This Terraform module creates an Azure Key Vault with "reader" and "admin" pre-configured Access policies and Diagnostic settings enabled.
Module version | Terraform version | OpenTofu version | AzureRM version |
---|---|---|---|
>= 8.x.x | Unverified | 1.8.x | >= 4.0 |
>= 7.x.x | 1.3.x | >= 3.0 | |
>= 6.x.x | 1.x | >= 3.0 | |
>= 5.x.x | 0.15.x | >= 2.0 | |
>= 4.x.x | 0.13.x / 0.14.x | >= 2.0 | |
>= 3.x.x | 0.12.x | >= 2.0 | |
>= 2.x.x | 0.12.x | < 2.0 | |
< 2.x.x | 0.11.x | < 2.0 |
If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.
More details are available in the CONTRIBUTING.md file.
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper
available in the documentation.
data "azuread_group" "admin_group" {
display_name = "Admin"
}
module "key_vault" {
source = "claranet/keyvault/azurerm"
version = "x.x.x"
client_name = var.client_name
environment = var.environment
location = module.azure_region.location
location_short = module.azure_region.location_short
resource_group_name = module.rg.name
stack = var.stack
logs_destinations_ids = [
# module.logs.storage_account_id,
# module.logs.log_analytics_workspace_id,
]
reader_objects_ids = var.readers_object_ids
# Current user should be here to be able to create keys and secrets
admin_objects_ids = [
data.azuread_group.admin_group.id
]
# Specify Network ACLs
network_acls = {
bypass = "None"
default_action = "Deny"
ip_rules = ["10.10.0.0/26", "1.2.3.4/32"]
virtual_network_subnet_ids = var.subnet_ids
}
}
Name | Version |
---|---|
azurecaf | ~> 1.2.28 |
azurerm | ~> 4.0 |
Name | Source | Version |
---|---|---|
diagnostics | claranet/diagnostic-settings/azurerm | ~> 8.0.0 |
Name | Type |
---|---|
azurerm_key_vault.main | resource |
azurerm_key_vault_access_policy.admins | resource |
azurerm_key_vault_access_policy.readers | resource |
azurerm_key_vault_managed_hardware_security_module.main | resource |
azurerm_role_assignment.key_vault_administrator | resource |
azurerm_role_assignment.key_vault_reader | resource |
azurerm_role_assignment.key_vault_secrets_users | resource |
azurecaf_name.key_vault | data source |
azurecaf_name.key_vault_hsm | data source |
azurerm_client_config.current_config | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
admin_objects_ids | IDs of the objects that can do all operations on all keys, secrets and certificates. | list(string) |
[] |
no |
client_name | Client name | string |
n/a | yes |
custom_name | Name of the Key Vault, generated if not set. | string |
"" |
no |
default_tags_enabled | Option to enable or disable default tags. | bool |
true |
no |
diagnostic_settings_custom_name | Custom name of the diagnostics settings, name will be 'default' if not set. | string |
"default" |
no |
enabled_for_deployment | Whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the Key Vault. | bool |
false |
no |
enabled_for_disk_encryption | Whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
false |
no |
enabled_for_template_deployment | Whether Azure Resource Manager is permitted to retrieve secrets from the Key Vault. | bool |
false |
no |
environment | Environment name | string |
n/a | yes |
extra_tags | Extra tags to add. | map(string) |
{} |
no |
hsm_security_domain_certificates | List of keyvault certificates ids to be used as security domain certificates. | list(string) |
null |
no |
hsm_security_domain_quorum | Number of security domain certificates needed to perform operations. | number |
null |
no |
location | Azure location for Key Vault. | string |
n/a | yes |
location_short | Short string for Azure location. | string |
n/a | yes |
logs_categories | Log categories to send to destinations. | list(string) |
null |
no |
logs_destinations_ids | List of destination resources IDs for logs diagnostic destination. Can be Storage Account , Log Analytics Workspace and Event Hub . No more than one of each can be set.If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character. |
list(string) |
n/a | yes |
logs_metrics_categories | Metrics categories to send to destinations. | list(string) |
null |
no |
managed_hardware_security_module_enabled | Create a KeyVault Managed HSM resource if enabled. Changing this forces a new resource to be created. | bool |
false |
no |
name_prefix | Optional prefix for the generated name. | string |
"" |
no |
name_suffix | Optional suffix for the generated name. | string |
"" |
no |
network_acls | Object with attributes: bypass , default_action , ip_rules , virtual_network_subnet_ids . Set to null to disable. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information. |
object({ |
{} |
no |
public_network_access_enabled | Whether the Key Vault is available from public network. | bool |
false |
no |
purge_protection_enabled | Whether to activate purge protection. | bool |
true |
no |
rbac_authorization_enabled | Whether the Key Vault uses Role Based Access Control (RBAC) for authorization of data actions instead of access policies. | bool |
false |
no |
reader_objects_ids | IDs of the objects that can read all keys, secrets and certificates. | list(string) |
[] |
no |
resource_group_name | Resource Group the resources will belong to | string |
n/a | yes |
sku_name | The Name of the SKU used for this Key Vault. Possible values are "standard" and "premium". | string |
"standard" |
no |
soft_delete_retention_days | The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days. |
number |
7 |
no |
stack | Stack name | string |
n/a | yes |
tenant_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. Default is the current one. | string |
"" |
no |
Name | Description |
---|---|
hsm_security_domain | The security domain of the Key Vault Managed Hardware Security Module. |
id | Key Vault ID. |
module_diagnostics | Diagnostics module output. |
name | Key Vault name. |
resource | Key Vault resource object. |
resource_key_vault_access_policy_admin_policy | Key Vault admin access policy. |
resource_key_vault_access_policy_readers_policy | Key Vault readers access policy. |
resource_role_assignment_rbac_keyvault_administrator | Role assignment for Key Vault Administrator. |
resource_role_assignment_rbac_keyvault_reader | Role assignment for Key Vault Reader. |
resource_role_assignment_rbac_keyvault_secrets_users | Role assignment for Key Vault Secrets User. |
uri | URI of the Key Vault |
Microsoft Azure documentation: docs.microsoft.com/en-us/azure/key-vault/