Add Azure Key Vault with Private Endpoint Integration (#23)

* DEVOPS-312 kv with private endpoint inside access

* adding depends on conditions

Author: githubofkrishnadhas

keyvault-with-private-endpoint/README.md

@@ -0,0 +1,75 @@
+<!-- BEGIN_AUTOMATED_TF_DOCS_BLOCK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | ~> 1.3 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement_azurerm) | <= 4.0 |
+| <a name="requirement_random"></a> [random](#requirement_random) | >= 3.1 |
+## Usage
+Basic usage of this module is as follows:
+  ```hcl
+    module "example" {
+      	 source  = "<module-path>"
+      
+	 # Required variables
+      	 keyvault_name  = 
+      	 resource_group_name  = 
+      
+	 # Optional variables
+      	 application_name  = "devwithkrishna"
+      	 azure_disk_encryption_can_retrieve_secrets  = false
+      	 azure_resource_manager_can_retrieve_secrets  = false
+      	 azure_vms_can_access_certs_stored_as_secrets  = false
+      	 enable_rbac_authorization  = false
+      	 environment  = "DEV"
+      	 location  = ""
+      	 public_network_access_enabled  = true
+      	 purge_protection_enabled  = false
+      	 sku_name  = "standard"
+      	 soft_delete_retention_days  = 90
+      	 temporary  = "TRUE"
+    }
+  ```
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
+| [azurerm_resource_group.keyvault_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+
+## Inputs
+
+| Name | Description | Type | Required |
+|------|-------------|------|:--------:|
+| <a name="input_application_name"></a> [application_name](#input_application_name) | Azure application name tag | `string` | no |
+| <a name="input_azure_disk_encryption_can_retrieve_secrets"></a> [azure_disk_encryption_can_retrieve_secrets](#input_azure_disk_encryption_can_retrieve_secrets) | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys | `bool` | no |
+| <a name="input_azure_resource_manager_can_retrieve_secrets"></a> [azure_resource_manager_can_retrieve_secrets](#input_azure_resource_manager_can_retrieve_secrets) | Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the vault | `bool` | no |
+| <a name="input_azure_vms_can_access_certs_stored_as_secrets"></a> [azure_vms_can_access_certs_stored_as_secrets](#input_azure_vms_can_access_certs_stored_as_secrets) | Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault | `bool` | no |
+| <a name="input_enable_rbac_authorization"></a> [enable_rbac_authorization](#input_enable_rbac_authorization) | Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions | `bool` | no |
+| <a name="input_environment"></a> [environment](#input_environment) | Environment tag value in Azure | `string` | no |
+| <a name="input_keyvault_name"></a> [keyvault_name](#input_keyvault_name) | Azure keyvault name | `string` | yes |
+| <a name="input_location"></a> [location](#input_location) | Azure keyvault location | `string` | no |
+| <a name="input_public_network_access_enabled"></a> [public_network_access_enabled](#input_public_network_access_enabled) | Whether public network access is allowed for this Key Vault | `bool` | no |
+| <a name="input_purge_protection_enabled"></a> [purge_protection_enabled](#input_purge_protection_enabled) | Purge Protection enabled or not | `bool` | no |
+| <a name="input_resource_group_name"></a> [resource_group_name](#input_resource_group_name) | Azure keyvault Rg | `string` | yes |
+| <a name="input_sku_name"></a> [sku_name](#input_sku_name) | Keyvault SKUs available in azure. Valid options are standard and premium | `string` | no |
+| <a name="input_soft_delete_retention_days"></a> [soft_delete_retention_days](#input_soft_delete_retention_days) | The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 | `number` | no |
+| <a name="input_temporary"></a> [temporary](#input_temporary) | Temporary tag value in Azure | `string` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_azurerm_resource_group"></a> [azurerm_resource_group](#output_azurerm_resource_group) | Azure resource group name |
+| <a name="output_enable_rbac_authorization"></a> [enable_rbac_authorization](#output_enable_rbac_authorization) | Azure kv RBAC access enabled or not |
+| <a name="output_enabled_for_deployment"></a> [enabled_for_deployment](#output_enabled_for_deployment) | Azure vms can access certs from kv |
+| <a name="output_enabled_for_disk_encryption"></a> [enabled_for_disk_encryption](#output_enabled_for_disk_encryption) | Azure disk encryption can access keys from keyvault or not |
+| <a name="output_enabled_for_template_deployment"></a> [enabled_for_template_deployment](#output_enabled_for_template_deployment) | Azure resource manager can access secrets or not |
+| <a name="output_keyvault_location"></a> [keyvault_location](#output_keyvault_location) | Azure keyvault location |
+| <a name="output_keyvault_name"></a> [keyvault_name](#output_keyvault_name) | Azure keyvault name |
+| <a name="output_keyvault_sku"></a> [keyvault_sku](#output_keyvault_sku) | Azure Keyvault SKu |
+| <a name="output_public_access_enabled"></a> [public_access_enabled](#output_public_access_enabled) | Azure kv enabled public access or not |
+<!-- END_AUTOMATED_TF_DOCS_BLOCK -->

