This Terraform module creates an Azure Key Vault with pre-configured "reader" and "admin" access policies and with diagnostic settings enabled.

| Module version | Terraform version | AzureRM version |
| -------------- | ----------------- | --------------- |
| >= 4.x.x       | 0.13.x            | >= 2.48         |
| >= 3.x.x       | 0.12.x            | >= 2.48         |
| >= 2.x.x       | 0.12.x            | < 2.0           |
| < 2.x.x        | 0.11.x            | < 2.0           |

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables that this module needs. More details about the variables set by the terraform-wrapper are available in its documentation.

You can use this module by including it this way:

```hcl
module "azure-region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure-region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

data "azuread_group" "admin_group" {
  name = "Admin"
}

module "key_vault" {
  source  = "claranet/keyvault/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  location            = module.azure-region.location
  location_short      = module.azure-region.location_short
  resource_group_name = module.rg.resource_group_name
  stack               = var.stack

  logs_destinations_ids = [
    data.terraform_remote_state.run.outputs.logs_storage_account_id,
    data.terraform_remote_state.run.outputs.log_analytics_workspace_id,
  ]

  # WebApp or other applications Object IDs
  reader_objects_ids = [
    var.webapp_service_principal_id
  ]

  # Current user should be here to be able to create keys and secrets
  admin_objects_ids = [
    data.azuread_group.admin_group.id
  ]

  # Specify Network ACLs
  network_acls = {
    bypass                     = "None"
    default_action             = "Deny"
    ip_rules                   = ["10.10.0.0/26", "1.2.3.4/32"]
    virtual_network_subnet_ids = module.subnet.subnet_ids
  }
}
```

| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| admin_objects_ids | IDs of the objects that can do all operations on all keys, secrets and certificates | `list(string)` | `[]` | no |
| client_name | Client name | `string` | n/a | yes |
| custom_name | Name of the Key Vault, generated if not set. | `string` | `""` | no |
| enabled_for_deployment | Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | `bool` | `false` | no |
| enabled_for_disk_encryption | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | `bool` | `false` | no |
| enabled_for_template_deployment | Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | `bool` | `false` | no |
| environment | Environment name | `string` | n/a | yes |
| extra_tags | Extra tags to add | `map(string)` | `{}` | no |
| location | Azure location for Key Vault. | `string` | n/a | yes |
| location_short | Short string for Azure location. | `string` | n/a | yes |
| logs_categories | Log categories to send to destinations. | `list(string)` | `null` | no |
| logs_destinations_ids | List of destination resource IDs for the logs diagnostics destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. Empty list to disable logging. | `list(string)` | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | `list(string)` | `null` | no |
| logs_retention_days | Number of days to keep logs on the storage account | `number` | `30` | no |
| network_acls | Object with attributes: `bypass`, `default_action`, `ip_rules`, `virtual_network_subnet_ids`. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information. | `object({ ... })` | `null` | no |
| purge_protection_enabled | Whether to activate purge protection | `bool` | `true` | no |
| reader_objects_ids | IDs of the objects that can read all keys, secrets and certificates | `list(string)` | `[]` | no |
| resource_group_name | Resource Group the resources will belong to | `string` | n/a | yes |
| sku_name | The name of the SKU used for this Key Vault. Possible values are "standard" and "premium". | `string` | `"standard"` | no |
| stack | Stack name | `string` | n/a | yes |
| tenant_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. Default is the current one. | `string` | `""` | no |

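As an added example (not part of the module), the following Python policy check reads `terraform show -json` plan output and flags any planned Key Vault whose `purge_protection_enabled` or `network_acls` settings fall short of what this module's defaults provide. The plan JSON, the module addresses and the resource name `azurerm_key_vault.keyvault` are constructed assumptions, not values taken from the module.

```python
"""Policy check over `terraform show -json tfplan` output (added example): it flags
planned azurerm_key_vault resources whose settings weaken the posture this module
aims for. SAMPLE_PLAN is a constructed, trimmed stand-in for real plan JSON."""
import json

# Constructed sample: two vaults created by two module calls; only keys used below.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"child_modules": [
    {"address": "module.key_vault", "resources": [{
        "address": "module.key_vault.azurerm_key_vault.keyvault",
        "type": "azurerm_key_vault",
        "values": {"purge_protection_enabled": True,
                   "network_acls": [{"bypass": "None", "default_action": "Deny",
                                     "ip_rules": ["10.10.0.0/26"],
                                     "virtual_network_subnet_ids": []}]}}]},
    {"address": "module.legacy_kv", "resources": [{
        "address": "module.legacy_kv.azurerm_key_vault.keyvault",
        "type": "azurerm_key_vault",
        # An omitted network_acls block appears as an empty list in plan JSON.
        "values": {"purge_protection_enabled": False, "network_acls": []}}]},
]}}})


def iter_resources(module):
    """Yield every resource in a planned_values module tree, recursively."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_key_vaults(plan_json):
    """Return {resource address: [finding, ...]} for non-compliant vaults."""
    findings, root = {}, json.loads(plan_json)["planned_values"]["root_module"]
    for res in iter_resources(root):
        if res.get("type") != "azurerm_key_vault":
            continue
        values, problems = res.get("values", {}), []
        if not values.get("purge_protection_enabled"):
            problems.append("purge protection disabled")
        acls = values.get("network_acls") or []
        if not acls:
            problems.append("no network_acls block: vault reachable from any network")
        elif acls[0].get("default_action") != "Deny":
            problems.append("network_acls.default_action is not Deny")
        if problems:
            findings[res["address"]] = problems
    return findings


if __name__ == "__main__":
    for address, problems in check_key_vaults(SAMPLE_PLAN).items():
        print(address, "->", "; ".join(problems))
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to `check_key_vaults`.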
| Name | Description |
| ---- | ----------- |
| key_vault_id | ID of the Key Vault |
| key_vault_name | Name of the Key Vault |
| key_vault_uri | URI of the Key Vault |

Terraform resource documentation: [www.terraform.io/docs/providers/azurerm/r/key_vault.html](https://www.terraform.io/docs/providers/azurerm/r/key_vault.html)

Microsoft Azure documentation: [docs.microsoft.com/en-us/azure/key-vault/](https://docs.microsoft.com/en-us/azure/key-vault/)