[TC-18] Add module for keyvault secrets and private endpoint

examples/private_dns_zones.tfvars

@@ -0,0 +1,44 @@
+private_dns_zones = {
+  storage_account_blob = {
+    resource_kind      = "storage_blob"
+    resource_group_ref = "rg_test"
+    vnet_ref           = ["vnet_test", "vnet_test2"]
+  }
+}
+
+
+
+# pre-requisites
+resource_groups = {
+  rg_test = {
+    name     = "rg-test-dv-ne-01"
+    location = "northeurope"
+  }
+}
+
+virtual_networks = {
+  vnet_test = {
+    name               = "vnet-test-dv-ne-01"
+    resource_group_ref = "rg_test"
+    cidr               = ["10.0.0.0/16"]
+    subnets = {
+      snet_app = {
+        name              = "snet-app"
+        cidr              = ["10.0.0.128/25"]
+        service_endpoints = ["Microsoft.Storage"]
+      }
+    }
+  }
+  vnet_test2 = {
+    name               = "vnet-test-dv-ne-02"
+    resource_group_ref = "rg_test"
+    cidr               = ["10.1.0.0/16"]
+    subnets = {
+      snet_app_02 = {
+        name              = "snet-app"
+        cidr              = ["10.1.0.128/25"]
+        service_endpoints = ["Microsoft.Storage"]
+      }
+    }
+  }
+}

src/_variables.resources.tf

@@ -15,3 +15,5 @@ variable "public_ips" { default = {} }
 variable "keyvaults" { default = {} }
 
 variable "storage_accounts" { default = {} }
+
+variable "private_dns_zones" { default = {} }

src/keyvault.tf

@@ -1,5 +1,5 @@
 module "keyvaults" {
-  source   = "./modules/_security/keyvault"
+  source   = "./modules/keyvault"
   for_each = var.keyvaults
 
   settings        = each.value
@@ -8,5 +8,6 @@ module "keyvaults" {
     virtual_networks   = module.virtual_networks
     resource_groups    = module.resource_groups
     managed_identities = module.managed_identities
+    private_dns_zones  = module.private_dns_zones
   }
 }

src/modules/_networking/private_dns_zone/_locals.tf

@@ -0,0 +1,29 @@
+locals {
+  resource_group = var.resources.resource_groups[var.settings.resource_group_ref]
+
+  resource_group_name = local.resource_group.name
+  location            = local.resource_group.location
+  tags = merge(
+    var.global_settings.tags,
+    var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
+    try(var.settings.tags, {})
+  )
+  vnet_ids = {
+    for vnet in var.settings.vnet_ref :
+    vnet => {
+      name = var.resources.virtual_networks[vnet].name
+      id   = var.resources.virtual_networks[vnet].id
+    }
+  }
+}
+locals {
+  # local object used to map possible private dns zoone names
+  zone_names = {
+    "storage_blob"   = "privatelink.blob.core.windows.net"
+    "storage_tables" = "privatelink.table.core.windows.net"
+    "storage_queues" = "privatelink.queue.core.windows.net"
+    "storage_files"  = "privatelink.file.core.windows.net"
+    "function_apps"  = "privatelink.azurewebsites.net"
+    "keyvaults"      = "privatelink.vaultcore.azure.net"
+  }
+}

src/modules/_networking/private_dns_zone/_outputs.tf

@@ -0,0 +1,3 @@
+output "id" {
+  value = azurerm_private_dns_zone.main.id
+}

src/modules/_networking/private_dns_zone/_variables.tf

@@ -0,0 +1,15 @@
+variable "global_settings" {
+  description = "Global settings for tinycaf"
+}
+
+variable "settings" {
+  description = "All the configuration for this resource"
+}
+
+variable "resources" {
+  type = object({
+    resource_groups  = map(any)
+    virtual_networks = map(any)
+  })
+  description = "All required resources"
+}

src/modules/_networking/private_dns_zone/private_dns_vnet_link.tf

@@ -0,0 +1,7 @@
+resource "azurerm_private_dns_zone_virtual_network_link" "main" {
+  for_each              = local.vnet_ids
+  name                  = "${each.value.name}-${azurerm_private_dns_zone.main.name}-link"
+  private_dns_zone_name = azurerm_private_dns_zone.main.name
+  resource_group_name   = azurerm_private_dns_zone.main.resource_group_name
+  virtual_network_id    = each.value.id
+}

src/modules/_networking/private_dns_zone/private_dns_zone_group.tf

@@ -0,0 +1,5 @@
+resource "azurerm_private_dns_zone" "main" {
+  name                = try(local.zone_names[var.settings.resource_kind], var.settings.name)
+  resource_group_name = local.resource_group_name
+  tags                = try(local.tags, null)
+}

src/modules/_security/keyvault/_locals.tf → src/modules/keyvault/_locals.tf

@@ -9,47 +9,13 @@ locals {
       var.resources.virtual_networks[split("/", config.subnet_ref)[0]].subnets[split("/", config.subnet_ref)[1]].id
     )
   ]
-
+  subnet_id = try(
+    var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id,
+    null
+  )
   tags = merge(
     var.global_settings.tags,
     var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
     try(var.settings.tags, {})
   )
 }
-
-
-locals {
-  all_secret_permissions = [
-    "Backup",
-    "Delete",
-    "Get",
-    "List",
-    "Purge",
-    "Recover",
-    "Restore",
-    "Set",
-  ]
-
-  all_key_permissions = [
-    "Backup",
-    "Create",
-    "Decrypt",
-    "Delete",
-    "Encrypt",
-    "Get",
-    "Import",
-    "List",
-    "Purge",
-    "Recover",
-    "Restore",
-    "Sign",
-    "UnwrapKey",
-    "Update",
-    "Verify",
-    "WrapKey",
-    "Release",
-    "Rotate",
-    "GetRotationPolicy",
-    "SetRotationPolicy",
-  ]
-}

