|
| 1 | +# Azure Key Vault Terraform Module |
| 2 | + |
| 3 | +Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets. |
| 4 | + |
| 5 | +This Terraform Module creates a Key Vault also adds required access policies for AD users and groups. This also sends all logs to log analytic workspace and storage. |
| 6 | + |
| 7 | +## Module Usage |
| 8 | + |
| 9 | +```hcl |
| 10 | +module "key-vault" { |
| 11 | + source = "kumarvna/key-vault/azurerm" |
| 12 | + version = "1.0.0" |
| 13 | +
|
| 14 | + # Resource Group and Key Vault pricing tier details |
| 15 | + resource_group_name = "rg-demo-project-shared-westeurope-001" |
| 16 | + key_vault_name = "demo-project-shard" |
| 17 | + key_vault_sku_pricing_tier = "premium" |
| 18 | +
|
| 19 | + # Once `Purge Protection` has been Enabled it's not possible to Disable it |
| 20 | + # Deleting the Key Vault with `Purge Protection` enabled will schedule the Key Vault to be deleted (currently 90 days) |
| 21 | + # Once `Soft Delete` has been Enabled it's not possible to Disable it. |
| 22 | + enable_purge_protection = false |
| 23 | + enable_soft_delete = false |
| 24 | +
|
| 25 | + # Adding Key valut logs to Azure monitoring and Log Analytics space |
| 26 | + log_analytics_workspace_id = var.log_analytics_workspace_id |
| 27 | + storage_account_id = var.storage_account_id |
| 28 | +
|
| 29 | + # Access policies for users, you can provide list of Azure AD users and set permissions. |
| 30 | + # Make sure to use list of user principal names of Azure AD users. |
| 31 | + access_policies = [ |
| 32 | + { |
| 33 | + azure_ad_user_principal_names = ["[email protected]", "[email protected]"] |
| 34 | + key_permissions = ["get", "list"] |
| 35 | + secret_permissions = ["get", "list"] |
| 36 | + certificate_permissions = ["get", "import", "list"] |
| 37 | + storage_permissions = ["backup", "get", "list", "recover"] |
| 38 | + }, |
| 39 | +
|
| 40 | + # Access policies for AD Groups, enable this feature to provide list of Azure AD groups and set permissions. |
| 41 | + { |
| 42 | + azure_ad_group_names = ["ADGroupName1", "ADGroupName2"] |
| 43 | + secret_permissions = ["get", "list", "set"] |
| 44 | + }, |
| 45 | + ] |
| 46 | +
|
| 47 | + # Create a required Secrets as per your need. |
| 48 | + # When you Add `usernames` with empty password this module creates a strong random password |
| 49 | + # use .tfvars file to manage the secrets to avoid security violations. |
| 50 | + secrets = { |
| 51 | + "message" = "Hello, world!" |
| 52 | + "vmpass" = "" |
| 53 | + } |
| 54 | +
|
| 55 | + # Adding TAG's to your Azure resources (Required) |
| 56 | + # ProjectName and Env are already declared above, to use them here or create a varible. |
| 57 | + tags = { |
| 58 | + ProjectName = "demo-project" |
| 59 | + Env = "dev" |
| 60 | + |
| 61 | + BusinessUnit = "CORP" |
| 62 | + ServiceClass = "Gold" |
| 63 | + } |
| 64 | +} |
| 65 | +``` |
| 66 | + |
| 67 | +## Configure Azure Key Vault firewalls and virtual networks |
| 68 | + |
| 69 | +Configure Azure Key Vault firewalls and virtual networks to restrict access to the key vault. The virtual network service endpoints for Key Vault (Microsoft.KeyVault) allow you to restrict access to a specified virtual network and set of IPv4 address ranges. |
| 70 | + |
| 71 | +Default action is set to `Allow` when no network rules matched. A `virtual_network_subnet_ids` or `ip_rules` can be added to `network_acls` block to allow request that is not Azure Services. |
| 72 | + |
| 73 | +```hcl |
| 74 | +module "key-vault" { |
| 75 | + source = "kumarvna/key-vault/azurerm" |
| 76 | + version = "1.0.0" |
| 77 | +
|
| 78 | + # .... omitted |
| 79 | +
|
| 80 | + network_acls = { |
| 81 | + bypass = "AzureServices" |
| 82 | + default_action = "Deny" |
| 83 | + ip_rules = ["123.201.18.148"] # One or more IP Addresses, or CIDR Blocks to access this Key Vault. |
| 84 | + virtual_network_subnet_ids = [] # One or more Subnet ID's to access this Key Vault. |
| 85 | + } |
| 86 | + |
| 87 | +# ....omitted |
| 88 | +
|
| 89 | +} |
| 90 | +``` |
| 91 | + |
| 92 | +## Key Vault Advanced Access Policies |
| 93 | + |
| 94 | +### `enabled_for_deployment` |
| 95 | + |
| 96 | +To use Key Vault with Azure Resource Manager virtual machines, the `enabled_for_deployment` property on Key Vault must be set to `true`. This access is enabled by default for this module. Incase you want to disable it set the argument `enabled_for_deployment = "false"`. |
| 97 | + |
| 98 | +### `enabled_for_disk_encryption` |
| 99 | + |