keyvault-with-private-endpoint/data.tf

@@ -0,0 +1,12 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_subnet" "pvt_end_pt" {
+  name                 = var.subnet_name
+  virtual_network_name = var.virtual_network_name
+  resource_group_name  = var.virtual_network_rg
+}
+
+data "azurerm_private_dns_zone" "key_vault_dns_zone" {
+  name                = "privatelink.vaultcore.azure.net"
+  resource_group_name = "ARCHITECTS-CENTRAL-INDIA-AKS-VNET-RG"
+}

keyvault-with-private-endpoint/keyvault.tf

@@ -0,0 +1,101 @@
+resource "azurerm_resource_group" "keyvault_rg" {
+  name     = var.resource_group_name
+  location = var.location
+  tags = {
+    Environment     = upper(var.environment)
+    Orchestrator    = "Terraform"
+    DisplayName     = upper(var.resource_group_name)
+    ApplicationName = lower(var.application_name)
+    Temporary       = upper(var.temporary)
+  }
+}
+
+resource "azurerm_key_vault" "kv" {
+  name                = var.keyvault_name
+  resource_group_name = azurerm_resource_group.keyvault_rg.name
+  location            = azurerm_resource_group.keyvault_rg.location
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = var.sku_name
+
+  enable_rbac_authorization       = var.enable_rbac_authorization
+  enabled_for_deployment          = var.azure_vms_can_access_certs_stored_as_secrets
+  enabled_for_disk_encryption     = var.azure_disk_encryption_can_retrieve_secrets
+  enabled_for_template_deployment = var.azure_resource_manager_can_retrieve_secrets
+
+  purge_protection_enabled   = var.purge_protection_enabled
+  soft_delete_retention_days = var.soft_delete_retention_days
+
+  public_network_access_enabled = var.public_network_access_enabled
+
+  depends_on = [ azurerm_resource_group.keyvault_rg ]
+  network_acls {
+    bypass = "AzureServices" # Specifies which traffic can bypass the network rules
+    default_action = "Deny"  # Specifies the default action when no rule from ip_rules and virtual_network_subnet_ids match
+    virtual_network_subnet_ids = [data.azurerm_subnet.pvt_end_pt.id] # List of subnet ids that can access the key vault
+  }
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = data.azurerm_client_config.current.object_id
+
+    key_permissions = [
+      "Get", "List", "Create", "Recover", "Purge", "UnwrapKey", "Update", "WrapKey", "Rotate", "GetRotationPolicy", "SetRotationPolicy"
+    ]
+
+    secret_permissions = [
+      "Get", "Set", "List", "Delete", "Recover"
+    ]
+
+    storage_permissions = [
+      "Get", "Delete", "List", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update"
+    ]
+
+    certificate_permissions = [
+      "Create", "Delete", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageIssuers", "SetIssuers", "Update"
+    ]
+
+  }
+
+  tags = {
+    Environment     = upper(var.environment)
+    Orchestrator    = "Terraform"
+    DisplayName     = upper(var.keyvault_name)
+    ApplicationName = lower(var.application_name)
+    Temporary       = upper(var.temporary)
+
+  }
+}
+
+
+resource "azurerm_private_endpoint" "pvt_end_pt" {
+  name                = "${var.keyvault_name}-pvt-end-pt"
+  location            = azurerm_resource_group.keyvault_rg.location
+  resource_group_name = azurerm_resource_group.keyvault_rg.name
+  subnet_id           = data.azurerm_subnet.pvt_end_pt.id
+  custom_network_interface_name = "${var.keyvault_name}-pvt-end-pt-nic"
+  
+  depends_on = [ azurerm_key_vault.kv, azurerm_resource_group.keyvault_rg ]
+
+  private_service_connection {
+      name                           = lower("${azurerm_key_vault.kv.name}-psc")
+      private_connection_resource_id = azurerm_key_vault.kv.id
+      is_manual_connection           = false
+      subresource_names              = ["Vault"]
+    }
+
+  private_dns_zone_group {
+    name                 = "privatelink.vaultcore.azure.net"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.key_vault_dns_zone.id]
+  }
+
+}
+
+
+resource "azurerm_private_dns_a_record" "pvt_dns_a_record" {
+  name                = var.keyvault_name
+  zone_name           = data.azurerm_private_dns_zone.key_vault_dns_zone.name
+  resource_group_name = data.azurerm_private_dns_zone.key_vault_dns_zone.resource_group_name
+  ttl                 = 300
+  records             = [azurerm_private_endpoint.pvt_end_pt.private_service_connection.0.private_ip_address]
+  depends_on = [ azurerm_private_endpoint.pvt_end_pt ]
+}

