Merge pull request #8 from kumarvna/develop

adding SPN access policies and private endpoint

Author: kumarvna

README.md

@@ -0,0 +1,21 @@
+# Azure Key Vault Terraform Module
+
+Terraform Module to create a Key Vault also adds required access policies for azure AD users, groups and azure AD service principals. This module also creates private endpoint and sends all logs to log analytic workspace or storage.
+
+## Module Usage for
+
+* [Simple Key Vault Creation](simple_keyvault/)
+* [Key Vault with Private Endpoint](keyvault_with_private_end_point/)
+* [Key Vault and Private Endpoiont using existing VNet and Subnet](keyvault_private_end_point_with_existing_VNet_Subnet/)
+
+## Terraform Usage
+
+To run this example you need to execute following Terraform commands
+
+```hcl
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.

examples/README.md

@@ -0,0 +1,116 @@
+# Azure Key Vault Terraform Module
+
+Terraform Module to create a Key Vault also adds required access policies for azure AD users, groups and azure AD service principals. This module also creates private endpoint and sends all logs to log analytic workspace or storage.
+
+## Module Usage to enable privaite endpoint using existing VNet and Subnet
+
+```hcl
+# Azurerm Provider configuration
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_virtual_network" "example" {
+  name                = "vnet-shared-hub-westeurope-001"
+  resource_group_name = "rg-shared-westeurope-01"
+}
+
+data "azurerm_subnet" "example" {
+  name                 = "snet-private-ep"
+  virtual_network_name = data.azurerm_virtual_network.example.name
+  resource_group_name  = data.azurerm_virtual_network.example.resource_group_name
+}
+
+module "key-vault" {
+  source  = "kumarvna/key-vault/azurerm"
+  version = "2.2.0"
+
+  # By default, this module will not create a resource group and expect to provide 
+  # a existing RG name to use an existing resource group. Location will be same as existing RG. 
+  # set the argument to `create_resource_group = true` to create new resrouce.
+  resource_group_name        = "rg-shared-westeurope-01"
+  key_vault_name             = "demo-project-shard"
+  key_vault_sku_pricing_tier = "premium"
+
+  # Once `Purge Protection` has been Enabled it's not possible to Disable it
+  # Deleting the Key Vault with `Purge Protection` enabled will schedule the Key Vault to be deleted
+  # The default retention period is 90 days, possible values are from 7 to 90 days
+  # use `soft_delete_retention_days` to set the retention period
+  enable_purge_protection = false
+  # soft_delete_retention_days = 90
+
+  # Access policies for users, you can provide list of Azure AD users and set permissions.
+  # Make sure to use list of user principal names of Azure AD users.
+  access_policies = [
+    {
+      azure_ad_user_principal_names = ["[email protected]", "[email protected]"]
+      key_permissions               = ["get", "list"]
+      secret_permissions            = ["get", "list"]
+      certificate_permissions       = ["get", "import", "list"]
+      storage_permissions           = ["backup", "get", "list", "recover"]
+    },
+
+    # Access policies for AD Groups
+    # to enable this feature, provide a list of Azure AD groups and set permissions as required.
+    {
+      azure_ad_group_names    = ["ADGroupName1", "ADGroupName2"]
+      key_permissions         = ["get", "list"]
+      secret_permissions      = ["get", "list"]
+      certificate_permissions = ["get", "import", "list"]
+      storage_permissions     = ["backup", "get", "list", "recover"]
+    },
+
+    # Access policies for Azure AD Service Principlas
+    # To enable this feature, provide a list of Azure AD SPN and set permissions as required.
+    {
+      azure_ad_service_principal_names = ["azure-ad-dev-sp1", "azure-ad-dev-sp2"]
+      key_permissions                  = ["get", "list"]
+      secret_permissions               = ["get", "list"]
+      certificate_permissions          = ["get", "import", "list"]
+      storage_permissions              = ["backup", "get", "list", "recover"]
+    }
+  ]
+
+  # Create a required Secrets as per your need.
+  # When you Add `usernames` with empty password this module creates a strong random password
+  # use .tfvars file to manage the secrets as variables to avoid security issues.
+  secrets = {
+    "message" = "Hello, world!"
+    "vmpass"  = ""
+  }
+
+  # Creating Private Endpoint requires, VNet name and address prefix to create a subnet
+  # By default this will create a `privatelink.vaultcore.azure.net` DNS zone. 
+  # To use existing private DNS zone specify `existing_private_dns_zone` with valid zone name
+  enable_private_endpoint = true
+  existing_vnet_id        = data.azurerm_virtual_network.example.id
+  existing_subnet_id      = data.azurerm_subnet.example.id
+  # existing_private_dns_zone     = "demo.example.com"
+
+  # (Optional) To enable Azure Monitoring for Azure Application Gateway 
+  # (Optional) Specify `storage_account_id` to save monitoring logs to storage. 
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+  #storage_account_id         = var.storage_account_id
+
+  # Adding additional TAG's to your Azure resources
+  tags = {
+    ProjectName  = "demo-project"
+    Env          = "dev"
+    Owner        = "[email protected]"
+    BusinessUnit = "CORP"
+    ServiceClass = "Gold"
+  }
+}
+```
+
+## Terraform Usage
+
+To run this example you need to execute following Terraform commands
+
+```hcl
+terraform init
+terraform plan
+terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.