| 100 | +We can configure Azure Disk Encryption to use Azure Key Vault to control and manage disk encryption keys and secrets. This access is enabled by default for this module. Incase you want to disable it set the argument `enabled_for_disk_encryption = "false"`. |
| 101 | + |
| 102 | +> Warning: The key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same subscription and region as the VMs to be encrypted. |
| 103 | +
|
| 104 | +### `enabled_for_template_deployment` |
| 105 | + |
| 106 | +When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. To access the Key Vault when deploying Managed Applications, you must grant access to the Appliance Resource Provider service principal. This access is enabled by default for this module. Incase you want to disable it set the argument `enabled_for_template_deployment = "false"`. |
| 107 | + |
| 108 | +## Soft Delete and Purge Protection |
| 109 | + |
| 110 | +When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion. |
| 111 | + |
| 112 | +When creating a new key vault, soft-delete is enabled by default. You can create a key vault without soft-delete through this module by setting the argument `enable_soft_delete = false`. Once soft-delete is enabled on a key vault it cannot be disabled. |
| 113 | + |
| 114 | +Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled. It can be turned on using this module by setting the argument `enable_purge_protection = true`. |
| 115 | + |
| 116 | +When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed. |
| 117 | + |
| 118 | +> The default retention period is 90 days for the soft-delete and the purge protection retention policy uses the same interval. Once set, the retention policy interval cannot be changed. |
| 119 | +
|
| 120 | +## Recommended naming and tagging conventions |
| 121 | + |
| 122 | +Well-defined naming and metadata tagging conventions help to quickly locate and manage resources. These conventions also help associate cloud usage costs with business teams via chargeback and show back accounting mechanisms. |
| 123 | + |
| 124 | +> ### Resource naming |
| 125 | +
|
| 126 | +An effective naming convention assembles resource names by using important resource information as parts of a resource's name. For example, using these [recommended naming conventions](https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging#example-names), a public IP resource for a production SharePoint workload is named like this: `pip-sharepoint-prod-westus-001`. |
| 127 | + |
| 128 | +> ### Metadata tags |
| 129 | +
|
| 130 | +When applying metadata tags to the cloud resources, you can include information about those assets that couldn't be included in the resource name. You can use that information to perform more sophisticated filtering and reporting on resources. This information can be used by IT or business teams to find resources or generate reports about resource usage and billing. |
| 131 | + |
| 132 | +The following list provides the recommended common tags that capture important context and information about resources. Use this list as a starting point to establish your tagging conventions. |
| 133 | + |
| 134 | +Tag Name|Description|Key|Example Value|Required? |
| 135 | +--------|-----------|---|-------------|---------| |
| 136 | +Project Name|Name of the Project for the infra is created. This is mandatory to create a resource names.|ProjectName|{Project name}|Yes |
| 137 | +Application Name|Name of the application, service, or workload the resource is associated with.|ApplicationName|{app name}|Yes |
| 138 | +Approver|Name Person responsible for approving costs related to this resource.|Approver|{email}|Yes |
| 139 | +Business Unit|Top-level division of your company that owns the subscription or workload the resource belongs to. In smaller organizations, this may represent a single corporate or shared top-level organizational element.|BusinessUnit|FINANCE, MARKETING,{Product Name},CORP,SHARED|Yes |
| 140 | +Cost Center|Accounting cost center associated with this resource.|CostCenter|{number}|Yes |
| 141 | +Disaster Recovery|Business criticality of this application, workload, or service.|DR|Mission Critical, Critical, Essential|Yes |
| 142 | +Environment|Deployment environment of this application, workload, or service.|Env|Prod, Dev, QA, Stage, Test|Yes |
| 143 | +Owner Name|Owner of the application, workload, or service.|Owner|{email}|Yes |
| 144 | +Requester Name|User that requested the creation of this application.|Requestor| {email}|Yes |
| 145 | +Service Class|Service Level Agreement level of this application, workload, or service.|ServiceClass|Dev, Bronze, Silver, Gold|Yes |
| 146 | +Start Date of the project|Date when this application, workload, or service was first deployed.|StartDate|{date}|No |
