# Aliased provider used for every Key Vault related object in this file.
# The alias lets the vault live in a different subscription from the rest of
# the deployment (var.key_vault_subscription_id) while sharing one tenant.
# Authentication is a client-credentials service principal; make sure the
# variable feeding client_secret is declared `sensitive = true` in the
# variables file so the value does not surface in plan output or logs.
provider "azurerm" {
  alias = "key_vault"

  tenant_id       = var.tenant_id
  subscription_id = var.key_vault_subscription_id
  client_id       = var.azurerm_client_id
  client_secret   = var.azurerm_client_secret

  # Required by the provider even when no feature flags are customised.
  features {}
}
# Identity that the key_vault provider alias is authenticated as. Its
# object_id is used below to grant the deploying principal a role on the
# vault so it can create the certificate.
data "azurerm_client_config" "client_config_azurerm_key_vault" {
  provider = azurerm.key_vault
}
# Pre-existing resource group that will hold the vault. Only its name and
# location are consumed; the group itself is not managed here.
data "azurerm_resource_group" "resource_group_key_vault" {
  provider = azurerm.key_vault
  name     = var.key_vault_resource_group_name
}
# Key Vault holding the solution's certificate.
#
# Hardening choices that are set explicitly here:
#   - RBAC authorisation instead of classic access policies (the empty
#     access_policy list makes the intent explicit and keeps the plan clean).
#   - Soft delete with the minimum retention plus purge protection, so a
#     deleted vault or certificate cannot be destroyed out of band.
#   - Network ACLs default to Allow: the vault's data plane is reachable from
#     any network, and the role assignments further down are the only gate.
#     The bypass setting has no additional effect while default_action is
#     Allow. If the automation account's egress addresses or a private
#     endpoint become available, tightening default_action to Deny with
#     ip_rules / virtual_network_subnet_ids is the change to evaluate.
resource "azurerm_key_vault" "key_vault" {
  provider = azurerm.key_vault

  name                = "kv-${var.solution_name}"
  location            = data.azurerm_resource_group.resource_group_key_vault.location
  resource_group_name = data.azurerm_resource_group.resource_group_key_vault.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"

  # Recovery settings: 7 days is the smallest retention Key Vault accepts.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Data-plane authorisation via Azure RBAC only.
  enable_rbac_authorization = true
  access_policy             = []

  network_acls {
    # The key vault needs to be accessed by the automation account (which isn't one of the trusted Azure services) for certificate retrieval, therefore requiring public access
    default_action = "Allow"
    bypass         = "AzureServices"
  }
}
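# Self-signed RSA client-authentication certificate stored in the vault.
#
# The policy was missing a lifetime_action, so the certificate would simply
# expire after its 12-month validity with nothing renewing it. An AutoRenew
# action triggered 30 days before expiry is added so Key Vault rolls the
# certificate itself; with reuse_key = false each renewal gets a new key pair.
resource "azurerm_key_vault_certificate" "key_vault_certificate" {
  # The deploying identity only gains write access to the vault through the
  # Certificates Officer assignment; creating the certificate before that
  # assignment exists fails with an authorisation error.
  depends_on = [
    azurerm_role_assignment.role_assignment_key_vault_certificates_officer
  ]

  provider     = azurerm.key_vault
  name         = var.solution_name
  key_vault_id = azurerm_key_vault.key_vault.id

  certificate_policy {
    issuer_parameters {
      # Self-signed: no external CA is involved in issuance or renewal.
      name = "Self"
    }

    key_properties {
      # The private key is generated inside the vault and is not exportable.
      exportable = false
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    # Renew automatically before the certificate lapses so consumers of the
    # certificate do not hit a hard expiry.
    lifetime_action {
      action {
        action_type = "AutoRenew"
      }
      trigger {
        days_before_expiry = 30
      }
    }

    x509_certificate_properties {
      # 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth; the certificate is only meant
      # to identify a client, never to serve TLS.
      extended_key_usage = ["1.3.6.1.5.5.7.3.2"]
      key_usage = [
        "digitalSignature"
      ]
      subject            = "CN=${var.solution_name}"
      validity_in_months = 12
    }
  }
}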
# Built-in role "Key Vault Certificates Officer", looked up by its fixed
# definition id. The GUID is a global, stable identifier for the built-in
# role (the same in every tenant), so resolving by id rather than by display
# name avoids depending on a localisable string.
data "azurerm_role_definition" "role_definition_key_vault_certificates_officer" {
  provider           = azurerm.key_vault
  role_definition_id = "a4417e6f-fecd-4de8-b567-7b0420556985"
}
# Grants the identity running this Terraform configuration the Certificates
# Officer role on the vault, scoped to the vault resource only. This is what
# allows the certificate resource above to be created; it also leaves the
# deploying principal with standing write access to the vault's certificates,
# which is worth keeping in mind when reviewing that principal's blast radius.
resource "azurerm_role_assignment" "role_assignment_key_vault_certificates_officer" {
  provider = azurerm.key_vault

  scope              = azurerm_key_vault.key_vault.id
  role_definition_id = data.azurerm_role_definition.role_definition_key_vault_certificates_officer.id
  principal_id       = data.azurerm_client_config.client_config_azurerm_key_vault.object_id
}
# Built-in role "Key Vault Secrets User" (read-only access to secret
# contents), resolved by its stable built-in definition id.
data "azurerm_role_definition" "role_definition_key_vault_secrets_user" {
  provider           = azurerm.key_vault
  role_definition_id = "4633458b-17de-408a-b874-0445c86b69e6"
}
# Read-only secret access for the automation account's system-assigned
# identity (defined in another file), scoped to this vault. Presumably this is
# the path by which the runbooks retrieve the certificate material referenced
# in the vault's network_acls comment — confirm against the runbook code.
# Secrets User is the least-privileged built-in role for reading secrets; it
# does not allow listing or managing certificates or keys.
resource "azurerm_role_assignment" "role_assignment_key_vault_secrets_user" {
  provider = azurerm.key_vault

  scope              = azurerm_key_vault.key_vault.id
  role_definition_id = data.azurerm_role_definition.role_definition_key_vault_secrets_user.id
  principal_id       = azurerm_automation_account.automation_account.identity[0].principal_id
}