Feature/keyvault nonprod (#16)

* "Update GitHub workflow to push to main branch instead of default branch"

* DEVOPS-303 nonprod keyvaul terraform module

* DEVOPS-303 fix variable validation issue

* DEVOPS-303 fix access policy objet type issue

Author: githubofkrishnadhas

.github/workflows/create-root-readme.yaml

@@ -39,4 +39,4 @@ jobs:
         git add .
         git commit -m "Update documentation"
         git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/devwithkrishna/azure-terraform-modules.git
-        git push
+        git push origin main

keyvault-nonprod/data.tf

@@ -0,0 +1 @@
+data "azurerm_client_config" "current" {}

keyvault-nonprod/keyvault.tf

@@ -0,0 +1,60 @@
+resource "azurerm_resource_group" "keyvault_rg" {
+  name     = var.resource_group_name
+  location = var.location
+  tags = {
+    Environment     = upper(var.environment)
+    Orchestrator    = "Terraform"
+    DisplayName     = upper(var.resource_group_name)
+    ApplicationName = lower(var.application_name)
+    Temporary       = upper(var.temporary)
+  }
+}
+
+resource "azurerm_key_vault" "kv" {
+  name                             = var.keyvault_name
+  resource_group_name              = azurerm_resource_group.keyvault_rg.name
+  location                         = azurerm_resource_group.keyvault_rg.location
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  sku_name = var.sku_name
+
+  enable_rbac_authorization = var.enable_rbac_authorization
+  enabled_for_deployment = var.azure_vms_can_access_certs_stored_as_secrets
+  enabled_for_disk_encryption = var.azure_disk_encryption_can_retrieve_secrets
+  enabled_for_template_deployment = var.azure_resource_manager_can_retrieve_secrets
+
+  purge_protection_enabled = var.purge_protection_enabled
+  soft_delete_retention_days = var.soft_delete_retention_days
+
+  public_network_access_enabled = var.public_network_access_enabled
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+    
+    key_permissions = [
+      "Get", "List", "Create", "Recover", "Purge", "UnwrapKey", "Update", "WrapKey", "Rotate", "GetRotationPolicy", "SetRotationPolicy"
+    ]
+
+    secret_permissions = [
+      "Get","Set", "List", "Delete", "Recover"
+    ]
+
+    storage_permissions = [
+      "Get", "Delete", "List", "Recover", "RegenerateKey","Restore","Set" , "SetSAS", "Update"
+    ]
+
+    certificate_permissions = [
+      "Create", "Delete", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageIssuers", "SetIssuers", "Update"
+    ]
+
+  }
+
+  tags = {
+    Environment     = upper(var.environment)
+    Orchestrator    = "Terraform"
+    DisplayName     = upper(var.keyvault_name)
+    ApplicationName = lower(var.application_name)
+    Temporary       = upper(var.temporary)
+
+  }
+}

keyvault-nonprod/output.tf

@@ -0,0 +1,43 @@
+output "azurerm_resource_group" {
+  description = "Azure resource group name"
+  value       = azurerm_resource_group.keyvault_rg
+}
+
+output "keyvault_name" {
+  description = "Azure keyvault name"
+  value       = azurerm_key_vault.kv.name
+}
+
+output "keyvault_location" {
+  description = "Azure keyvault location"
+  value       = azurerm_key_vault.kv.location
+}
+
+output "keyvault_sku" {
+  description = "Azure Keyvault SKu"
+  value       = azurerm_key_vault.kv.sku_name
+}
+
+output "enable_rbac_authorization" {
+  description = "Azure kv RBAC access enabled or not"
+  value       = azurerm_key_vault.kv.enable_rbac_authorization
+}
+
+output "enabled_for_deployment" {
+  description = "Azure vms can access certs from kv"
+  value       = azurerm_key_vault.kv.enabled_for_deployment
+}
+
+output "enabled_for_disk_encryption" {
+  description = "Azure disk encryption can access keys from keyvault or not"
+  value       = azurerm_key_vault.kv.enabled_for_disk_encryption
+}
+
+output "enabled_for_template_deployment" {
+  description = "Azure resource manager can access secrets or not"
+  value       = azurerm_key_vault.kv.enabled_for_template_deployment
+}
+output "public_access_enabled" {
+  description = "Azure kv enabled public access or not"
+  value       = azurerm_key_vault.kv.public_network_access_enabled
+}

keyvault-nonprod/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = "~> 1.3"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<= 4.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1"
+    }
+  }
+}
+provider "azurerm" {
+  features {}
+}

keyvault-nonprod/variables.tf

@@ -0,0 +1,99 @@
+variable "resource_group_name" {
+  type        = string
+  description = "Azure keyvault Rg"
+}
+
+variable "location" {
+  type        = string
+  description = "Azure keyvault location"
+  default     = ""
+}
+
+variable "keyvault_name" {
+  description = "Azure keyvault name"
+  type        = string
+
+}
+
+variable "sku_name" {
+  default     = "standard"
+  description = "Keyvault SKUs available in azure. Valid options are standard and premium"
+  validation {
+    condition = contains(["standard", "premium"], var.sku_name)
+    error_message = "Keyvault SKU should be one among standard or premium"
+  }
+}
+
+variable "environment" {
+  default     = "DEV"
+  description = "Environment tag value in Azure"
+  type        = string
+  validation {
+    condition     = contains(["DEV", "QA", "UAT", "PROD"], var.environment)
+    error_message = "Environment value should be one among DEV or QA or UAT or PROD."
+  }
+}
+
+variable "application_name" {
+  default     = "devwithkrishna"
+  description = "Azure application name tag"
+}
+
+
+variable "temporary" {
+  default     = "TRUE"
+  description = "Temporary tag value in Azure"
+  type        = string
+  validation {
+    condition     = contains(["TRUE", "FALSE"], upper(var.temporary))
+    error_message = "The temporary tag value must be either 'TRUE' or 'FALSE'."
+  }
+
+}
+
+variable "azure_vms_can_access_certs_stored_as_secrets" {
+  default = false
+  type = bool
+  description = "Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault"
+}
+
+variable "azure_disk_encryption_can_retrieve_secrets"{
+  default = false
+  type = bool
+  description = "Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys"
+}
+
+variable "azure_resource_manager_can_retrieve_secrets"{
+  default = false
+  type = bool
+  description = "Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the vault"
+}
+
+variable "enable_rbac_authorization" {
+  default = false
+  type = bool
+  description = "Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions"
+}
+
+variable "purge_protection_enabled" {
+  type = bool
+  default = false
+  description = "Purge Protection enabled or not"
+}
+
+variable "public_network_access_enabled" {
+  default = true
+  type = bool
+  description = "Whether public network access is allowed for this Key Vault"
+}
+
+variable "soft_delete_retention_days" {
+  default = 90
+  type = number
+  description = " The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90"
+  validation {
+    condition = var.soft_delete_retention_days >= 7 && var.soft_delete_retention_days <=90
+    error_message = "This value should be between 7 and 90 both included."
+  }
+}
+