opslogskumowxv"
}
```
(Required) Map with the diagnostics settings for the AKV deployment. See the required structure in the following example or in the diagnostics module documentation.

```hcl
variable "diagnostics_settings" {
  description = "(Required) Map with the diagnostics settings for AKV deployment"
}
```

Example:

```hcl
diagnostics_settings = {
  log = [
    # ["Category name", "Diagnostics Enabled (true/false)", "Retention Enabled (true/false)", Retention_period]
    ["AuditEvent", true, true, 60],
  ]
  metric = [
    # ["Category name", "Diagnostics Enabled (true/false)", "Retention Enabled (true/false)", Retention_period]
    ["AllMetrics", true, true, 60],
  ]
}
```
(Required) Naming convention to be used.

```hcl
variable "convention" {
  description = "(Required) Naming convention used"
}
```

Example:

```hcl
convention = "cafclassic"
```
Outputs:

| Name | Type | Description |
|---|---|---|
| object | object | Returns the full object of the created AKV. |
| name | string | Returns the name of the created AKV. |
| id | string | Returns the ID of the created AKV. |
| vault_uri | string | Returns the FQDN of the created AKV. |