terraform-azure-mcaf-key-vault

Terraform module to deploy a key vault with defaults, and optionaly some customer managed keys keys.

Requirements

Name	Version
terraform	>= 1.7
azurerm	>= 4

Providers

Name	Version
azurerm	4.3.0

Modules

No modules.

Resources

Name	Type
azurerm_key_vault.this	resource
azurerm_key_vault_key.cmkrsa	resource
azurerm_key_vault_key.this	resource
azurerm_role_assignment.this	resource
azurerm_client_config.current	data source

Inputs

Name	Description	Type	Default	Required
key_vault	This object describes the configuration for an Azure Key Vault. The following arguments are supported: - name - (Required) The name of the Key Vault. - tenant_id - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. - resource_group_name - (Optional) The name of the resource group in which to create the Key Vault. If not provided, the resource group of the calling module will be used. - location - (Optional) The location of the Key Vault. If not provided, the location of the calling module will be used. - enabled_for_disk_encryption - (Optional) Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. - enabled_for_deployment - (Optional) Specifies whether Azure Resource Manager is permitted to retrieve secrets from the vault. - enabled_for_template_deployment - (Optional) Specifies whether Azure Resource Manager is permitted to retrieve secrets from the vault. - enable_rbac_authorization - (Optional) Specifies whether Azure RBAC is permitted to retrieve secrets from the vault. - purge_protection - (Optional) Specifies whether protection against purge is enabled for this Key Vault. - soft_delete_retention_days - (Optional) The number of days that items should be retained for once soft deleted. - sku - (Optional) The SKU of the Key Vault. - ip_rules - (Optional) List of IP addresses that are permitted to access the key vault. - subnet_id - (Optional) List of subnet IDs that are permitted to access the key vault. - network_bypass - (Optional) Specifies which traffic can bypass the network rules. - cmkrsa_keyname - (Optional) The name of the customer managed key with RSA algorithm to create. - cmkec_keyname - (Optional) The name of the customer managed key with EC algorithm to create. - cmk_keys_create - (Optional) Specifies whether to create custom managed keys. Example Inputs: hcl key_vault = { name = "my-key-vault" tenant_id = "00000000-0000-0000-0000-000000000000" enabled_for_disk_encryption = true enabled_for_deployment = true enabled_for_template_deployment = true enable_rbac_authorization = true purge_protection = true soft_delete_retention_days = 30 sku = "standard" cmkrsa_keyname = "cmkrsa" cmkec_keyname = "cmkec" cmk_keys_create = true	object({ name = string tenant_id = string resource_group_name = optional(string, null) location = optional(string, null) enabled_for_disk_encryption = optional(bool, false) enabled_for_deployment = optional(bool, false) enabled_for_template_deployment = optional(bool, false) enable_rbac_authorization = optional(bool, true) purge_protection = optional(bool, true) soft_delete_retention_days = optional(number, 30) sku = optional(string, "standard") ip_rules = optional(list(string), []) subnet_id = optional(list(string), []) network_bypass = optional(string, "None") cmkrsa_keyname = optional(string, "cmkrsa") cmkec_keyname = optional(string, "cmkec") cmk_keys_create = optional(bool, false) cmk_rotation_period = optional(string, "P90D") tags = optional(map(string), {}) })	n/a	yes
tags	A mapping of tags to assign to the resources.	map(string)	n/a	yes
key_vault_key	This map describes the configuration for Azure Key Vault keys. - key_vault_id - (Required) The ID of the Key Vault. - key_type - (Required) The type of the key. - key_size - (Required) The size of the key. - key_opts - (Required) The key operations that are permitted. Example Inputs: hcl key_vault_key = { key_name = { type = "RSA" size = 4096 opts = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"] } key_ec = { type = "EC" curve = "P-256" opts = ["sign", "verify"] } }	map(object({ name = optional(string, null) curve = optional(string, null) size = optional(number, null) type = optional(string, null) opts = optional(list(string), null) expiration_date = optional(string, null) not_before_date = optional(string, null) rotation_policy = optional(object({ automatic = optional(object({ time_after_creation = optional(string, null) time_before_expiry = optional(string, null) }), null) expire_after = optional(string, null) notify_before_expiry = optional(string, null) }), null) tags = optional(map(string), {}) }))	null	no

Outputs

Name	Description
key_vault_cmkrsa_id	CMK RSA Key ID
key_vault_cmkrsa_keyname	CMK RSA Key Name
key_vault_id	n/a
key_vault_name	n/a
key_vault_uri	n/a

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.