# Identity of the principal running Terraform. Its tenant_id and object_id
# are read below, for the vault's tenant and for the admin access policy.
data "azurerm_client_config" "current_client_config" {
}
# Existing resource group the vault is placed in, looked up by name so the
# vault inherits the group's canonical name and location data.
data "azurerm_resource_group" "rg" {
  name = var.resource_group_name
}
# Azure Key Vault using the access-policy authorization model: every
# access_policy block below is a grant (no enable_rbac_authorization is set
# in this file).
resource "azurerm_key_vault" "key_vault" {
  name                = var.name
  location            = var.location
  resource_group_name = data.azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current_client_config.tenant_id
  sku_name            = var.sku_name

  enabled_for_disk_encryption = var.enabled_for_disk_encryption
  # Default for this flag lives in the variables file (not shown here).
  # NOTE(review): Azure does not let purge protection be switched off again
  # once enabled — confirm the variable default before changing it.
  purge_protection_enabled = var.purge_protection_enabled

  tags = var.tags

  # Grant for the identity running Terraform (the azurerm_client_config
  # caller). It receives the admin permission sets (var.admin_*).
  # NOTE(review): this grant follows whoever runs `terraform apply`; a later
  # run under a different identity would replace it — confirm that is intended.
  access_policy {
    tenant_id           = data.azurerm_client_config.current_client_config.tenant_id
    object_id           = data.azurerm_client_config.current_client_config.object_id
    key_permissions     = var.admin_key_permissions
    secret_permissions  = var.admin_secret_permissions
    storage_permissions = var.admin_storage_permissions
  }

  # One grant per entry of var.users. Entries flagged `admin` get the same
  # permission sets as the deploying principal; the rest get the user sets.
  dynamic "access_policy" {
    for_each = var.users
    content {
      tenant_id           = data.azurerm_client_config.current_client_config.tenant_id
      object_id           = access_policy.value.user_id
      key_permissions     = access_policy.value.admin ? var.admin_key_permissions : var.user_key_permissions
      secret_permissions  = access_policy.value.admin ? var.admin_secret_permissions : var.user_secret_permissions
      storage_permissions = access_policy.value.admin ? var.admin_storage_permissions : var.user_storage_permissions
    }
  }

  # Network restrictions are rendered only when var.network_acls_bypass is
  # set. When it is null, default_action, ip_rules and the subnet ids are
  # silently ignored and no network_acls block is sent at all.
  # NOTE(review): without a network_acls block the vault presumably keeps the
  # provider/Azure default of accepting traffic from any network — confirm
  # against the azurerm provider version in use.
  dynamic "network_acls" {
    for_each = var.network_acls_bypass == null ? [] : ["acls"]
    content {
      default_action             = var.network_acls_default_action
      bypass                     = var.network_acls_bypass
      ip_rules                   = var.network_acls_ip_rules
      virtual_network_subnet_ids = var.network_acls_subnet_ids
    }
  }
}
# KEY VAULT SECRETS
# One azurerm_key_vault_secret per entry of var.secrets: the map key is the
# secret name and the map value its contents.
# NOTE(review): Terraform state stores these values in plaintext regardless
# of how the variable is declared; `sensitive = true` on var.secrets (in the
# variables file, not visible here) only keeps them out of plan/apply
# output — confirm both that flag and the state backend's access controls.
resource "azurerm_key_vault_secret" "key_vault_secret" {
  for_each = var.secrets

  name         = each.key
  value        = each.value
  key_vault_id = azurerm_key_vault.key_vault.id
  tags         = var.tags
}