efellowsbg · BorislavRaynov · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025 · Jan 21, 2025
@@ -1,19 +1,40 @@
 keyvaults = {
-  kv_test = {
-    name               = "kv-test-dv-ne-01"
-    resource_group_ref = "rg_test"
+  kv-test = {
+    name                          = "kv-test-dev-01"
+    resource_group_ref            = "rg-test"
+    public_network_access_enabled = true
     network_rules = {
-      default_action = "Deny"
-      allowed_ips    = ["10.10.10.10", "20.20.20.20"]
+      default_action = "Allow"
+      allowed_ips    = ["10.10.10.10"]
       subnets = {
-        allow_app1 = {
-          subnet_ref = "vnet_test/snet_app1"
-        }
-        allow_private_endpoints = {
+        subnet1 = {
           subnet_ref = "vnet_test/snet_private_endpoints"
         }
       }
     }
+    access_policies = {
+      managed_identity = {
+        managed_identity_refs = ["id_test"]
+        secret_permissions    = "All"
+        key_permissions       = ["Get", "List"]
+      }
+      logged_in_user = {
+        secret_permissions = "All"
+        key_permissions    = "All"
+      }
+      object_ids = {
+        object_ids         = ["xxxxxxxxxxx-xxxxxxxxxxxxxxx"]
+        secret_permissions = "All"
+        key_permissions    = "All"
+      }
+    }
+    secrets = {
+      secret-skey = {
+        name           = "SecretKey"
+        value          = "default"
+        ignore_changes = true
+      }
+    }
   }
 }
 
@@ -44,3 +65,10 @@ resource_groups = {
     location = "northeurope"
   }
 }
+
+managed_identities = {
+  id_test = {
+    name   = "id-test-dv-ne-01"
+    rg_ref = "rg_test"
+  }
+}
@@ -8,5 +8,6 @@ module "keyvaults" {
     virtual_networks   = module.virtual_networks
     resource_groups    = module.resource_groups
     managed_identities = module.managed_identities
+    private_dns_zones  = module.private_dns_zones
   }
 }
@@ -9,47 +9,13 @@ locals {
       var.resources.virtual_networks[split("/", config.subnet_ref)[0]].subnets[split("/", config.subnet_ref)[1]].id
     )
   ]
-
+  subnet_id = try(
+    var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id,
+    null
+  )
   tags = merge(
     var.global_settings.tags,
     var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
     try(var.settings.tags, {})
   )
 }
-
-
-locals {
-  all_secret_permissions = [
-    "Backup",
-    "Delete",
-    "Get",
-    "List",
-    "Purge",
-    "Recover",
-    "Restore",
-    "Set",
-  ]
-
-  all_key_permissions = [
-    "Backup",
-    "Create",
-    "Decrypt",
-    "Delete",
-    "Encrypt",
-    "Get",
-    "Import",
-    "List",
-    "Purge",
-    "Recover",
-    "Restore",
-    "Sign",
-    "UnwrapKey",
-    "Update",
-    "Verify",
-    "WrapKey",
-    "Release",
-    "Rotate",
-    "GetRotationPolicy",
-    "SetRotationPolicy",
-  ]
-}
@@ -5,3 +5,15 @@ output "id" {
 output "vault_uri" {
   value = azurerm_key_vault.main.vault_uri
 }
+
+output "resource_group_name" {
+  value = azurerm_key_vault.main.resource_group_name
+}
+
+output "location" {
+  value = azurerm_key_vault.main.location
+}
+
+output "name" {
+  value = azurerm_key_vault.main.name
+}
@@ -6,11 +6,14 @@ variable "settings" {
   description = "All the configuration for this resource"
 }
 
+
+
 variable "resources" {
   type = object({
     resource_groups    = map(any)
     virtual_networks   = map(any)
     managed_identities = map(any)
+    private_dns_zones  = map(any)
   })
   description = "All required resources"
 }
@@ -1,24 +1,11 @@
-resource "azurerm_key_vault_access_policy" "logged_in_user" {
-  key_vault_id = azurerm_key_vault.main.id
-  tenant_id    = var.global_settings.tenant_id
-  object_id    = var.global_settings.object_id
+module "initial_policy" {
+  source   = "./keyvault_access_policy"
+  for_each = try(var.settings.access_policies, {})
 