examples/complete/main.tf

@@ -0,0 +1,96 @@
+# Azurerm Provider configuration
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_virtual_network" "example" {
+  name                = "vnet-shared-hub-westeurope-001"
+  resource_group_name = "rg-shared-westeurope-01"
+}
+
+data "azurerm_subnet" "example" {
+  name                 = "snet-private-ep"
+  virtual_network_name = data.azurerm_virtual_network.example.name
+  resource_group_name  = data.azurerm_virtual_network.example.resource_group_name
+}
+
+module "key-vault" {
+  source  = "kumarvna/key-vault/azurerm"
+  version = "2.2.0"
+
+  # By default, this module will not create a resource group and expect to provide 
+  # a existing RG name to use an existing resource group. Location will be same as existing RG. 
+  # set the argument to `create_resource_group = true` to create new resrouce.
+  resource_group_name        = "rg-shared-westeurope-01"
+  key_vault_name             = "demo-project-shard"
+  key_vault_sku_pricing_tier = "premium"
+
+  # Once `Purge Protection` has been Enabled it's not possible to Disable it
+  # Deleting the Key Vault with `Purge Protection` enabled will schedule the Key Vault to be deleted
+  # The default retention period is 90 days, possible values are from 7 to 90 days
+  # use `soft_delete_retention_days` to set the retention period
+  enable_purge_protection = false
+  # soft_delete_retention_days = 90
+
+  # Access policies for users, you can provide list of Azure AD users and set permissions.
+  # Make sure to use list of user principal names of Azure AD users.
+  access_policies = [
+    {
+      azure_ad_user_principal_names = ["[email protected]", "[email protected]"]
+      key_permissions               = ["get", "list"]
+      secret_permissions            = ["get", "list"]
+      certificate_permissions       = ["get", "import", "list"]
+      storage_permissions           = ["backup", "get", "list", "recover"]
+    },
+
+    # Access policies for AD Groups
+    # to enable this feature, provide a list of Azure AD groups and set permissions as required.
+    {
+      azure_ad_group_names    = ["ADGroupName1", "ADGroupName2"]
+      key_permissions         = ["get", "list"]
+      secret_permissions      = ["get", "list"]
+      certificate_permissions = ["get", "import", "list"]
+      storage_permissions     = ["backup", "get", "list", "recover"]
+    },
+
+    # Access policies for Azure AD Service Principlas
+    # To enable this feature, provide a list of Azure AD SPN and set permissions as required.
+    {
+      azure_ad_service_principal_names = ["azure-ad-dev-sp1", "azure-ad-dev-sp2"]
+      key_permissions                  = ["get", "list"]
+      secret_permissions               = ["get", "list"]
+      certificate_permissions          = ["get", "import", "list"]
+      storage_permissions              = ["backup", "get", "list", "recover"]
+    }
+  ]
+
+  # Create a required Secrets as per your need.
+  # When you Add `usernames` with empty password this module creates a strong random password
+  # use .tfvars file to manage the secrets as variables to avoid security issues.
+  secrets = {
+    "message" = "Hello, world!"
+    "vmpass"  = ""
+  }
+
+  # Creating Private Endpoint requires, VNet name and address prefix to create a subnet
+  # By default this will create a `privatelink.vaultcore.azure.net` DNS zone. 
+  # To use existing private DNS zone specify `existing_private_dns_zone` with valid zone name
+  enable_private_endpoint = true
+  existing_vnet_id        = data.azurerm_virtual_network.example.id
+  existing_subnet_id      = data.azurerm_subnet.example.id
+  # existing_private_dns_zone     = "demo.example.com"
+
+  # (Optional) To enable Azure Monitoring for Azure Application Gateway 
+  # (Optional) Specify `storage_account_id` to save monitoring logs to storage. 
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+  #storage_account_id         = var.storage_account_id
+
+  # Adding additional TAG's to your Azure resources
+  tags = {
+    ProjectName  = "demo-project"
+    Env          = "dev"
+    Owner        = "[email protected]"
+    BusinessUnit = "CORP"
+    ServiceClass = "Gold"
+  }
+}