src/modules/keyvault/_outputs.tf

@@ -0,0 +1,23 @@
+output "id" {
+  value = azurerm_key_vault.main.id
+}
+
+output "vault_uri" {
+  value = azurerm_key_vault.main.vault_uri
+}
+
+output "resource_group_name" {
+  value = azurerm_key_vault.main.resource_group_name
+}
+
+output "location" {
+  value = azurerm_key_vault.main.location
+}
+
+output "name" {
+  value = azurerm_key_vault.main.name
+}
+
+output "resources" {
+  value = var.resources
+}

src/modules/_security/keyvault/_variables.tf → src/modules/keyvault/_variables.tf

@@ -6,11 +6,13 @@ variable "settings" {
   description = "All the configuration for this resource"
 }
 
+
 variable "resources" {
   type = object({
     resource_groups    = map(any)
     virtual_networks   = map(any)
     managed_identities = map(any)
+    private_dns_zones  = map(any)
   })
   description = "All required resources"
 }

src/modules/keyvault/access_policies.tf

@@ -0,0 +1,11 @@
+module "initial_policy" {
+  source          = "./keyvault_access_policy"
+  for_each        = try(var.settings.access_policies, {})
+
+  settings        = var.settings
+  keyvault_id     = azurerm_key_vault.main.id
+  access_policies = each.value
+  policy_name =     each.key
+  global_settings = var.global_settings
+  resources = var.resources
+}

src/modules/keyvault/keyvault_access_policy/_locals.tf

@@ -0,0 +1,55 @@
+locals {
+  all_secret_permissions = [
+    "Backup",
+    "Delete",
+    "Get",
+    "List",
+    "Purge",
+    "Recover",
+    "Restore",
+    "Set",
+  ]
+
+  all_key_permissions = [
+    "Backup",
+    "Create",
+    "Decrypt",
+    "Delete",
+    "Encrypt",
+    "Get",
+    "Import",
+    "List",
+    "Purge",
+    "Recover",
+    "Restore",
+    "Sign",
+    "UnwrapKey",
+    "Update",
+    "Verify",
+    "WrapKey",
+    "Release",
+    "Rotate",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
+  ]
+}
+
+locals {
+  effective_key_permissions = (
+    var.access_policies.key_permissions == "All" ?
+    local.all_key_permissions :
+    tolist(try(var.access_policies.key_permissions, []))
+  )
+
+  effective_secret_permissions = (
+    var.access_policies.secret_permissions == "All" ?
+    local.all_secret_permissions :
+    tolist(try(var.access_policies.secret_permissions, []))
+  )
+}
+
+
+locals {
+  debug_settings = var.settings
+  has_logged_in_key = contains(keys(var.settings), "managed_identity")
+}

src/modules/keyvault/keyvault_access_policy/_outputs.tf

@@ -0,0 +1,3 @@
+output "debug" {
+  value = local.debug_settings
+}

src/modules/keyvault/keyvault_access_policy/_variables.tf

@@ -0,0 +1,26 @@
+variable "settings" {
+  description = "All the configuration for this resource"
+}
+
+variable "keyvault_id" {
+  description = "keyvault id"
+}
+
+variable "access_policies" {
+  validation {
+    condition     = length(var.access_policies) <= 16
+    error_message = "A maximun of 16 access policies can be set."
+  }
+}
+variable "global_settings" {
+  description = "Global settings for tinycaf"
+}
+
+variable "policy_name" {
+  description = "The key of the access policy."
+  type        = string
+}
+
+variable "resources" {
+  description = "All the configuration for this resource"
+}

src/modules/keyvault/keyvault_access_policy/access_policies.tf

@@ -0,0 +1,23 @@
+module "logged_in_user" {
+  source = "./access_policy"
+  count = var.policy_name == "logged_in_user" ? 1 : 0
+  keyvault_id = var.keyvault_id == null
+  tenant_id     = var.global_settings.tenant_id
+  access_policies = try(var.access_policies,null)
+  object_id     = var.global_settings.object_id
+  key_permissions = local.all_key_permissions
+  secret_permissions = local.all_secret_permissions
+}
+
+
+module "managed_identities" {
+  source = "./access_policy"
+  for_each = var.policy_name == "managed_identity" && length(try(var.access_policies.managed_identity_refs, [])) > 0 ? { for idx, ref in try(var.access_policies.managed_identity_refs, []) : idx => ref } : {}
+
+  keyvault_id = var.keyvault_id
+  access_policies = var.access_policies
+  tenant_id     = var.global_settings.tenant_id
+  object_id     = var.resources.managed_identities[each.value].id
+  key_permissions = local.effective_key_permissions
+  secret_permissions = local.effective_secret_permissions
+}

src/modules/keyvault/keyvault_access_policy/access_policy/_variables.tf

@@ -0,0 +1,6 @@
+variable "keyvault_id" {}
+variable "tenant_id" {}
+variable "object_id" {}
+variable "key_permissions" {}
+variable "secret_permissions" {}
+variable "access_policies" {}

src/modules/keyvault/keyvault_access_policy/access_policy/access_policy.tf

@@ -0,0 +1,9 @@
+resource "azurerm_key_vault_access_policy" "main" { # Using the policy key in the resource name
+  key_vault_id = var.keyvault_id
+
+  tenant_id    = var.tenant_id
+  object_id    = var.object_id
+
+  key_permissions    = var.key_permissions
+  secret_permissions = var.secret_permissions
+}