
Commit 214b563

committed
fix: key-vault-key
1 parent 7fca2eb commit 214b563


2 files changed

+44
-9
lines changed


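--- a/main.tf
+++ b/main.tf
@@ -32,7 +32,9 @@ resource "azurerm_mssql_server" "this" {
 }
 
 resource "azurerm_key_vault_access_policy" "tde_policy" {
-key_vault_id = var.key_vault_id
+for_each = { for k, v in var.key_vault_id : k => v }
+
+key_vault_id = each.value
 tenant_id = azurerm_mssql_server.this.identity[0].tenant_id
 object_id = azurerm_mssql_server.this.identity[0].principal_id
 
@@ -43,9 +45,23 @@ resource "azurerm_key_vault_access_policy" "tde_policy" {
 ]
 }
 
+resource "azurerm_key_vault_key" "this" {
+for_each = { for k, v in var.key_vault_id : k => v }
+
+name = "tde-${var.project}-${var.env}-${var.location}"
+key_type = var.key_type
+key_size = var.key_size
+key_vault_id = each.value
+key_opts = var.key_opts
+}
+
 resource "azurerm_mssql_server_transparent_data_encryption" "this" {
+for_each = { for k, v in var.key_vault_id : k => v }
+
 server_id = azurerm_mssql_server.this.id
-key_vault_key_id = var.tde_key
+key_vault_key_id = azurerm_key_vault_key.this[each.key].id
+
+depends_on = [azurerm_key_vault_key.this]
 }
 
 resource "azurerm_mssql_firewall_rule" "this" {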
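Review bot: The new `depends_on = [azurerm_key_vault_key.this]` at new line 64 is redundant, because `key_vault_key_id = azurerm_key_vault_key.this[each.key].id` on line 62 already establishes that dependency, while the ordering that actually matters is not expressed: nothing ties `azurerm_mssql_server_transparent_data_encryption.this` to `azurerm_key_vault_access_policy.tde_policy`, so the TDE protector can be set before the server identity has been granted its key permissions (the policy's permission list sits outside the hunk), which would make the first apply fail on the TDE resource. Suggest `depends_on = [azurerm_key_vault_access_policy.tde_policy]` instead. The `azurerm_key_vault_key` resource at lines 48–56 also sets no `expiration_date` or `rotation_policy`, so the TDE protector never expires and has no rotation configured; if that is intentional, a comment stating it would help, e.g. `# TDE protector: key lifetime and rotation are managed outside Terraform — confirm`.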

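--- a/variables.tf
+++ b/variables.tf
@@ -74,14 +74,33 @@ variable "ip_rules" {
 default = {}
 }
 
-variable "key_vault_id" {
+variable "key_type" {
 type = string
-description = "Key Vault Id"
-default = ""
+description = "Key Type to use for this Key Vault Key: [EC|EC-HSM|Oct|RSA|RSA-HSM]"
+default = "RSA"
 }
 
-variable "tde_key" {
-type = string
-description = "Transparent data encryption key id"
-default = ""
+variable "key_size" {
+type = number
+description = "Size of the RSA key to create in bytes, requied for RSA & RSA-HSM: [1024|2048]"
+default = 2048
+}
+
+variable "key_opts" {
+type = list(string)
+description = "JSON web key operations: [decrypt|encrypt|sign|unwrapKey|verify|wrapKey]"
+default = [
+"decrypt",
+"encrypt",
+"sign",
+"unwrapKey",
+"verify",
+"wrapKey"
+]
 }
+
+variable "key_vault_id" {
+type = map(string)
+description = "Key Vault ID"
+default = {}
+}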
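Review bot: The `key_size` description at new line 85 says the size is in bytes, but 2048 is a bit length, and it advertises 1024, which is too weak for an RSA key protecting TDE and, to my knowledge, is not an accepted Key Vault RSA size; suggest `description = "Size of the RSA key to create in bits, required for RSA & RSA-HSM: [2048|3072|4096]"` (which also fixes the `requied` typo). The `key_opts` default at lines 92–99 grants every JSON web key operation, whereas a TDE protector key, I believe, only needs wrap and unwrap; a least-privilege default would be `default = ["unwrapKey", "wrapKey"]`, with callers widening it explicitly when a workload needs more. Neither `key_type` nor `key_size` carries a `validation` block, so values outside the lists in the descriptions are passed to the provider unchecked.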
