Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets.
This Terraform Module creates a Key Vault also adds required access policies for AD users and groups. This also sends all logs to log analytic workspace and storage.
module "key-vault" {
source = "kumarvna/key-vault/azurerm"
version = "2.1.0"
# Resource Group and Key Vault pricing tier details
resource_group_name = "rg-shared-westeurope-01"
key_vault_name = "demo-project-shard"
key_vault_sku_pricing_tier = "premium"
# Once `Purge Protection` has been Enabled it's not possible to Disable it
# Deleting the Key Vault with `Purge Protection` enabled will schedule the Key Vault to be deleted
# The default retention period is 90 days, possible values are from 7 to 90 days
# use `soft_delete_retention_days` to set the retention period
enable_purge_protection = false
# Adding Key vault logs to Azure monitoring and Log Analytics space
# to enable key-vault logs, either one of log_analytics_workspace_id or storage_account_id required
log_analytics_workspace_id = var.log_analytics_workspace_id
storage_account_id = var.storage_account_id
# Access policies for users, you can provide list of Azure AD users and set permissions.
# Make sure to use list of user principal names of Azure AD users.
access_policies = [
{
azure_ad_user_principal_names = ["[email protected]", "[email protected]"]
key_permissions = ["get", "list"]
secret_permissions = ["get", "list"]
certificate_permissions = ["get", "import", "list"]
storage_permissions = ["backup", "get", "list", "recover"]
},
# Access policies for AD Groups, enable this feature to provide list of Azure AD groups and set permissions.
{
azure_ad_group_names = ["ADGroupName1", "ADGroupName2"]
secret_permissions = ["get", "list", "set"]
},
]
# Create a required Secrets as per your need.
# When you Add `usernames` with empty password this module creates a strong random password
# use .tfvars file to manage the secrets as variables to avoid security issues.
secrets = {
"message" = "Hello, world!"
"vmpass" = ""
}
# Adding TAG's to your Azure resources (Required)
# ProjectName and Env are already declared above, to use them here or create a varible.
tags = {
ProjectName = "demo-project"
Env = "dev"
Owner = "[email protected]"
BusinessUnit = "CORP"
ServiceClass = "Gold"
}
}Configure Azure Key Vault firewalls and virtual networks to restrict access to the key vault. The virtual network service endpoints for Key Vault (Microsoft.KeyVault) allow you to restrict access to a specified virtual network and set of IPv4 address ranges.
Default action is set to Allow when no network rules matched. A virtual_network_subnet_ids or ip_rules can be added to network_acls block to allow request that is not Azure Services.
module "key-vault" {
source = "kumarvna/key-vault/azurerm"
version = "2.1.0"
# .... omitted
network_acls = {
bypass = "AzureServices"
default_action = "Deny"
# One or more IP Addresses, or CIDR Blocks to access this Key Vault.
ip_rules = ["123.201.18.148"]
# One or more Subnet ID's to access this Key Vault.
virtual_network_subnet_ids = []
}
# ....omitted
}To use Key Vault with Azure Resource Manager virtual machines, the enabled_for_deployment property on Key Vault must be set to true. This access is enabled by default for this module. Incase you want to disable it set the argument enabled_for_deployment = "false".
We can configure Azure Disk Encryption to use Azure Key Vault to control and manage disk encryption keys and secrets. This access is enabled by default for this module. Incase you want to disable it set the argument enabled_for_disk_encryption = "false".
Warning: The key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same subscription and region as the VMs to be encrypted.
When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. To access the Key Vault when deploying Managed Applications, you must grant access to the Appliance Resource Provider service principal. This access is enabled by default for this module. Incase you want to disable it set the argument enabled_for_template_deployment = "false".
When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
When creating a new key vault, soft-delete is enabled by default. As of 2020-12-15 Azure now requires that Soft Delete is enabled on Key Vaults and this can no longer be disabled.
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on using this module by setting the argument enable_purge_protection = true.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.
The default retention period is 90 days for the soft-delete and the purge protection retention policy uses the same interval. Once set, the retention policy interval cannot be changed.
Well-defined naming and metadata tagging conventions help to quickly locate and manage resources. These conventions also help associate cloud usage costs with business teams via chargeback and show back accounting mechanisms.
An effective naming convention assembles resource names by using important resource information as parts of a resource's name. For example, using these recommended naming conventions, a public IP resource for a production SharePoint workload is named like this: pip-sharepoint-prod-westus-001.
When applying metadata tags to the cloud resources, you can include information about those assets that couldn't be included in the resource name. You can use that information to perform more sophisticated filtering and reporting on resources. This information can be used by IT or business teams to find resources or generate reports about resource usage and billing.
