Skip to content

DeimosCloud/terraform-azure-key-vault

BranchesTags

Repository files navigation

Terraform Azure Key Vault

A terraform module to creating and configuring keyvault and secrets

Basic Usage

module "key_vault" {
  source              = "."
  name                = "key-vault-${random_string.username.result}"
  resource_group_name = module.resource_group.name
  location            = var.location

  soft_delete_enabled         = true
  purge_protection_enabled    = false
  enabled_for_disk_encryption = true

  sku_name = var.key_vault_sku_name

  # User Permissions
  key_permissions     = var.key_vault_key_permissions
  secret_permissions  = var.key_vault_secret_permissions
  storage_permissions = var.key_vault_storage_permissions

  # Admin Permissions - Terraform
  admin_key_permissions     = var.key_vault_admin_key_permissions
  admin_secret_permissions  = var.key_vault_admin_secret_permissions
  admin_storage_permissions = var.key_vault_admin_storage_permissions

  network_acls_default_action = var.key_vault_network_acls_default_action
  network_acls_bypass         = var.key_vault_network_acls_bypass

  users = var.key_vault_access_policy_users

  # secrets = var.key_vault_secrets
  secrets = local.key_vault_secrets

  tags = local.common_tags
}

Contributing

Report issues/questions/feature requests on in the issues section.

Full contributing guidelines are covered here.

Requirements

Name Version
terraform >= 0.12
azurerm ~> 2.0

Providers

Name Version
azurerm ~> 2.0

Inputs

Name Description Type Default Required
admin_key_permissions List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey. list(any) 
[
  "backup",
  "create",
  "decrypt",
  "delete",
  "encrypt",
  "get",
  "import",
  "list",
  "purge",
  "recover",
  "restore",
  "sign",
  "unwrapKey",
  "update",
  "verify",
  "wrapKey"
]
 no
admin_secret_permissions List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set list(string) 
[
  "backup",
  "delete",
  "get",
  "list",
  "purge",
  "recover",
  "restore",
  "set"
]
 no
admin_storage_permissions List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update. list(string) 
[
  "backup",
  "deleteas",
  "delete",
  "getas",
  "get",
  "listas",
  "list",
  "purge",
  "recover",
  "restore",
  "regeneratekey",
  "set",
  "setas",
  "update"
]
 no
enabled_for_disk_encryption Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false bool null no
location Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. string n/a yes
name Specifies the name of the Key Vault. Changing this forces a new resource to be created. string n/a yes
network_acls_bypass Specifies which traffic can bypass the network rules. Possible values are AzureServices and None. string null no
network_acls_default_action The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny. string "Deny" no
network_acls_ip_rules (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault. list(string) null no
network_acls_subnet_ids (Optional) One or more Subnet ID's which should be able to access this Key Vault. list(string) null no
purge_protection_enabled Is Purge Protection enabled for this Key Vault? Defaults to false bool null no
resource_group_name The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created. string n/a yes
secrets List of secrets for be created map {} no
sku_name The Name of the SKU used for this Key Vault. Possible values are standard and premium string "standard" no
tags (Optional) A mapping of tags to assign to the resource. map(string) {} no
user_key_permissions List of key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey. list(any) 
[
  "list",
  "get",
  "decrypt",
  "unwrapKey"
]
 no
user_secret_permissions List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set list(any) 
[
  "list",
  "get"
]
 no
user_storage_permissions List of storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update. list(any) 
[
  "list",
  "get",
  "listas",
  "getsas"
]
 no
users Object IDs of Users that will have access to the key vault 
list(object({
    user_id = string
    admin   = bool
  }))
 [] no

Outputs

Name Description
id n/a
vault_uri n/a

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

3 tags

Packages

 
 
 

Contributors

Languages