
tomarv2/terraform-azure-key-vault


Terraform module for Azure Key Vault

➡️ Terraform module for AWS Parameterstore

➡️ Terraform module for Google Secret Manager

Versions

  • Module tested with Terraform 1.0.1.
  • Azure provider (azurerm) version 2.98
  • main branch: provider versions are not pinned, so it keeps up with Terraform releases
  • Tagged releases: provider versions are pinned (use these in your own releases)

Usage

Option 1:

terraform init
terraform plan -var='teamid=tryme' -var='prjid=project1'
terraform apply -var='teamid=tryme' -var='prjid=project1'
terraform destroy -var='teamid=tryme' -var='prjid=project1'

Note: With this option you are responsible for configuring remote state storage yourself.

Option 2:

Recommended method (stores remote state in S3, using prjid and teamid to create the directory structure):
  • Create a Python 3.8+ virtual environment:
    python3 -m venv <venv name>
  • Install the package:
    pip install tfremote --upgrade
  • Set the environment variables below:
    export TF_AWS_BUCKET=<remote state bucket name>
    export TF_AWS_BUCKET_REGION=us-west-2
    export TF_AWS_PROFILE=<profile from ~/.aws/credentials>

or

  • Set the environment variables below:
    export TF_AWS_BUCKET=<remote state bucket name>
    export TF_AWS_BUCKET_REGION=us-west-2
    export AWS_ACCESS_KEY_ID=<aws_access_key_id>
    export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
  • Update the examples directory with the required values.
  • Run the plan and verify the output before deploying:
    tf -c=aws plan -var='teamid=foo' -var='prjid=bar'
  • Run the following to deploy:
    tf -c=aws apply -var='teamid=foo' -var='prjid=bar'
  • Run the following to destroy:
    tf -c=aws destroy -var='teamid=foo' -var='prjid=bar'

Note: Read more on tfremote

Azure Key Vault
terraform {
  required_version = ">= 1.0.1"
  required_providers {
    azurerm = {
      version = "~> 2.98"
    }
  }
}

provider "azurerm" {
  features {}
}

module "key_vault" {
  source = "../../"

  resource_group_name = "test-rg"
  location            = var.location
  secrets = {
    hello = "hello"
    foo   = "bar"
  }
  user_object_id_list = ["12345-1234-1234-1234-1234567"]
  #-----------------------------------------------
  # Note: Do not change teamid and prjid once set.
  teamid = var.teamid
  prjid  = var.prjid
}

Note: If no user_object_id_list is specified, the identity that creates the Key Vault (the current azurerm client) is granted access to it.
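The module's defaults grant every listed identity broad secret and key permissions (including "purge") and leave purge protection off. The configuration below is an added example, not one of the project's own examples, showing a tighter invocation of the same module: an explicit access list that includes the deploying identity (it must still be able to set the secrets the module creates), permissions trimmed to what day-to-day use needs, purge protection on, and the secret value passed through a sensitive variable instead of a literal. The variables app_object_id and db_password, and the relative module source path, are assumptions.

```hcl
terraform {
  required_version = ">= 1.0.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.98"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity running terraform; it needs access because the module also creates the secrets.
data "azurerm_client_config" "current" {}

variable "app_object_id" {
  type        = string
  description = "Object ID of the application identity that reads secrets (assumed variable)"
}

variable "db_password" {
  type      = string
  sensitive = true # never written as a literal into the configuration
}

module "key_vault" {
  source = "../../"

  resource_group_name = "test-rg"
  location            = var.location
  sku                 = "standard"

  # Explicit access list: deployer plus one application identity.
  user_object_id_list = [data.azurerm_client_config.current.object_id, var.app_object_id]

  # Narrowed from the module defaults: no "purge" or "backup"; "set"/"delete" stay for Terraform itself.
  secret_permissions = ["get", "list", "set", "delete", "recover"]
  key_premissions    = ["get", "list"] # input name spelled as in the module's Inputs table

  purge_protection_enabled = true   # a soft-deleted vault can no longer be force-purged
  network_default_action   = "Deny" # module default, stated explicitly so reviews see it

  secrets = {
    db-password = var.db_password
  }

  # Note: Do not change teamid and prjid once set.
  teamid = var.teamid
  prjid  = var.prjid
}
```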

Please refer to the examples directory for further references.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.1 |
| azurerm | ~> 2.98 |

Providers

| Name | Version |
|------|---------|
| azurerm | ~> 2.98 |

Modules

| Name | Source | Version |
|------|--------|---------|
| global | git::git@github.com:tomarv2/terraform-global.git//common | v0.0.1 |

Resources

| Name | Type |
|------|------|
| azurerm_key_vault.kv | resource |
| azurerm_key_vault_secret.main | resource |
| azurerm_client_config.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| enabled_for_disk_encryption | Allow Disk Encryption to retrieve secrets from the vault and unwrap keys. | bool | false | no |
| extra_tags | Additional tags to associate | map(string) | {} | no |
| key_premissions | Key permissions | list(string) | ["list", "get", "delete", "recover", "update", "backup", "purge", "import", "create", "verify", "restore"] | no |
| location | Specifies the supported Azure location where the resource exists | string | "westus2" | no |
| network_default_action | Network default action | string | "Deny" | no |
| prjid | Name of the project/stack. NOTE: DO NOT CHANGE ONCE SET | string | n/a | yes |
| purge_protection_enabled | Purge protection enabled | bool | false | no |
| resource_group_name | The name of the Resource group | string | n/a | yes |
| secret_permissions | Secret permissions | list(string) | ["set", "list", "get", "delete", "recover", "backup", "purge", "restore"] | no |
| secrets | A map of secrets for the Key Vault. | map(string) | {} | no |
| sku | The name of the SKU used for the Key Vault. The options are: standard, premium. | string | "standard" | no |
| storage_permissions | Storage permissions | list(string) | ["set", "list", "get"] | no |
| teamid | Name of the team/group, e.g. devops, dataengineering. Should not be changed after running 'tf apply' | string | n/a | yes |
| user_object_id_list | User object ID list | list(string) | [] | no |

Outputs

| Name | Description |
|------|-------------|
| id | The ID of the Key Vault. |
| name | The name of the Key Vault. |
| references | A mapping of Key Vault references for App Service and Azure Functions. |
| secrets | A mapping of secret names and URIs. |
| uri | The URI of the Key Vault. |