Merge pull request #29 from using-system/features/2023_09_23

Features/2023 09 23
using-system · Sep 27, 2023 · a441088 · a441088
2 parents 8d89869 + da63520
commit a441088
Show file tree

Hide file tree

Showing 21 changed files with 351 additions and 93 deletions.
diff --git a/terraform/modules/az-des/main.tf b/terraform/modules/az-des/main.tf
@@ -0,0 +1,50 @@
+resource "azurerm_key_vault_key" "des" {
+  name         = var.name
+  key_vault_id = var.kv_id
+  key_type     = "RSA-HSM"
+  key_size     = var.key_size
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  rotation_policy {
+    automatic {
+      time_before_expiry = var.auto_rotation_time_before_expiry
+    }
+
+    expire_after         = var.rotation_expire_after
+    notify_before_expiry = var.rotation_notify_before_expiry
+  }
+
+  expiration_date = var.expiration_date
+}
+
+resource "azurerm_role_assignment" "des" {
+  scope                = var.kv_id
+  role_definition_name = "Key Vault Crypto Service Encryption User"
+  principal_id         = var.principal_id
+}
+
+resource "azurerm_disk_encryption_set" "des" {
+
+  depends_on = [azurerm_role_assignment.des]
+
+  name                = var.name
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  key_vault_key_id    = azurerm_key_vault_key.des.id
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [var.identity_id]
+  }
+
+  tags = var.tags
+}
+
diff --git a/terraform/modules/az-des/ouputs.tf b/terraform/modules/az-des/ouputs.tf
@@ -0,0 +1,3 @@
+output "id" {
+  value = azurerm_disk_encryption_set.des.id
+}
diff --git a/terraform/modules/az-des/variables.tf b/terraform/modules/az-des/variables.tf
@@ -0,0 +1,64 @@
+variable "location" {
+  description = "The Azure Region in which all resources in this example should be created."
+  type        = string
+}
+
+variable "resource_group_name" {
+  description = "The name of the resource group in which all resources in this example should be created."
+  type        = string
+}
+
+variable "name" {
+  description = "The name of the disk encryption set."
+  type        = string
+}
+
+variable "kv_id" {
+  description = "The ID of the Key Vault to use for encryption."
+  type        = string
+}
+
+variable "key_size" {
+  description = "The size of the key to use for encryption."
+  type        = number
+  default     = 4096
+}
+
+variable "auto_rotation_time_before_expiry" {
+  description = "The time before expiry to automatically rotate the key."
+  type        = string
+  default     = "P7D"
+}
+
+variable "rotation_expire_after" {
+  description = "The time after which the key expires."
+  type        = string
+  default     = "P30D"
+}
+
+variable "rotation_notify_before_expiry" {
+  description = "The time before expiry to notify that the key is expiring."
+  type        = string
+  default     = "P7D"
+}
+
+variable "expiration_date" {
+  description = "The date after which the key expires."
+  type        = string
+  default     = null
+}
+
+variable "identity_id" {
+  description = "The ID of the identity to assign to the disk encryption set."
+  type        = string
+}
+
+variable "principal_id" {
+  description = "The ID of the principal to assign to the disk encryption set."
+  type        = string
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to the resource."
+  type        = map(string)
+}
diff --git a/terraform/modules/az-disk-encryption-set/main.tf b/terraform/modules/az-disk-encryption-set/main.tf
diff --git a/terraform/modules/az-disk-encryption-set/ouputs.tf b/terraform/modules/az-disk-encryption-set/ouputs.tf
diff --git a/terraform/modules/az-disk-encryption-set/variables.tf b/terraform/modules/az-disk-encryption-set/variables.tf
diff --git a/terraform/modules/az-kv-cust-key/main.tf b/terraform/modules/az-kv-cust-key/main.tf
diff --git a/terraform/modules/az-kv-cust-key/outputs.tf b/terraform/modules/az-kv-cust-key/outputs.tf
diff --git a/terraform/modules/az-kv-cust-key/variables.tf b/terraform/modules/az-kv-cust-key/variables.tf
diff --git a/terraform/modules/az-kv-key/main.tf b/terraform/modules/az-kv-key/main.tf
@@ -0,0 +1,41 @@
+resource "azurerm_key_vault_key" "key" {
+  name         = var.name
+  key_vault_id = var.kv_id
+  key_type     = "RSA-HSM"
+  key_size     = var.key_size
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  dynamic "rotation_policy" {
+    for_each = var.rotation.expire_after == null ? [] : ["rotation_policy"]
+
+    content {
+      automatic {
+        time_before_expiry = var.rotation.auto_rotatation_time_before_expiry
+      }
+
+      expire_after         = var.rotation.expire_after
+      notify_before_expiry = var.rotation.notify_before_expiry
+    }
+  }
+
+  expiration_date = var.static_expiration_date
+
+  lifecycle {
+    precondition {
+      condition     = (var.rotation.expire_after != null && var.rotation.auto_rotatation_time_before_expiry != null) || var.rotation.expire_after == null
+      error_message = "If rotation.expire_after is set, rotation.auto_rotatation_time_before_expiry must be set"
+    }
+    precondition {
+      condition     = (var.static_expiration_date != null && var.rotation.expire_after == null) || (var.static_expiration_date == null && var.rotation.expire_after != null) || (var.static_expiration_date == null && var.rotation.expire_after == null)
+      error_message = "If static_expiration_date is set, rotation.expire_after must be null"
+    }
+  }
+}
diff --git a/terraform/modules/az-kv-key/outputs.tf b/terraform/modules/az-kv-key/outputs.tf
@@ -0,0 +1,20 @@
+output "id" {
+  description = "The ID of the Key Vault Key."
+  value       = azurerm_key_vault_key.key.id
+}
+
+output "name" {
+  value = var.name
+}
+
+output "public_key_pem" {
+  description = "The public key of the Key Vault Key in PEM format."
+  value       = azurerm_key_vault_key.key.public_key_pem
+  sensitive   = true
+}
+
+output "public_key_openssh" {
+  description = "The public key of the Key Vault Key in OpenSSH format."
+  value       = azurerm_key_vault_key.key.public_key_openssh
+  sensitive   = true
+}
diff --git a/terraform/modules/az-kv-key/variables.tf b/terraform/modules/az-kv-key/variables.tf
@@ -0,0 +1,31 @@
+variable "name" {
+  description = "The name of the kv customer key"
+  type        = string
+}
+
+variable "kv_id" {
+  description = "The ID of the Key Vault in which the Key Vault Key for the ctomer managed key be created."
+  type        = string
+}
+
+variable "key_size" {
+  description = "The size of the key to create in the Key Vault."
+  type        = number
+  default     = 4096
+}
+
+variable "rotation" {
+  description = "The rotation policy of the managed key"
+  type = object({
+    auto_rotatation_time_before_expiry = optional(string, "P30D")
+    expire_after                       = optional(string, "P90D")
+    notify_before_expiry               = optional(string, "P29D")
+  })
+}
+
+variable "static_expiration_date" {
+  description = "The static expiration date of the managed key"
+  type        = string
+  default     = null
+}
+
diff --git a/terraform/modules/az-pep/main.tf b/terraform/modules/az-pep/main.tf
@@ -6,9 +6,12 @@ resource "azurerm_private_endpoint" "pep" {
 
