# Key Vault that holds the bootstrap credentials for the remote-state backend.
# It reuses the state storage account's name (so the two stay paired) and
# inherits resource group, region and tags from the state resource group.
resource "azurerm_key_vault" "state" {
  resource_group_name = data.azurerm_resource_group.state.name
  location            = data.azurerm_resource_group.state.location
  tags                = data.azurerm_resource_group.state.tags
  name                = data.azurerm_storage_account.state.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # None of the Azure platform integrations (VM deployment, disk encryption,
  # ARM template deployment) may read secrets from this vault.
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false

  # Soft-deleted items stay recoverable for the configured retention window;
  # purge protection is left off, so a purge within that window is not
  # blocked at the vault level.
  # NOTE(review): soft_delete_enabled is deprecated in newer azurerm provider
  # releases (soft delete became always-on) — confirm the provider version
  # constraint before upgrading.
  soft_delete_enabled        = true
  soft_delete_retention_days = var.key_vault_soft_delete_retention
  purge_protection_enabled   = false

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    # NOTE(review): "0.0.0.0/0" admits every IPv4 source, so the Deny default
    # is effectively a no-op for IPv4 traffic. Narrow this to the operator /
    # CI egress ranges once they are known.
    ip_rules                   = ["0.0.0.0/0"]
    virtual_network_subnet_ids = null
  }
}
# Access policy for the identity running this Terraform configuration
# (data.azurerm_client_config.current). It needs Set/Delete on secrets so
# the azurerm_key_vault_secret resources in this file can be created and
# removed; no key permissions are granted.
resource "azurerm_key_vault_access_policy" "terraform_state_owner" {
  key_vault_id = azurerm_key_vault.state.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = []

  # Order kept stable: the provider treats this as a list, and reordering
  # would show up as a plan diff.
  secret_permissions = ["Get", "List", "Set", "Delete"]
}
# Read-only access policy for the service principal whose credentials are
# stored in this vault. Get/List is sufficient for it to fetch its own
# backend settings; it cannot create, overwrite or delete secrets.
resource "azurerm_key_vault_access_policy" "terraform_state_service_principal" {
  key_vault_id = azurerm_key_vault.state.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azuread_service_principal.terraform.object_id

  key_permissions = []

  secret_permissions = ["Get", "List"]
}
# One access policy per entry in local.terraform_state_aad_group. Each
# matching Azure AD group is looked up via data.azuread_group and receives
# the same read/write secret rights as the Terraform operator; key
# permissions remain empty.
# NOTE(review): every group listed here can overwrite or delete the
# client-secret — keep the local's membership deliberately small.
resource "azurerm_key_vault_access_policy" "terraform_state_aad_group" {
  for_each = local.terraform_state_aad_group

  key_vault_id = azurerm_key_vault.state.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_group.terraform_state_aad_group[each.value].object_id

  key_permissions = []

  secret_permissions = ["Get", "List", "Set", "Delete"]
}
# Stores the tenant ID as the "tenant-id" secret so consumers can build a
# complete backend configuration from the vault alone.
# The explicit dependency makes sure the operator's Set permission exists
# before the write is attempted; the vault reference alone does not order
# the access policy.
resource "azurerm_key_vault_secret" "tenant_id" {
  name         = "tenant-id"
  key_vault_id = azurerm_key_vault.state.id
  value        = data.azurerm_client_config.current.tenant_id

  depends_on = [azurerm_key_vault_access_policy.terraform_state_owner]
}
# Stores the service principal's application (client) ID as "client-id".
# Written only after the operator's access policy is in place, since the
# vault ID by itself does not imply that dependency.
resource "azurerm_key_vault_secret" "client_id" {
  name         = "client-id"
  key_vault_id = azurerm_key_vault.state.id
  value        = azuread_service_principal.terraform.application_id

  depends_on = [azurerm_key_vault_access_policy.terraform_state_owner]
}
# Stores the service principal password as "client-secret".
# The value comes from azuread_service_principal_password.terraform and is
# therefore also present in Terraform state; the state backend must be
# protected to the same standard as the vault.
# NOTE(review): consider setting expiration_date to match the password's
# end date (declared elsewhere, not visible here) so the vault reflects
# the credential's real lifetime.
resource "azurerm_key_vault_secret" "client_secret" {
  name         = "client-secret"
  key_vault_id = azurerm_key_vault.state.id
  value        = azuread_service_principal_password.terraform.value

  # Operator needs Set on the vault before this write can succeed.
  depends_on = [azurerm_key_vault_access_policy.terraform_state_owner]
}