|
1 | | -# Azure Key Vault Terraform Module |
2 | | - |
3 | | -Terraform Module to create a Key Vault also adds required access policies for AD users and groups. This module also sends all logs to log analytic workspace and storage. |
4 | | - |
5 | | -## Module Usage |
6 | | - |
7 | | -```hcl |
8 | | -module "key-vault" { |
9 | | - source = "kumarvna/key-vault/azurerm" |
10 | | - version = "2.1.0" |
11 | | -
|
12 | | - # Resource Group and Key Vault pricing tier details |
13 | | - resource_group_name = "rg-shared-westeurope-01" |
14 | | - key_vault_name = "demo-project-shard" |
15 | | - key_vault_sku_pricing_tier = "premium" |
16 | | -
|
17 | | - # Once `Purge Protection` has been Enabled it's not possible to Disable it |
18 | | - # Deleting the Key Vault with `Purge Protection` enabled will schedule the Key Vault to be deleted |
19 | | - # The default retention period is 90 days, possible values are from 7 to 90 days |
20 | | - # use `soft_delete_retention_days` to set the retention period |
21 | | - enable_purge_protection = false |
22 | | -
|
23 | | - # Adding Key vault logs to Azure monitoring and Log Analytics space |
24 | | - # to enable key-vault logs, either one of log_analytics_workspace_id or storage_account_id required |
25 | | - log_analytics_workspace_id = var.log_analytics_workspace_id |
26 | | - storage_account_id = var.storage_account_id |
27 | | -
|
28 | | - # Access policies for users, you can provide list of Azure AD users and set permissions. |
29 | | - # Make sure to use list of user principal names of Azure AD users. |
30 | | - access_policies = [ |
31 | | - { |
32 | | - azure_ad_user_principal_names = ["[email protected]", "[email protected]"] |
33 | | - key_permissions = ["get", "list"] |
34 | | - secret_permissions = ["get", "list"] |
35 | | - certificate_permissions = ["get", "import", "list"] |
36 | | - storage_permissions = ["backup", "get", "list", "recover"] |
37 | | - }, |
38 | | -
|
39 | | - # Access policies for AD Groups, enable this feature to provide list of Azure AD groups and set permissions. |
40 | | - { |
41 | | - azure_ad_group_names = ["ADGroupName1", "ADGroupName2"] |
42 | | - secret_permissions = ["get", "list", "set"] |
43 | | - }, |
44 | | -
|
45 | | - ] |
46 | | -
|
47 | | - # Create a required Secrets as per your need. |
48 | | - # When you Add `usernames` with empty password this module creates a strong random password |
49 | | - # use .tfvars file to manage the secrets as variables to avoid security issues. |
50 | | - secrets = { |
51 | | - "message" = "Hello, world!" |
52 | | - "vmpass" = "" |
53 | | - } |
54 | | -
|
55 | | - # Adding TAG's to your Azure resources (Required) |
56 | | - # ProjectName and Env are already declared above, to use them here or create a varible. |
57 | | - tags = { |
58 | | - ProjectName = "demo-project" |
59 | | - Env = "dev" |
60 | | - |
61 | | - BusinessUnit = "CORP" |
62 | | - ServiceClass = "Gold" |
63 | | - } |
64 | | -} |
65 | | -``` |
66 | | - |
67 | | -## Terraform Usage |
68 | | - |
69 | | -To run this example you need to execute following Terraform commands |
70 | | - |
71 | | -```hcl |
72 | | -terraform init |
73 | | -
|
74 | | -terraform plan |
75 | | -
|
76 | | -terraform apply |
77 | | -``` |
78 | | - |
79 | | -Run `terraform destroy` when you don't need these resources. |
80 | | - |
81 | | -## Outputs |
82 | | - |
83 | | -Name | Description |
84 | | ----- | ----------- |
85 | | -`key_vault_id`|The ID of the Key Vault |
86 | | -`key_vault_name`|Name of key vault created |
87 | | -`key_vault_uri`|The URI of the Key Vault, used for performing operations on keys and secrets |
88 | | -`secrets`|A mapping of secret names and URIs |
89 | | -`Key_vault_references`|A mapping of Key Vault references for App Service and Azure Functions |
| 1 | +# Azure Key Vault Terraform Module |
| 2 | + |
| 3 | +Terraform Module to create a Key Vault also adds required access policies for azure AD users, groups and azure AD service principals. This module also sends all logs to log analytic workspace and storage. |
