Azure Key Vault feature

This Terraform module creates an Azure Key Vault with "reader" and "admin" pre-configured Access policies and Diagnostic settings enabled.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

data "azuread_group" "admin_group" {
  display_name = "Admin"
}

module "key_vault" {
  source  = "claranet/keyvault/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.name
  stack               = var.stack

  logs_destinations_ids = [
    # module.logs.storage_account_id,
    # module.logs.log_analytics_workspace_id,
  ]

  reader_objects_ids = var.readers_object_ids

  # Current user should be here to be able to create keys and secrets
  admin_objects_ids = [
    data.azuread_group.admin_group.id
  ]

  # Specify Network ACLs
  network_acls = {
    bypass         = "None"
    default_action = "Deny"
    ip_rules       = ["10.10.0.0/26", "1.2.3.4/32"]

    virtual_network_subnet_ids = var.subnet_ids
  }
}

Providers

Name	Version
azurecaf	>= 1.2.28
azurerm	~> 4.31

Modules

Name	Source	Version
diagnostics	claranet/diagnostic-settings/azurerm	~> 8.2.0

Resources

Name	Type
azurerm_key_vault.main	resource
azurerm_key_vault_access_policy.admins	resource
azurerm_key_vault_access_policy.readers	resource
azurerm_key_vault_managed_hardware_security_module.main	resource
azurerm_role_assignment.key_vault_administrator	resource
azurerm_role_assignment.key_vault_reader	resource
azurerm_role_assignment.key_vault_secrets_users	resource
azurecaf_name.key_vault	data source
azurecaf_name.key_vault_hsm	data source
azurerm_client_config.current_config	data source

Inputs

Name	Description	Type	Default	Required
admin_objects_ids	IDs of the objects that can do all operations on all keys, secrets and certificates.	list(string)	[]	no
client_name	Client name	string	n/a	yes
custom_name	Name of the Key Vault, generated if not set.	string	""	no
default_tags_enabled	Option to enable or disable default tags.	bool	true	no
diagnostic_settings_custom_name	Custom name of the diagnostics settings, name will be 'default' if not set.	string	"default"	no
enabled_for_deployment	Whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the Key Vault.	bool	false	no
enabled_for_disk_encryption	Whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.	bool	false	no
enabled_for_template_deployment	Whether Azure Resource Manager is permitted to retrieve secrets from the Key Vault.	bool	false	no
environment	Environment name	string	n/a	yes
extra_tags	Extra tags to add.	map(string)	{}	no
hsm_security_domain_certificates	List of keyvault certificates ids to be used as security domain certificates.	list(string)	null	no
hsm_security_domain_quorum	Number of security domain certificates needed to perform operations.	number	null	no
location	Azure location for Key Vault.	string	n/a	yes
location_short	Short string for Azure location.	string	n/a	yes
logs_categories	Log categories to send to destinations.	list(string)	null	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character.	list(string)	n/a	yes
logs_metrics_categories	Metrics categories to send to destinations.	list(string)	null	no
managed_hardware_security_module_enabled	Create a KeyVault Managed HSM resource if enabled. Changing this forces a new resource to be created.	bool	false	no
name_prefix	Optional prefix for the generated name.	string	""	no
name_suffix	Optional suffix for the generated name.	string	""	no
network_acls	Object with attributes: bypass, default_action, ip_rules, virtual_network_subnet_ids. Set to null to disable. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information.	object({ bypass = optional(string, "None"), default_action = optional(string, "Deny"), ip_rules = optional(list(string)), virtual_network_subnet_ids = optional(list(string)), })	{}	no
public_network_access_enabled	Whether the Key Vault is available from public network.	bool	false	no
purge_protection_enabled	Whether to activate purge protection.	bool	true	no
rbac_authorization_enabled	Whether the Key Vault uses Role Based Access Control (RBAC) for authorization of data actions instead of access policies.	bool	false	no
reader_objects_ids	IDs of the objects that can read all keys, secrets and certificates.	list(string)	[]	no
resource_group_name	Resource Group the resources will belong to	string	n/a	yes
sku_name	The Name of the SKU used for this Key Vault. Possible values are "standard" and "premium".	string	"standard"	no
soft_delete_retention_days	The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days.	number	7	no
stack	Stack name	string	n/a	yes
tenant_id	The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. Default is the current one.	string	""	no

Outputs

Name	Description
hsm_security_domain	The security domain of the Key Vault Managed Hardware Security Module.
id	Key Vault ID.
module_diagnostics	Diagnostics module output.
name	Key Vault name.
resource	Key Vault resource object.
resource_key_vault_access_policy_admin_policy	Key Vault admin access policy.
resource_key_vault_access_policy_readers_policy	Key Vault readers access policy.
resource_role_assignment_rbac_keyvault_administrator	Role assignment for Key Vault Administrator.
resource_role_assignment_rbac_keyvault_reader	Role assignment for Key Vault Reader.
resource_role_assignment_rbac_keyvault_secrets_users	Role assignment for Key Vault Secrets User.
uri	URI of the Key Vault

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/key-vault/