examples/complete/output.tf

@@ -0,0 +1,44 @@
+output "key_vault_id" {
+  description = "The ID of the Key Vault."
+  value       = module.key-vault.key_vault_id
+}
+
+output "key_vault_name" {
+  description = "Name of key vault created."
+  value       = module.key-vault.key_vault_name
+}
+
+output "key_vault_uri" {
+  description = "The URI of the Key Vault, used for performing operations on keys and secrets."
+  value       = module.key-vault.key_vault_uri
+}
+
+output "secrets" {
+  description = "A mapping of secret names and URIs."
+  value       = module.key-vault.secrets
+}
+
+output "Key_vault_references" {
+  description = "A mapping of Key Vault references for App Service and Azure Functions."
+  value       = module.key-vault.Key_vault_references
+}
+
+output "key_vault_private_endpoint" {
+  description = "The ID of the Key Vault Private Endpoint"
+  value       = module.key-vault.key_vault_private_endpoint
+}
+
+output "key_vault_private_dns_zone_domain" {
+  description = "DNS zone name for Key Vault Private endpoints dns name records"
+  value       = module.key-vault.key_vault_private_dns_zone_domain
+}
+
+output "key_vault_private_endpoint_ip_addresses" {
+  description = "Key Vault private endpoint IPv4 Addresses"
+  value       = module.key-vault.key_vault_private_endpoint_ip_addresses
+}
+
+output "key_vault_private_endpoint_fqdn" {
+  description = "Key Vault private endpoint FQDN Addresses"
+  value       = module.key-vault.key_vault_private_endpoint_fqdn
+}

examples/keyvault_private_end_point_with_existing_VNet_Subnet/README.md

@@ -1,9 +1,9 @@
-variable "log_analytics_workspace_id" {
-  description = "Specifies the ID of a Log Analytics Workspace where Diagnostics Data to be sent"
-  default     = null
-}
-
-variable "storage_account_id" {
-  description = "The name of the storage account to store the all monitoring logs"
-  default     = null
-}
+variable "log_analytics_workspace_id" {
+  description = "Specifies the ID of a Log Analytics Workspace where Diagnostics Data to be sent"
+  default     = null
+}
+
+variable "storage_account_id" {
+  description = "The name of the storage account to store the all monitoring logs"
+  default     = null
+}