| 4 | + |
| 5 | +## Module Usage |
| 6 | + |
| 7 | +```hcl |
| 8 | +# Azurerm Provider configuration |
| 9 | +provider "azurerm" { |
| 10 | + features {} |
| 11 | +} |
| 12 | +
|
| 13 | +module "key-vault" { |
| 14 | + source = "kumarvna/key-vault/azurerm" |
| 15 | + version = "2.2.0" |
| 16 | +
|
| 17 | + # By default, this module will not create a resource group and expect to provide |
| 18 | + # a existing RG name to use an existing resource group. Location will be same as existing RG. |
| 19 | + # set the argument to `create_resource_group = true` to create new resrouce. |
| 20 | + resource_group_name = "rg-shared-westeurope-01" |
| 21 | + key_vault_name = "demo-project-shard" |
| 22 | + key_vault_sku_pricing_tier = "premium" |
| 23 | +
|
| 24 | + # Once `Purge Protection` has been Enabled it's not possible to Disable it |
| 25 | + # Deleting the Key Vault with `Purge Protection` enabled will schedule the Key Vault to be deleted |
| 26 | + # The default retention period is 90 days, possible values are from 7 to 90 days |
| 27 | + # use `soft_delete_retention_days` to set the retention period |
| 28 | + enable_purge_protection = false |
| 29 | + # soft_delete_retention_days = 90 |
| 30 | +
|
| 31 | + # Access policies for users, you can provide list of Azure AD users and set permissions. |
| 32 | + # Make sure to use list of user principal names of Azure AD users. |
| 33 | + access_policies = [ |
| 34 | + { |
| 35 | + azure_ad_user_principal_names = ["[email protected]", "[email protected]"] |
| 36 | + key_permissions = ["get", "list"] |
| 37 | + secret_permissions = ["get", "list"] |
| 38 | + certificate_permissions = ["get", "import", "list"] |
| 39 | + storage_permissions = ["backup", "get", "list", "recover"] |
| 40 | + }, |
| 41 | +
|
| 42 | + # Access policies for AD Groups |
| 43 | + # enable this feature to provide list of Azure AD groups and set permissions. |
| 44 | + { |
| 45 | + azure_ad_group_names = ["ADGroupName1", "ADGroupName2"] |
| 46 | + key_permissions = ["get", "list"] |
| 47 | + secret_permissions = ["get", "list"] |
| 48 | + certificate_permissions = ["get", "import", "list"] |
| 49 | + storage_permissions = ["backup", "get", "list", "recover"] |
| 50 | + }, |
| 51 | +
|
| 52 | + # Access policies for Azure AD Service Principlas |
| 53 | + # enable this feature to provide list of Azure AD SPN and set permissions. |
| 54 | + { |
| 55 | + azure_ad_service_principal_names = ["azure-ad-dev-sp1", "azure-ad-dev-sp1"] |
| 56 | + key_permissions = ["get", "list"] |
| 57 | + secret_permissions = ["get", "list"] |
| 58 | + certificate_permissions = ["get", "import", "list"] |
| 59 | + storage_permissions = ["backup", "get", "list", "recover"] |
| 60 | + } |
| 61 | + ] |
| 62 | +
|
| 63 | + # Create a required Secrets as per your need. |
| 64 | + # When you Add `usernames` with empty password this module creates a strong random password |
| 65 | + # use .tfvars file to manage the secrets as variables to avoid security issues. |
| 66 | + secrets = { |
| 67 | + "message" = "Hello, world!" |
| 68 | + "vmpass" = "" |
| 69 | + } |
| 70 | +
|
| 71 | + # (Optional) To enable Azure Monitoring for Azure Application Gateway |
| 72 | + # (Optional) Specify `storage_account_id` to save monitoring logs to storage. |
| 73 | + log_analytics_workspace_id = var.log_analytics_workspace_id |
| 74 | + #storage_account_id = var.storage_account_id |
| 75 | +
|
| 76 | + # Adding additional TAG's to your Azure resources |
| 77 | + tags = { |
| 78 | + ProjectName = "demo-project" |
| 79 | + Env = "dev" |
| 80 | + |
| 81 | + BusinessUnit = "CORP" |
| 82 | + ServiceClass = "Gold" |
| 83 | + } |
| 84 | +} |
| 85 | +``` |
| 86 | + |
| 87 | +## Terraform Usage |
| 88 | + |
| 89 | +To run this example you need to execute following Terraform commands |
| 90 | + |
| 91 | +```hcl |
| 92 | +terraform init |
| 93 | +terraform plan |
| 94 | +terraform apply |
| 95 | +``` |
| 96 | + |
| 97 | +Run `terraform destroy` when you don't need these resources. |