Merge pull request #5 from data-platform-hq/key-voult-fix-sql

owlleg6 · web-flow · commit fb05d101e365 · 2022-11-14T16:41:41.000+02:00
fix: key voult fix sql
diff --git a/README.md b/README.md
@@ -30,6 +30,7 @@ No modules.
 | [azurerm_mssql_server_transparent_data_encryption.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_transparent_data_encryption) | resource |
 | [azurerm_mssql_firewall_rule.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_firewall_rule)                                           | resource |
 | [azurerm_mssql_firewall_rule.azure_services](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_firewall_rule)                                 | resource |
+| [azurerm_key_vault_key.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key) | resource |
 
 ## Inputs
 
@@ -49,8 +50,10 @@ No modules.
 | <a name="input_public_network_access_enabled"></a> [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | Whether public network access is allowed for this server                                                                      | `bool`        | true    |    no    |
 | <a name="input_tags"></a> [tags](#input\_tags)                                                                                  | A mapping of tags to assign to the resource                                                                                   | `map(any)`    | {}      |    no    |
 | <a name="input_ip_rules"></a> [ip\_rules](#input\_ip\_rules)                                                                    | Map of IP addresses permitted for access to DB                                                                                | `map(string)` | {}      |    no    |
-| <a name="input_key_vault_id"></a> [key\_vault\_id](#input\_key\_vault\_id)                                                      | Key Vault Id                                                                                                                  | `string`      | ""      |    no    |
-| <a name="input_tde_key"></a> [tde\_key](#input\_tde\_key)                                                                       | Transparent data encryption key id                                                                                            | `string`      | ""      |    no    |
+| <a name="input_key_vault_id"></a> [key\_vault\_id](#input\_key\_vault\_id)                                                      | Key Vault Id                                                                                                                  | `map(string)`      | {}      |    no    |
+| <a name="input_key_opts"></a> [key\_opts](#input\_key\_opts) | JSON web key operations: [decrypt\|encrypt\|sign\|unwrapKey\|verify\|wrapKey] | `list(string)` | <pre>[<br>  "decrypt",<br>  "encrypt",<br>  "sign",<br>  "unwrapKey",<br>  "verify",<br>  "wrapKey"<br>]</pre> | no |
+| <a name="input_key_size"></a> [key\_size](#input\_key\_size) | Size of the RSA key to create in bytes, requied for RSA & RSA-HSM: [1024\|2048] | `number` | `2048` | no |
+| <a name="input_key_type"></a> [key\_type](#input\_key\_type) | Key Type to use for this Key Vault Key: [EC\|EC-HSM\|Oct\|RSA\|RSA-HSM] | `string` | `"RSA"` | no |
 
 ## Outputs
 
diff --git a/main.tf b/main.tf
@@ -32,7 +32,9 @@ resource "azurerm_mssql_server" "this" {
 }
 
 resource "azurerm_key_vault_access_policy" "tde_policy" {
-  key_vault_id = var.key_vault_id
+  for_each = { for k, v in var.key_vault_id : k => v }
+
+  key_vault_id = each.value
   tenant_id    = azurerm_mssql_server.this.identity[0].tenant_id
   object_id    = azurerm_mssql_server.this.identity[0].principal_id
 
@@ -43,9 +45,21 @@ resource "azurerm_key_vault_access_policy" "tde_policy" {
   ]
 }
 
+resource "azurerm_key_vault_key" "this" {
+  for_each = { for k, v in var.key_vault_id : k => v }
+
+  name         = "tde-${var.project}-${var.env}-${var.location}"
+  key_type     = var.key_type
+  key_size     = var.key_size
+  key_vault_id = each.value
+  key_opts     = var.key_opts
+}
+
 resource "azurerm_mssql_server_transparent_data_encryption" "this" {
+  for_each = { for k, v in var.key_vault_id : k => v }
+
   server_id        = azurerm_mssql_server.this.id
-  key_vault_key_id = var.tde_key
+  key_vault_key_id = azurerm_key_vault_key.this[each.key].id
 }
 
 resource "azurerm_mssql_firewall_rule" "this" {
diff --git a/variables.tf b/variables.tf
@@ -74,14 +74,33 @@ variable "ip_rules" {
   default     = {}
 }
 
-variable "key_vault_id" {
+variable "key_type" {
   type        = string
-  description = "Key Vault Id"
-  default     = ""
+  description = "Key Type to use for this Key Vault Key: [EC|EC-HSM|Oct|RSA|RSA-HSM]"
+  default     = "RSA"
 }
 
-variable "tde_key" {
-  type        = string
-  description = "Transparent data encryption key id"
-  default     = ""
+variable "key_size" {
+  type        = number
+  description = "Size of the RSA key to create in bytes, requied for RSA & RSA-HSM: [1024|2048]"
+  default     = 2048
+}
+
+variable "key_opts" {
+  type        = list(string)
+  description = "JSON web key operations: [decrypt|encrypt|sign|unwrapKey|verify|wrapKey]"
+  default = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey"
+  ]
+}
+
+variable "key_vault_id" {
+  type        = map(string)
+  description = "Key Vault ID"
+  default     = {}
 }