-  secret_permissions = local.all_secret_permissions
-  key_permissions    = local.all_key_permissions
-}
-
-resource "azurerm_key_vault_access_policy" "managed_identity" {
-  for_each = {
-    for access_policy_ref, config in var.settings.access_policies :
-    access_policy_ref => config
-    if can(config.managed_identity_ref)
-  }
-  key_vault_id = azurerm_key_vault.main.id
-  tenant_id    = var.global_settings.tenant_id
-  object_id    = var.resources.managed_identities[each.value.managed_identity_ref].principal_id
-
-  # this is a bit of a hack to allow `secret_permissions` to be a string when "All" and otherwise a list
-  # the tfvars allows it, but the module needs us to convert it to list explicitly to get around the type errors
-  secret_permissions = try(each.value.secret_permissions, null) == "All" ? local.all_secret_permissions : try(tolist(each.value.secret_permissions), [])
-  key_permissions    = try(each.value.key_permissions, null) == "All" ? local.all_key_permissions : try(tolist(each.value.key_permissions), [])
+  settings        = var.settings
+  keyvault_id     = azurerm_key_vault.main.id
+  access_policies = each.value
+  policy_name     = each.key
+  global_settings = var.global_settings
+  resources       = var.resources
 }
@@ -7,10 +7,11 @@ resource "azurerm_key_vault" "main" {
   tenant_id = var.global_settings.tenant_id
   sku_name  = try(var.settings.sku_name, "standard")
 
-  enabled_for_disk_encryption = try(var.settings.enabled_for_disk_encryption, null)
-  soft_delete_retention_days  = try(var.settings.soft_delete_retention_days, null)
-  purge_protection_enabled    = try(var.settings.purge_protection_enabled, null)
-  enable_rbac_authorization   = try(var.settings.enable_rbac_authorization, false)
+  enabled_for_disk_encryption   = try(var.settings.enabled_for_disk_encryption, null)
+  soft_delete_retention_days    = try(var.settings.soft_delete_retention_days, null)
+  purge_protection_enabled      = try(var.settings.purge_protection_enabled, null)
+  enable_rbac_authorization     = try(var.settings.enable_rbac_authorization, false)
+  public_network_access_enabled = try(var.settings.public_network_access_enabled, false)
 
   network_acls {
     default_action             = try(var.settings.network_rules.default_action, "Deny")

