claranet/terraform-azurerm-keyvault


Azure Key Vault feature


This Terraform module creates an Azure Key Vault with pre-configured "reader" and "admin" access policies (or the equivalent RBAC role assignments) and with diagnostic settings enabled.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | OpenTofu version | AzureRM version |
|---|---|---|---|
| >= 8.x.x | Unverified | 1.8.x | >= 4.0 |
| >= 7.x.x | 1.3.x | | >= 3.0 |
| >= 6.x.x | 1.x | | >= 3.0 |
| >= 5.x.x | 0.15.x | | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
| >= 3.x.x | 0.12.x | | >= 2.0 |
| >= 2.x.x | 0.12.x | | < 2.0 |
| < 2.x.x | 0.11.x | | < 2.0 |

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets some Terraform variables in the environment that this module needs. More details about the variables set by the terraform-wrapper are available in the documentation.

⚠️ Since module version v8.0.0, we no longer maintain or check compatibility with HashiCorp Terraform. Instead, we recommend using OpenTofu.

```hcl
data "azuread_group" "admin_group" {
  display_name = "Admin"
}

module "key_vault" {
  source  = "claranet/keyvault/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.name
  stack               = var.stack

  logs_destinations_ids = [
    # module.logs.storage_account_id,
    # module.logs.log_analytics_workspace_id,
  ]

  reader_objects_ids = var.readers_object_ids

  # The current user (or a group containing it) should be here to be able to create keys and secrets
  admin_objects_ids = [
    data.azuread_group.admin_group.id
  ]

  # Network ACLs: deny by default, allow only the listed IP ranges and subnets
  network_acls = {
    bypass         = "None"
    default_action = "Deny"
    ip_rules       = ["10.10.0.0/26", "1.2.3.4/32"]

    virtual_network_subnet_ids = var.subnet_ids
  }
}
```
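As an added example that is not part of this module, a plan-time guardrail in Python for the security-relevant settings the module exposes (purge protection, public network access, network ACL default action and IP rules). It reads `terraform show -json` output; the embedded plan and the `module.key_vault` / `module.key_vault_legacy` addresses are constructed sample data.

```python
import ipaddress
import json
from typing import Iterator

# Constructed sample of `terraform show -json tfplan` output, trimmed to the fields checked.
# This module creates azurerm_key_vault.main inside module.key_vault, so the vault sits under
# planned_values.root_module.child_modules rather than in root_module.resources.
SAMPLE_PLAN_JSON = """{"planned_values": {"root_module": {"child_modules": [
  {"address": "module.key_vault", "resources": [
    {"address": "module.key_vault.azurerm_key_vault.main", "type": "azurerm_key_vault",
     "values": {"name": "kv-hardened", "purge_protection_enabled": true,
                "public_network_access_enabled": false, "soft_delete_retention_days": 90,
                "network_acls": [{"bypass": "None", "default_action": "Deny",
                                  "ip_rules": ["10.10.0.0/26", "1.2.3.4/32"]}]}}]},
  {"address": "module.key_vault_legacy", "resources": [
    {"address": "module.key_vault_legacy.azurerm_key_vault.main", "type": "azurerm_key_vault",
     "values": {"name": "kv-open", "purge_protection_enabled": false,
                "public_network_access_enabled": true, "soft_delete_retention_days": 7,
                "network_acls": [{"bypass": "AzureServices", "default_action": "Allow",
                                  "ip_rules": ["0.0.0.0/0"]}]}}]}]}}}"""

def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_key_vault(values: dict) -> list[str]:
    """Return the guardrail violations for one planned azurerm_key_vault (empty = compliant)."""
    findings = []
    if not values.get("purge_protection_enabled"):
        findings.append("purge protection disabled")
    if values.get("public_network_access_enabled"):
        findings.append("public network access enabled")
    # network_acls is a single-element list in plan JSON; an absent block means no ACL at all.
    acl = (values.get("network_acls") or [{}])[0]
    if acl.get("default_action") != "Deny":
        findings.append("network ACL default_action is not Deny")
    for rule in acl.get("ip_rules") or []:
        if ipaddress.ip_network(rule, strict=False).prefixlen == 0:
            findings.append(f"network ACL ip_rules allows the whole internet ({rule})")
    return findings

def audit_plan(plan_json: str) -> dict[str, list[str]]:
    """Map each planned Key Vault address to its findings."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return {r["address"]: check_key_vault(r["values"])
            for r in iter_resources(root) if r["type"] == "azurerm_key_vault"}
```

Pipe the real `terraform show -json tfplan` output into `audit_plan` in CI and fail the job when any address maps to a non-empty list of findings.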

Providers

| Name | Version |
|---|---|
| azurecaf | ~> 1.2.28 |
| azurerm | ~> 4.0 |

Modules

| Name | Source | Version |
|---|---|---|
| diagnostics | claranet/diagnostic-settings/azurerm | ~> 8.0.0 |

Resources

| Name | Type |
|---|---|
| azurerm_key_vault.main | resource |
| azurerm_key_vault_access_policy.admins | resource |
| azurerm_key_vault_access_policy.readers | resource |
| azurerm_key_vault_managed_hardware_security_module.main | resource |
| azurerm_role_assignment.key_vault_administrator | resource |
| azurerm_role_assignment.key_vault_reader | resource |
| azurerm_role_assignment.key_vault_secrets_users | resource |
| azurecaf_name.key_vault | data source |
| azurecaf_name.key_vault_hsm | data source |
| azurerm_client_config.current_config | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_objects_ids | IDs of the objects that can do all operations on all keys, secrets and certificates. | list(string) | [] | no |
| client_name | Client name | string | n/a | yes |
| custom_name | Name of the Key Vault, generated if not set. | string | "" | no |
| default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
| diagnostic_settings_custom_name | Custom name of the diagnostic settings; the name is 'default' if not set. | string | "default" | no |
| enabled_for_deployment | Whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the Key Vault. | bool | false | no |
| enabled_for_disk_encryption | Whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool | false | no |
| enabled_for_template_deployment | Whether Azure Resource Manager is permitted to retrieve secrets from the Key Vault. | bool | false | no |
| environment | Environment name | string | n/a | yes |
| extra_tags | Extra tags to add. | map(string) | {} | no |
| hsm_security_domain_certificates | List of Key Vault certificate IDs to be used as security domain certificates. | list(string) | null | no |
| hsm_security_domain_quorum | Number of security domain certificates needed to perform operations. | number | null | no |
| location | Azure location for Key Vault. | string | n/a | yes |
| location_short | Short string for Azure location. | string | n/a | yes |
| logs_categories | Log categories to send to destinations. | list(string) | null | no |
| logs_destinations_ids | List of destination resource IDs for the logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure Event Hub as a destination, you must provide a formatted string containing both the Event Hub Namespace authorization send ID and the Event Hub name (name of the queue to use in the Namespace) separated by the pipe character (`\|`). | list(string) | n/a | yes |
| logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
| managed_hardware_security_module_enabled | Create a Key Vault Managed HSM resource if enabled. Changing this forces a new resource to be created. | bool | false | no |
| name_prefix | Optional prefix for the generated name. | string | "" | no |
| name_suffix | Optional suffix for the generated name. | string | "" | no |
| network_acls | Object with attributes: bypass, default_action, ip_rules, virtual_network_subnet_ids. Set to null to disable. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information. | object({ bypass = optional(string, "None"), default_action = optional(string, "Deny"), ip_rules = optional(list(string)), virtual_network_subnet_ids = optional(list(string)) }) | {} | no |
| public_network_access_enabled | Whether the Key Vault is reachable from the public network. | bool | false | no |
| purge_protection_enabled | Whether to activate purge protection. | bool | true | no |
| rbac_authorization_enabled | Whether the Key Vault uses Role Based Access Control (RBAC) for authorization of data actions instead of access policies. | bool | false | no |
| reader_objects_ids | IDs of the objects that can read all keys, secrets and certificates. | list(string) | [] | no |
| resource_group_name | Resource Group the resources will belong to. | string | n/a | yes |
| sku_name | The name of the SKU used for this Key Vault. Possible values are "standard" and "premium". | string | "standard" | no |
| soft_delete_retention_days | The number of days that items should be retained once soft-deleted. This value can be between 7 and 90 days. | number | 7 | no |
| stack | Stack name | string | n/a | yes |
| tenant_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. Default is the current one. | string | "" | no |

Outputs

| Name | Description |
|---|---|
| hsm_security_domain | The security domain of the Key Vault Managed Hardware Security Module. |
| id | Key Vault ID. |
| module_diagnostics | Diagnostics module output. |
| name | Key Vault name. |
| resource | Key Vault resource object. |
| resource_key_vault_access_policy_admin_policy | Key Vault admin access policy. |
| resource_key_vault_access_policy_readers_policy | Key Vault readers access policy. |
| resource_role_assignment_rbac_keyvault_administrator | Role assignment for Key Vault Administrator. |
| resource_role_assignment_rbac_keyvault_reader | Role assignment for Key Vault Reader. |
| resource_role_assignment_rbac_keyvault_secrets_users | Role assignment for Key Vault Secrets User. |
| uri | URI of the Key Vault. |

Related documentation

Microsoft Azure documentation: docs.microsoft.com/en-us/azure/key-vault/

About

Terraform module composition (feature) for Azure KeyVault