keyvault-with-private-endpoint/output.tf

@@ -0,0 +1,48 @@
+output "azurerm_resource_group" {
+  description = "Azure resource group name"
+  value       = azurerm_resource_group.keyvault_rg
+}
+
+output "keyvault_name" {
+  description = "Azure keyvault name"
+  value       = azurerm_key_vault.kv.name
+}
+
+output "keyvault_location" {
+  description = "Azure keyvault location"
+  value       = azurerm_key_vault.kv.location
+}
+
+output "keyvault_sku" {
+  description = "Azure Keyvault SKu"
+  value       = azurerm_key_vault.kv.sku_name
+}
+
+output "enable_rbac_authorization" {
+  description = "Azure kv RBAC access enabled or not"
+  value       = azurerm_key_vault.kv.enable_rbac_authorization
+}
+
+output "enabled_for_deployment" {
+  description = "Azure vms can access certs from kv"
+  value       = azurerm_key_vault.kv.enabled_for_deployment
+}
+
+output "enabled_for_disk_encryption" {
+  description = "Azure disk encryption can access keys from keyvault or not"
+  value       = azurerm_key_vault.kv.enabled_for_disk_encryption
+}
+
+output "enabled_for_template_deployment" {
+  description = "Azure resource manager can access secrets or not"
+  value       = azurerm_key_vault.kv.enabled_for_template_deployment
+}
+output "public_access_enabled" {
+  description = "Azure kv enabled public access or not"
+  value       = azurerm_key_vault.kv.public_network_access_enabled
+}
+
+output "privat_enedpoint_ipaddress" {
+  description = "Azure kv private endpoint address"
+  value       = azurerm_private_endpoint.pvt_end_pt.private_service_connection.0.private_ip_address
+}

keyvault-with-private-endpoint/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = "~> 1.3"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<= 4.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.1"
+    }
+  }
+}
+provider "azurerm" {
+  features {}
+}

keyvault-with-private-endpoint/variables.tf

@@ -0,0 +1,117 @@
+variable "resource_group_name" {
+  type        = string
+  description = "Azure keyvault Rg"
+}
+
+variable "location" {
+  type        = string
+  description = "Azure keyvault location"
+  default     = ""
+}
+
+variable "keyvault_name" {
+  description = "Azure keyvault name"
+  type        = string
+
+}
+
+variable "sku_name" {
+  default     = "standard"
+  description = "Keyvault SKUs available in azure. Valid options are standard and premium"
+  validation {
+    condition     = contains(["standard", "premium"], var.sku_name)
+    error_message = "Keyvault SKU should be one among standard or premium"
+  }
+}
+
+variable "environment" {
+  default     = "DEV"
+  description = "Environment tag value in Azure"
+  type        = string
+  validation {
+    condition     = contains(["DEV", "QA", "UAT", "PROD"], var.environment)
+    error_message = "Environment value should be one among DEV or QA or UAT or PROD."
+  }
+}
+
+variable "application_name" {
+  default     = "devwithkrishna"
+  description = "Azure application name tag"
+}
+
+
+variable "temporary" {
+  default     = "TRUE"
+  description = "Temporary tag value in Azure"
+  type        = string
+  validation {
+    condition     = contains(["TRUE", "FALSE"], upper(var.temporary))
+    error_message = "The temporary tag value must be either 'TRUE' or 'FALSE'."
+  }
+
+}
+
+variable "azure_vms_can_access_certs_stored_as_secrets" {
+  default     = false
+  type        = bool
+  description = "Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault"
+}
+
+variable "azure_disk_encryption_can_retrieve_secrets" {
+  default     = false
+  type        = bool
+  description = "Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys"
+}
+
+variable "azure_resource_manager_can_retrieve_secrets" {
+  default     = false
+  type        = bool
+  description = "Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the vault"
+}
+
+variable "enable_rbac_authorization" {
+  default     = false
+  type        = bool
+  description = "Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions"
+}
+
+variable "purge_protection_enabled" {
+  type        = bool
+  default     = false
+  description = "Purge Protection enabled or not"
+}
+
+variable "public_network_access_enabled" {
+  default     = true
+  type        = bool
+  description = "Whether public network access is allowed for this Key Vault"
+}
+
+variable "soft_delete_retention_days" {
+  default     = 90
+  type        = number
+  description = " The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90"
+  validation {
+    condition     = var.soft_delete_retention_days >= 7 && var.soft_delete_retention_days <= 90
+    error_message = "This value should be between 7 and 90 both included."
+  }
+}
+
+
+variable "virtual_network_name" {
+  type        = string
+  description = "Name of the virtual network in which private endpoint will be created"
+  default    = ""  
+}
+
+variable "subnet_name" {
+  type        = string
+  description = "Name of the subnet in which private endpoint will be created"
+  default    = ""  
+}
+
+variable "virtual_network_rg" {
+  type = string
+  default = "value"
+  description = "Virtual network resource group"
+}