@@ -0,0 +1,55 @@
+locals {
+  all_secret_permissions = [
+    "Backup",
+    "Delete",
+    "Get",
+    "List",
+    "Purge",
+    "Recover",
+    "Restore",
+    "Set",
+  ]
+
+  all_key_permissions = [
+    "Backup",
+    "Create",
+    "Decrypt",
+    "Delete",
+    "Encrypt",
+    "Get",
+    "Import",
+    "List",
+    "Purge",
+    "Recover",
+    "Restore",
+    "Sign",
+    "UnwrapKey",
+    "Update",
+    "Verify",
+    "WrapKey",
+    "Release",
+    "Rotate",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
+  ]
+}
+
+locals {
+  effective_key_permissions = (
+    var.access_policies.key_permissions == "All" ?
+    local.all_key_permissions :
+    tolist(try(var.access_policies.key_permissions, []))
+  )
+
+  effective_secret_permissions = (
+    var.access_policies.secret_permissions == "All" ?
+    local.all_secret_permissions :
+    tolist(try(var.access_policies.secret_permissions, []))
+  )
+}
+
+
+locals {
+  debug_settings    = var.settings
+  has_logged_in_key = contains(keys(var.settings), "managed_identity")
+}
@@ -0,0 +1,26 @@
+variable "settings" {
+  description = "All the configuration for this resource"
+}
+
+variable "keyvault_id" {
+  description = "keyvault id"
+}
+
+variable "access_policies" {
+  validation {
+    condition     = length(var.access_policies) <= 16
+    error_message = "A maximun of 16 access policies can be set."
+  }
+}
+variable "global_settings" {
+  description = "Global settings for tinycaf"
+}
+
+variable "policy_name" {
+  description = "The key of the access policy."
+  type        = string
+}
+
+variable "resources" {
+  description = "All the configuration for this resource"
+}
@@ -0,0 +1,35 @@
+module "logged_in_user" {
+  source             = "./access_policy"
+  count              = var.policy_name == "logged_in_user" ? 1 : 0
+  keyvault_id        = var.keyvault_id
+  tenant_id          = var.global_settings.tenant_id
+  access_policies    = try(var.access_policies, null)
+  object_id          = var.global_settings.object_id
+  key_permissions    = local.all_key_permissions
+  secret_permissions = local.all_secret_permissions
+}
+
+
+module "managed_identities" {
+  source   = "./access_policy"
+  for_each = var.policy_name == "managed_identity" && length(try(var.access_policies.managed_identity_refs, [])) > 0 ? { for idx, ref in try(var.access_policies.managed_identity_refs, []) : idx => ref } : {}
+
+  keyvault_id        = var.keyvault_id
+  access_policies    = var.access_policies
+  tenant_id          = var.global_settings.tenant_id
+  object_id          = var.resources.managed_identities[each.value].principal_id
+  key_permissions    = local.effective_key_permissions
+  secret_permissions = local.effective_secret_permissions
+}
+
+module "object_ids" {
+  source   = "./access_policy"
+  for_each = var.policy_name == "object_ids" && length(try(var.access_policies.object_ids, [])) > 0 ? { for idx, obj_id in try(var.access_policies.object_ids, []) : idx => obj_id } : {}
+
+  keyvault_id        = var.keyvault_id
+  access_policies    = var.access_policies
+  tenant_id          = var.global_settings.tenant_id
+  object_id          = each.value
+  key_permissions    = local.effective_key_permissions
+  secret_permissions = local.effective_secret_permissions
+}
@@ -0,0 +1,6 @@
+variable "keyvault_id" {}
+variable "tenant_id" {}
+variable "object_id" {}
+variable "key_permissions" {}
+variable "secret_permissions" {}
+variable "access_policies" {}
@@ -0,0 +1,9 @@
+resource "azurerm_key_vault_access_policy" "main" { # Using the policy key in the resource name
+  key_vault_id = var.keyvault_id
+
+  tenant_id = var.tenant_id
+  object_id = var.object_id
+
+  key_permissions    = var.key_permissions
+  secret_permissions = var.secret_permissions
+}
@@ -0,0 +1,28 @@
+locals {
+  subnet_ids = [
+    for network_rule_ref, config in try(var.settings.network_rules.subnets, {}) : (
+      var.resources.virtual_networks[split("/", config.subnet_ref)[0]].subnets[split("/", config.subnet_ref)[1]].id
+    )
+  ]
+  subnet_id = try(
+    var.resources.virtual_networks[split("/", var.settings.private_endpoint.subnet_ref)[0]].subnets[split("/", var.settings.private_endpoint.subnet_ref)[1]].id,
+    null
+  )
+  tags = merge(
+    var.global_settings.tags,
+    var.global_settings.inherit_resource_group_tags ? local.resource_group.tags : {},
+    try(var.settings.tags, {})
+  )
+
+  resource_group = var.resources.resource_groups[var.settings.resource_group_ref]
+
+  resource_group_name = local.resource_group.name
+  location            = local.resource_group.location
+}
+
+locals {
+  dns_zone_ids = try([
+    for zone in var.settings.private_endpoint.dns_zones_ref :
+    var.resources.private_dns_zones[zone].id
+  ], [])
+}
@@ -0,0 +1,3 @@
+output "id" {
+  value = azurerm_private_endpoint.main.id
+}
@@ -0,0 +1,23 @@
+variable "global_settings" {
+  description = "Global settings for tinycaf"
+}
+
+variable "settings" {
+  description = "All the configuration for this resource"
+}
+
+variable "keyvault_id" {
+  description = "id of the keyvault"
+}
+
+variable "resources" {
+  description = "All the configuration for this resource"
+}
+
+variable "subnet_ref" {
+  description = "All the configuration for this resource"
+}
+
+variable "dns_zones_ref" {
+  description = "All the configuration for this resource"
+}