Terraform module for Azure Key Vault
➡️ Terraform module for AWS Parameter Store
➡️ Terraform module for Google Secret Manager
- Module tested for Terraform 1.0.1.
- Azure provider version 2.98
main branch: provider versions are not pinned, so the branch tracks new Terraform and provider releases.
tags/releases: provider versions are pinned; reference a tagged release from your own code.
```shell
terraform init
terraform plan -var='teamid=tryme' -var='prjid=project1'
terraform apply -var='teamid=tryme' -var='prjid=project1'
terraform destroy -var='teamid=tryme' -var='prjid=project1'
```
Note: With this option you are responsible for configuring remote state storage yourself (local state will contain the secret values in plaintext).
Recommended method (stores remote state in S3, using prjid and teamid to build the key/directory structure):
- Create a Python 3.8+ virtual environment:
  ```shell
  python3 -m venv <venv name>
  ```
- Install the package:
  ```shell
  pip install tfremote --upgrade
  ```
- Set the environment variables below (profile-based credentials):
  ```shell
  export TF_AWS_BUCKET=<remote state bucket name>
  export TF_AWS_BUCKET_REGION=us-west-2
  export TF_AWS_PROFILE=<profile from ~/.aws/credentials>
  ```
  or, with static credentials:
  ```shell
  export TF_AWS_BUCKET=<remote state bucket name>
  export TF_AWS_BUCKET_REGION=us-west-2
  export AWS_ACCESS_KEY_ID=<aws_access_key_id>
  export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
  ```
- Update the examples directory with the required values.
- Run and verify the output before deploying:
  ```shell
  tf -c=aws plan -var='teamid=foo' -var='prjid=bar'
  ```
- Run the following to deploy:
  ```shell
  tf -c=aws apply -var='teamid=foo' -var='prjid=bar'
  ```
- Run the following to destroy:
  ```shell
  tf -c=aws destroy -var='teamid=foo' -var='prjid=bar'
  ```
Note: Read more on tfremote.
```hcl
terraform {
  required_version = ">= 1.0.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.98"
    }
  }
}

provider "azurerm" {
  features {}
}

module "key_vault" {
  source              = "../../"
  resource_group_name = "test-rg"
  location            = var.location
  # Secret name => value. Values end up in Terraform state, so protect the backend.
  secrets = {
    hello = "hello"
    foo   = "bar"
  }
  # Object IDs granted an access policy on the vault.
  user_object_id_list = ["12345-1234-1234-1234-1234567"]
  #-----------------------------------------------
  # Note: Do not change teamid and prjid once set.
  teamid = var.teamid
  prjid  = var.prjid
}
```
Note: If user_object_id_list is not specified, the identity running Terraform (resolved through the azurerm_client_config data source) is the only principal granted an access policy on the vault. Secret values supplied through secrets are stored in Terraform state in plaintext, so restrict access to the state backend as you would to the vault itself.
Please refer to the examples directory for references.
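The following is an added example, not part of the module's examples directory, showing the module call with the security-relevant defaults reviewed: purge protection switched on (the module defaults it to false, so a soft-deleted vault could otherwise be purged), the network default action kept at Deny, read-only secret permissions for the listed identities, and empty key and storage permission lists instead of the module's default lists. The input names (including the key_premissions spelling) follow the inputs table below; the object ID, resource group and variable names are placeholders.

```hcl
terraform {
  required_version = ">= 1.0.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 2.98"
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder inputs; set teamid/prjid once and never change them.
variable "teamid" { type = string }
variable "prjid" { type = string }
variable "location" {
  type    = string
  default = "westus2"
}

# Secret value supplied out of band (e.g. TF_VAR_db_password). `sensitive`
# only redacts plan/apply output; the value is still written to state.
variable "db_password" {
  type      = string
  sensitive = true
}

# Object IDs of the identities allowed to read secrets (placeholder value).
variable "reader_object_ids" {
  type    = list(string)
  default = ["00000000-0000-0000-0000-000000000000"]
}

module "key_vault" {
  source              = "../../"
  resource_group_name = "test-rg"
  location            = var.location
  sku                 = "standard"

  # Default is false: enable so a soft-deleted vault cannot be purged early.
  purge_protection_enabled = true
  # Default is "Deny"; stated explicitly so a later default change is visible in review.
  network_default_action = "Deny"

  # Least privilege for the listed readers: secrets only, read-only.
  user_object_id_list = var.reader_object_ids
  secret_permissions  = ["Get", "List"]
  key_premissions     = []
  storage_permissions = []

  secrets = {
    db_password = var.db_password
  }

  teamid = var.teamid
  prjid  = var.prjid
}

# Expose secret URIs (documented `secrets` output) for consumers; the values
# themselves are never output.
output "secret_uris" {
  value = module.key_vault.secrets
}
```

Run it with the quick-start commands above, supplying the secret through the environment (`export TF_VAR_db_password=...`) rather than on the command line, so it does not land in shell history.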
Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.1 |
| azurerm | ~> 2.98 |

Providers

| Name | Version |
|---|---|
| azurerm | ~> 2.98 |

Modules

| Name | Source | Version |
|---|---|---|
| global | git::git@github.com:tomarv2/terraform-global.git//common | v0.0.1 |

Resources

| Name | Type |
|---|---|
| azurerm_key_vault.kv | resource |
| azurerm_key_vault_secret.main | resource |
| azurerm_client_config.current | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| enabled_for_disk_encryption | Allow Disk Encryption to retrieve secrets from the vault and unwrap keys. | bool | false | no |
| extra_tags | Additional tags to associate | map(string) | {} | no |
| key_premissions | Key permissions | list(string) | [ | no |
| location | Specifies the supported Azure location where the resource exists | string | "westus2" | no |
| network_default_action | Network default action | string | "Deny" | no |
| prjid | Name of the project/stack. NOTE: DO NOT CHANGE ONCE SET | string | n/a | yes |
| purge_protection_enabled | Purge protection enabled | bool | false | no |
| resource_group_name | The name of the Resource group | string | n/a | yes |
| secret_permissions | Secret permissions | list(string) | [ | no |
| secrets | A map of secrets for the Key Vault. | map(string) | {} | no |
| sku | The name of the SKU used for the Key Vault. The options are: standard, premium. | string | "standard" | no |
| storage_permissions | Storage permissions | list(string) | [ | no |
| teamid | Name of the team/group, e.g. devops, dataengineering. Should not be changed after running 'tf apply' | string | n/a | yes |
| user_object_id_list | User object ID list | list(string) | [] | no |
Outputs

| Name | Description |
|---|---|
| id | The ID of the Key Vault. |
| name | The name of the Key Vault. |
| references | A mapping of Key Vault references for App Service and Azure Functions. |
| secrets | A mapping of secret names and URIs. |
| uri | The URI of the Key Vault. |