# Azure Key Vault Module
# Main resources: provider pin, the vault itself, data-plane access policies and (optional) RBAC role assignments
# Provider requirements for this module. The azurerm resource attributes used
# below (network_acls, access policies, role assignments) target the 3.x line,
# so the constraint stays within major version 3.
terraform {
  required_providers {
    azurerm = {
      version = "~> 3.0"
      source  = "hashicorp/azurerm"
    }
  }
}
# Key Vault
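resource "azurerm_key_vault" "main" {
  name                = var.keyvault_name
  location            = var.location
  resource_group_name = var.resource_group_name
  tenant_id           = var.tenant_id
  sku_name            = var.sku_name

  # The vault's authorization model must agree with the grants this module
  # creates. With enable_rbac_authorization = true the data plane is governed
  # by Azure RBAC (azurerm_role_assignment.rbac) and the service rejects
  # access-policy writes; with false it is governed by
  # azurerm_key_vault_access_policy.policies. Previously this flag was never
  # set, so enable_rbac = true left the vault in access-policy mode while the
  # role assignments were created anyway and granted no data-plane access.
  enable_rbac_authorization = var.enable_rbac

  # Platform integrations that may read secrets/keys from this vault.
  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment

  # NOTE(review): purge_protection_enabled and soft_delete_retention_days are
  # left at provider defaults here. Callers storing encryption keys or
  # long-lived secrets may want the module to expose them — confirm.
  network_acls {
    # default_action applies to traffic not matched by the rules below;
    # bypass controls whether trusted Azure services skip the firewall.
    default_action             = var.network_acls.default_action
    bypass                     = var.network_acls.bypass
    ip_rules                   = var.network_acls.ip_rules
    virtual_network_subnet_ids = var.network_acls.virtual_network_subnet_ids
  }

  tags = var.tags

  lifecycle {
    # NOTE(review): Key Vault names are globally unique in Azure, so a
    # replacement that reuses var.keyvault_name cannot coexist with the old
    # vault — confirm create_before_destroy does what is intended here.
    create_before_destroy = true
  }
}

# Access Policies
# Only materialised when the vault is in access-policy mode; on an
# RBAC-authorized vault these writes would be rejected by the service.
# Entries are keyed by list index, so reordering var.access_policies re-keys
# the shifted entries and Terraform will update/replace them on the next apply.
resource "azurerm_key_vault_access_policy" "policies" {
  for_each = { for idx, policy in var.access_policies : idx => policy if !var.enable_rbac }

  key_vault_id = azurerm_key_vault.main.id
  tenant_id    = var.tenant_id
  object_id    = each.value.object_id

  # Data-plane permissions granted to object_id; each list comes straight from
  # the caller and should be kept to the minimum the principal needs.
  key_permissions         = each.value.key_permissions
  secret_permissions      = each.value.secret_permissions
  certificate_permissions = each.value.certificate_permissions
  storage_permissions     = each.value.storage_permissions
}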
# RBAC (if enabled)
# One role assignment per entry of var.rbac_assignments, scoped to the vault.
# Nothing is created unless var.enable_rbac is true. Note that these
# assignments only govern data-plane access when the vault itself is in
# RBAC authorization mode.
resource "azurerm_role_assignment" "rbac" {
  for_each = { for key, assignment in var.rbac_assignments : key => assignment if var.enable_rbac }

  principal_id         = each.value.principal_id
  role_definition_name = each.value.role_definition_name
  scope                = azurerm_key_vault.main.id
}