| 147 | +End Date of the Project|Date when this application, workload, or service is planned to be retired.|EndDate|{date}|No |
| 148 | + |
| 149 | +> This module allows you to manage the above metadata tags directly or as a variable using `variables.tf`. All Azure resources which support tagging can be tagged by specifying key-values in argument `tags`. Tag `ResourceName` is added automatically to all resources. |
| 150 | +
|
| 151 | +```hcl |
| 152 | +module "key-vault" { |
| 153 | + source = "kumarvna/key-vault/azurerm" |
| 154 | + version = "1.0.0" |
| 155 | +
|
| 156 | + # ... omitted |
| 157 | +
|
| 158 | + tags = { |
| 159 | + ProjectName = "demo-project" |
| 160 | + Env = "dev" |
| 161 | + |
| 162 | + BusinessUnit = "CORP" |
| 163 | + ServiceClass = "Gold" |
| 164 | + } |
| 165 | +} |
| 166 | +``` |
| 167 | + |
| 168 | +## Inputs |
| 169 | + |
| 170 | +Name | Description | Type | Default |
| 171 | +---- | ----------- | ---- | ------- |
| 172 | +`resource_group_name` | The name of the resource group in which resources are created | string | `""` |
| 173 | +`key_vault_name`|The name of the key vault|string|`""` |
| 174 | +`key_vault_sku_pricing_tier`|The name of the SKU used for the Key Vault. The options are: `standard`, `premium`.|string|`"standard"` |
| 175 | +`enabled_for_deployment`|Allow Virtual Machines to retrieve certificates stored as secrets from the Key Vault|string|`"false"` |
| 176 | +`enabled_for_disk_encryption`|Allow Disk Encryption to retrieve secrets from the vault and unwrap keys|string|`"false"` |
| 177 | +`enabled_for_template_deployment`|Allow Resource Manager to retrieve secrets from the Key Vault|string|`"false"` |
| 178 | +`enable_purge_protection`|Is Purge Protection enabled for this Key Vault?|string|`"false"` |
| 179 | +`enable_soft_delete`|Should Soft Delete be enabled for this Key Vault?|string|`"false"` |
| 180 | +`access_policies`|List of access policies for the Key Vault|list|`{}` |
| 181 | +`azure_ad_user_principal_names`|List of user principal names of Azure AD users|list| `[]` |
| 182 | +`azure_ad_group_names`|List of names of Azure AD groups|list|`[]` |
| 183 | +`key_permissions`|List of key permissions, must be one or more from the following: `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`, `import`, `list`, `purge`, `recover`, `restore`, `sign`, `unwrapKey`, `update`, `verify` and `wrapKey`.|list|`[]` |
| 184 | +`secret_permissions`|List of secret permissions, must be one or more from the following: `backup`, `delete`, `get`, `list`, `purge`, `recover`, `restore` and `set`. |list|`[]` |
| 185 | +`certificate_permissions`|List of certificate permissions, must be one or more from the following: `backup`, `create`, `delete`, `deleteissuers`, `get`, `getissuers`, `import`, `list`, `listissuers`, `managecontacts`, `manageissuers`, `purge`, `recover`, `restore`, `setissuers` and `update`.|list|`[]` |
| 186 | +`storage_permissions`|List of storage permissions, must be one or more from the following: `backup`, `delete`, `deletesas`, `get`, `getsas`, `list`, `listsas`, `purge`, `recover`, `regeneratekey`, `restore`, `set`, `setsas` and `update`. |list|`[]` |
| 187 | +`network_acls`|Configure Azure Key Vault firewalls and virtual networks|list| `{}` |
| 188 | +`secrets`|A map of secrets for the Key Vault|map| `{}` |
| 189 | +`log_analytics_workspace_id`|The id of log analytic workspace to send logs and metrics.|string|`"null"` |
| 190 | +`storage_account_id`|The id of storage account to send logs and metrics|string|`"null"` |
| 191 | +`Tags`|A map of tags to add to all resources|map|`{}` |
| 192 | + |
| 193 | +## Outputs |
| 194 | + |
| 195 | +Name | Description |
| 196 | +---- | ----------- |
| 197 | +`key_vault_id`|The ID of the Key Vault |
| 198 | +`key_vault_name`|Name of key vault created |
| 199 | +`key_vault_uri`|The URI of the Key Vault, used for performing operations on keys and secrets |
| 200 | +`secrets`|A mapping of secret names and URIs |
| 201 | +`Key_vault_references`|A mapping of Key Vault references for App Service and Azure Functions |
| 202 | + |
| 203 | +## Resource Graph |
| 204 | + |
| 205 | + |
| 206 | + |
| 207 | +## Authors |
| 208 | + |
| 209 | +Module is maintained by [Kumaraswamy Vithanala ](mailto:[email protected]) with the help from other awesome contributors. |
| 210 | + |
| 211 | +## Other resources |
| 212 | + |
| 213 | +* [Azure Key Vault documentation (Azure Documentation)](https://docs.microsoft.com/en-us/azure/key-vault/) |
| 214 | +* [Terraform AzureRM Provider Documentation](https://www.terraform.io/docs/providers/azurerm/index.html) |
0 commit comments