
Disk Encryption Set with CMK #296

Merged
merged 35 commits into from
Mar 25, 2021
Changes from 5 commits
35 commits
b06c052
added disk_encyrption_set module
jorseng Feb 26, 2021
83311ac
update key access policy for encyrption set
jorseng Feb 26, 2021
ccff014
added disk encryption addition to vm module
jorseng Feb 26, 2021
784234f
pass disk_encryption_set local combined object to virtual_machines.tf
jorseng Feb 26, 2021
2bb9cd4
fixed vm modules to handle disk_encryption_set_id when disk_encryptio…
jorseng Mar 1, 2021
3d25e84
fix vm module on disk_encryption_set_id to correct attribute value.
jorseng Mar 3, 2021
f0f8749
added example configuration for disk encryption set
jorseng Mar 3, 2021
71c1a09
Fix disk-encryption-set
anamikanayal01 Mar 3, 2021
84fdc5b
Add standalone module for linux
anamikanayal01 Mar 3, 2021
2035f31
Merge branch 'js-encrypt-disk-cmk' of https://github.com/aztfmod/terr…
anamikanayal01 Mar 3, 2021
9cec49f
DES_Example-100 added standalone for linux vm
anamikanayal01 Mar 3, 2021
3e97448
Enabled VM MSI and reverted changes to vm_linux.tf and vm_windows.tf …
anamikanayal01 Mar 4, 2021
0a29e94
Added tag to KV map to test
anamikanayal01 Mar 4, 2021
7378739
added tags in akv block in example 105_Standalone winows vm
anamikanayal01 Mar 4, 2021
ee26474
updated keyvault_key module with the tags attribute- 105 windows VM
anamikanayal01 Mar 4, 2021
23ff587
added logged_in_app attribute value in access policy in config.tfvars
anamikanayal01 Mar 4, 2021
2d12dff
:added access policy in config.tfvars
anamikanayal01 Mar 4, 2021
a8ca0a0
DES creation with CMK-100-single-linux VM
anamikanayal01 Mar 8, 2021
4745ea5
DES with CMK- standalone-100- linux VM
anamikanayal01 Mar 8, 2021
6e3a203
DES with CMK- Standalone-105-windows vm
anamikanayal01 Mar 8, 2021
4ceb6fa
FMT
Mar 10, 2021
20fcb63
DES with CMK- Linux 100 & windows 105 example test
anamikanayal01 Mar 10, 2021
72d00bf
Merge branch 'js-encrypt-disk-cmk' of github.com:aztfmod/terraform-az…
anamikanayal01 Mar 10, 2021
d513520
Fix ci
LaurentLesle Mar 17, 2021
b6c99e3
Merge branch 'master' into js-encrypt-disk-cmk
LaurentLesle Mar 17, 2021
1465fd0
Merge remote-tracking branch 'origin/master' into js-encrypt-disk-cmk
LaurentLesle Mar 23, 2021
97d99ba
Fix Disk encryption set policy
LaurentLesle Mar 23, 2021
48cd81c
Merge branch 'master' into js-encrypt-disk-cmk
LaurentLesle Mar 24, 2021
b909540
Update standalone
LaurentLesle Mar 24, 2021
09b55b8
Update example
LaurentLesle Mar 24, 2021
eb5cfa2
Update example
LaurentLesle Mar 24, 2021
91eb00d
Fix CMK on storage account
LaurentLesle Mar 25, 2021
7dbc564
Merge branch 'master' into js-encrypt-disk-cmk
arnaudlh Mar 25, 2021
cb81b51
Fix for storage account without CMK
LaurentLesle Mar 25, 2021
7c0c09b
Merge branch 'master' into js-encrypt-disk-cmk
LaurentLesle Mar 25, 2021
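--- a/disk_encryption_sets.tf
+++ b/disk_encryption_sets.tf
@@ -0,0 +1,15 @@
+module "disk_encryption_sets" {
+source = "./modules/security/disk_encryption_set"
+for_each = local.security.disk_encryption_sets
+
+global_settings = local.global_settings
+client_config = local.client_config
+settings = each.value
+resource_groups = module.resource_groups
+base_tags = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
+key_vault_key_ids = module.keyvault_keys
+}
+
+output disk_encryption_sets {
+value = module.disk_encryption_sets
+}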
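Review bot: `key_vault_key_ids = module.keyvault_keys` restricts a disk encryption set to keys created in the same landing zone, whereas the consumers added in this PR (the `lz_key` lookup in vm_linux.tf and the access policy module in keyvault.tf) resolve objects across landing zones through `local.combined_objects_*` maps, so a set cannot be built on a key held by a remote landing zone. If a `local.combined_objects_keyvault_keys` exists (not visible here), passing it instead and indexing by `lz_key` inside the module would make the feature consistent with the rest of the change. Otherwise the limitation should be stated next to the argument, e.g. `# key_vault_key_key must reference a key defined in this landing zone`.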
1 change: 1 addition & 0 deletions keyvault.tf
Expand Up @@ -32,6 +32,7 @@ module "keyvault_access_policies" {
managed_identities = local.combined_objects_managed_identities
mssql_managed_instances = local.combined_objects_mssql_managed_instances
mssql_managed_instances_secondary = local.combined_objects_mssql_managed_instances_secondary
disk_encryption_sets = local.combined_objects_disk_encryption_sets
}


1 change: 1 addition & 0 deletions locals.combined_objects.tf
Expand Up @@ -35,4 +35,5 @@ locals {
combined_objects_resource_groups = merge(tomap({ (local.client_config.landingzone_key) = module.resource_groups }), try(var.remote_objects.resource_groups, {}))
combined_objects_storage_accounts = merge(tomap({ (local.client_config.landingzone_key) = module.storage_accounts }), try(var.remote_objects.storage_accounts, {}))
combined_objects_synapse_workspaces = merge(tomap({ (local.client_config.landingzone_key) = module.synapse_workspaces }), try(var.remote_objects.synapse_workspaces, {}))
combined_objects_disk_encryption_sets = merge(tomap({ (local.client_config.landingzone_key) = module.disk_encryption_sets }), try(var.remote_objects.disk_encryption_sets, {}))
}
1 change: 1 addition & 0 deletions locals.tf
Expand Up @@ -34,6 +34,7 @@ locals {
keyvault_certificate_requests = try(var.security.keyvault_certificate_requests, {})
keyvault_certificates = try(var.security.keyvault_certificates, {})
keyvault_keys = try(var.security.keyvault_keys, {})
disk_encryption_sets = try(var.security.disk_encryption_sets, {})
}

networking = {
4 changes: 4 additions & 0 deletions modules/compute/virtual_machine/variables.tf
Expand Up @@ -60,3 +60,7 @@ variable base_tags {
variable proximity_placement_groups {
default = {}
}

variable disk_encryption_sets {
default = {}
}
1 change: 1 addition & 0 deletions modules/compute/virtual_machine/vm_linux.tf
Expand Up @@ -83,6 +83,7 @@ resource "azurerm_linux_virtual_machine" "vm" {
name = try(azurecaf_name.os_disk_linux[each.key].result, null)
storage_account_type = try(each.value.os_disk.storage_account_type, null)
write_accelerator_enabled = try(each.value.os_disk.write_accelerator_enabled, false)
disk_encryption_set_id = try(each.value.os_disk.disk_encryption_set_key, null) == null ? null : try(var.disk_encryption_sets[var.client_config.landingzone_key][each.value.os_disk.disk_encryption_set_key], var.disk_encryption_sets[each.value.os_disk.lz_key][each.value.os_disk.disk_encryption_set_key] ,null)
}

source_image_reference {
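Review bot: The trailing `null` in the `try()` on the `disk_encryption_set_id` line means a `disk_encryption_set_key` that does not resolve (typo, wrong `lz_key`) silently produces an OS disk encrypted with platform-managed keys instead of a plan-time error; the same expression is repeated in modules/compute/virtual_machine/vm_windows.tf. Since the operator explicitly asked for CMK, an unresolved key should fail the plan: `disk_encryption_set_id = try(each.value.os_disk.disk_encryption_set_key, null) == null ? null : try(var.disk_encryption_sets[var.client_config.landingzone_key][each.value.os_disk.disk_encryption_set_key].id, var.disk_encryption_sets[each.value.os_disk.lz_key][each.value.os_disk.disk_encryption_set_key].id)`. As shown, the lookup also passes the whole module output object rather than its `.id`; the message of commit 3d25e84 suggests later commits in this PR address the attribute, but the silent fallback is a separate issue. The `azurerm_linux_virtual_machine` resource block starts outside the hunk.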
1 change: 1 addition & 0 deletions modules/compute/virtual_machine/vm_windows.tf
Expand Up @@ -68,6 +68,7 @@ resource "azurerm_windows_virtual_machine" "vm" {
name = azurecaf_name.os_disk_windows[each.key].result
storage_account_type = each.value.os_disk.storage_account_type
write_accelerator_enabled = try(each.value.os_disk.write_accelerator_enabled, false)
disk_encryption_set_id = try(each.value.os_disk.disk_encryption_set_key, null) == null ? null : try(var.disk_encryption_sets[var.client_config.landingzone_key][each.value.os_disk.disk_encryption_set_key], var.disk_encryption_sets[each.value.os_disk.lz_key][each.value.os_disk.disk_encryption_set_key] ,null)

dynamic "diff_disk_settings" {
for_each = try(each.value.diff_disk_settings, false) == false ? [] : [1]
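--- a/modules/security/disk_encryption_set/disk_encryption_set.tf
+++ b/modules/security/disk_encryption_set/disk_encryption_set.tf
@@ -0,0 +1,11 @@
+resource "azurerm_disk_encryption_set" "encryption_set" {
+name = var.settings.name
+resource_group_name = var.resource_groups[var.settings.resource_group_key].name
+location = lookup(var.settings, "region", null) == null ? var.resource_groups[var.settings.resource_group_key].location : var.global_settings.regions[var.settings.region]
+key_vault_key_id = var.key_vault_key_ids[var.settings.key_vault_key_key].id
+
+identity {
+type = "SystemAssigned"
+}
+tags = merge(var.base_tags, try(var.settings.tags, null))
+}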
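Review bot: The resource carries no documentation of the Key Vault prerequisites it depends on: Azure requires the vault behind `key_vault_key_id` to have soft delete and purge protection enabled and the key to be RSA, and the set's `SystemAssigned` identity must hold key permissions on that vault before any disk can use it, otherwise creation fails at apply time with an error that does not point back to this module. A header comment above the resource along the lines of `# The referenced key vault must have soft delete and purge protection enabled and the key must be RSA; the set's identity needs get/wrapKey/unwrapKey on the vault, granted via keyvault_access_policies.` would save the next operator a round trip. The vault itself is created elsewhere, so these checks cannot be enforced from this module.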
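--- a/modules/security/disk_encryption_set/main.tf
+++ b/modules/security/disk_encryption_set/main.tf
@@ -0,0 +1,8 @@
+terraform {
+required_providers {
+azurecaf = {
+source = "aztfmod/azurecaf"
+}
+}
+required_version = ">= 0.13"
+}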
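Review bot: `required_providers` declares `azurecaf`, but none of the module files in this PR use an `azurecaf_name` resource — disk_encryption_set.tf takes `name = var.settings.name` straight from settings. Either drop the azurecaf requirement from this block, or, to match the naming convention used in vm_linux.tf (`azurecaf_name.os_disk_linux[each.key].result`), add an `azurecaf_name` resource for the set and use its `result` as the name. The former is the smaller change if CAF naming is not wanted for encryption sets.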
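--- a/modules/security/disk_encryption_set/output.tf
+++ b/modules/security/disk_encryption_set/output.tf
@@ -0,0 +1,14 @@
+output principal_id {
+value = azurerm_disk_encryption_set.encryption_set.identity.0.principal_id
+}
+output tenant_id {
+value = azurerm_disk_encryption_set.encryption_set.identity.0.tenant_id
+}
+
+output id {
+value = azurerm_disk_encryption_set.encryption_set.id
+}
+
+output rbac_id {
+value = azurerm_disk_encryption_set.encryption_set.identity.0.principal_id
+}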
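--- a/modules/security/disk_encryption_set/variables.tf
+++ b/modules/security/disk_encryption_set/variables.tf
@@ -0,0 +1,8 @@
+variable global_settings {}
+variable client_config {}
+variable base_tags {
+default = {}
+}
+variable settings {}
+variable key_vault_key_ids {}
+variable resource_groups {}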
12 changes: 12 additions & 0 deletions modules/security/keyvault_access_policies/policies.tf
Expand Up @@ -103,3 +103,15 @@ module mssql_managed_instances_secondary {
object_id = try(each.value.lz_key, null) == null ? var.mssql_managed_instances_secondary[var.client_config.landingzone_key][each.value.mssql_managed_instance_secondary_key].principal_id : var.mssql_managed_instances_secondary[each.value.lz_key][each.value.mssql_managed_instance_secondary_key].principal_id
}

module disk_encryption_set {
source = "./access_policy"
for_each = {
for key, access_policy in var.access_policies : key => access_policy
if try(access_policy.disk_encryption_set_key, null) != null
}

keyvault_id = var.keyvault_id == null ? try(var.keyvaults[var.client_config.landingzone_key][var.keyvault_key].id, var.keyvaults[each.value.lz_key][var.keyvault_key].id) : var.keyvault_id
access_policy = each.value
tenant_id = var.client_config.tenant_id
object_id = try(each.value.lz_key, null) == null ? var.disk_encryption_sets[var.client_config.landingzone_key][each.value.disk_encryption_set_key].principal_id : var.disk_encryption_sets[each.value.lz_key][each.value.disk_encryption_set_key].principal_id
}
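Review bot: The new `module disk_encryption_set` is named in the singular while the variable it reads (`var.disk_encryption_sets`) and the neighbouring modules such as `mssql_managed_instances_secondary` are plural; renaming it `disk_encryption_sets` keeps the file's convention. The policy body is passed through unchanged as `access_policy = each.value`, so the key permissions the set's identity receives are whatever the config supplies; a comment above the module such as `# A disk encryption set only needs key permissions get, wrapKey and unwrapKey on the vault; the access_policies config should grant no more.` records the least-privilege baseline for the examples. The `object_id` lookup has no fallback value, which correctly fails the plan when the set cannot be found.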
3 changes: 3 additions & 0 deletions modules/security/keyvault_access_policies/variables.tf
Expand Up @@ -32,4 +32,7 @@ variable mssql_managed_instances {
}
variable mssql_managed_instances_secondary {
default = {}
}
variable disk_encryption_sets {
default = {}
}
1 change: 1 addition & 0 deletions virtual_machines.tf
Expand Up @@ -26,6 +26,7 @@ module virtual_machines {
base_tags = try(local.global_settings.inherit_tags, false) ? module.resource_groups[each.value.resource_group_key].tags : {}
availability_sets = local.combined_objects_availability_sets
proximity_placement_groups = local.combined_objects_proximity_placement_groups
disk_encryption_sets = local.combined_objects_disk_encryption_sets
}


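Review bot: Passing `disk_encryption_sets` into `module virtual_machines` introduces an ordering requirement the dependency graph does not express: a VM disk can only be created with a set whose identity already holds key permissions on the vault, and those are granted by `module "keyvault_access_policies"` (keyvault.tf), which this module block does not reference. On a first apply the VM can therefore be created before the policy exists and fail with a key access error, which is hard to attribute to this change. If the block does not already carry it outside the hunk, add `depends_on = [module.keyvault_access_policies]` to `module virtual_machines`. The module block begins before the start of this hunk.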