   subnet_id = var.subnet_id
 
-  private_dns_zone_group {
-    name                 = "${var.name}-dzg"
-    private_dns_zone_ids = var.private_dns_zone_ids
+  dynamic "private_dns_zone_group" {
+    for_each = length(var.private_dns_zone_ids) > 0 ? [1] : []
+    content {
+      name                 = "${var.name}-dzg"
+      private_dns_zone_ids = var.private_dns_zone_ids
+    }
   }
 
   private_service_connection {

diff --git a/terraform/modules/az-pep/variables.tf b/terraform/modules/az-pep/variables.tf
@@ -17,6 +17,7 @@ variable "subnet_id" {
 variable "private_dns_zone_ids" {
   description = "Ids of the private dns zones to use for the pep"
   type        = list(string)
+  default     = []
 }
 
 variable "private_connection_resource_id" {

diff --git a/terraform/modules/az-vm-linux/main.tf b/terraform/modules/az-vm-linux/main.tf
@@ -0,0 +1,57 @@
+resource "azurerm_network_interface" "vm" {
+
+  name                = "${var.name}-nic"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  ip_configuration {
+    name                          = "${var.name}-nic-ipconfig"
+    subnet_id                     = var.subnet_id
+    private_ip_address_allocation = "Dynamic"
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_linux_virtual_machine" "vm" {
+  name                = "${var.name}-vm"
+  resource_group_name = var.resource_group_name
+  location            = var.location
+  size                = var.size
+  admin_username      = var.admin_username
+  network_interface_ids = [
+    azurerm_network_interface.vm.id,
+  ]
+
+  admin_ssh_key {
+    username   = var.admin_username
+    public_key = var.public_key_openssh
+  }
+
+  os_disk {
+    caching                = "ReadOnly"
+    storage_account_type   = var.storage_account_type
+    disk_encryption_set_id = var.disk_encryption_set_id
+
+    diff_disk_settings {
+      option    = "Local"
+      placement = "CacheDisk"
+    }
+  }
+
+  source_image_reference {
+    publisher = var.image.publisher
+    offer     = var.image.offer
+    sku       = var.image.sku
+    version   = var.image.version
+  }
+
+  identity {
+    type         = "UserAssigned"
+    identity_ids = var.identity_ids
+  }
+
+  allow_extension_operations = var.allow_extension_operations
+
+  tags = var.tags
+}