The following list provides the recommended common tags that capture important context and information about resources. Use this list as a starting point to establish your tagging conventions.
| Tag Name | Description | Key | Example Value | Required? |
|---|---|---|---|---|
| Project Name | Name of the Project for the infra is created. This is mandatory to create a resource names. | ProjectName | {Project name} | Yes |
| Application Name | Name of the application, service, or workload the resource is associated with. | ApplicationName | {app name} | Yes |
| Approver | Name Person responsible for approving costs related to this resource. | Approver | {email} | Yes |
| Business Unit | Top-level division of your company that owns the subscription or workload the resource belongs to. In smaller organizations, this may represent a single corporate or shared top-level organizational element. | BusinessUnit | FINANCE, MARKETING,{Product Name},CORP,SHARED | Yes |
| Cost Center | Accounting cost center associated with this resource. | CostCenter | {number} | Yes |
| Disaster Recovery | Business criticality of this application, workload, or service. | DR | Mission Critical, Critical, Essential | Yes |
| Environment | Deployment environment of this application, workload, or service. | Env | Prod, Dev, QA, Stage, Test | Yes |
| Owner Name | Owner of the application, workload, or service. | Owner | {email} | Yes |
| Requester Name | User that requested the creation of this application. | Requestor | {email} | Yes |
| Service Class | Service Level Agreement level of this application, workload, or service. | ServiceClass | Dev, Bronze, Silver, Gold | Yes |
| Start Date of the project | Date when this application, workload, or service was first deployed. | StartDate | {date} | No |
| End Date of the Project | Date when this application, workload, or service is planned to be retired. | EndDate | {date} | No |
This module allows you to manage the above metadata tags directly or as a variable using
variables.tf. All Azure resources which support tagging can be tagged by specifying key-values in argumenttags. TagResourceNameis added automatically to all resources.
module "key-vault" {
source = "kumarvna/key-vault/azurerm"
version = "2.1.0"
# ... omitted
tags = {
ProjectName = "demo-project"
Env = "dev"
Owner = "[email protected]"
BusinessUnit = "CORP"
ServiceClass = "Gold"
}
} | Name | Version |
|---|---|
| terraform | >= 0.13 |
| azurerm | >= 2.59.0 |
| Name | Version |
|---|---|
| azurerm | >= 2.59.0 |
| random | >= 3.1.0 |
| azuread | >= 1.4.0 |
| Name | Description | Type | Default |
|---|---|---|---|
resource_group_name |
The name of the resource group in which resources are created | string | "" |
key_vault_name |
The name of the key vault | string | "" |
key_vault_sku_pricing_tier |
The name of the SKU used for the Key Vault. The options are: standard, premium. |
string | "standard" |
enabled_for_deployment |
Allow Virtual Machines to retrieve certificates stored as secrets from the Key Vault | string | "false" |
enabled_for_disk_encryption |
Allow Disk Encryption to retrieve secrets from the vault and unwrap keys | string | "false" |
enabled_for_template_deployment |
Allow Resource Manager to retrieve secrets from the Key Vault | string | "false" |
enable_purge_protection |
Is Purge Protection enabled for this Key Vault? | string | "false" |
enable_rbac_authorization |
Specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions | string | false |
soft_delete_retention_days |
The number of days that items should be retained for once soft-deleted. The valid value can be between 7 and 90 days | string | 90 |
access_policies |
List of access policies for the Key Vault | list | {} |
azure_ad_user_principal_names |
List of user principal names of Azure AD users | list | [] |
azure_ad_group_names |
List of names of Azure AD groups | list | [] |
key_permissions |
List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey. |
list | [] |
secret_permissions |
List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set. |
list | [] |
certificate_permissions |
List of certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update. |
list | [] |
storage_permissions |
List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update. |
list | [] |
network_acls |
Configure Azure Key Vault firewalls and virtual networks | list | {} |
secrets |
A map of secrets for the Key Vault | map | {} |
log_analytics_workspace_id |
The id of log analytic workspace to send logs and metrics. | string | "null" |
storage_account_id |
The id of storage account to send logs and metrics | string | "null" |
Tags |
A map of tags to add to all resources | map | {} |
| Name | Description |
|---|---|
key_vault_id |
The ID of the Key Vault |
key_vault_name |
Name of key vault created |
key_vault_uri |
The URI of the Key Vault, used for performing operations on keys and secrets |
secrets |
A mapping of secret names and URIs |
Key_vault_references |
A mapping of Key Vault references for App Service and Azure Functions |
Originally created by Kumaraswamy Vithanala
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent