Setting up keyvault settings and adding permissions to app (#1276)

* Setting up keyvault settings and adding permissions to app Co-authored-by: halprin <halprin@users.noreply.github.com> * Fixing tf lint issues Co-authored-by: halprin <halprin@users.noreply.github.com> * Adding extra TF resources Co-authored-by: halprin <halprin@users.noreply.github.com> * Remove incorrect permission Co-authored-by: halprin <halprin@users.noreply.github.com> * Adding missing field * Fixing account key value * Adding vault access policy key permissions * Adding keys * Adding more perms * removing bad options * Adding depends on * adding permissions * No regeneration key * wait for permissions for the key vault managed storate account thing * See what Terraform tell us * Use azurerm_storage_account_customer_managed_key * storage account also depends on key vault permissions * Depend on just github deployer * Removing depends on * Modify access policy to be resource instead of data * Reverting data change for account wrapping * Always use P1v3 for testing * Go back to P0v3 for lower environments * Give deployer recover permission for our secrets in the key vault * Fix terraform format * Clean-up commented out Terraform * Adding custom identity * Removing deprecated flags * Adding depends on for access policy * Adding bracket for object id * Trying a third way for user creation * Use terraform data now * Adding our own identity for docs * making doc identity system assigned * Re-add user id for docs * go back to system id for docs * Also do encryption for the storage storage account * Use better names for resources * Use the correct rename --------- Co-authored-by: halprin <halprin@users.noreply.github.com>
CDCgov · Aug 29, 2024 · 3f1f655 · 3f1f655
1 parent b0ef2d6
commit 3f1f655
Show file tree

Hide file tree

Showing 9 changed files with 114 additions and 3 deletions.
diff --git a/operations/environments/dev/main.tf b/operations/environments/dev/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/internal/main.tf b/operations/environments/internal/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/pr/main.tf b/operations/environments/pr/main.tf
@@ -19,6 +19,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/prd/main.tf b/operations/environments/prd/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/stg/main.tf b/operations/environments/stg/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/template/app.tf b/operations/template/app.tf
@@ -3,7 +3,19 @@ resource "azurerm_container_registry" "registry" {
   name                = "cdcti${var.environment}containerregistry"
   resource_group_name = data.azurerm_resource_group.group.name
   location            = data.azurerm_resource_group.group.location
-  sku                 = "Standard"
+  sku                 = "Premium"
+
+  identity {
+    type = "UserAssigned"
+    identity_ids = [
+      azurerm_user_assigned_identity.key_vault_identity.id
+    ]
+  }
+
+  encryption {
+    key_vault_key_id   = azurerm_key_vault_key.customer_managed_key.id
+    identity_client_id = azurerm_user_assigned_identity.key_vault_identity.client_id
+  }
 
   #   below tags are managed by CDC
   lifecycle {
@@ -24,6 +36,13 @@ resource "azurerm_container_registry" "registry" {
   }
 }
 
+resource "azurerm_user_assigned_identity" "key_vault_identity" {
+  resource_group_name = data.azurerm_resource_group.group.name
+  location            = data.azurerm_resource_group.group.location
+
+  name = "key-vault-identity-${var.environment}"
+}
+
 resource "azurerm_role_assignment" "allow_app_to_pull_from_registry" {
   principal_id         = azurerm_linux_web_app.api.identity.0.principal_id
   role_definition_name = "AcrPull"

diff --git a/operations/template/docs.tf b/operations/template/docs.tf
@@ -27,7 +27,23 @@ resource "azurerm_storage_account" "docs" {
       tags["support_group"],
       tags["system"],
       tags["technical_steward"],
-      tags["zone"]
+      tags["zone"],
+      customer_managed_key,
     ]
   }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+resource "azurerm_storage_account_customer_managed_key" "docs_storage_account_customer_key" {
+  storage_account_id = azurerm_storage_account.docs.id
+  key_vault_id       = azurerm_key_vault.key_storage.id
+  key_name           = azurerm_key_vault_key.customer_managed_key.name
+
+  depends_on = [
+    azurerm_key_vault_access_policy.allow_github_deployer,
+    azurerm_key_vault_access_policy.allow_docs_storage_account_wrapping
+  ] //wait for the permission that allows our deployer to write the secret
 }
diff --git a/operations/template/key.tf b/operations/template/key.tf
@@ -7,7 +7,7 @@ resource "azurerm_key_vault" "key_storage" {
   sku_name  = "standard"
   tenant_id = data.azurerm_client_config.current.tenant_id
 
-  purge_protection_enabled = false
+  purge_protection_enabled = true
 
   #   below tags are managed by CDC
   lifecycle {
@@ -38,6 +38,18 @@ resource "azurerm_key_vault_access_policy" "allow_github_deployer" {
     "Get",
     "Delete",
     "Purge",
+    "Recover",
+  ]
+
+  key_permissions = [
+    "Create",
+    "Delete",
+    "Get",
+    "Purge",
+    "Recover",
+    "Update",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
   ]
 }
 
@@ -52,6 +64,30 @@ resource "azurerm_key_vault_access_policy" "allow_api_read" {
   ]
 }
 
+resource "azurerm_key_vault_access_policy" "allow_docs_storage_account_wrapping" {
+  key_vault_id = azurerm_key_vault.key_storage.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = azurerm_storage_account.docs.identity.0.principal_id
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "allow_storage_storage_account_wrapping" {
+  key_vault_id = azurerm_key_vault.key_storage.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = azurerm_storage_account.storage.identity.0.principal_id
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
+
 resource "azurerm_key_vault_secret" "report_stream_public_key" {
   name  = "organization-report-stream-public-key-${var.environment}"
   value = "dogcow"
@@ -99,3 +135,23 @@ resource "azurerm_key_vault_secret" "trusted_intermediary_private_key" {
   }
   depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
 }
+
+
+resource "azurerm_key_vault_key" "customer_managed_key" {
+  name         = "customer-managed-key-${var.environment}"
+  key_vault_id = azurerm_key_vault.key_storage.id
+
+  key_type = "RSA"
+  key_size = 4096
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey"
+  ]
+
+  depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
+}
diff --git a/operations/template/storage.tf b/operations/template/storage.tf
@@ -26,6 +26,21 @@ resource "azurerm_storage_account" "storage" {
       tags["zone"]
     ]
   }
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+resource "azurerm_storage_account_customer_managed_key" "storage_storage_account_customer_key" {
+  storage_account_id = azurerm_storage_account.storage.id
+  key_vault_id       = azurerm_key_vault.key_storage.id
+  key_name           = azurerm_key_vault_key.customer_managed_key.name
+
+  depends_on = [
+    azurerm_key_vault_access_policy.allow_github_deployer,
+    azurerm_key_vault_access_policy.allow_storage_storage_account_wrapping
+  ] //wait for the permission that allows our deployer to write the secret
 }
 
 resource "azurerm_storage_container" "metadata" {