From 273257bf9cb8617026088e3d4ccd0f5a31c98aac Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 13:14:07 +0200 Subject: [PATCH 01/95] TC-5 Add module for private dns zone with vnet links --- src/_variables.resources.tf | 2 ++ .../_networking/private_dns_zone/_locals.tf | 29 +++++++++++++++++++ .../_networking/private_dns_zone/_outputs.tf | 4 +++ .../private_dns_zone/_variables.tf | 15 ++++++++++ .../private_dns_zone/private_dns_vnet_link.tf | 7 +++++ .../private_dns_zone_group.tf | 7 +++++ src/networking.tf | 12 ++++++++ 7 files changed, 76 insertions(+) create mode 100644 src/modules/_networking/private_dns_zone/_locals.tf create mode 100644 src/modules/_networking/private_dns_zone/_outputs.tf create mode 100644 src/modules/_networking/private_dns_zone/_variables.tf create mode 100644 src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf create mode 100644 src/modules/_networking/private_dns_zone/private_dns_zone_group.tf diff --git a/src/_variables.resources.tf b/src/_variables.resources.tf index a8ba337b..3ee09146 100644 --- a/src/_variables.resources.tf +++ b/src/_variables.resources.tf @@ -13,3 +13,5 @@ variable "virtual_network_gateways" { default = {} } variable "public_ips" { default = {} } variable "storage_accounts" { default = {} } + +variable "private_dns_zone" { default = {} } diff --git a/src/modules/_networking/private_dns_zone/_locals.tf b/src/modules/_networking/private_dns_zone/_locals.tf new file mode 100644 index 00000000..bb7ea943 --- /dev/null +++ b/src/modules/_networking/private_dns_zone/_locals.tf 
@@ -0,0 +1,29 @@ +locals { + resource_group = var.resources.resource_groups[var.settings.resource_group_ref] + + resource_group_name = local.resource_group.name + location = local.resource_group.location + tags = merge( + var.global_settings.tags, + var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {}, + try(var.settings.tags, {}) + ) + vnet_ids = { + for vnet in var.settings.vnet_ref : + vnet => { + name = var.resources.virtual_networks[vnet].name + id = var.resources.virtual_networks[vnet].id + } +} +} +locals { + # local object used to map possible private dns zoone names + zone_names = { + "storage_blob" = "privatelink.blob.core.windows.net" + "storage_tables" = "privatelink.table.core.windows.net" + "storage_queues" = "privatelink.queue.core.windows.net" + "storage_files" = "privatelink.file.core.windows.net" + "function_apps" = "privatelink.azurewebsites.net" + "keyvaults" = "privatelink.vaultcore.azure.net" + } +} diff --git a/src/modules/_networking/private_dns_zone/_outputs.tf b/src/modules/_networking/private_dns_zone/_outputs.tf new file mode 100644 index 00000000..95b1d87b --- /dev/null +++ b/src/modules/_networking/private_dns_zone/_outputs.tf @@ -0,0 +1,4 @@ +output "id" { + value = azurerm_private_dns_zone.main.id +} + diff --git a/src/modules/_networking/private_dns_zone/_variables.tf b/src/modules/_networking/private_dns_zone/_variables.tf new file mode 100644 index 00000000..9391fd43 --- /dev/null +++ b/src/modules/_networking/private_dns_zone/_variables.tf @@ -0,0 +1,15 @@ +variable "global_settings" { + description = "Global settings for tinycaf" +} + +variable "settings" { + description = "All the configuration for this resource" +} + +variable "resources" { + type = object({ + resource_groups = map(any) + virtual_networks = map(any) + }) + description = "All required resources" +} 
diff --git a/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf b/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf new file mode 100644 index 00000000..57cc33fa --- /dev/null +++ b/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf @@ -0,0 +1,7 @@ +resource "azurerm_private_dns_zone_virtual_network_link" "main" { + for_each = local.vnet_ids + name = "${each.value.name}-${azurerm_private_dns_zone.main.name}-link" + private_dns_zone_name = azurerm_private_dns_zone.main.name + resource_group_name = azurerm_private_dns_zone.main.resource_group_name + virtual_network_id = each.value.id +} \ No newline at end of file diff --git a/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf b/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf new file mode 100644 index 00000000..03cc3eff --- /dev/null +++ b/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf @@ -0,0 +1,7 @@ +resource "azurerm_private_dns_zone" "main" { + name = try(local.zone_names[var.settings.resource_kind], var.settings.name) + resource_group_name = local.resource_group_name + tags = try(local.tags, null) +} + + diff --git a/src/networking.tf b/src/networking.tf index bd9aadde..53990dd3 100644 --- a/src/networking.tf +++ b/src/networking.tf @@ -59,3 +59,15 @@ module "local_network_gateways" { resource_groups = module.resource_groups } } + +module "private_dns_zones" { + source = "./modules/_networking/private_dns_zone" + for_each = var.private_dns_zone + + global_settings = var.global_settings + settings = each.value + resources = { + resource_groups = module.resource_groups + virtual_networks = module.virtual_networks + } +} From ede7387c8b21ab121977564fe76f21efcd8a51be Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 13:29:51 +0200 Subject: [PATCH 02/95] fix module name and variable name --- src/_variables.resources.tf | 2 +- src/networking.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
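Review bot: The zone name in `private_dns_zone_group.tf` comes from `try(local.zone_names[var.settings.resource_kind], var.settings.name)`, so any lookup failure — including a misspelled `resource_kind` such as `keyvault` instead of `keyvaults` — silently falls through to `var.settings.name` instead of being reported. A zone with the wrong `privatelink.*` name still links cleanly to the VNets, so clients would keep resolving the public endpoint and the private-link path would be bypassed with no plan-time signal. I would make the fallback explicit so an unknown kind fails at plan time: `name = can(var.settings.resource_kind) ? local.zone_names[var.settings.resource_kind] : var.settings.name`, or add a `lifecycle { precondition }` asserting `resource_kind` is a key of `local.zone_names`. Since `var.settings` is untyped in `_variables.tf`, this resource is the only place that constraint can live.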
diff --git a/src/_variables.resources.tf b/src/_variables.resources.tf index df108160..51727857 100644 --- a/src/_variables.resources.tf +++ b/src/_variables.resources.tf @@ -16,4 +16,4 @@ variable "keyvaults" { default = {} } variable "storage_accounts" { default = {} } -variable "private_dns_zone" { default = {} } +variable "private_dns_zones" { default = {} } diff --git a/src/networking.tf b/src/networking.tf index ea1b80d2..cf0b08f0 100644 --- a/src/networking.tf +++ b/src/networking.tf @@ -62,7 +62,7 @@ module "local_network_gateways" { module "private_dns_zones" { source = "./modules/_networking/private_dns_zone" - for_each = var.private_dns_zone + for_each = var.private_dns_zones global_settings = var.global_settings settings = each.value From 692b9aa419e69d26855d373b5cf0756055553236 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 13:34:28 +0200 Subject: [PATCH 03/95] add example tfvars for private dns zone --- examples/private_dns_zones.tfvars | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 examples/private_dns_zones.tfvars diff --git a/examples/private_dns_zones.tfvars b/examples/private_dns_zones.tfvars new file mode 100644 index 00000000..256cb2bd --- /dev/null +++ b/examples/private_dns_zones.tfvars 
@@ -0,0 +1,44 @@ +private_dns_zones = { + storage_account_blob = { + resource_kind = "storage_blob" + resource_group_ref = "rg_test" + vnet_ref = ["vnet_test", "vnet_test2"] + } +} + + + +# pre-requisites +resource_groups = { + rg_test = { + name = "rg-test-dv-ne-01" + location = "northeurope" + } +} + +virtual_networks = { + vnet_test = { + name = "vnet-test-dv-ne-01" + resource_group_ref = "rg_test" + cidr = ["10.0.0.0/16"] + subnets = { + snet_app = { + name = "snet-app" + cidr = ["10.0.0.128/25"] + service_endpoints = ["Microsoft.Storage"] + } + } + } + vnet_test2 = { + name = "vnet-test-dv-ne-02" + resource_group_ref = "rg_test" + cidr = ["10.1.0.0/16"] + subnets = { + snet_app_02 = { + name = "snet-app" + cidr = ["10.1.0.128/25"] + service_endpoints = ["Microsoft.Storage"] + } + } + } +} \ No newline at end of file From 3b7622def3c8ae3522a1bea3873d0ebd661fe127 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 13:36:02 +0200 Subject: [PATCH 04/95] fix pre-commit --- examples/private_dns_zones.tfvars | 2 +- .../_networking/private_dns_zone/_locals.tf | 14 +++++++------- .../_networking/private_dns_zone/_outputs.tf | 1 - .../_networking/private_dns_zone/_variables.tf | 2 +- .../private_dns_zone/private_dns_vnet_link.tf | 6 +++--- .../private_dns_zone/private_dns_zone_group.tf | 6 ++---- src/networking.tf | 2 +- 7 files changed, 15 insertions(+), 18 deletions(-) diff --git a/examples/private_dns_zones.tfvars b/examples/private_dns_zones.tfvars index 256cb2bd..07744f46 100644 --- a/examples/private_dns_zones.tfvars +++ b/examples/private_dns_zones.tfvars @@ -41,4 +41,4 @@ virtual_networks = { } } } -} \ No newline at end of file +} diff --git a/src/modules/_networking/private_dns_zone/_locals.tf b/src/modules/_networking/private_dns_zone/_locals.tf index bb7ea943..53c86680 100644 --- a/src/modules/_networking/private_dns_zone/_locals.tf +++ b/src/modules/_networking/private_dns_zone/_locals.tf 
@@ -10,20 +10,20 @@ locals { ) vnet_ids = { for vnet in var.settings.vnet_ref : - vnet => { + vnet => { name = var.resources.virtual_networks[vnet].name - id = var.resources.virtual_networks[vnet].id + id = var.resources.virtual_networks[vnet].id + } } } -} locals { # local object used to map possible private dns zoone names zone_names = { - "storage_blob" = "privatelink.blob.core.windows.net" + "storage_blob" = "privatelink.blob.core.windows.net" "storage_tables" = "privatelink.table.core.windows.net" "storage_queues" = "privatelink.queue.core.windows.net" - "storage_files" = "privatelink.file.core.windows.net" - "function_apps" = "privatelink.azurewebsites.net" - "keyvaults" = "privatelink.vaultcore.azure.net" + "storage_files" = "privatelink.file.core.windows.net" + "function_apps" = "privatelink.azurewebsites.net" + "keyvaults" = "privatelink.vaultcore.azure.net" } } diff --git a/src/modules/_networking/private_dns_zone/_outputs.tf b/src/modules/_networking/private_dns_zone/_outputs.tf index 95b1d87b..0d4f3d12 100644 --- a/src/modules/_networking/private_dns_zone/_outputs.tf +++ b/src/modules/_networking/private_dns_zone/_outputs.tf @@ -1,4 +1,3 @@ output "id" { value = azurerm_private_dns_zone.main.id } - diff --git a/src/modules/_networking/private_dns_zone/_variables.tf b/src/modules/_networking/private_dns_zone/_variables.tf index 9391fd43..4ee12d7c 100644 --- a/src/modules/_networking/private_dns_zone/_variables.tf +++ b/src/modules/_networking/private_dns_zone/_variables.tf @@ -8,7 +8,7 @@ variable "settings" { variable "resources" { type = object({ - resource_groups = map(any) + resource_groups = map(any) virtual_networks = map(any) }) description = "All required resources" diff --git a/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf b/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf index 57cc33fa..08444fe8 100644 --- a/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf 
+++ b/src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf @@ -1,7 +1,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "main" { for_each = local.vnet_ids - name = "${each.value.name}-${azurerm_private_dns_zone.main.name}-link" + name = "${each.value.name}-${azurerm_private_dns_zone.main.name}-link" private_dns_zone_name = azurerm_private_dns_zone.main.name - resource_group_name = azurerm_private_dns_zone.main.resource_group_name + resource_group_name = azurerm_private_dns_zone.main.resource_group_name virtual_network_id = each.value.id -} \ No newline at end of file +} diff --git a/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf b/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf index 03cc3eff..69fc0fb5 100644 --- a/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf +++ b/src/modules/_networking/private_dns_zone/private_dns_zone_group.tf @@ -1,7 +1,5 @@ resource "azurerm_private_dns_zone" "main" { - name = try(local.zone_names[var.settings.resource_kind], var.settings.name) + name = try(local.zone_names[var.settings.resource_kind], var.settings.name) resource_group_name = local.resource_group_name - tags = try(local.tags, null) + tags = try(local.tags, null) } - - diff --git a/src/networking.tf b/src/networking.tf index cf0b08f0..c4b9ff86 100644 --- a/src/networking.tf +++ b/src/networking.tf @@ -67,7 +67,7 @@ module "private_dns_zones" { global_settings = var.global_settings settings = each.value resources = { - resource_groups = module.resource_groups + resource_groups = module.resource_groups virtual_networks = module.virtual_networks } } From 15d6c22cc539fc67fcc6d3715e694460d303a264 Mon Sep 17 00:00:00 2001 
From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 14:35:28 +0200 Subject: [PATCH 05/95] add changes for private endpoint inside keyvault --- src/modules/_security/keyvault/_locals.tf | 16 ++++++++++++++ src/modules/_security/keyvault/_variables.tf | 2 ++ .../_security/keyvault/private_endpoint.tf | 21 +++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 src/modules/_security/keyvault/private_endpoint.tf diff --git a/src/modules/_security/keyvault/_locals.tf b/src/modules/_security/keyvault/_locals.tf index 3d5dc992..a525702d 100644 --- a/src/modules/_security/keyvault/_locals.tf +++ b/src/modules/_security/keyvault/_locals.tf @@ -53,3 +53,19 @@ locals { "SetRotationPolicy", ] } + +locals { + subnet_id = var.resources.virtual_networks[ + split("/", var.settings.private_endpoint.subnet_ref)[0] + ].subnets[ + split("/", var.settings.private_endpoint.subnet_ref)[1] + ].id +} + + +locals { + dns_zone_ids = [ + for zone in var.settings.private_endpoint.dns_zones_ref : + var.resources.private_dns_zones[zone].id + ] +} \ No newline at end of file diff --git a/src/modules/_security/keyvault/_variables.tf b/src/modules/_security/keyvault/_variables.tf index 6edf68ec..e02d2ff8 100644 --- a/src/modules/_security/keyvault/_variables.tf +++ b/src/modules/_security/keyvault/_variables.tf @@ -11,6 +11,8 @@ variable "resources" { resource_groups = map(any) virtual_networks = map(any) managed_identities = map(any) + private_dns_zones = map(any) + }) description = "All required resources" } diff --git a/src/modules/_security/keyvault/private_endpoint.tf b/src/modules/_security/keyvault/private_endpoint.tf new file mode 100644 index 00000000..60ed23bd --- /dev/null +++ b/src/modules/_security/keyvault/private_endpoint.tf 
@@ -0,0 +1,21 @@
+resource "azurerm_private_endpoint" "main" {
+ name = "pe-${azurerm_key_vault.main.name}"
+ resource_group_name = azurerm_key_vault.main.resource_group_name
+ location = azurerm_key_vault.main.location
+ subnet_id = local.subnet_id
+
+ tags = local.tags
+
+ private_service_connection {
+ name = "psc-${azurerm_key_vault.main.name}"
+ private_connection_resource_id = azurerm_key_vault.main.id
+
+ is_manual_connection = try(var.settings.private_endpoint.private_service_connection.is_manual_connection, false)
+ private_connection_resource_alias = try(var.settings.private_endpoint.private_service_connection.private_connection_resource_alias, null)
+ subresource_names = try(var.settings.private_endpoint.private_service_connection.subresource_names, null)
+ }
+ private_dns_zone_group {
+ name = try(var.settings.private_endpoint.dns_group_name, "default")
+ private_dns_zone_ids = local.dns_zone_ids
+ }
+}
From 86c94bec53f9e844c8cff4a3579460093e6519db Mon Sep 17 00:00:00 2001
From: Lyudmil Ilchev
Date: Fri, 17 Jan 2025 14:42:56 +0200
Subject: [PATCH 06/95] add local changes in locals.tf in keyvault
---
src/modules/_security/keyvault/_locals.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/_security/keyvault/_locals.tf b/src/modules/_security/keyvault/_locals.tf
index a525702d..fe36fec7 100644
--- a/src/modules/_security/keyvault/_locals.tf
+++ b/src/modules/_security/keyvault/_locals.tf
@@ -9,7 +9,7 @@ locals {
 var.resources.virtual_networks[split("/", config.subnet_ref)[0]].subnets[split("/", config.subnet_ref)[1]].id
 )
 ]
-
+ subnet_id = var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id
 tags = merge(
 var.global_settings.tags,
 var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
From 6c301f63ab5e35d163cab62723e46119b306b37d Mon Sep 17 00:00:00 2001
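Review bot: `subresource_names` in the `private_service_connection` block defaults to `null`, but a private endpoint to a Key Vault must name the `vault` group ID, so a caller who omits `private_service_connection` gets an apply-time rejection from Azure rather than a working endpoint; default it to the only valid value: `subresource_names = try(var.settings.private_endpoint.private_service_connection.subresource_names, ["vault"])`. Two caveats are worth recording in a comment on the resource: `private_connection_resource_id` is always set, so the `private_connection_resource_alias` option can never actually be used (the provider treats the two as alternatives), and a private endpoint by itself does not close the public endpoint — the vault in `keyvault.tf` (not in this patch) must also set `public_network_access_enabled = false` or `network_acls { default_action = "Deny" }` for the private path to be the only path. The `private_dns_zone_group` block is also emitted unconditionally; when `dns_zones_ref` is unset the endpoint is created with no DNS record (or may be rejected for an empty id list), and clients will keep resolving the public address.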
From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 14:47:34 +0200 Subject: [PATCH 07/95] fix duplicated locals --- src/modules/_security/keyvault/_locals.tf | 9 --------- 1 file changed, 9 deletions(-) diff --git a/src/modules/_security/keyvault/_locals.tf b/src/modules/_security/keyvault/_locals.tf index fe36fec7..5b9e68ae 100644 --- a/src/modules/_security/keyvault/_locals.tf +++ b/src/modules/_security/keyvault/_locals.tf @@ -54,15 +54,6 @@ locals { ] } -locals { - subnet_id = var.resources.virtual_networks[ - split("/", var.settings.private_endpoint.subnet_ref)[0] - ].subnets[ - split("/", var.settings.private_endpoint.subnet_ref)[1] - ].id -} - - locals { dns_zone_ids = [ for zone in var.settings.private_endpoint.dns_zones_ref : From 88bc15d4a7ad0edd7d7fdbf633ae9295cebe48a2 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 14:50:27 +0200 Subject: [PATCH 08/95] add reference to private dns zones in keyvault --- src/keyvault.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/keyvault.tf b/src/keyvault.tf index 7a0d8da6..66ad8e57 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -8,5 +8,6 @@ module "keyvaults" { virtual_networks = module.virtual_networks resource_groups = module.resource_groups managed_identities = module.managed_identities + private_dns_zones = module.private_dns_zones } } From 57e44c8ba2f98413059908f7bacb6f69f5667082 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 14:59:51 +0200 Subject: [PATCH 09/95] fix to not fail in not have private endpoint --- src/modules/_security/keyvault/_locals.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/modules/_security/keyvault/_locals.tf b/src/modules/_security/keyvault/_locals.tf index 5b9e68ae..56fce4ed 100644 --- a/src/modules/_security/keyvault/_locals.tf +++ b/src/modules/_security/keyvault/_locals.tf 
@@ -9,7 +9,10 @@ locals {
 var.resources.virtual_networks[split("/", config.subnet_ref)[0]].subnets[split("/", config.subnet_ref)[1]].id
 )
 ]
- subnet_id = var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id
+ subnet_id = try(
+ var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id,
+ null
+ )
 tags = merge(
 var.global_settings.tags,
 var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
From 7eac750f81a6c8328563ce9ad58b616e9a0f11a9 Mon Sep 17 00:00:00 2001
From: Lyudmil Ilchev
Date: Fri, 17 Jan 2025 15:02:42 +0200
Subject: [PATCH 10/95] private endpoint not required
---
src/modules/_security/keyvault/private_endpoint.tf | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/modules/_security/keyvault/private_endpoint.tf b/src/modules/_security/keyvault/private_endpoint.tf
index 60ed23bd..f4c0abcf 100644
--- a/src/modules/_security/keyvault/private_endpoint.tf
+++ b/src/modules/_security/keyvault/private_endpoint.tf
@@ -1,4 +1,5 @@
 resource "azurerm_private_endpoint" "main" {
+ count = var.settings.private_endpoint != null ? 1 : 0
 name = "pe-${azurerm_key_vault.main.name}"
 resource_group_name = azurerm_key_vault.main.resource_group_name
 location = azurerm_key_vault.main.location
From 0d7377a4c2cf5ecbe4cec43200cfa74e36ee6497 Mon Sep 17 00:00:00 2001
From: Lyudmil Ilchev
Date: Fri, 17 Jan 2025 15:05:04 +0200
Subject: [PATCH 11/95] fix not required values
---
src/modules/_security/keyvault/_locals.tf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/modules/_security/keyvault/_locals.tf b/src/modules/_security/keyvault/_locals.tf
index 56fce4ed..8f82a9e1 100644
--- a/src/modules/_security/keyvault/_locals.tf
+++ b/src/modules/_security/keyvault/_locals.tf
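Review bot: Wrapping `subnet_id` in `try(..., null)` makes a mistyped `private_endpoint.subnet_ref` indistinguishable from "no private endpoint configured": the index error is swallowed, `local.subnet_id` becomes `null`, and the problem only surfaces later as a missing required `subnet_id` on `azurerm_private_endpoint`, with no hint that the reference was wrong. Guard on the presence of the block instead, so a bad reference still fails at plan time: `subnet_id = try(var.settings.private_endpoint, null) == null ? null : var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id`. The enclosing `locals` block starts before this hunk.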
@@ -58,8 +58,8 @@ locals {
 }
 locals {
- dns_zone_ids = [
+ dns_zone_ids = try([
 for zone in var.settings.private_endpoint.dns_zones_ref :
 var.resources.private_dns_zones[zone].id
- ]
+ ], [])
 }
\ No newline at end of file
From 8c9640a94a761694fea11eba75ca1eff7af0cb8a Mon Sep 17 00:00:00 2001
From: Lyudmil Ilchev
Date: Fri, 17 Jan 2025 15:08:48 +0200
Subject: [PATCH 12/95] check for existing private endpoint
---
src/modules/_security/keyvault/private_endpoint.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/_security/keyvault/private_endpoint.tf b/src/modules/_security/keyvault/private_endpoint.tf
index f4c0abcf..9fc5df78 100644
--- a/src/modules/_security/keyvault/private_endpoint.tf
+++ b/src/modules/_security/keyvault/private_endpoint.tf
@@ -1,5 +1,5 @@
 resource "azurerm_private_endpoint" "main" {
- count = var.settings.private_endpoint != null ? 1 : 0
+ count = try(var.settings.private_endpoint, null) != null ? 1 : 0
 name = "pe-${azurerm_key_vault.main.name}"
 resource_group_name = azurerm_key_vault.main.resource_group_name
 location = azurerm_key_vault.main.location
From 16c1890032452e1144a38101888421f907f87689 Mon Sep 17 00:00:00 2001
From: Lyudmil Ilchev
Date: Fri, 17 Jan 2025 15:17:33 +0200
Subject: [PATCH 13/95] add keyvault secrets
---
.../_security/keyvault/keyvault_secrets.tf | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 src/modules/_security/keyvault/keyvault_secrets.tf
diff --git a/src/modules/_security/keyvault/keyvault_secrets.tf b/src/modules/_security/keyvault/keyvault_secrets.tf
new file mode 100644
index 00000000..87771d0c
--- /dev/null
+++ b/src/modules/_security/keyvault/keyvault_secrets.tf
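Review bot: `try([...], [])` on `dns_zone_ids` turns a bad `dns_zones_ref` entry — a key missing from `var.resources.private_dns_zones` — into an empty list, so the private endpoint is created without its `privatelink.vaultcore.azure.net` record and clients keep resolving the vault's public address, which defeats the endpoint without any plan-time error. Only the absence of the `private_endpoint` block should yield `[]`; an unresolvable reference should still fail: `dns_zone_ids = try(var.settings.private_endpoint, null) == null ? [] : [for zone in var.settings.private_endpoint.dns_zones_ref : var.resources.private_dns_zones[zone].id]`. A one-line comment above the local stating that intent would also stop the next reader from "fixing" it back into a blanket `try`.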
@@ -0,0 +1,15 @@
+resource "azurerm_key_vault_secret" "main" {
+ depends_on = [azurerm_key_vault_access_policy.logged_in_user]
+
+ for_each = {
+ for key, value in try(var.settings.secrets, {}) : key => value
+ if try(value.ignore_changes, false) == false
+ }
+ name = each.value.name
+ value = ""
+ key_vault_id = azurerm_key_vault.main.id
+
+ lifecycle {
+ ignore_changes = [value]
+ }
+}
From 8f05e5b55905e5423a3b284dcd7652fcac14822e Mon Sep 17 00:00:00 2001
From: Lyudmil Ilchev
Date: Fri, 17 Jan 2025 15:58:32 +0200
Subject: [PATCH 14/95] secret changes
---
src/modules/_security/keyvault/keyvault_secrets.tf | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/modules/_security/keyvault/keyvault_secrets.tf b/src/modules/_security/keyvault/keyvault_secrets.tf
index 87771d0c..bb584483 100644
--- a/src/modules/_security/keyvault/keyvault_secrets.tf
+++ b/src/modules/_security/keyvault/keyvault_secrets.tf
@@ -1,6 +1,4 @@
 resource "azurerm_key_vault_secret" "main" {
- depends_on = [azurerm_key_vault_access_policy.logged_in_user]
-
 for_each = {
 for key, value in try(var.settings.secrets, {}) : key => value
 if try(value.ignore_changes, false) == false
From 9568b69a5075782c5b2fcc81c03db532901aa817 Mon Sep 17 00:00:00 2001
From: Lyudmil Ilchev
Date: Fri, 17 Jan 2025 16:02:13 +0200
Subject: [PATCH 15/95] add default value
---
src/modules/_security/keyvault/keyvault_secrets.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/_security/keyvault/keyvault_secrets.tf b/src/modules/_security/keyvault/keyvault_secrets.tf
index bb584483..b3fd4a48 100644
--- a/src/modules/_security/keyvault/keyvault_secrets.tf
+++ b/src/modules/_security/keyvault/keyvault_secrets.tf
@@ -4,7 +4,7 @@ resource "azurerm_key_vault_secret" "main" {
 if try(value.ignore_changes, false) == false
 }
 name = each.value.name
- value = ""
+ value = "default"
 key_vault_id = azurerm_key_vault.main.id
 lifecycle {
From d2367cb9c18d7d70ee81d52284c2265847dc3451 Mon Sep 17 00:00:00 2001
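Review bot: Removing `depends_on = [azurerm_key_vault_access_policy.logged_in_user]` drops the only ordering between writing the secret and granting the deploying principal `Set` on the vault; if the vault relies on access policies rather than RBAC (the vault resource is outside this patch), a first apply can attempt `azurerm_key_vault_secret.main` before the policy exists and fail with a 403, and later applies succeed only by accident of graph ordering. Either keep the dependency or document why it is unnecessary, e.g. `# no depends_on: deployer holds data-plane RBAC on the vault from creation` — only if that is actually the case. The placeholder `value = ""` together with `ignore_changes = [value]` also encodes a contract worth a comment — `# placeholder only; the real value is set out-of-band and never managed here` — so nobody later assumes Terraform owns the secret value.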
From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 16:16:05 +0200 Subject: [PATCH 16/95] add key vault secret --- src/modules/_security/keyvault/keyvault_secrets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/modules/_security/keyvault/keyvault_secrets.tf b/src/modules/_security/keyvault/keyvault_secrets.tf index b3fd4a48..ea13d427 100644 --- a/src/modules/_security/keyvault/keyvault_secrets.tf +++ b/src/modules/_security/keyvault/keyvault_secrets.tf @@ -1,10 +1,10 @@ resource "azurerm_key_vault_secret" "main" { for_each = { - for key, value in try(var.settings.secrets, {}) : key => value - if try(value.ignore_changes, false) == false + for key, value in try(var.settings.secrets, {}) : + key => value } name = each.value.name - value = "default" + value = each.value.value key_vault_id = azurerm_key_vault.main.id lifecycle { From 091f8b46af65766cee050dd1623d48a939519085 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Fri, 17 Jan 2025 16:20:56 +0200 Subject: [PATCH 17/95] fix pre commit --- src/keyvault.tf | 2 +- src/modules/_security/keyvault/_locals.tf | 6 +++--- src/modules/_security/keyvault/_variables.tf | 2 +- src/modules/_security/keyvault/keyvault_secrets.tf | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 66ad8e57..df5055e7 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -8,6 +8,6 @@ module "keyvaults" { virtual_networks = module.virtual_networks resource_groups = module.resource_groups managed_identities = module.managed_identities - private_dns_zones = module.private_dns_zones + private_dns_zones = module.private_dns_zones } } diff --git a/src/modules/_security/keyvault/_locals.tf b/src/modules/_security/keyvault/_locals.tf index 8f82a9e1..d15bfc86 100644 --- a/src/modules/_security/keyvault/_locals.tf +++ b/src/modules/_security/keyvault/_locals.tf 
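Review bot: `value = each.value.value` moves secret material into `var.settings.secrets`, which means tfvars files, plan output and the Terraform state now all hold the values in plaintext, whereas the previous placeholder approach left the vault as the only holder. If values must flow through Terraform, mark the root variable `sensitive = true`, make sure the state backend is encrypted and access-restricted, and keep `examples/*.tfvars` free of real values; otherwise prefer seeding with a placeholder and setting the value out-of-band. The retained `ignore_changes = [value]` also means editing the value in tfvars after the first apply does nothing, which is easy to misread as a rotation — a comment such as `# value is written once at creation; rotate in Key Vault, not here` would make that explicit. Neither `content_type` nor `expiration_date` is set, which vault governance policies commonly require; consider exposing them via `try(each.value.expiration_date, null)`.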
@@ -10,8 +10,8 @@ locals { ) ] subnet_id = try( - var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id, - null + var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id, + null ) tags = merge( var.global_settings.tags, @@ -62,4 +62,4 @@ locals { for zone in var.settings.private_endpoint.dns_zones_ref : var.resources.private_dns_zones[zone].id ], []) -} \ No newline at end of file +} diff --git a/src/modules/_security/keyvault/_variables.tf b/src/modules/_security/keyvault/_variables.tf index e02d2ff8..2eb44baa 100644 --- a/src/modules/_security/keyvault/_variables.tf +++ b/src/modules/_security/keyvault/_variables.tf @@ -11,7 +11,7 @@ variable "resources" { resource_groups = map(any) virtual_networks = map(any) managed_identities = map(any) - private_dns_zones = map(any) + private_dns_zones = map(any) }) description = "All required resources" diff --git a/src/modules/_security/keyvault/keyvault_secrets.tf b/src/modules/_security/keyvault/keyvault_secrets.tf index ea13d427..68135cde 100644 --- a/src/modules/_security/keyvault/keyvault_secrets.tf +++ b/src/modules/_security/keyvault/keyvault_secrets.tf @@ -1,10 +1,10 @@ resource "azurerm_key_vault_secret" "main" { for_each = { - for key, value in try(var.settings.secrets, {}) : + for key, value in try(var.settings.secrets, {}) : key => value } name = each.value.name - value = each.value.value + value = each.value.value key_vault_id = azurerm_key_vault.main.id lifecycle { From fea956654ff4878923e76bbe7b3496baeea3c2db Mon Sep 17 00:00:00 2001 
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:00:48 +0200 Subject: [PATCH 18/95] test TC-18 --- src/modules/_security/keyvault/_outputs.tf | 7 --- .../{_security => }/keyvault/_locals.tf | 44 ------------------- src/modules/keyvault/_outputs.tf | 19 ++++++++ .../{_security => }/keyvault/_variables.tf | 0 .../{_security => }/keyvault/keyvault.tf | 0 .../keyvault_access_policy/_locals.tf | 35 +++++++++++++++ .../keyvault_access_policy/_variables.tf | 18 ++++++++ .../access_policies.tf | 4 +- .../keyvault_private_endpoint/_locals.tf | 23 ++++++++++ .../keyvault_private_endpoint/_variables.tf | 18 ++++++++ .../private_endpoint.tf | 16 ++++--- .../keyvault_secret/main.tf} | 9 +++- 12 files changed, 133 insertions(+), 60 deletions(-) delete mode 100644 src/modules/_security/keyvault/_outputs.tf rename src/modules/{_security => }/keyvault/_locals.tf (55%) create mode 100644 src/modules/keyvault/_outputs.tf rename src/modules/{_security => }/keyvault/_variables.tf (100%) rename src/modules/{_security => }/keyvault/keyvault.tf (100%) create mode 100644 src/modules/keyvault/keyvault_access_policy/_locals.tf create mode 100644 src/modules/keyvault/keyvault_access_policy/_variables.tf rename src/modules/{_security/keyvault => keyvault/keyvault_access_policy}/access_policies.tf (91%) create mode 100644 src/modules/keyvault/keyvault_private_endpoint/_locals.tf create mode 100644 src/modules/keyvault/keyvault_private_endpoint/_variables.tf rename src/modules/{_security/keyvault => keyvault/keyvault_private_endpoint}/private_endpoint.tf (63%) rename src/modules/{_security/keyvault/keyvault_secrets.tf => keyvault/keyvault_secret/main.tf} (74%) diff --git a/src/modules/_security/keyvault/_outputs.tf b/src/modules/_security/keyvault/_outputs.tf deleted file mode 100644 index fda15d89..00000000 --- a/src/modules/_security/keyvault/_outputs.tf +++ /dev/null 
@@ -1,7 +0,0 @@ -output "id" { - value = azurerm_key_vault.main.id -} - -output "vault_uri" { - value = azurerm_key_vault.main.vault_uri -} diff --git a/src/modules/_security/keyvault/_locals.tf b/src/modules/keyvault/_locals.tf similarity index 55% rename from src/modules/_security/keyvault/_locals.tf rename to src/modules/keyvault/_locals.tf index d15bfc86..6b55ec36 100644 --- a/src/modules/_security/keyvault/_locals.tf +++ b/src/modules/keyvault/_locals.tf @@ -19,47 +19,3 @@ locals { try(var.settings.tags, {}) ) } - - -locals { - all_secret_permissions = [ - "Backup", - "Delete", - "Get", - "List", - "Purge", - "Recover", - "Restore", - "Set", - ] - - all_key_permissions = [ - "Backup", - "Create", - "Decrypt", - "Delete", - "Encrypt", - "Get", - "Import", - "List", - "Purge", - "Recover", - "Restore", - "Sign", - "UnwrapKey", - "Update", - "Verify", - "WrapKey", - "Release", - "Rotate", - "GetRotationPolicy", - "SetRotationPolicy", - ] -} - -locals { - dns_zone_ids = try([ - for zone in var.settings.private_endpoint.dns_zones_ref : - var.resources.private_dns_zones[zone].id - ], []) -} diff --git a/src/modules/keyvault/_outputs.tf b/src/modules/keyvault/_outputs.tf new file mode 100644 index 00000000..a6b440d4 --- /dev/null +++ b/src/modules/keyvault/_outputs.tf @@ -0,0 +1,19 @@ +output "id" { + value = azurerm_key_vault.main.id +} + +output "vault_uri" { + value = azurerm_key_vault.main.vault_uri +} + +output "resource_group_name" { + value = azurerm_key_vault.main.resource_group_name +} + +output "location" { + value = azurerm_key_vault.main.location +} + +output "name" { + value = azurerm_key_vault.main.name +} diff --git a/src/modules/_security/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf similarity index 100% rename from src/modules/_security/keyvault/_variables.tf rename to src/modules/keyvault/_variables.tf 
diff --git a/src/modules/_security/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf similarity index 100% rename from src/modules/_security/keyvault/keyvault.tf rename to src/modules/keyvault/keyvault.tf diff --git a/src/modules/keyvault/keyvault_access_policy/_locals.tf b/src/modules/keyvault/keyvault_access_policy/_locals.tf new file mode 100644 index 00000000..939e99fd --- /dev/null +++ b/src/modules/keyvault/keyvault_access_policy/_locals.tf @@ -0,0 +1,35 @@ +locals { + all_secret_permissions = [ + "Backup", + "Delete", + "Get", + "List", + "Purge", + "Recover", + "Restore", + "Set", + ] + + all_key_permissions = [ + "Backup", + "Create", + "Decrypt", + "Delete", + "Encrypt", + "Get", + "Import", + "List", + "Purge", + "Recover", + "Restore", + "Sign", + "UnwrapKey", + "Update", + "Verify", + "WrapKey", + "Release", + "Rotate", + "GetRotationPolicy", + "SetRotationPolicy", + ] +} diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf new file mode 100644 index 00000000..d5fbb872 --- /dev/null +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf @@ -0,0 +1,18 @@ +variable "global_settings" { + description = "Global settings for tinycaf" +} + +variable "settings" { + description = "All the configuration for this resource" +} + +variable "resources" { + type = object({ + keyvaults = map(any) + virtual_networks = map(any) + managed_identities = map(any) + private_dns_zones = map(any) + + }) + description = "All required resources" +} diff --git a/src/modules/_security/keyvault/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf similarity index 91% rename from src/modules/_security/keyvault/access_policies.tf rename to src/modules/keyvault/keyvault_access_policy/access_policies.tf index a12b6381..7e19f8b4 100644 --- a/src/modules/_security/keyvault/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
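Review bot: `all_secret_permissions` and `all_key_permissions` enumerate every permission including `Purge`, `Delete`, `Backup` and `Restore`; if these lists are what `access_policies.tf` hands to the `logged_in_user` and `managed_identity` policies (the permission arguments are outside the visible hunks), the deploying principal and every referenced managed identity get full data-plane control, including purging soft-deleted items, which is far more than a workload that reads secrets needs. I would keep these lists as an explicit opt-in maximum and add a narrow default for workload identities, e.g. `default_secret_permissions = ["Get", "List"]`, with a header comment such as `# Full permission sets: intended for deployer/break-glass identities only, never workload identities`. This is moved rather than new code, so the exposure is not introduced here, but the move into its own module is the natural point to tighten it.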
@@ -1,5 +1,5 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { - key_vault_id = azurerm_key_vault.main.id + key_vault_id = var.resources.keyvaults[each.key].id tenant_id = var.global_settings.tenant_id object_id = var.global_settings.object_id @@ -13,7 +13,7 @@ resource "azurerm_key_vault_access_policy" "managed_identity" { access_policy_ref => config if can(config.managed_identity_ref) } - key_vault_id = azurerm_key_vault.main.id + key_vault_id = var.resources.keyvaults[each.key].id tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value.managed_identity_ref].principal_id diff --git a/src/modules/keyvault/keyvault_private_endpoint/_locals.tf b/src/modules/keyvault/keyvault_private_endpoint/_locals.tf new file mode 100644 index 00000000..7eef42b0 --- /dev/null +++ b/src/modules/keyvault/keyvault_private_endpoint/_locals.tf @@ -0,0 +1,23 @@ +locals { + subnet_ids = [ + for network_rule_ref, config in try(var.settings.network_rules.subnets, {}) : ( + var.resources.virtual_networks[split("/", config.subnet_ref)[0]].subnets[split("/", config.subnet_ref)[1]].id + ) + ] + subnet_id = try( + var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id, + null + ) + tags = merge( + var.global_settings.tags, + var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {}, + try(var.settings.tags, {}) + ) +} + +locals { + dns_zone_ids = try([ + for zone in var.settings.private_endpoint.dns_zones_ref : + var.resources.private_dns_zones[zone].id + ], []) +} diff --git a/src/modules/keyvault/keyvault_private_endpoint/_variables.tf b/src/modules/keyvault/keyvault_private_endpoint/_variables.tf new file mode 100644 index 00000000..d5fbb872 --- /dev/null +++ b/src/modules/keyvault/keyvault_private_endpoint/_variables.tf 
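Review bot: `var.resources.keyvaults[each.key].id` uses `each.key` in `azurerm_key_vault_access_policy.logged_in_user`, but no `for_each` appears on that resource in the visible lines, so `each` is undefined there. In the `@@ -13,7` hunk the `managed_identity` resource does have a `for_each`, but its `each.key` is an `access_policy_ref` name, not a key of `var.resources.keyvaults`, so that lookup indexes the wrong map. The module needs the vault it belongs to as an explicit input, e.g. `key_vault_id = var.keyvault_id`, with the caller passing that vault's id. The `logged_in_user` resource body continues outside the hunk.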
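Review bot: `local.resource_group.tags` in the `tags` expression of the new `keyvault_private_endpoint/_locals.tf` references a local this file does not declare (only `subnet_ids`, `subnet_id`, `tags` and `dns_zone_ids` are defined), and the module's `resources` variable in the next hunk has no `resource_groups` key to build it from, so evaluation fails unless it is defined in a file not shown. `subnet_ids`, built from `var.settings.network_rules.subnets`, looks carried over from the key vault's network ACL and nothing in this commit's endpoint resource reads it. I would drop the resource-group tag inheritance here, or add `resource_group = var.resources.resource_groups[var.settings.resource_group_ref]` together with the matching variable key, and remove `subnet_ids` if it has no reader.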
@@ -0,0 +1,18 @@ +variable "global_settings" { + description = "Global settings for tinycaf" +} + +variable "settings" { + description = "All the configuration for this resource" +} + +variable "resources" { + type = object({ + keyvaults = map(any) + virtual_networks = map(any) + managed_identities = map(any) + private_dns_zones = map(any) + + }) + description = "All required resources" +} diff --git a/src/modules/_security/keyvault/private_endpoint.tf b/src/modules/keyvault/keyvault_private_endpoint/private_endpoint.tf similarity index 63% rename from src/modules/_security/keyvault/private_endpoint.tf rename to src/modules/keyvault/keyvault_private_endpoint/private_endpoint.tf index 9fc5df78..23cf3359 100644 --- a/src/modules/_security/keyvault/private_endpoint.tf +++ b/src/modules/keyvault/keyvault_private_endpoint/private_endpoint.tf @@ -1,15 +1,19 @@ resource "azurerm_private_endpoint" "main" { - count = try(var.settings.private_endpoint, null) != null ? 1 : 0 - name = "pe-${azurerm_key_vault.main.name}" - resource_group_name = azurerm_key_vault.main.resource_group_name - location = azurerm_key_vault.main.location + for_each = { + for key, value in var.resources.keyvaults : + key => value + if try(var.settings.private_endpoint, null) != null + } + name = "pe-${each.value.name}.name}" + resource_group_name = each.value.resource_group_name + location = each.value.location subnet_id = local.subnet_id tags = local.tags private_service_connection { - name = "psc-${azurerm_key_vault.main.name}" - private_connection_resource_id = azurerm_key_vault.main.id + name = "psc-${each.value.name}" + private_connection_resource_id = each.value.id is_manual_connection = try(var.settings.private_endpoint.private_service_connection.is_manual_connection, false) private_connection_resource_alias = try(var.settings.private_endpoint.private_service_connection.private_connection_resource_alias, null) 
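Review bot: `name = "pe-${each.value.name}.name}"` has a stray `.name}` after the interpolation, so every endpoint would be named like `pe-<vault>.name}`; it should be `name = "pe-${each.value.name}"`, matching the `psc-${each.value.name}` line further down. The `for_each` also keeps every entry of `var.resources.keyvaults` whenever the single `var.settings.private_endpoint` is set, while `subnet_id` and `tags` come from module-wide locals, so all vaults would land in one subnet with one endpoint configuration; if one endpoint per vault is intended, the endpoint settings need to be keyed per vault. The resource body continues outside the hunk.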
diff --git a/src/modules/_security/keyvault/keyvault_secrets.tf b/src/modules/keyvault/keyvault_secret/main.tf similarity index 74% rename from src/modules/_security/keyvault/keyvault_secrets.tf rename to src/modules/keyvault/keyvault_secret/main.tf index 68135cde..84caee31 100644 --- a/src/modules/_security/keyvault/keyvault_secrets.tf +++ b/src/modules/keyvault/keyvault_secret/main.tf @@ -1,3 +1,10 @@ + +module "keyvault" { + source = "../keyvault" +} + + + resource "azurerm_key_vault_secret" "main" { for_each = { for key, value in try(var.settings.secrets, {}) : @@ -5,7 +12,7 @@ resource "azurerm_key_vault_secret" "main" { } name = each.value.name value = each.value.value - key_vault_id = azurerm_key_vault.main.id + key_vault_id = module.keyvault.id lifecycle { ignore_changes = [value] From a70b3a29e336a7339323310b312b42415f22a112 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:03:04 +0200 Subject: [PATCH 19/95] fix source folder --- src/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index df5055e7..2aa9e48e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -1,5 +1,5 @@ module "keyvaults" { - source = "./modules/_security/keyvault" + source = "./modules/keyvault" for_each = var.keyvaults settings = each.value From 05df4df4fed7591331b40b729a3e099def811176 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:10:40 +0200 Subject: [PATCH 20/95] add access policies inside keyvault --- src/modules/keyvault/keyvault.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 57f21dfa..0b284e62 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf 
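Review bot: `module "keyvault" { source = "../keyvault" }` instantiates the whole key vault module — which declares `resource "azurerm_key_vault" "main"` — with none of its required inputs, so `module.keyvault.id` would point at a second, freshly created vault rather than the one the secrets are meant for, and the plan fails anyway on the missing `settings`, `global_settings` and `resources` arguments. The secret module should take the target vault as an input, `variable "keyvault_id" {}` and `key_vault_id = var.keyvault_id`, passed by the caller, instead of nesting the vault module. The `azurerm_key_vault_secret.main` resource continues outside the second hunk.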
@@ -19,3 +19,17 @@ resource "azurerm_key_vault" "main" { virtual_network_subnet_ids = local.subnet_ids } } + + +module "access_policies" { + source = "./keyvault_access_policy" + for_each = var.settings.access_policies != null ? var.settings.access_policies : {} + settings = each.value + global_settings = var.global_settings + resources = { + virtual_networks = module.virtual_networks + resource_groups = module.resource_groups + managed_identities = module.managed_identities + private_dns_zones = module.private_dns_zones + } +} From 733488e14692cc59f64d3f4fede82620cd4fe84b Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:21:22 +0200 Subject: [PATCH 21/95] test folder structure --- src/modules/keyvault/keyvault.tf | 13 ++++--------- .../keyvault/keyvault_access_policy/_variables.tf | 1 + 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 0b284e62..21dd4930 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -22,14 +22,9 @@ resource "azurerm_key_vault" "main" { module "access_policies" { - source = "./keyvault_access_policy" - for_each = var.settings.access_policies != null ? var.settings.access_policies : {} - settings = each.value + source = "./keyvault_access_policies" + for_each = try(var.settings.access_policies, {}) + settings = var.settings global_settings = var.global_settings - resources = { - virtual_networks = module.virtual_networks - resource_groups = module.resource_groups - managed_identities = module.managed_identities - private_dns_zones = module.private_dns_zones - } + resources = var.resources } diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf index d5fbb872..9c6ca54c 100644 --- a/src/modules/keyvault/keyvault_access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf 
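Review bot: `module.virtual_networks`, `module.resource_groups`, `module.managed_identities` and `module.private_dns_zones` are referenced from inside `modules/keyvault/keyvault.tf`, but a child module cannot address the root module's `module` blocks, so this does not evaluate; the values this module already receives are `var.resources.virtual_networks` and friends. The `resources` object also omits `keyvaults`, which the `keyvault_access_policy` variable type declares as a required key and which its `each.key` lookup depends on. Something like `resources = merge(var.resources, { keyvaults = { (var.settings.name) = azurerm_key_vault.main } })` covers both points.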
@@ -11,6 +11,7 @@ variable "resources" { keyvaults = map(any) virtual_networks = map(any) managed_identities = map(any) + resource_groups = map(any) private_dns_zones = map(any) }) From 801b39ae25ca4e40035bfdd81ee1b7cf605ea2f5 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:25:15 +0200 Subject: [PATCH 22/95] test fix of keyvault variable --- src/modules/keyvault/keyvault.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 21dd4930..9285f9a9 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -21,8 +21,8 @@ resource "azurerm_key_vault" "main" { } -module "access_policies" { - source = "./keyvault_access_policies" +module "access_policy" { + source = "./keyvault_access_policy" for_each = try(var.settings.access_policies, {}) settings = var.settings global_settings = var.global_settings From 588a159d37a91b18925dda8e775c0f42f553cfcf Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:28:25 +0200 Subject: [PATCH 23/95] test module access_policy_ --- src/modules/keyvault/keyvault.tf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 9285f9a9..e4a4a1b8 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -26,5 +26,11 @@ module "access_policy" { for_each = try(var.settings.access_policies, {}) settings = var.settings global_settings = var.global_settings - resources = var.resources + resources = { + keyvaults = { (var.settings.name) = azurerm_key_vault.main } + virtual_networks = var.resources.virtual_networks + managed_identities = var.resources.managed_identities + resource_groups = var.resources.resource_groups + private_dns_zones = var.resources.private_dns_zones + } } From 2e331011f7187ffa2f3a8f89efa6219a7d926e96 Mon Sep 17 00:00:00 2001 
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:28:44 +0200 Subject: [PATCH 24/95] change module name --- src/modules/keyvault/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index e4a4a1b8..611409d0 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -21,7 +21,7 @@ resource "azurerm_key_vault" "main" { } -module "access_policy" { +module "access_policies" { source = "./keyvault_access_policy" for_each = try(var.settings.access_policies, {}) settings = var.settings From 9a0becd9c4235e866f84885266516a288ecb60ba Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:29:51 +0200 Subject: [PATCH 25/95] test --- src/modules/keyvault/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 611409d0..6c0fcb52 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -27,7 +27,7 @@ module "access_policies" { settings = var.settings global_settings = var.global_settings resources = { - keyvaults = { (var.settings.name) = azurerm_key_vault.main } + keyvaults = azurerm_key_vault.main virtual_networks = var.resources.virtual_networks managed_identities = var.resources.managed_identities resource_groups = var.resources.resource_groups From 585b51b5c42a01587f05279b3ae077b75746fcd6 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:31:07 +0200 Subject: [PATCH 26/95] test keyvault id --- .../keyvault/keyvault_access_policy/access_policies.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 7e19f8b4..4d6f1e47 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
+++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,5 +1,5 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { - key_vault_id = var.resources.keyvaults[each.key].id + key_vault_id = var.resources.keyvaults.id tenant_id = var.global_settings.tenant_id object_id = var.global_settings.object_id @@ -13,7 +13,7 @@ resource "azurerm_key_vault_access_policy" "managed_identity" { access_policy_ref => config if can(config.managed_identity_ref) } - key_vault_id = var.resources.keyvaults[each.key].id + key_vault_id = var.resources.keyvaults.id tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value.managed_identity_ref].principal_id From 8a231b59f3f3532df190eceaefa51286fb3674dd Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:32:49 +0200 Subject: [PATCH 27/95] test key vault id --- .../keyvault/keyvault_access_policy/access_policies.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 4d6f1e47..69814274 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,5 +1,5 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { - key_vault_id = var.resources.keyvaults.id + key_vault_id = var.resources.keyvaults[var.settings.name].id tenant_id = var.global_settings.tenant_id object_id = var.global_settings.object_id @@ -13,7 +13,7 @@ resource "azurerm_key_vault_access_policy" "managed_identity" { access_policy_ref => config if can(config.managed_identity_ref) } - key_vault_id = var.resources.keyvaults.id + key_vault_id = var.resources.keyvaults[var.settings.name].id tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value.managed_identity_ref].principal_id 
From 52b2a4fb2b38bd162f62f36b28c7c50f92000ac5 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:36:13 +0200 Subject: [PATCH 28/95] test --- src/modules/keyvault/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 6c0fcb52..2198e3d9 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -27,7 +27,7 @@ module "access_policies" { settings = var.settings global_settings = var.global_settings resources = { - keyvaults = azurerm_key_vault.main + keyvaults = { var.settings.name => azurerm_key_vault.main } virtual_networks = var.resources.virtual_networks managed_identities = var.resources.managed_identities resource_groups = var.resources.resource_groups From a4f8d84b973e4e4fc7465fd678c12794fe60d67d Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:51:10 +0200 Subject: [PATCH 29/95] test --- src/modules/keyvault/_variables.tf | 21 ++++++++++++++++ src/modules/keyvault/keyvault.tf | 24 ++++++++++--------- .../keyvault_access_policy/_variables.tf | 9 +++---- .../keyvault_access_policy/access_policies.tf | 2 +- 4 files changed, 40 insertions(+), 16 deletions(-) diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 2eb44baa..98e6e372 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf 
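Review bot: `keyvaults = { var.settings.name => azurerm_key_vault.main }` is not valid HCL — `=>` is only accepted inside a `for` expression, and an object key that is an expression must be parenthesised — so this line fails to parse. The form from PATCH 23, `keyvaults = { (var.settings.name) = azurerm_key_vault.main }`, is the correct one and matches the `map(any)` type the child module declares.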
@@ -12,7 +12,28 @@ variable "resources" { virtual_networks = map(any) managed_identities = map(any) private_dns_zones = map(any) + keyvaults = map(any) }) description = "All required resources" } +variable "client_config" { + description = "Client configuration object (see module README.md)." +} + +variable "keyvaults" { + default = {} +} +variable "keyvault_key" { + default = null +} +variable "keyvault_id" { + default = null +} + +variable "access_policies" { + validation { + condition = length(var.access_policies) <= 16 + error_message = "A maximun of 16 access policies can be set." + } +} diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 2198e3d9..03dd44ce 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -21,16 +21,18 @@ resource "azurerm_key_vault" "main" { } -module "access_policies" { - source = "./keyvault_access_policy" - for_each = try(var.settings.access_policies, {}) - settings = var.settings - global_settings = var.global_settings - resources = { - keyvaults = { var.settings.name => azurerm_key_vault.main } - virtual_networks = var.resources.virtual_networks - managed_identities = var.resources.managed_identities - resource_groups = var.resources.resource_groups - private_dns_zones = var.resources.private_dns_zones +module "logged_in_user" { + source = "./keyvault_access_policy" + for_each = { + for key, access_policy in var.access_policies : key => access_policy + if key == "logged_in_user" && var.global_settings.object_id != null } + + keyvault_id = var.keyvault_id == null ? var.resources.keyvaults[var.keyvault_key].id : var.keyvault_id + + access_policy = each.value + tenant_id = var.global_settings.tenant_id + object_id = var.global_settings.object_id + settings = var.settings + resources = var.resources } diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf index 9c6ca54c..dc067242 100644 
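Review bot: `variable "access_policies"` declares a validation but no `type` or `default`, which makes it a required input of the key vault module even though the root `module "keyvaults"` block does not appear to pass it in the hunks shown, and the `error_message` has a typo (`maximun`). `keyvaults`, `keyvault_key` and `keyvault_id` are likewise untyped and undocumented, so a caller cannot tell that `keyvault_key` is meant as a key into `var.resources.keyvaults`. Suggested: `type = map(any)`, `default = {}` and `error_message = "A maximum of 16 access policies can be set."`, plus a one-line `description` on each of the three new variables.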
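Review bot: `module "logged_in_user"` passes `keyvault_id`, `tenant_id`, `object_id`, `access_policy`, `settings` and `resources` but not `global_settings`, while the policy module's `access_policies.tf` in this same commit still evaluates `var.global_settings.tenant_id` and the companion `_variables.tf` hunk deletes that variable, so the child fails on an undeclared variable. Since `tenant_id` and `object_id` are now explicit inputs, the child should read `var.tenant_id` and `var.object_id` rather than `var.global_settings`, and `settings`/`resources` look redundant once it does. The `azurerm_key_vault.main` resource this hunk is attached to starts outside it.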
--- a/src/modules/keyvault/keyvault_access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf @@ -1,7 +1,3 @@ -variable "global_settings" { - description = "Global settings for tinycaf" -} - variable "settings" { description = "All the configuration for this resource" } @@ -17,3 +13,8 @@ variable "resources" { }) description = "All required resources" } + +variable "keyvault_id" {} +variable "tenant_id" {} +variable "object_id" {} +variable "access_policy" {} diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 69814274..3c8d6d08 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -13,7 +13,7 @@ resource "azurerm_key_vault_access_policy" "managed_identity" { access_policy_ref => config if can(config.managed_identity_ref) } - key_vault_id = var.resources.keyvaults[var.settings.name].id + key_vault_id = var.key_vault_id tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value.managed_identity_ref].principal_id From 7a32f288f9a3f241ba1318f8c4b64b63966e5d8c Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:53:41 +0200 Subject: [PATCH 30/95] remove client config --- src/modules/keyvault/_variables.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 98e6e372..69a5b3e6 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -17,9 +17,6 @@ variable "resources" { }) description = "All required resources" } -variable "client_config" { - description = "Client configuration object (see module README.md)." -} variable "keyvaults" { default = {} From 42e3438145837a210e790a33b645399e2e87f014 Mon Sep 17 00:00:00 2001 
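Review bot: `key_vault_id = var.key_vault_id` refers to a variable that is not declared — the `_variables.tf` hunk just above adds `keyvault_id`, with no underscore between key and vault — so this is an undeclared-variable error. The same resource still reads `var.global_settings.tenant_id` after `global_settings` was removed from that file, although `var.tenant_id` now exists; `key_vault_id = var.keyvault_id` and `tenant_id = var.tenant_id` would line the resource up with its inputs. The four new `variable "..." {}` declarations would also benefit from a `type` and `description` each, as `keyvault_id` and `object_id` are the security-relevant inputs of this module. The `managed_identity` resource starts outside the hunk.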
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 13:57:04 +0200 Subject: [PATCH 31/95] test access policies --- src/modules/keyvault/_variables.tf | 7 ++--- src/modules/keyvault/keyvault.tf | 2 +- .../keyvault_access_policy/access_policies.tf | 28 +++++++++---------- 3 files changed, 18 insertions(+), 19 deletions(-) diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 69a5b3e6..58f2631e 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -29,8 +29,7 @@ variable "keyvault_id" { } variable "access_policies" { - validation { - condition = length(var.access_policies) <= 16 - error_message = "A maximun of 16 access policies can be set." - } + description = "Map of access policies for the Key Vault" + type = map(any) + default = {} } diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 03dd44ce..8c5bf0a7 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -28,7 +28,7 @@ module "logged_in_user" { if key == "logged_in_user" && var.global_settings.object_id != null } - keyvault_id = var.keyvault_id == null ? var.resources.keyvaults[var.keyvault_key].id : var.keyvault_id + keyvault_id = var.keyvault_id != null ? var.keyvault_id : var.resources.keyvaults[var.keyvault_key].id access_policy = each.value tenant_id = var.global_settings.tenant_id diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 3c8d6d08..ab538255 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
@@ -7,18 +7,18 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { key_permissions = local.all_key_permissions } -resource "azurerm_key_vault_access_policy" "managed_identity" { - for_each = { - for access_policy_ref, config in var.settings.access_policies : - access_policy_ref => config - if can(config.managed_identity_ref) - } - key_vault_id = var.key_vault_id - tenant_id = var.global_settings.tenant_id - object_id = var.resources.managed_identities[each.value.managed_identity_ref].principal_id +# resource "azurerm_key_vault_access_policy" "managed_identity" { +# for_each = { +# for access_policy_ref, config in var.settings.access_policies : +# access_policy_ref => config +# if can(config.managed_identity_ref) +# } +# key_vault_id = var.key_vault_id +# tenant_id = var.global_settings.tenant_id +# object_id = var.resources.managed_identities[each.value.managed_identity_ref].principal_id - # this is a bit of a hack to allow `secret_permissions` to be a string when "All" and otherwise a list - # the tfvars allows it, but the module needs us to convert it to list explicitly to get around the type errors - secret_permissions = try(each.value.secret_permissions, null) == "All" ? local.all_secret_permissions : try(tolist(each.value.secret_permissions), []) - key_permissions = try(each.value.key_permissions, null) == "All" ? local.all_key_permissions : try(tolist(each.value.key_permissions), []) -} +# # this is a bit of a hack to allow `secret_permissions` to be a string when "All" and otherwise a list +# # the tfvars allows it, but the module needs us to convert it to list explicitly to get around the type errors +# secret_permissions = try(each.value.secret_permissions, null) == "All" ? local.all_secret_permissions : try(tolist(each.value.secret_permissions), []) +# key_permissions = try(each.value.key_permissions, null) == "All" ? local.all_key_permissions : try(tolist(each.value.key_permissions), []) +# } 
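Review bot: Commenting out `azurerm_key_vault_access_policy.managed_identity` removes it from configuration, so the next apply destroys every managed-identity access policy previously created from `var.settings.access_policies`, and nothing in this commit routes the managed-identity case through the new `access_policy`/`object_id` inputs, so those identities lose access to the vault until a replacement lands. If the removal is intended, delete the block rather than leaving it as comments; if it is temporary, keep the resource and let its `for_each` evaluate to an empty map instead. The `"All"` expansion via `local.all_secret_permissions` that lives only in this block is still needed by whatever replaces it. The `logged_in_user` resource starts before the hunk.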
From cbb5dd7ba344ce2cf3f0f0297585e0438170c15f Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:02:25 +0200 Subject: [PATCH 32/95] add keyvault each key --- src/keyvault.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/keyvault.tf b/src/keyvault.tf index 2aa9e48e..e181d7af 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,5 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones + keyvaults = each.key } } From b9909b590e16897a12b313cdfc6f7a262d033d0d Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:08:33 +0200 Subject: [PATCH 33/95] add module update keyvaults --- src/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index e181d7af..04e16942 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = each.key + keyvaults = { for k in var.keyvaults: k => azurerm_key_vault.main } } } From d88b2f755b2b57aea60f9dd1a16faa88d00a9655 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:11:52 +0200 Subject: [PATCH 34/95] fix module --- src/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 04e16942..2c621ac2 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = { for k in var.keyvaults: k => azurerm_key_vault.main } + keyvaults = { for key, value in var.keyvaults : key => azurerm_key_vault.main[key] } } } From 75fd4922c2af7a06a12adb48798d493e30c8f9d2 Mon Sep 17 00:00:00 2001 
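Review bot: `azurerm_key_vault.main` is referenced from the root `src/keyvault.tf` (`keyvaults = { for k in var.keyvaults: k => azurerm_key_vault.main }`), but that resource is declared inside `modules/keyvault`, so at root level it is an undeclared resource; PATCH 34 and PATCH 35 keep the same root-level reference. The preceding PATCH 32 value `keyvaults = each.key` is a string where the child's `resources` type demands `map(any)`. From the root the vault is only reachable through the module's outputs, and feeding `module.keyvaults[...]` back into the same `module "keyvaults"` block is a self-reference, so the access-policy wiring belongs inside the module or in a separate root module block.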
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:14:31 +0200 Subject: [PATCH 35/95] try for each in keyvault module --- src/keyvault.tf | 2 +- src/modules/keyvault/keyvault.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 2c621ac2..e22e536e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = { for key, value in var.keyvaults : key => azurerm_key_vault.main[key] } + keyvaults = { for key, kv in azurerm_key_vault.main : key => kv } } } diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 8c5bf0a7..ed83b21b 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -1,4 +1,5 @@ resource "azurerm_key_vault" "main" { + for_each = var.keyvaults name = var.settings.name resource_group_name = local.resource_group_name location = local.location From d234e917a1faeca03f98ca2b4dd047ed467904ea Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:16:29 +0200 Subject: [PATCH 36/95] try to fix keyvault --- src/keyvault.tf | 2 +- src/modules/keyvault/_outputs.tf | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index e22e536e..a8a3aefb 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = { for key, kv in azurerm_key_vault.main : key => kv } + keyvaults = module.keyvaults[each.key].key_vaults } } diff --git a/src/modules/keyvault/_outputs.tf b/src/modules/keyvault/_outputs.tf index a6b440d4..939bf362 100644 --- a/src/modules/keyvault/_outputs.tf +++ b/src/modules/keyvault/_outputs.tf 
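Review bot: Adding `for_each = var.keyvaults` to `azurerm_key_vault.main` while `name = var.settings.name` stays gives every instance the same vault name, and it turns the resource into a map, so the existing `azurerm_key_vault.main.id`, `.vault_uri` and `.name` outputs (context visible in the next commit's `_outputs.tf` hunk) no longer resolve without an index. The root module already iterates `var.keyvaults` with `for_each`, so each module instance is one vault and this inner loop is a second iteration over the same map. PATCH 36's `keyvaults = module.keyvaults[each.key].key_vaults` inside `module "keyvaults"` then references the module's own output from its own arguments, which is a dependency cycle; PATCH 40 reintroduces the same line.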
@@ -17,3 +17,7 @@ output "location" { output "name" { value = azurerm_key_vault.main.name } + +output "key_vaults" { + value = { for key, kv in azurerm_key_vault.main : key => kv } +} From 065533712f9e48173cfe0c49860e403eb1c8d9b2 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:17:33 +0200 Subject: [PATCH 37/95] try to fix keyvault module --- src/keyvault.tf | 2 +- src/modules/keyvault/keyvault.tf | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index a8a3aefb..51a8059e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = module.keyvaults[each.key].key_vaults + keyvaults = module.keyvaults.key_vault } } diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index ed83b21b..8c5bf0a7 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -1,5 +1,4 @@ resource "azurerm_key_vault" "main" { - for_each = var.keyvaults name = var.settings.name resource_group_name = local.resource_group_name location = local.location From 76f7413f0c0f57f91fe2391c89760a9ccbe00813 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:19:59 +0200 Subject: [PATCH 38/95] fix global settings --- src/modules/keyvault/keyvault_access_policy/_variables.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf index dc067242..1c3a69f9 100644 --- a/src/modules/keyvault/keyvault_access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf 
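Review bot: `keyvaults = module.keyvaults.key_vault` names an output that does not exist — the `_outputs.tf` hunk just before adds `key_vaults` — and `module.keyvaults` is a `for_each` module, so it must be indexed; the reference also still sits inside `module "keyvaults"` itself, so it remains a self-reference whatever the output name. With `for_each` removed from the resource in this same commit, the new `key_vaults` output's `for key, kv in azurerm_key_vault.main` now iterates the attributes of a single object rather than instances. One of the two shapes (map of vaults or single vault) has to be chosen and the outputs written for that shape.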
@@ -18,3 +18,6 @@ variable "keyvault_id" {} variable "tenant_id" {} variable "object_id" {} variable "access_policy" {} +variable "global_settings" { + description = "Global settings for tinycaf" +} From 643e7db10a5be3749756ebad21cbccdb5de988f6 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:27:52 +0200 Subject: [PATCH 39/95] test var global settings --- src/modules/keyvault/keyvault.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 8c5bf0a7..9148e9c0 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -35,4 +35,5 @@ module "logged_in_user" { object_id = var.global_settings.object_id settings = var.settings resources = var.resources + global_settings = var.global_settings } From 312e496fec13594c51441d84ecff4fbd8c2092f6 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:30:39 +0200 Subject: [PATCH 40/95] fix keyvaults resource --- src/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 51a8059e..a8a3aefb 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = module.keyvaults.key_vault + keyvaults = module.keyvaults[each.key].key_vaults } } From 23f73d137f8c3be660a41c2dfa70906f3569cb08 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:33:27 +0200 Subject: [PATCH 41/95] test --- src/modules/keyvault/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 9148e9c0..c33f1eda 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf 
@@ -28,7 +28,7 @@ module "logged_in_user" { if key == "logged_in_user" && var.global_settings.object_id != null } - keyvault_id = var.keyvault_id != null ? var.keyvault_id : var.resources.keyvaults[var.keyvault_key].id + keyvault_id = azurerm_key_vault.main.id access_policy = each.value tenant_id = var.global_settings.tenant_id From 16277fab653679f3432cd671943116ecdfbf6f65 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:38:49 +0200 Subject: [PATCH 42/95] fix keyvault module --- src/keyvault.tf | 2 +- src/modules/keyvault/keyvault.tf | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index a8a3aefb..c9de3394 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = module.keyvaults[each.key].key_vaults + keyvaults = module.keyvaults[each.key].key_vault } } diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index c33f1eda..0fe77bed 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -1,4 +1,5 @@ resource "azurerm_key_vault" "main" { + for_each = var.keyvaults name = var.settings.name resource_group_name = local.resource_group_name location = local.location @@ -28,7 +29,7 @@ module "logged_in_user" { if key == "logged_in_user" && var.global_settings.object_id != null } - keyvault_id = azurerm_key_vault.main.id + keyvault_id = azurerm_key_vault.main[each.key].id access_policy = each.value tenant_id = var.global_settings.tenant_id From 469ba63f2e6be9a5ba4468e7f4873771edc10512 Mon Sep 17 00:00:00 2001 
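Review bot: `azurerm_key_vault.main[each.key].id` inside `module "logged_in_user"` uses `each.key` from `for key, access_policy in var.access_policies`, i.e. the policy name `"logged_in_user"`, but the resource is now keyed by `var.keyvaults`, so the index never matches. PATCH 43 (`var.resources.keyvaults[each.key].id`) and PATCH 44 (`azurerm_key_vault.main[each.key].id` again) carry the same mismatch. The module instance needs the key of the vault it belongs to — with `for_each = var.keyvaults` on the resource that means iterating vault × policy pairs, or dropping the resource `for_each` since the module is already instantiated once per vault. Both blocks in this hunk continue outside it.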
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:46:10 +0200 Subject: [PATCH 43/95] test some minor changes --- src/keyvault.tf | 2 +- src/modules/keyvault/keyvault.tf | 4 ++-- .../keyvault/keyvault_access_policy/access_policies.tf | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index c9de3394..9e20647e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,6 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = module.keyvaults[each.key].key_vault + keyvaults = module.keyvaults[each.key].key_vaults } } diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 0fe77bed..2ff8a121 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -1,6 +1,6 @@ resource "azurerm_key_vault" "main" { for_each = var.keyvaults - name = var.settings.name + name = each.value.name resource_group_name = local.resource_group_name location = local.location tags = local.tags @@ -29,7 +29,7 @@ module "logged_in_user" { if key == "logged_in_user" && var.global_settings.object_id != null } - keyvault_id = azurerm_key_vault.main[each.key].id + keyvault_id = var.resources.keyvaults[each.key].id access_policy = each.value tenant_id = var.global_settings.tenant_id diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index ab538255..4bd5bc61 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,5 +1,5 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { - key_vault_id = var.resources.keyvaults[var.settings.name].id + key_vault_id = var.resources.keyvaults[each.key].id tenant_id = var.global_settings.tenant_id object_id = var.global_settings.object_id 
From 547b7cb16b77c712559b586c571485d907e24486 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:48:42 +0200 Subject: [PATCH 44/95] test --- src/modules/keyvault/keyvault.tf | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 2ff8a121..6ccf9403 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -24,17 +24,19 @@ resource "azurerm_key_vault" "main" { module "logged_in_user" { source = "./keyvault_access_policy" + for_each = { for key, access_policy in var.access_policies : key => access_policy if key == "logged_in_user" && var.global_settings.object_id != null } - keyvault_id = var.resources.keyvaults[each.key].id + # ✅ Directly reference the Key Vault without using outputs + keyvault_id = azurerm_key_vault.main[each.key].id - access_policy = each.value - tenant_id = var.global_settings.tenant_id - object_id = var.global_settings.object_id - settings = var.settings - resources = var.resources + access_policy = each.value + tenant_id = var.global_settings.tenant_id + object_id = var.global_settings.object_id + settings = var.settings + resources = var.resources global_settings = var.global_settings } From b720801067cd70f3e7e8d30363abcdcaf4c0a784 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:56:11 +0200 Subject: [PATCH 45/95] format keyvault module --- src/keyvault.tf | 19 +++++++++++++++++- src/modules/keyvault/keyvault.tf | 20 ------------------- .../keyvault_access_policy/access_policies.tf | 15 +++++++------- 3 files changed, 26 insertions(+), 28 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 9e20647e..7ddedc48 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf 
@@ -9,6 +9,23 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = module.keyvaults[each.key].key_vaults } } + +module "keyvault_access_policies" { + source = "./modules/keyvault_access_policy" + + for_each = { + for key, kv in var.keyvaults : key => kv.access_policies + if length(kv.access_policies) > 0 + } + + keyvault_id = module.keyvaults[each.key].id + access_policy = each.value + tenant_id = var.global_settings.tenant_id + + # ✅ Conditionally set the object_id + object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : var.resources.managed_identities[each.value.managed_identity_ref].principal_id + + global_settings = var.global_settings +} diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 6ccf9403..958dc4b5 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -20,23 +20,3 @@ resource "azurerm_key_vault" "main" { virtual_network_subnet_ids = local.subnet_ids } } - - -module "logged_in_user" { - source = "./keyvault_access_policy" - - for_each = { - for key, access_policy in var.access_policies : key => access_policy - if key == "logged_in_user" && var.global_settings.object_id != null - } - - # ✅ Directly reference the Key Vault without using outputs - keyvault_id = azurerm_key_vault.main[each.key].id - - access_policy = each.value - tenant_id = var.global_settings.tenant_id - object_id = var.global_settings.object_id - settings = var.settings - resources = var.resources - global_settings = var.global_settings -} diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 4bd5bc61..839bac7a 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
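Review bot: `access_policy = each.value` hands the child module the whole `kv.access_policies` map, while the child resource in the `access_policies.tf` hunk below reads `var.access_policy.secret_permissions` from its top level; with policies keyed by name, as the `contains(keys(each.value), "logged_in_user")` test on the `object_id` line assumes, every `try(..., [])` falls back to `[]` and a policy with no permissions is created. Iterate vault/policy pairs and pass one policy per module instance instead. Two smaller points: `if length(kv.access_policies) > 0` errors for a vault entry without an `access_policies` attribute (`length(try(kv.access_policies, {})) > 0` is safer), and the `object_id` fallback reads `var.resources.managed_identities`, whereas this root file passes identities as `module.managed_identities` on the lines above. The same map-as-policy shape reappears in the PATCH 49 `@@ -1,12 +1,18 @@` hunk (`key => value.access_policies` with `each.value.secret_permissions`).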
@@ -1,12 +1,13 @@ -resource "azurerm_key_vault_access_policy" "logged_in_user" { - key_vault_id = var.resources.keyvaults[each.key].id - tenant_id = var.global_settings.tenant_id - object_id = var.global_settings.object_id +resource "azurerm_key_vault_access_policy" "this" { + key_vault_id = var.keyvault_id + tenant_id = var.tenant_id + object_id = var.object_id - secret_permissions = local.all_secret_permissions - key_permissions = local.all_key_permissions + secret_permissions = try(var.access_policy.secret_permissions, []) + key_permissions = try(var.access_policy.key_permissions, []) + certificate_permissions = try(var.access_policy.certificate_permissions, []) + storage_permissions = try(var.access_policy.storage_permissions, []) } - # resource "azurerm_key_vault_access_policy" "managed_identity" { # for_each = { # for access_policy_ref, config in var.settings.access_policies : From 3264008b8e0d9460ee50f818b496c98abdc46256 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 14:58:28 +0200 Subject: [PATCH 46/95] test --- src/keyvault.tf | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 7ddedc48..102323e1 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -13,7 +13,7 @@ module "keyvaults" { } module "keyvault_access_policies" { - source = "./modules/keyvault_access_policy" + source = "./modules/keyvault/keyvault_access_policy" for_each = { for key, kv in var.keyvaults : key => kv.access_policies 
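Review bot: Replacing the unconditional `local.all_secret_permissions` / `local.all_key_permissions` grants with `try(var.access_policy.secret_permissions, [])` is the right least-privilege move, but the `"All"`-string-to-list conversion those locals supported (described in the `managed_identity` comment block below this hunk, whose full text is visible where PATCH 56 deletes it) is no longer applied anywhere, so a tfvars entry with `secret_permissions = "All"` would now be passed as a string to a list attribute. If that convention is still used, keep the `== "All" ? local.all_secret_permissions : tolist(...)` form here. The commented-out `# resource "azurerm_key_vault_access_policy" "managed_identity"` block should be removed or made live rather than kept as dead code next to the rewritten resource.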
@@ -26,6 +26,12 @@ module "keyvault_access_policies" { # ✅ Conditionally set the object_id object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : var.resources.managed_identities[each.value.managed_identity_ref].principal_id - global_settings = var.global_settings + settings = each.value + resources = { + virtual_networks = module.virtual_networks + resource_groups = module.resource_groups + managed_identities = module.managed_identities + private_dns_zones = module.private_dns_zones + } } From 6d5d42c63b6eb73bd3f07cd137de77147111378c Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:04:44 +0200 Subject: [PATCH 47/95] test access policies --- src/keyvault.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 102323e1..201ea96f 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -11,9 +11,8 @@ module "keyvaults" { private_dns_zones = module.private_dns_zones } } - module "keyvault_access_policies" { - source = "./modules/keyvault/keyvault_access_policy" + source = "./modules/keyvault/keyvault_access_policy" for_each = { for key, kv in var.keyvaults : key => kv.access_policies 
@@ -21,17 +20,18 @@ module "keyvault_access_policies" { } keyvault_id = module.keyvaults[each.key].id + access_policy = each.value - tenant_id = var.global_settings.tenant_id - # ✅ Conditionally set the object_id - object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : var.resources.managed_identities[each.value.managed_identity_ref].principal_id - global_settings = var.global_settings + tenant_id = var.global_settings.tenant_id settings = each.value + # ✅ Conditionally set the object_id based on the policy type + object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : var.resources.managed_identities[each.value.managed_identity_ref].principal_id resources = { virtual_networks = module.virtual_networks resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones } + global_settings = var.global_settings } From 2d15ab814d074928d75b76134bcc66e32debf1d5 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:10:10 +0200 Subject: [PATCH 48/95] fix keyvault module --- src/keyvault.tf | 1 + src/modules/keyvault/_variables.tf | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 201ea96f..8ab2d33e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,6 +9,7 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones + keyvaults = { for key, kv in azurerm_key_vault.main : key => kv } } } module "keyvault_access_policies" { diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 58f2631e..9e781214 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf 
@@ -18,9 +18,6 @@ variable "resources" { description = "All required resources" } -variable "keyvaults" { - default = {} -} variable "keyvault_key" { default = null } From 6a77256092bacea919bf0c95c44c7845929bc7c2 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:17:14 +0200 Subject: [PATCH 49/95] test access policies --- src/keyvault.tf | 2 +- src/modules/keyvault/_variables.tf | 4 ++++ src/modules/keyvault/keyvault.tf | 3 +-- .../keyvault_access_policy/access_policies.tf | 18 ++++++++++++------ 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 8ab2d33e..267cc779 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,7 +9,7 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = { for key, kv in azurerm_key_vault.main : key => kv } + keyvaults = var.keyvaults } } module "keyvault_access_policies" { diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 9e781214..39cd802a 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -18,6 +18,10 @@ variable "resources" { description = "All required resources" } +variable "keyvault_key" { + default = null +} + variable "keyvault_key" { default = null } diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 958dc4b5..57f21dfa 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -1,6 +1,5 @@ resource "azurerm_key_vault" "main" { - for_each = var.keyvaults - name = each.value.name + name = var.settings.name resource_group_name = local.resource_group_name location = local.location tags = local.tags diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 839bac7a..10974ef6 100644 
--- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,12 +1,18 @@ resource "azurerm_key_vault_access_policy" "this" { - key_vault_id = var.keyvault_id - tenant_id = var.tenant_id + for_each = { + for key, value in var.resources.keyvaults : + key => value.access_policies + if contains(keys(value), "access_policies") + } + + key_vault_id = var.resources.keyvaults[each.key].id + tenant_id = var.global_settings.tenant_id object_id = var.object_id - secret_permissions = try(var.access_policy.secret_permissions, []) - key_permissions = try(var.access_policy.key_permissions, []) - certificate_permissions = try(var.access_policy.certificate_permissions, []) - storage_permissions = try(var.access_policy.storage_permissions, []) + secret_permissions = try(each.value.secret_permissions, []) + key_permissions = try(each.value.key_permissions, []) + certificate_permissions = try(each.value.certificate_permissions, []) + storage_permissions = try(each.value.storage_permissions, []) } # resource "azurerm_key_vault_access_policy" "managed_identity" { # for_each = { From d1af87046c43bb3cfaae396cc62a990cd269d99f Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:18:48 +0200 Subject: [PATCH 50/95] Test --- src/modules/keyvault/_variables.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 39cd802a..9e781214 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -18,10 +18,6 @@ variable "resources" { description = "All required resources" } -variable "keyvault_key" { - default = null -} - variable "keyvault_key" { default = null } From 7ea5c35b53d918299a4d06aa9cc8d22fb980ab58 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:23:00 +0200 Subject: [PATCH 51/95] test --- src/keyvault.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/src/keyvault.tf b/src/keyvault.tf index 267cc779..dcc5bde1 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -27,12 +27,13 @@ module "keyvault_access_policies" { tenant_id = var.global_settings.tenant_id settings = each.value # ✅ Conditionally set the object_id based on the policy type - object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : var.resources.managed_identities[each.value.managed_identity_ref].principal_id + object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : module.managed_identities[each.value.managed_identity_ref].principal_id resources = { virtual_networks = module.virtual_networks resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones + keyvaults = module.keyvaults } global_settings = var.global_settings } From 0308be3e1e5799e8b731125ce5294979ba50f87f Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:26:44 +0200 Subject: [PATCH 52/95] fix global settings --- src/keyvault.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index dcc5bde1..59c83f45 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -24,7 +24,7 @@ module "keyvault_access_policies" { access_policy = each.value - tenant_id = var.global_settings.tenant_id + tenant_id = local.global_settings.tenant_id settings = each.value # ✅ Conditionally set the object_id based on the policy type object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : module.managed_identities[each.value.managed_identity_ref].principal_id @@ -35,5 +35,5 @@ module "keyvault_access_policies" { private_dns_zones = module.private_dns_zones keyvaults = module.keyvaults } - global_settings = var.global_settings + global_settings = local.global_settings } From 32e92d89a70c5c4d7cf455cd07570482435d64f1 Mon Sep 17 00:00:00 2001 
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:35:33 +0200 Subject: [PATCH 53/95] test access policies --- .../keyvault_access_policy/access_policies.tf | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 10974ef6..ff59013f 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,16 +1,22 @@ -resource "azurerm_key_vault_access_policy" "this" { +resource "azurerm_key_vault_access_policy" "main" { for_each = { for key, value in var.resources.keyvaults : - key => value.access_policies + "${key}-${lookup(value.access_policies, "managed_identity_ref", "logged_in_user")}" => value.access_policies if contains(keys(value), "access_policies") } key_vault_id = var.resources.keyvaults[each.key].id tenant_id = var.global_settings.tenant_id - object_id = var.object_id - secret_permissions = try(each.value.secret_permissions, []) - key_permissions = try(each.value.key_permissions, []) + object_id = try( + each.value.managed_identity_ref != null + ? var.resources.managed_identities[each.value.managed_identity_ref].principal_id + : var.global_settings.object_id, + var.global_settings.object_id + ) + + secret_permissions = try(each.value.secret_permissions == "All" ? local.all_secret_permissions : tolist(each.value.secret_permissions), []) + key_permissions = try(each.value.key_permissions == "All" ? local.all_key_permissions : tolist(each.value.key_permissions), []) certificate_permissions = try(each.value.certificate_permissions, []) storage_permissions = try(each.value.storage_permissions, []) } From 91fc225e9d83bfa1944c843402643829082aa8bf Mon Sep 17 00:00:00 2001 
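Review bot: The new `for_each` key `"${key}-${lookup(value.access_policies, "managed_identity_ref", "logged_in_user")}"` is no longer a vault name, yet `key_vault_id = var.resources.keyvaults[each.key].id` two lines below still indexes the vault map with `each.key`, so every instance fails the lookup. Keep the vault name in the value, e.g. `=> { vault = key, policy = value.access_policies }` and `key_vault_id = var.resources.keyvaults[each.value.vault].id`. The `lookup(..., "managed_identity_ref", ...)` on the policies map also treats the whole map as a single policy, so a vault with both a `logged_in_user` and a managed-identity entry still yields one resource; that shape issue is raised on the PATCH 45 root hunk.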
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:42:07 +0200 Subject: [PATCH 54/95] Test --- .../keyvault_access_policy/access_policies.tf | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index ff59013f..fd4d79b9 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,13 +1,14 @@ -resource "azurerm_key_vault_access_policy" "main" { +resource "azurerm_key_vault_access_policy" "this" { for_each = { - for key, value in var.resources.keyvaults : - "${key}-${lookup(value.access_policies, "managed_identity_ref", "logged_in_user")}" => value.access_policies - if contains(keys(value), "access_policies") + for kv_name, kv in var.resources.keyvaults : + kv_name => kv.access_policies + if length(try(kv.access_policies, {})) > 0 } - key_vault_id = var.resources.keyvaults[each.key].id + key_vault_id = each.value.key_vault_id tenant_id = var.global_settings.tenant_id + # ✅ Correct object_id handling for managed identity object_id = try( each.value.managed_identity_ref != null ? var.resources.managed_identities[each.value.managed_identity_ref].principal_id 
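Review bot: `key_vault_id = each.value.key_vault_id` reads the vault id from the `kv.access_policies` map, which holds policy settings, while the id the removed line took from `var.resources.keyvaults[each.key].id` is still reachable through the `kv_name` key this hunk now uses; `key_vault_id = var.resources.keyvaults[each.key].id` keeps the lookup consistent with the `for_each`. The `each.value.policy_details.*` attributes introduced in the following hunk (`@@ -15,10 +16,10 @@`) are not defined anywhere visible in this series, so I cannot confirm the tfvars schema matches; a comment above the `for_each` giving the expected shape of `access_policies` would help the next reader.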
@@ -15,10 +16,10 @@ resource "azurerm_key_vault_access_policy" "main" { var.global_settings.object_id ) - secret_permissions = try(each.value.secret_permissions == "All" ? local.all_secret_permissions : tolist(each.value.secret_permissions), []) - key_permissions = try(each.value.key_permissions == "All" ? local.all_key_permissions : tolist(each.value.key_permissions), []) - certificate_permissions = try(each.value.certificate_permissions, []) - storage_permissions = try(each.value.storage_permissions, []) + secret_permissions = try(each.value.policy_details.secret_permissions == "All" ? local.all_secret_permissions : tolist(each.value.policy_details.secret_permissions), []) + key_permissions = try(each.value.policy_details.key_permissions == "All" ? local.all_key_permissions : tolist(each.value.policy_details.key_permissions), []) + certificate_permissions = try(each.value.policy_details.certificate_permissions, []) + storage_permissions = try(each.value.policy_details.storage_permissions, []) } # resource "azurerm_key_vault_access_policy" "managed_identity" { # for_each = { From 4caac31593e4ed68742c62d48d6527f9d4337b2f Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 15:48:14 +0200 Subject: [PATCH 55/95] test --- .../keyvault/keyvault_access_policy/access_policies.tf | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index fd4d79b9..32445012 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
@@ -9,12 +9,7 @@ resource "azurerm_key_vault_access_policy" "this" { tenant_id = var.global_settings.tenant_id # ✅ Correct object_id handling for managed identity - object_id = try( - each.value.managed_identity_ref != null - ? var.resources.managed_identities[each.value.managed_identity_ref].principal_id - : var.global_settings.object_id, - var.global_settings.object_id - ) + object_id = each.value.policy_name == "managed_identity" && try(each.value.policy_details.managed_identity_ref, null) != null ? var.resources.managed_identities[each.value.policy_details.managed_identity_ref].principal_id : var.global_settings.object_id secret_permissions = try(each.value.policy_details.secret_permissions == "All" ? local.all_secret_permissions : tolist(each.value.policy_details.secret_permissions), []) key_permissions = try(each.value.policy_details.key_permissions == "All" ? local.all_key_permissions : tolist(each.value.policy_details.key_permissions), []) From 0d82632b82569829b578477b28aacdd606cd834f Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:15:43 +0200 Subject: [PATCH 56/95] test --- src/modules/keyvault/_outputs.tf | 4 --- src/modules/keyvault/access_policies.tf | 12 +++++++ .../keyvault_access_policy/_variables.tf | 14 +++++--- .../keyvault_access_policy/access_policies.tf | 36 +++++-------------- .../access_policy/_variables.tf | 4 +++ .../access_policy/access_policy.tf | 14 ++++++++ 6 files changed, 48 insertions(+), 36 deletions(-) create mode 100644 src/modules/keyvault/access_policies.tf create mode 100644 src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf create mode 100644 src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf diff --git a/src/modules/keyvault/_outputs.tf b/src/modules/keyvault/_outputs.tf index 939bf362..a6b440d4 100644 --- a/src/modules/keyvault/_outputs.tf +++ b/src/modules/keyvault/_outputs.tf 
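Review bot: The new `object_id` line falls back to `var.global_settings.object_id` whenever `policy_name == "managed_identity"` holds but `policy_details.managed_identity_ref` is missing or null, so a policy meant for a workload identity is silently granted to whichever principal runs the apply. A misconfigured managed-identity policy should fail the plan rather than widen that principal's access: `object_id = each.value.policy_name == "managed_identity" ? var.resources.managed_identities[each.value.policy_details.managed_identity_ref].principal_id : var.global_settings.object_id` lets a missing ref surface as a lookup error. The replaced `try(...)` form had the same fail-open fallback. Computing the condition in a `locals` block would also make the very long line readable.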
@@ -17,7 +17,3 @@ output "location" { output "name" { value = azurerm_key_vault.main.name } - -output "key_vaults" { - value = { for key, kv in azurerm_key_vault.main : key => kv } -} diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf new file mode 100644 index 00000000..23e3fce3 --- /dev/null +++ b/src/modules/keyvault/access_policies.tf @@ -0,0 +1,12 @@ +# Initial policy is used to address a a bootstrap condition during the launchpad deployment +module "initial_policy" { + source = "./keyvault_access_policy" + count = try(var.settings.access_policies, null) == null ? 0 : 1 + settings = each.value + keyvault_id = azurerm_key_vault.main.id + access_policies = var.settings.access_policies + resources = { + managed_identities = module.managed_identities + } + global_settings = var.global_settings +} diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf index 1c3a69f9..ef9d3d9a 100644 --- a/src/modules/keyvault/keyvault_access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf @@ -2,6 +2,10 @@ variable "settings" { description = "All the configuration for this resource" } +variable "keyvault_id" { + description = "keyvault id" +} + variable "resources" { type = object({ keyvaults = map(any) @@ -14,10 +18,12 @@ variable "resources" { description = "All required resources" } -variable "keyvault_id" {} -variable "tenant_id" {} -variable "object_id" {} -variable "access_policy" {} +variable "access_policies" { + validation { + condition = length(var.access_policies) <= 16 + error_message = "A maximun of 16 access policies can be set." + } +} variable "global_settings" { description = "Global settings for tinycaf" } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 32445012..a29f4ba0 100644 
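Review bot: `settings = each.value` in the new `module "initial_policy"` is evaluated under `count`, where `each` is not defined, so the call fails; the module's own input, `settings = var.settings`, is presumably what is meant. `resources = { managed_identities = module.managed_identities }` refers to a module that does not exist inside `modules/keyvault` (the root module passes identities in through the `resources` argument). The `settings = each.value` line is still present as context in the PATCH 60, 63, 66 and 67 hunks of this file. The header comment also has a doubled word: `a a bootstrap condition`.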
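Review bot: The new validation message `"A maximun of 16 access policies can be set."` misspells `maximum`. `variable "access_policies"` declares neither `type` nor `description`, so `length(var.access_policies)` also accepts a plain string; `type = map(any)` plus a one-line description of the per-policy keys would document the contract and make the check meaningful. `variable "keyvault_id"` would read better with `description = "Resource id of the key vault the policies are attached to"` than `"keyvault id"`.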
--- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf
+++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf
@@ -1,33 +1,13 @@ -resource "azurerm_key_vault_access_policy" "this" { +module "logged_in_user" { + source = "./access_policy" for_each = { - for kv_name, kv in var.resources.keyvaults : - kv_name => kv.access_policies - if length(try(kv.access_policies, {})) > 0 + for key, access_policy in var.access_policies : key => access_policy + if key == "logged_in_user" && local.var.global_settings.object_id != null } - key_vault_id = each.value.key_vault_id - tenant_id = var.global_settings.tenant_id + keyvault_id = var.keyvault_id == null - # ✅ Correct object_id handling for managed identity - object_id = each.value.policy_name == "managed_identity" && try(each.value.policy_details.managed_identity_ref, null) != null ? var.resources.managed_identities[each.value.policy_details.managed_identity_ref].principal_id : var.global_settings.object_id - - secret_permissions = try(each.value.policy_details.secret_permissions == "All" ? local.all_secret_permissions : tolist(each.value.policy_details.secret_permissions), []) - key_permissions = try(each.value.policy_details.key_permissions == "All" ? 
local.all_key_permissions : tolist(each.value.policy_details.key_permissions), []) - certificate_permissions = try(each.value.policy_details.certificate_permissions, []) - storage_permissions = try(each.value.policy_details.storage_permissions, []) + access_policy = each.value + tenant_id = local.global_settings.tenant_id + object_id = local.global_settings.object_id } -# resource "azurerm_key_vault_access_policy" "managed_identity" { -# for_each = { -# for access_policy_ref, config in var.settings.access_policies : -# access_policy_ref => config -# if can(config.managed_identity_ref) -# } -# key_vault_id = var.key_vault_id -# tenant_id = var.global_settings.tenant_id -# object_id = var.resources.managed_identities[each.value.managed_identity_ref].principal_id - -# # this is a bit of a hack to allow `secret_permissions` to be a string when "All" and otherwise a list -# # the tfvars allows it, but the module needs us to convert it to list explicitly to get around the type errors -# secret_permissions = try(each.value.secret_permissions, null) == "All" ? local.all_secret_permissions : try(tolist(each.value.secret_permissions), []) -# key_permissions = try(each.value.key_permissions, null) == "All" ? local.all_key_permissions : try(tolist(each.value.key_permissions), []) -# } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf new file mode 100644 index 00000000..d7d9631b --- /dev/null +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf @@ -0,0 +1,4 @@ +variable "keyvault_id" {} +variable "tenant_id" {} +variable "object_id" {} +variable "access_policy" {} diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf new file mode 100644 index 00000000..90a77dff --- /dev/null 
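Review bot: `keyvault_id = var.keyvault_id == null` passes a boolean into the `access_policy` module, which then assigns `true`/`false` to `key_vault_id` on `azurerm_key_vault_access_policy.policy`; the line should be `keyvault_id = var.keyvault_id`. It survives as context in the PATCH 59, 60 and 63 hunks of this file. `local.var.global_settings.object_id` in the `for_each` filter is not a valid reference either. Since the `for_each` keeps only the `logged_in_user` entry and the commented `managed_identity` resource is deleted here, managed-identity policies listed in `var.access_policies` are now never created; if that is intended for the bootstrap step, a comment on the `for_each` should say so.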
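Review bot: All four variables are bare `variable "..." {}` declarations without `type` or `description`, so `keyvault_id` accepts any value, including the boolean the caller in the `access_policies.tf` hunk above currently passes. `type = string` on `keyvault_id`, `tenant_id` and `object_id` turns that into a plan-time error, and a description on `access_policy` listing the `key_permissions`, `secret_permissions`, `certificate_permissions` and `storage_permissions` keys that `access_policy.tf` reads would document the expected shape.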
+++ b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf @@ -0,0 +1,14 @@ +resource "azurerm_key_vault_access_policy" "policy" { + + key_vault_id = var.keyvault_id + tenant_id = var.tenant_id + object_id = var.object_id + key_permissions = try(var.access_policy.key_permissions, null) + secret_permissions = try(var.access_policy.secret_permissions, null) + certificate_permissions = try(var.access_policy.certificate_permissions, null) + storage_permissions = try(var.access_policy.storage_permissions, null) + + timeouts { + delete = "60m" + } +} From 88413b9c5e8100938fbbde297559d99a4303635d Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:18:29 +0200 Subject: [PATCH 57/95] test keyvault module --- src/keyvault.tf | 28 +--------------------------- 1 file changed, 1 insertion(+), 27 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 59c83f45..df5055e7 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -1,5 +1,5 @@ module "keyvaults" { - source = "./modules/keyvault" + source = "./modules/_security/keyvault" for_each = var.keyvaults settings = each.value 
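Review bot: `key_permissions = try(var.access_policy.key_permissions, null)` and its three siblings pass the policy values straight through, so the `"All"` string convention that the deleted `managed_identity` comment block described (expanded through `local.all_*_permissions` and `tolist`) would now reach a list attribute as a string; if that convention is still in use, the conversion belongs here or in the caller. Because each permission falls back to `null`, a misspelled key yields a policy with no permissions instead of an error, which is fail-closed but easy to miss; a header comment naming the expected `access_policy` keys would help. `timeouts { delete = "60m" }` deserves a why-comment, since nothing in the series says what slow deletion it works around.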
@@ -9,31 +9,5 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = var.keyvaults } } -module "keyvault_access_policies" { - source = "./modules/keyvault/keyvault_access_policy" - - for_each = { - for key, kv in var.keyvaults : key => kv.access_policies - if length(kv.access_policies) > 0 - } - - keyvault_id = module.keyvaults[each.key].id - - access_policy = each.value - - tenant_id = local.global_settings.tenant_id - settings = each.value - # ✅ Conditionally set the object_id based on the policy type - object_id = contains(keys(each.value), "logged_in_user") ? var.global_settings.object_id : module.managed_identities[each.value.managed_identity_ref].principal_id - resources = { - virtual_networks = module.virtual_networks - resource_groups = module.resource_groups - managed_identities = module.managed_identities - private_dns_zones = module.private_dns_zones - keyvaults = module.keyvaults - } - global_settings = local.global_settings -} From b21ce9856266fe41408fbbc803d52801154a5a5e Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:19:47 +0200 Subject: [PATCH 58/95] move source outside security --- src/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index df5055e7..2aa9e48e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -1,5 +1,5 @@ module "keyvaults" { - source = "./modules/_security/keyvault" + source = "./modules/keyvault" for_each = var.keyvaults settings = each.value From 5193b9b556c944f6fb5066f1c5bffc530457d882 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:21:32 +0200 Subject: [PATCH 59/95] remove var ffrom local --- src/modules/keyvault/keyvault_access_policy/access_policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index a29f4ba0..44bed32e 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -2,7 +2,7 @@ module "logged_in_user" { source = "./access_policy" for_each = { for key, access_policy in var.access_policies : key => access_policy - if key == "logged_in_user" && local.var.global_settings.object_id != null + if key == "logged_in_user" && local.global_settings.object_id != null } keyvault_id = var.keyvault_id == null From 158bfc5ee9e12f38d6804fd8cd97847eb7185762 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:30:02 +0200 Subject: [PATCH 60/95] test managed idenitties --- src/keyvault.tf | 3 +++ src/modules/keyvault/_variables.tf | 4 ++++ src/modules/keyvault/access_policies.tf | 2 +- .../keyvault/keyvault_access_policy/access_policies.tf | 2 +- 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 2aa9e48e..1de05c35 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -9,5 +9,8 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones + keyvaults = { + for key, kv in azurerm_key_vault.main : key => kv + } } } diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 9e781214..4ca0ca3f 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -6,6 +6,10 @@ variable "settings" { description = "All the configuration for this resource" } +variable "managed_identities" { + description = "All the configuration for this resource" +} + variable "resources" { type = object({ resource_groups = map(any) 
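Review bot: The new `variable "managed_identities"` copies the `settings` description `"All the configuration for this resource"`, which does not describe a map of managed identities; something like `description = "Managed identities whose principal ids access policies may reference"` fits. The variable also duplicates `var.resources.managed_identities`, which the same file already declares as `managed_identities = map(any)`, and PATCH 63 switches the consumer back to `var.resources`, so the extra input looks redundant.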
diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 23e3fce3..723b587b 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -6,7 +6,7 @@ module "initial_policy" { keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies resources = { - managed_identities = module.managed_identities + managed_identities = var.managed_identities } global_settings = var.global_settings } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 44bed32e..8b04f7d3 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -2,7 +2,7 @@ module "logged_in_user" { source = "./access_policy" for_each = { for key, access_policy in var.access_policies : key => access_policy - if key == "logged_in_user" && local.global_settings.object_id != null + if key == "logged_in_user" && var.global_settings.object_id != null } keyvault_id = var.keyvault_id == null From 76f16748dbc3c148aa01fef46e42cffc5bbb9887 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:31:38 +0200 Subject: [PATCH 61/95] test --- src/keyvault.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/keyvault.tf b/src/keyvault.tf index 1de05c35..5c10242b 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -4,6 +4,7 @@ module "keyvaults" { settings = each.value global_settings = local.global_settings + managed_identities = var.managed_identities resources = { virtual_networks = module.virtual_networks resource_groups = module.resource_groups From 8132ba12eb4940bcd6edc5b7d26865acd9011903 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:31:57 +0200 Subject: [PATCH 62/95] test --- src/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/keyvault.tf b/src/keyvault.tf index 5c10242b..cb003e3e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -4,7 +4,7 @@ module "keyvaults" { settings = each.value global_settings = local.global_settings - managed_identities = var.managed_identities + managed_identities = module.managed_identities resources = { virtual_networks = module.virtual_networks resource_groups = module.resource_groups From fc22f122c0bc29fd9d7b1bb68b8b46b9d9835a16 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:34:19 +0200 Subject: [PATCH 63/95] test --- src/modules/keyvault/access_policies.tf | 4 +--- .../keyvault/keyvault_access_policy/access_policies.tf | 4 ++-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 723b587b..c87a1b00 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -5,8 +5,6 @@ module "initial_policy" { settings = each.value keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies - resources = { - managed_identities = var.managed_identities - } + resources = var.resources global_settings = var.global_settings } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 8b04f7d3..fc8a59de 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -8,6 +8,6 @@ module "logged_in_user" { keyvault_id = var.keyvault_id == null access_policy = each.value - tenant_id = local.global_settings.tenant_id - object_id = local.global_settings.object_id + tenant_id = var.global_settings.tenant_id + object_id = var.global_settings.object_id } From 99fd85adc6b33d2f9afc2d6d8c0aa6c25f810a93 Mon Sep 17 00:00:00 2001 
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:35:57 +0200 Subject: [PATCH 64/95] test --- src/keyvault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index cb003e3e..48673253 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -11,7 +11,7 @@ module "keyvaults" { managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones keyvaults = { - for key, kv in azurerm_key_vault.main : key => kv + for key, kv in keyvualts : key => kv } } } From d1a951f8fccd3f016ad29c23524163850c9234c9 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:37:39 +0200 Subject: [PATCH 65/95] test --- src/keyvault.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 48673253..44b45da4 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -10,8 +10,5 @@ module "keyvaults" { resource_groups = module.resource_groups managed_identities = module.managed_identities private_dns_zones = module.private_dns_zones - keyvaults = { - for key, kv in keyvualts : key => kv - } } } From 72eb9a58e37d5c2c80b169ad0775c14eff0eec42 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 16:44:31 +0200 Subject: [PATCH 66/95] test --- src/modules/keyvault/_variables.tf | 5 +++-- src/modules/keyvault/access_policies.tf | 10 ++++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 4ca0ca3f..d4eee827 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -16,8 +16,6 @@ variable "resources" { virtual_networks = map(any) managed_identities = map(any) private_dns_zones = map(any) - keyvaults = map(any) - }) description = "All required resources" } 
@@ -28,6 +26,9 @@ variable "keyvault_key" { variable "keyvault_id" { default = null } +output "keyvaults" { + value = { for kv, data in azurerm_key_vault.main : kv => data } +} variable "access_policies" { description = "Map of access policies for the Key Vault" diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index c87a1b00..40a178cd 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -3,8 +3,14 @@ module "initial_policy" { source = "./keyvault_access_policy" count = try(var.settings.access_policies, null) == null ? 0 : 1 settings = each.value - keyvault_id = azurerm_key_vault.main.id + keyvault_id = module.keyvaults[each.key].id access_policies = var.settings.access_policies - resources = var.resources + resources = { + virtual_networks = module.virtual_networks + resource_groups = module.resource_groups + managed_identities = module.managed_identities + private_dns_zones = module.private_dns_zones + keyvaults = module.keyvaults + } global_settings = var.global_settings } From ef6b713837448acaea2d3103d03d2771ce0dfbd8 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:06:03 +0200 Subject: [PATCH 67/95] test --- src/modules/keyvault/_outputs.tf | 4 ++++ src/modules/keyvault/access_policies.tf | 10 ++-------- .../keyvault/keyvault_access_policy/_variables.tf | 12 ------------ .../keyvault_access_policy/access_policies.tf | 2 +- 4 files changed, 7 insertions(+), 21 deletions(-) diff --git a/src/modules/keyvault/_outputs.tf b/src/modules/keyvault/_outputs.tf index a6b440d4..6348558b 100644 --- a/src/modules/keyvault/_outputs.tf +++ b/src/modules/keyvault/_outputs.tf @@ -17,3 +17,7 @@ output "location" { output "name" { value = azurerm_key_vault.main.name } + +output "resources" { + value = var.resources +} diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 40a178cd..0e313798 100644 
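Review bot: The new `output "resources" { value = var.resources }` in keyvault/_outputs.tf (PATCH 67) echoes the module's entire input map — resource groups, virtual networks, managed identities and private DNS zones — back into the parent's plan output and state, which adds noise and a second copy of data the root module already holds. It reads as a debugging aid and is not removed by the later commits on this page; if it is kept, mark it `sensitive = true` and document why a child module re-exports its inputs, otherwise drop it. On the same line, PATCH 66 places `output "keyvaults"` in _variables.tf rather than _outputs.tf; it is deleted again in PATCH 70, so that is only a note on file layout.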
--- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -3,14 +3,8 @@ module "initial_policy" { source = "./keyvault_access_policy" count = try(var.settings.access_policies, null) == null ? 0 : 1 settings = each.value - keyvault_id = module.keyvaults[each.key].id + keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies - resources = { - virtual_networks = module.virtual_networks - resource_groups = module.resource_groups - managed_identities = module.managed_identities - private_dns_zones = module.private_dns_zones - keyvaults = module.keyvaults - } global_settings = var.global_settings + resources = var.resources } diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf index ef9d3d9a..c9cc3217 100644 --- a/src/modules/keyvault/keyvault_access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf @@ -6,18 +6,6 @@ variable "keyvault_id" { description = "keyvault id" } -variable "resources" { - type = object({ - keyvaults = map(any) - virtual_networks = map(any) - managed_identities = map(any) - resource_groups = map(any) - private_dns_zones = map(any) - - }) - description = "All required resources" -} - variable "access_policies" { validation { condition = length(var.access_policies) <= 16 diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index fc8a59de..a178ba94 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
@@ -1,7 +1,7 @@ module "logged_in_user" { source = "./access_policy" for_each = { - for key, access_policy in var.access_policies : key => access_policy + for key, access_policy in azurerm_key_vault.main.access_policies : key => access_policy if key == "logged_in_user" && var.global_settings.object_id != null } From 32babc754ecd829e69bc8a9bfe7534b3f8fff33b Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:08:06 +0200 Subject: [PATCH 68/95] test resources output --- src/modules/keyvault/access_policies.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 0e313798..ca33fae1 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -6,5 +6,4 @@ module "initial_policy" { keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies global_settings = var.global_settings - resources = var.resources } From 86312772ae18b93f3630f3bfbc1294746a513001 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:10:48 +0200 Subject: [PATCH 69/95] fix access policies --- src/modules/keyvault/keyvault_access_policy/access_policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index a178ba94..fc8a59de 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,7 +1,7 @@ module "logged_in_user" { source = "./access_policy" for_each = { - for key, access_policy in azurerm_key_vault.main.access_policies : key => access_policy + for key, access_policy in var.access_policies : key => access_policy if key == "logged_in_user" && var.global_settings.object_id != null } From 7750f13ef3af7b3381ccbe9ae5786473394b3abf Mon Sep 17 00:00:00 2001 
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:17:56 +0200 Subject: [PATCH 70/95] Test --- src/modules/keyvault/_variables.tf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index d4eee827..30f4a615 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -20,16 +20,6 @@ variable "resources" { description = "All required resources" } -variable "keyvault_key" { - default = null -} -variable "keyvault_id" { - default = null -} -output "keyvaults" { - value = { for kv, data in azurerm_key_vault.main : kv => data } -} - variable "access_policies" { description = "Map of access policies for the Key Vault" type = map(any) From 6d17fc87f606a2ddebed34eb6f1a5a49cef214b5 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:24:21 +0200 Subject: [PATCH 71/95] test --- src/keyvault.tf | 1 - src/modules/keyvault/_variables.tf | 4 ---- 2 files changed, 5 deletions(-) diff --git a/src/keyvault.tf b/src/keyvault.tf index 44b45da4..2aa9e48e 100644 --- a/src/keyvault.tf +++ b/src/keyvault.tf @@ -4,7 +4,6 @@ module "keyvaults" { settings = each.value global_settings = local.global_settings - managed_identities = module.managed_identities resources = { virtual_networks = module.virtual_networks resource_groups = module.resource_groups diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 30f4a615..82f8cad8 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -6,10 +6,6 @@ variable "settings" { description = "All the configuration for this resource" } -variable "managed_identities" { - description = "All the configuration for this resource" -} - variable "resources" { type = object({ resource_groups = map(any) From b614e8699b81b278c09c36c8519260c51078b679 Mon Sep 17 00:00:00 2001 
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:29:57 +0200 Subject: [PATCH 72/95] view settings --- src/modules/keyvault/keyvault.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 57f21dfa..7edb4244 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -19,3 +19,10 @@ resource "azurerm_key_vault" "main" { virtual_network_subnet_ids = local.subnet_ids } } + + +resource "null_resource" "debug_settings" { + provisioner "local-exec" { + command = "echo ${jsonencode(var.settings)}" + } +} From c3527310fcd8b44e3f5c954913340434d7bce23c Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:37:07 +0200 Subject: [PATCH 73/95] test --- src/modules/keyvault/access_policies.tf | 2 +- src/modules/keyvault/keyvault.tf | 7 ------- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index ca33fae1..074631e7 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -1,7 +1,7 @@ # Initial policy is used to address a a bootstrap condition during the launchpad deployment module "initial_policy" { source = "./keyvault_access_policy" - count = try(var.settings.access_policies, null) == null ? 0 : 1 + for_each = try(var.settings.access_policies, {}) != {} ? var.settings.access_policies : {} settings = each.value keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies diff --git a/src/modules/keyvault/keyvault.tf b/src/modules/keyvault/keyvault.tf index 7edb4244..57f21dfa 100644 --- a/src/modules/keyvault/keyvault.tf +++ b/src/modules/keyvault/keyvault.tf @@ -19,10 +19,3 @@ resource "azurerm_key_vault" "main" { virtual_network_subnet_ids = local.subnet_ids } } - - -resource "null_resource" "debug_settings" { - provisioner "local-exec" { - command = "echo ${jsonencode(var.settings)}" - } -} 
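Review bot: The `null_resource.debug_settings` added in PATCH 72 interpolates `jsonencode(var.settings)` unquoted into a `local-exec` shell command, so the whole Key Vault configuration is written to the apply output and any CI log, and any shell metacharacters inside the settings values are interpreted by the shell. PATCH 73 on this same line removes it again, so the remaining concern is the apply logs produced in between; for future inspection of module inputs, an `output` with `sensitive = true` or `terraform console` avoids both the shell and the log exposure.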
From ca19489934f6d83f0dd8b5bc7e50d1855fb2c0a7 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:40:11 +0200 Subject: [PATCH 74/95] test --- src/modules/keyvault/access_policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 074631e7..61a02b3c 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -1,7 +1,7 @@ # Initial policy is used to address a a bootstrap condition during the launchpad deployment module "initial_policy" { source = "./keyvault_access_policy" - for_each = try(var.settings.access_policies, {}) != {} ? var.settings.access_policies : {} + for_each = try(var.keyvaults.access_policies, {}) != {} ? var.keyvaults.access_policies : {} settings = each.value keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies From 7a78c1cfc0ed4b67eb049af21a506d089bd412f4 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:42:57 +0200 Subject: [PATCH 75/95] test --- src/modules/keyvault/_variables.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 82f8cad8..515263c9 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -6,6 +6,10 @@ variable "settings" { description = "All the configuration for this resource" } +variable "keyvaults" { + description = "All the configuration for this resource" +} + variable "resources" { type = object({ resource_groups = map(any) From 94cfbb55883c145e937b36870efe8f8e32347e59 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:47:40 +0200 Subject: [PATCH 76/95] test --- src/modules/keyvault/_variables.tf | 9 --------- src/modules/keyvault/access_policies.tf | 2 +- 2 files changed, 1 insertion(+), 10 deletions(-) 
diff --git a/src/modules/keyvault/_variables.tf b/src/modules/keyvault/_variables.tf index 515263c9..571a0d89 100644 --- a/src/modules/keyvault/_variables.tf +++ b/src/modules/keyvault/_variables.tf @@ -6,9 +6,6 @@ variable "settings" { description = "All the configuration for this resource" } -variable "keyvaults" { - description = "All the configuration for this resource" -} variable "resources" { type = object({ @@ -19,9 +16,3 @@ variable "resources" { }) description = "All required resources" } - -variable "access_policies" { - description = "Map of access policies for the Key Vault" - type = map(any) - default = {} -} diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 61a02b3c..074631e7 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -1,7 +1,7 @@ # Initial policy is used to address a a bootstrap condition during the launchpad deployment module "initial_policy" { source = "./keyvault_access_policy" - for_each = try(var.keyvaults.access_policies, {}) != {} ? var.keyvaults.access_policies : {} + for_each = try(var.settings.access_policies, {}) != {} ? var.settings.access_policies : {} settings = each.value keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies From 3dd975b16ac27a793dfef8ffa91a9cc28dfb8e38 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:53:17 +0200 Subject: [PATCH 77/95] test --- src/modules/keyvault/keyvault_access_policy/access_policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index fc8a59de..e187cff2 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
@@ -1,7 +1,7 @@ module "logged_in_user" { source = "./access_policy" for_each = { - for key, access_policy in var.access_policies : key => access_policy + for key, access_policy in var.settings : key => access_policy if key == "logged_in_user" && var.global_settings.object_id != null } From e789ac95cc0a26c8dcb250e35b20dcb35ded510a Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 17:56:02 +0200 Subject: [PATCH 78/95] debug --- src/modules/keyvault/keyvault_access_policy/_locals.tf | 4 ++++ src/modules/keyvault/keyvault_access_policy/_outputs.tf | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 src/modules/keyvault/keyvault_access_policy/_outputs.tf diff --git a/src/modules/keyvault/keyvault_access_policy/_locals.tf b/src/modules/keyvault/keyvault_access_policy/_locals.tf index 939e99fd..5a02df2a 100644 --- a/src/modules/keyvault/keyvault_access_policy/_locals.tf +++ b/src/modules/keyvault/keyvault_access_policy/_locals.tf @@ -33,3 +33,7 @@ locals { "SetRotationPolicy", ] } + +locals { + debug_settings = var.settings +} diff --git a/src/modules/keyvault/keyvault_access_policy/_outputs.tf b/src/modules/keyvault/keyvault_access_policy/_outputs.tf new file mode 100644 index 00000000..3adbdac8 --- /dev/null +++ b/src/modules/keyvault/keyvault_access_policy/_outputs.tf @@ -0,0 +1,3 @@ +output "debug" { + value = local.debug_settings +} From f9df1553cce55f2d7202eeb97d09899f5f1e39e1 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 18:01:37 +0200 Subject: [PATCH 79/95] test --- .../keyvault/keyvault_access_policy/access_policies.tf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index e187cff2..14d1ecdf 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
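Review bot: The new `output "debug" { value = local.debug_settings }` in keyvault_access_policy/_outputs.tf (PATCH 78) publishes the full `var.settings` object of the child module into state and plan output, and `local.debug_settings` is still visible as a context line in the _locals.tf hunk of PATCH 88 further down, so nothing on this page removes it. A debug output that survives to merge should at least carry `sensitive = true`; better, delete both the local and the output once the investigation is done.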
@@ -1,9 +1,6 @@ module "logged_in_user" { source = "./access_policy" - for_each = { - for key, access_policy in var.settings : key => access_policy - if key == "logged_in_user" && var.global_settings.object_id != null - } + for_each = var.settings keyvault_id = var.keyvault_id == null From ce48bd8d37d5602a064d7373b7b01e2fa3eeae5e Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 18:16:02 +0200 Subject: [PATCH 80/95] test --- src/modules/keyvault/keyvault_access_policy/_locals.tf | 1 + .../keyvault/keyvault_access_policy/access_policies.tf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/_locals.tf b/src/modules/keyvault/keyvault_access_policy/_locals.tf index 5a02df2a..73ca717e 100644 --- a/src/modules/keyvault/keyvault_access_policy/_locals.tf +++ b/src/modules/keyvault/keyvault_access_policy/_locals.tf @@ -36,4 +36,5 @@ locals { locals { debug_settings = var.settings + has_logged_in_key = contains(keys(var.settings), "managed_identity") } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 14d1ecdf..c51c916d 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,6 +1,6 @@ -module "logged_in_user" { +module "managed_identity" { source = "./access_policy" - for_each = var.settings + count = local.has_logged_in_key ? 1 : 0 keyvault_id = var.keyvault_id == null From 05a7f5e7179dca6940b8f1605dcd8a1ad839bf7f Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 21:27:12 +0200 Subject: [PATCH 81/95] test two new policies --- src/modules/keyvault/access_policies.tf | 2 +- .../keyvault_access_policy/access_policies.tf | 13 ++++++++++--- .../access_policy/_variables.tf | 1 - .../access_policy/access_policy.tf | 16 +++++++++++++++- 4 files changed, 26 insertions(+), 6 deletions(-) 
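Review bot: The local added in PATCH 80, `has_logged_in_key = contains(keys(var.settings), "managed_identity")`, is named after the logged-in user but tests for a `managed_identity` key, and it drives `count` on a module that the same hunk renames to `managed_identity`; the name will mislead the next reader. Renaming it to `has_managed_identity` (or inlining the `contains(...)` into the `count` expression) makes the guard self-describing. The local is still present as context in the PATCH 88 hunk of _locals.tf, so it is worth fixing in the final version rather than here.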
diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 074631e7..3853945f 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -2,7 +2,7 @@ module "initial_policy" { source = "./keyvault_access_policy" for_each = try(var.settings.access_policies, {}) != {} ? var.settings.access_policies : {} - settings = each.value + settings = var.settings keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies global_settings = var.global_settings diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index c51c916d..eadcac9d 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,10 +1,17 @@ -module "managed_identity" { +module "logged_in_user" { source = "./access_policy" - count = local.has_logged_in_key ? 1 : 0 + keyvault_id = var.keyvault_id == null + tenant_id = var.global_settings.tenant_id + object_id = var.global_settings.object_id +} + + +module "managed_identities" { + source = "./access_policy" + for_each = var.settings.access_policies.managed_identities keyvault_id = var.keyvault_id == null - access_policy = each.value tenant_id = var.global_settings.tenant_id object_id = var.global_settings.object_id } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf index d7d9631b..fef8f5d7 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf @@ -1,4 +1,3 @@ variable "keyvault_id" {} variable "tenant_id" {} variable "object_id" {} -variable "access_policy" {} 
diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf index 90a77dff..f5ea6c45 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf @@ -1,4 +1,4 @@ -resource "azurerm_key_vault_access_policy" "policy" { +resource "azurerm_key_vault_access_policy" "logged_in_user" { key_vault_id = var.keyvault_id tenant_id = var.tenant_id @@ -12,3 +12,17 @@ resource "azurerm_key_vault_access_policy" "policy" { delete = "60m" } } + + +resource "azurerm_key_vault_access_policy" "example" { + for_each = { + for idx, mi in var.settings.access_policies.managed_identity.managed_identity_refs : "${idx}" => mi + } + + key_vault_id = var.keyvault_id + tenant_id = var.tenant_id + object_id = var.resources.managed_identities[each.value].id + + key_permissions = try(var.settings.access_policies.managed_identity.key_permissions,null) + secret_permissions = try(var.settings.access_policies.managed_identity.secret_permissions,null) +} From 9aa70e3d89ed5b3d07cdd746ab5188cd06125e5a Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 21:31:20 +0200 Subject: [PATCH 82/95] test --- src/modules/keyvault/access_policies.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 3853945f..aa9fcffc 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf 
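Review bot: Renaming `azurerm_key_vault_access_policy.policy` to `azurerm_key_vault_access_policy.logged_in_user` (PATCH 81, first hunk) changes the resource address, so the next apply destroys the existing policy and creates a new one, leaving the bootstrap identity without vault access for the duration of the replace. A `moved { from = azurerm_key_vault_access_policy.policy  to = azurerm_key_vault_access_policy.logged_in_user }` block preserves the state entry and avoids the gap. The second hunk's `resource "example"` references `var.settings` and `var.resources`, neither of which the module's _variables.tf declares in the hunk just above, so this version would not validate; PATCH 83 replaces it, so only the rename point needs action.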
@@ -1,7 +1,7 @@ -# Initial policy is used to address a a bootstrap condition during the launchpad deployment module "initial_policy" { - source = "./keyvault_access_policy" - for_each = try(var.settings.access_policies, {}) != {} ? var.settings.access_policies : {} + source = "./keyvault_access_policy" + count = try(length(var.settings.access_policies), 0) > 0 ? 1 : 0 + settings = var.settings keyvault_id = azurerm_key_vault.main.id access_policies = var.settings.access_policies From 63bbfb70bb45006c72295288d7a8b136296aee66 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 21:49:52 +0200 Subject: [PATCH 83/95] test --- src/modules/keyvault/access_policies.tf | 5 +++-- .../keyvault/keyvault_access_policy/_variables.tf | 9 +++++++++ .../keyvault_access_policy/access_policies.tf | 12 ++++++++++-- .../access_policy/_variables.tf | 2 ++ .../access_policy/access_policy.tf | 13 +++++-------- 5 files changed, 29 insertions(+), 12 deletions(-) diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index aa9fcffc..9567f9db 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -1,9 +1,10 @@ module "initial_policy" { source = "./keyvault_access_policy" - count = try(length(var.settings.access_policies), 0) > 0 ? 1 : 0 + for_each = try(var.settings.access_policies, {}) settings = var.settings keyvault_id = azurerm_key_vault.main.id - access_policies = var.settings.access_policies + access_policies = each.value + policy_name = each.key global_settings = var.global_settings } diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf index c9cc3217..7cdd7b31 100644 --- a/src/modules/keyvault/keyvault_access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf 
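Review bot: PATCH 82 drops the only explanatory comment in keyvault/access_policies.tf (`# Initial policy is used to address a a bootstrap condition during the launchpad deployment`) while reworking the `count`, and the PATCH 83 hunk on this same line, which switches to `for_each`, does not restore it; the module name `initial_policy` alone no longer explains why it exists. Put the comment back above the module block with the typo fixed: `# Initial policy addresses a bootstrap condition during the launchpad deployment`.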
@@ -15,3 +15,12 @@ variable "access_policies" { variable "global_settings" { description = "Global settings for tinycaf" } + +variable "policy_name" { + description = "The name of the access policy (e.g., policy1, policy2)" + type = string +} + +variable "resources" { + description = "All the configuration for this resource" +} diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index eadcac9d..8a9f2400 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -4,14 +4,22 @@ module "logged_in_user" { tenant_id = var.global_settings.tenant_id object_id = var.global_settings.object_id + key_permissions = local.all_key_permissions + secret_permissions = local.all_secret_permissions } module "managed_identities" { source = "./access_policy" - for_each = var.settings.access_policies.managed_identities + for_each = ( + contains(keys(var.access_policies), "managed_identity_refs") && length(var.access_policies.managed_identity_refs) > 0 + ? var.access_policies.managed_identity_refs + : {} + ) keyvault_id = var.keyvault_id == null tenant_id = var.global_settings.tenant_id - object_id = var.global_settings.object_id + object_id = var.resources.managed_identities[each.value].id + key_permissions = try(var.access.key_permissions,null) + secret_permissions = try(var.access.key_permissions,null) } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf index fef8f5d7..b5986e4c 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf @@ -1,3 +1,5 @@ variable "keyvault_id" {} variable "tenant_id" {} variable "object_id" {} +variable "key_permissions" {} +variable "secret_permissions" {} 
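Review bot: The new `variable "resources"` in keyvault_access_policy/_variables.tf (PATCH 83) carries the description copied from `settings` ("All the configuration for this resource") and no type, whereas the parent module declares the same input as a typed object with `description = "All required resources"`. Use the parent's wording and, since the module only reads `var.resources.managed_identities[...]`, a type of `object({ managed_identities = map(any) })` documents the actual contract.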
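Review bot: `module "logged_in_user"` now receives `key_permissions = local.all_key_permissions` and `secret_permissions = local.all_secret_permissions` unconditionally (PATCH 83, second hunk), so the deploying principal is granted the full key and secret permission sets on every vault, and the earlier `var.global_settings.object_id != null` guard that was removed in PATCH 79 has not come back, so a null `object_id` now reaches the provider. If the full grant is intentional for the bootstrap identity, say so in a comment on the module block and restore the guard with `count = var.global_settings.object_id != null ? 1 : 0`; otherwise scope the lists to what the launchpad actually needs. The `managed_identities` module in the same hunk passes `try(var.access.key_permissions,null)` for both key and secret permissions — `var.access` is undeclared and the secret line copies the key attribute — which PATCH 87 and 88 later correct.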
diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf index f5ea6c45..fb11406a 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf @@ -14,15 +14,12 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { } -resource "azurerm_key_vault_access_policy" "example" { - for_each = { - for idx, mi in var.settings.access_policies.managed_identity.managed_identity_refs : "${idx}" => mi - } - +resource "azurerm_key_vault_access_policy" "main" { # Using the policy key in the resource name key_vault_id = var.keyvault_id + tenant_id = var.tenant_id - object_id = var.resources.managed_identities[each.value].id + object_id = var.object_id - key_permissions = try(var.settings.access_policies.managed_identity.key_permissions,null) - secret_permissions = try(var.settings.access_policies.managed_identity.secret_permissions,null) + key_permissions = var.access_policies.key_permissions + secret_permissions = var.access_policies.secret_permissions } From bb4a6732bc542efad528375acf370f48960579a7 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 21:51:11 +0200 Subject: [PATCH 84/95] test --- src/modules/keyvault/access_policies.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/modules/keyvault/access_policies.tf b/src/modules/keyvault/access_policies.tf index 9567f9db..75c0f161 100644 --- a/src/modules/keyvault/access_policies.tf +++ b/src/modules/keyvault/access_policies.tf @@ -7,4 +7,5 @@ module "initial_policy" { access_policies = each.value policy_name = each.key global_settings = var.global_settings + resources = var.resources } From dbe154a3b73c0e3589f0df5399b440bc7919b508 Mon Sep 17 00:00:00 2001 
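Review bot: After PATCH 83, `./access_policy` declares two unconditional `azurerm_key_vault_access_policy` resources, `logged_in_user` and the new `main`, both built from `var.keyvault_id`, `var.tenant_id` and `var.object_id`, so every instantiation of the module tries to create two policies for the same principal in the same vault; the provider identifies a policy by vault and object id, so the second is expected to collide with or overwrite the first. One resource per module is enough — the caller already distinguishes the logged-in user from managed identities by instantiating the module separately. The new comment `# Using the policy key in the resource name` describes nothing in the block and should go, and the `var.key_permissions`/`var.secret_permissions` inputs the caller passes are not read by either resource in the lines visible here (PATCH 86 below also switches `logged_in_user` to `var.access_policies.*`), so they appear to be dead inputs — worth confirming against the rest of the file.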
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 21:53:34 +0200 Subject: [PATCH 85/95] check --- .../keyvault/keyvault_access_policy/access_policies.tf | 4 ++-- .../keyvault_access_policy/access_policy/_variables.tf | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 8a9f2400..426e9e4c 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,8 +1,8 @@ module "logged_in_user" { source = "./access_policy" keyvault_id = var.keyvault_id == null - tenant_id = var.global_settings.tenant_id + access_policies = try(var.access_policies,null) object_id = var.global_settings.object_id key_permissions = local.all_key_permissions secret_permissions = local.all_secret_permissions @@ -17,7 +17,7 @@ module "managed_identities" { : {} ) keyvault_id = var.keyvault_id == null - + access_policies = var.access_policies tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value].id key_permissions = try(var.access.key_permissions,null) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf index b5986e4c..4a859544 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf @@ -3,3 +3,4 @@ variable "tenant_id" {} variable "object_id" {} variable "key_permissions" {} variable "secret_permissions" {} +variable "access_policies" {} From 69c448000d566ddb980d139c1d46c9df524ddd58 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 21:56:16 +0200 Subject: [PATCH 86/95] test --- .../keyvault_access_policy/access_policy/access_policy.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
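Review bot: The first hunk of PATCH 85 replaces `tenant_id = var.global_settings.tenant_id` with `access_policies = try(var.access_policies,null)` in `module "logged_in_user"`, but the child module still declares `variable "tenant_id" {}` with no default (visible in the PATCH 81 hunk above), so the module call now lacks a required argument. The new line should be added rather than substituted, keeping `tenant_id = var.global_settings.tenant_id`. The `try(..., null)` wrapper is also a no-op on a declared variable; `access_policies = var.access_policies` reads more honestly. The `module "logged_in_user"` block starts above the hunk.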
diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf index fb11406a..49481f00 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf @@ -3,10 +3,10 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { key_vault_id = var.keyvault_id tenant_id = var.tenant_id object_id = var.object_id - key_permissions = try(var.access_policy.key_permissions, null) - secret_permissions = try(var.access_policy.secret_permissions, null) - certificate_permissions = try(var.access_policy.certificate_permissions, null) - storage_permissions = try(var.access_policy.storage_permissions, null) + key_permissions = try(var.access_policies.key_permissions, null) + secret_permissions = try(var.access_policies.secret_permissions, null) + certificate_permissions = try(var.access_policies.certificate_permissions, null) + storage_permissions = try(var.access_policies.storage_permissions, null) timeouts { delete = "60m" From e0da84e2613f1f774b98956174d2ba5676399cb2 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 21:58:02 +0200 Subject: [PATCH 87/95] Test --- .../keyvault/keyvault_access_policy/access_policies.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 426e9e4c..6614a65e 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
@@ -20,6 +20,6 @@ module "managed_identities" { access_policies = var.access_policies tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value].id - key_permissions = try(var.access.key_permissions,null) - secret_permissions = try(var.access.key_permissions,null) + key_permissions = try(var.access_policies.key_permissions,null) + secret_permissions = try(var.access_policies.key_permissions,null) } From 6de9b09cb65c550ffbcdabfa4b4107ed1b9a5765 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:04:34 +0200 Subject: [PATCH 88/95] test --- .../keyvault/keyvault_access_policy/_locals.tf | 14 ++++++++++++++ .../keyvault_access_policy/access_policies.tf | 10 +++------- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/_locals.tf b/src/modules/keyvault/keyvault_access_policy/_locals.tf index 73ca717e..f3953fbe 100644 --- a/src/modules/keyvault/keyvault_access_policy/_locals.tf +++ b/src/modules/keyvault/keyvault_access_policy/_locals.tf @@ -34,6 +34,20 @@ locals { ] } +locals { +effective_key_permissions = ( + var.access_policies.key_permissions == "All" ? + local.all_key_permissions : + try(var.access_policies.key_permissions, []) + ) +effective_secret_permissions = ( + var.access_policies.secret_permissions == "All" ? + local.all_secret_permissions : + try(var.access_policies.secret_permissions, []) + ) +} + + locals { debug_settings = var.settings has_logged_in_key = contains(keys(var.settings), "managed_identity") diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 6614a65e..8ae0ee6f 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
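Review bot: In the new `effective_key_permissions` / `effective_secret_permissions` locals (PATCH 88, _locals.tf), the `try(...)` only protects the false branch; the condition `var.access_policies.key_permissions == "All"` dereferences the attribute first, so a policy that omits `key_permissions` fails on the comparison and the fallback `[]` is never reached. Guard the condition as well: `try(var.access_policies.key_permissions, null) == "All" ? local.all_key_permissions : tolist(try(var.access_policies.key_permissions, []))`, and the same for secrets; the PATCH 89 hunk at the bottom of the page keeps this shape, so apply the fix there. Since `"All"` expands to the module's full permission list, a one-line comment above the local stating that is worth adding so the grant is visible to whoever reviews a policy definition.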
@@ -11,15 +11,11 @@ module "logged_in_user" { module "managed_identities" { source = "./access_policy" - for_each = ( - contains(keys(var.access_policies), "managed_identity_refs") && length(var.access_policies.managed_identity_refs) > 0 - ? var.access_policies.managed_identity_refs - : {} - ) + for_each = length(try(var.access_policies.managed_identity_refs, [])) > 0 ? var.access_policies.managed_identity_refs : {} keyvault_id = var.keyvault_id == null access_policies = var.access_policies tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value].id - key_permissions = try(var.access_policies.key_permissions,null) - secret_permissions = try(var.access_policies.key_permissions,null) + key_permissions = local.effective_key_permissions + secret_permissions = local.effective_secret_permissions } From f2df5aa877b1e53fd82806b413e5bca8edb449fa Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:09:02 +0200 Subject: [PATCH 89/95] test --- src/modules/keyvault/keyvault_access_policy/_locals.tf | 9 +++++---- .../keyvault/keyvault_access_policy/access_policies.tf | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/_locals.tf b/src/modules/keyvault/keyvault_access_policy/_locals.tf index f3953fbe..8f902e38 100644 --- a/src/modules/keyvault/keyvault_access_policy/_locals.tf +++ b/src/modules/keyvault/keyvault_access_policy/_locals.tf 
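Review bot: `keyvault_id = var.keyvault_id == null` (a context line here, not touched by this commit) passes a boolean rather than the vault's resource ID into the sub-module, so `key_vault_id` on the access policy receives `true`/`false`; it should be `keyvault_id = var.keyvault_id`. The new `for_each` also hands `var.access_policies.managed_identity_refs` directly to `for_each`; if that value is a list, as the `each.value` lookup suggests, `for_each` rejects it and the two conditional branches (list vs `{}`) do not unify — `for_each = toset(try(var.access_policies.managed_identity_refs, []))` avoids both problems. The module block starts before this hunk.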
@@ -35,15 +35,16 @@ locals { } locals { -effective_key_permissions = ( + effective_key_permissions = ( var.access_policies.key_permissions == "All" ? local.all_key_permissions : - try(var.access_policies.key_permissions, []) + tolist(try(var.access_policies.key_permissions, [])) ) -effective_secret_permissions = ( + + effective_secret_permissions = ( var.access_policies.secret_permissions == "All" ? local.all_secret_permissions : - try(var.access_policies.secret_permissions, []) + tolist(try(var.access_policies.secret_permissions, [])) ) } diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 8ae0ee6f..b97138fb 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -11,7 +11,7 @@ module "logged_in_user" { module "managed_identities" { source = "./access_policy" - for_each = length(try(var.access_policies.managed_identity_refs, [])) > 0 ? var.access_policies.managed_identity_refs : {} + for_each = length(try(var.access_policies.managed_identity_refs, [])) > 0 ? { for idx, ref in var.access_policies.managed_identity_refs : idx => ref } : {} keyvault_id = var.keyvault_id == null access_policies = var.access_policies tenant_id = var.global_settings.tenant_id From a71109b639981e41332ad38114a3c3c7ec62cc36 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:13:03 +0200 Subject: [PATCH 90/95] test --- .../access_policy/access_policy.tf | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf index 49481f00..3b76296c 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf 
@@ -3,10 +3,8 @@ resource "azurerm_key_vault_access_policy" "logged_in_user" { key_vault_id = var.keyvault_id tenant_id = var.tenant_id object_id = var.object_id - key_permissions = try(var.access_policies.key_permissions, null) - secret_permissions = try(var.access_policies.secret_permissions, null) - certificate_permissions = try(var.access_policies.certificate_permissions, null) - storage_permissions = try(var.access_policies.storage_permissions, null) + key_permissions = try(var.key_permissions, null) + secret_permissions = try(var.secret_permissions, null) timeouts { delete = "60m" @@ -20,6 +18,6 @@ resource "azurerm_key_vault_access_policy" "main" { # Using the policy key in th tenant_id = var.tenant_id object_id = var.object_id - key_permissions = var.access_policies.key_permissions - secret_permissions = var.access_policies.secret_permissions + key_permissions = var.key_permissions + secret_permissions = var.secret_permissions } From ab10e611a21ec0dcc91a2dfbf37392c4e8dcb3bd Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:20:22 +0200 Subject: [PATCH 91/95] test --- src/modules/keyvault/keyvault_access_policy/access_policies.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index b97138fb..12a47cf4 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -1,5 +1,6 @@ module "logged_in_user" { source = "./access_policy" + count = var.policy_name == "logged_in_user" ? 1 : 0 keyvault_id = var.keyvault_id == null tenant_id = var.global_settings.tenant_id access_policies = try(var.access_policies,null) From 023074c2ef645a1a2132169d5a021e2348bdc388 Mon Sep 17 00:00:00 2001 
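Review bot: Dropping `certificate_permissions` and `storage_permissions` from the `logged_in_user` resource means any certificate or storage permissions a caller still sets in `access_policies` are now silently ignored rather than granted or rejected. If the narrowing is intended, say so, e.g. `# only key and secret permissions are managed here; certificate/storage permissions are ignored`; otherwise wire them through the same way as `key_permissions`. The `try(var.key_permissions, null)` wrapper adds nothing, since referencing a declared input variable never raises the dynamic error `try` catches — reference `var.key_permissions` directly or give the variable `default = null` in its declaration (not visible here). The resource block starts before this hunk.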
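Review bot: After this change `azurerm_key_vault_access_policy.main` and `azurerm_key_vault_access_policy.logged_in_user` in this file both target the same `tenant_id`/`object_id` with the same `var.key_permissions`/`var.secret_permissions`, i.e. two Terraform resources for one Azure access-policy entry (Azure keys access policies by object ID). Depending on provider behaviour the second create will either be refused as already existing or the two resources will overwrite each other on every apply, and destroying either one removes the principal's access entirely. Keep a single resource per principal, or gate one of them with `count`. The resource header is outside this hunk.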
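Review bot: Adding `count` to `module "logged_in_user"` turns it into a list, so any `module.logged_in_user.<output>` reference elsewhere in the tree must become `module.logged_in_user[0].<output>` (not visible here). The context line `keyvault_id = var.keyvault_id == null` still passes a boolean instead of the vault ID and should be `keyvault_id = var.keyvault_id`, and `try(var.access_policies,null)` is a no-op on a declared variable. The module block continues past the end of the hunk.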
From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:31:31 +0200 Subject: [PATCH 92/95] test --- .../keyvault_access_policy/access_policies.tf | 4 ++-- .../access_policy/access_policy.tf | 14 -------------- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 12a47cf4..0d307fab 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -12,8 +12,8 @@ module "logged_in_user" { module "managed_identities" { source = "./access_policy" - for_each = length(try(var.access_policies.managed_identity_refs, [])) > 0 ? { for idx, ref in var.access_policies.managed_identity_refs : idx => ref } : {} - keyvault_id = var.keyvault_id == null + for_each = { for idx, ref in try(var.access_policies.managed_identity.managed_identity_refs, []) : idx => ref } + keyvault_id = var.keyvault_id access_policies = var.access_policies tenant_id = var.global_settings.tenant_id object_id = var.resources.managed_identities[each.value].id diff --git a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf index 3b76296c..b962091f 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf @@ -1,17 +1,3 @@ -resource "azurerm_key_vault_access_policy" "logged_in_user" { - - key_vault_id = var.keyvault_id - tenant_id = var.tenant_id - object_id = var.object_id - key_permissions = try(var.key_permissions, null) - secret_permissions = try(var.secret_permissions, null) - - timeouts { - delete = "60m" - } -} - - resource "azurerm_key_vault_access_policy" "main" { # Using the policy key in the resource name key_vault_id = var.keyvault_id 
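Review bot: The `try(..., [])` fallback around `var.access_policies.managed_identity.managed_identity_refs` means a wrong or renamed path produces zero access policies with no diagnostic — this commit moves the refs under `managed_identity` while the previous revision read `var.access_policies.managed_identity_refs`, and whichever shape callers actually pass, the other one silently grants nothing. A misconfigured grant then only surfaces when the identity fails at runtime. Consider a check that rejects a `managed_identity` policy with an empty ref list, or at least a comment on the `for_each` line naming the expected shape of `access_policies`. The module block starts before this hunk.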
From dd6cae748b47ba129243c03b432e8447f568449c Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:35:50 +0200 Subject: [PATCH 93/95] test --- src/modules/keyvault/keyvault_access_policy/access_policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 0d307fab..84d52dcc 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf @@ -12,7 +12,7 @@ module "logged_in_user" { module "managed_identities" { source = "./access_policy" - for_each = { for idx, ref in try(var.access_policies.managed_identity.managed_identity_refs, []) : idx => ref } + for_each = var.policy_name == "managed_identity" ? { for idx, ref in var.access_policies.managed_identity_refs : idx => ref } : {} keyvault_id = var.keyvault_id access_policies = var.access_policies tenant_id = var.global_settings.tenant_id From f364741cc31c0c0e012c18f0f538b3f19127d441 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:38:45 +0200 Subject: [PATCH 94/95] test with try on managed_identity_refs --- src/modules/keyvault/keyvault_access_policy/access_policies.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault_access_policy/access_policies.tf b/src/modules/keyvault/keyvault_access_policy/access_policies.tf index 84d52dcc..97a2673d 100644 --- a/src/modules/keyvault/keyvault_access_policy/access_policies.tf +++ b/src/modules/keyvault/keyvault_access_policy/access_policies.tf 
@@ -12,7 +12,8 @@ module "logged_in_user" { module "managed_identities" { source = "./access_policy" - for_each = var.policy_name == "managed_identity" ? { for idx, ref in var.access_policies.managed_identity_refs : idx => ref } : {} + for_each = var.policy_name == "managed_identity" && length(try(var.access_policies.managed_identity_refs, [])) > 0 ? { for idx, ref in try(var.access_policies.managed_identity_refs, []) : idx => ref } : {} + keyvault_id = var.keyvault_id access_policies = var.access_policies tenant_id = var.global_settings.tenant_id From 27825512d49b189a030921af0eb33ce138efc953 Mon Sep 17 00:00:00 2001 From: Lyudmil Ilchev Date: Sat, 18 Jan 2025 22:42:00 +0200 Subject: [PATCH 95/95] 100 percent working version about access policies in different folder structure --- src/modules/keyvault/keyvault_access_policy/_variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/keyvault/keyvault_access_policy/_variables.tf b/src/modules/keyvault/keyvault_access_policy/_variables.tf index 7cdd7b31..bd4ad120 100644 --- a/src/modules/keyvault/keyvault_access_policy/_variables.tf +++ b/src/modules/keyvault/keyvault_access_policy/_variables.tf @@ -17,7 +17,7 @@ variable "global_settings" { } variable "policy_name" { - description = "The name of the access policy (e.g., policy1, policy2)" + description = "The key of the access policy." type = string }
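Review bot: Keying the `for_each` map by list index (`idx => ref`) ties each access policy's Terraform address to its position in `managed_identity_refs`, so removing or reordering one entry re-keys the ones after it and Terraform destroys and recreates their access policies — a window in which those identities lose Key Vault access. Key by the ref itself: `for_each = var.policy_name == "managed_identity" ? { for ref in try(var.access_policies.managed_identity_refs, []) : ref => ref } : {}`. That also makes the `length(...) > 0` guard redundant, because the comprehension over an empty list already yields `{}`. The module block continues outside the hunk.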