Terraform module which creates Azure Key Vault resources.
- Soft-delete retention set to 90 days by default.
- Purge protection enabled by default (see notes).
- Role-based access control (RBAC) authorization enabled by default.
- Public network access denied by default.
- Audit logs sent to given Log Analytics workspace by default.
- Azure role `Contributor` at the resource group scope.
- Azure role `Log Analytics Contributor` at the Log Analytics workspace scope.

Because RBAC authorization is enabled, `Contributor` grants no data-plane access to the vault: principals that need to read or write secrets, keys or certificates must additionally hold a Key Vault data-plane role (for example `Key Vault Secrets Officer` or `Key Vault Administrator`) at the vault scope.
```hcl
provider "azurerm" {
  features {}
}

module "key_vault" {
  source  = "equinor/key-vault/azurerm"
  version = "~> 11.11"

  vault_name                 = "example-vault"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  log_analytics_workspace_id = module.log_analytics.workspace_id

  # Only these source ranges may reach the vault over the public endpoint.
  network_acls_ip_rules = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/30"]
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "westeurope"
}

module "log_analytics" {
  source  = "equinor/log-analytics/azurerm"
  version = "~> 2.0"

  workspace_name      = "example-workspace"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}
```

Purge protection is enabled by default to protect against malicious or accidental deletion of secrets, as recommended in Azure Key Vault best practices. Once purge protection has been enabled, it can't be disabled. A consequence worth planning for: a vault with purge protection cannot be purged before its soft-delete retention period (90 days by default) has elapsed, and because vault names are globally unique, a deleted vault's name stays reserved for that whole period.
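The defaults listed above only help if they survive later manual changes, so a practitioner will want a post-deployment check. The following is an added example, not code from the equinor module: it inspects the JSON document that `az keyvault show --name <vault> -o json` prints and reports any drift from the hardened defaults (soft delete and retention, purge protection, RBAC authorization, a Deny default network ACL, and overly broad IP rules). `SAMPLE` and `WEAK_SAMPLE` are constructed, abbreviated documents in that shape, not real output; the retention floor and the "broad rule" threshold are assumed policy values.

```python
"""Added example: audit a deployed Key Vault against the module's hardened defaults.

Input is the JSON printed by `az keyvault show --name <vault> -o json`.
The two SAMPLE documents below are constructed and abbreviated, not real output.
"""
import ipaddress
import json

MIN_RETENTION_DAYS = 90   # the module's default retention; assumed policy floor
MAX_RULE_ADDRESSES = 256  # assumed threshold: flag IP rules wider than a /24

# Constructed: a vault that matches the module defaults except for one broad IP rule.
SAMPLE = json.dumps({
    "name": "example-vault",
    "location": "westeurope",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": True,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices",
            "ipRules": [{"value": "1.1.1.1/32"}, {"value": "10.0.0.0/8"}],
            "virtualNetworkRules": [],
        },
    },
})

# Constructed: a vault someone has weakened by hand after deployment.
WEAK_SAMPLE = json.dumps({
    "name": "example-vault",
    "location": "westeurope",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 7,
        "enablePurgeProtection": False,
        "enableRbacAuthorization": False,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                        "ipRules": [], "virtualNetworkRules": []},
    },
})


def audit_vault(doc: str) -> list[str]:
    """Return a list of findings; an empty list means no drift was detected."""
    props = json.loads(doc).get("properties", {})
    findings: list[str] = []

    if not props.get("enableSoftDelete", False):
        findings.append("soft delete disabled")
    retention = int(props.get("softDeleteRetentionInDays", 0))
    if retention < MIN_RETENTION_DAYS:
        findings.append(f"soft delete retention {retention}d < {MIN_RETENTION_DAYS}d")
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection disabled")
    if not props.get("enableRbacAuthorization", False):
        findings.append("RBAC authorization disabled (access policies in use)")

    acls = props.get("networkAcls") or {}
    public = props.get("publicNetworkAccess", "Enabled")
    if public != "Disabled" and acls.get("defaultAction", "Allow") != "Deny":
        findings.append("public network access allowed without a Deny default ACL")

    # IP rules: each entry is {"value": "<ip or cidr>"}; flag unparsable or wide ranges.
    for rule in acls.get("ipRules", []) or []:
        value = str(rule.get("value", ""))
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"unparsable IP rule {value!r}")
            continue
        if net.num_addresses > MAX_RULE_ADDRESSES:
            findings.append(f"overly broad IP rule {value}")
    return findings


if __name__ == "__main__":
    for label, doc in (("SAMPLE", SAMPLE), ("WEAK_SAMPLE", WEAK_SAMPLE)):
        print(label, audit_vault(doc) or ["compliant"])
```

In practice the document would come from `az keyvault show --name example-vault -o json` (or from the subscription-wide `az keyvault list` output, one element at a time), so the check can run on a schedule alongside the audit logs the module already ships to Log Analytics.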
- Initialize working directory:

  `terraform init`

- Execute tests:

  `terraform test`

See the `terraform test` command documentation for options.