chore: Update examples with KMS
mkilchhofer committed Jan 23, 2023
1 parent 25c45a7 commit 2058adc
Showing 12 changed files with 266 additions and 147 deletions.
49 changes: 0 additions & 49 deletions examples/named_cluster/disk_encryption_set.tf
@@ -1,41 +1,3 @@
data "azurerm_client_config" "current" {}

resource "random_string" "key_vault_prefix" {
length = 6
special = false
upper = false
numeric = false
}

data "curl" "public_ip" {
count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0

http_method = "GET"
uri = "https://api.ipify.org?format=json"
}

locals {
# We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
}

resource "azurerm_key_vault" "des_vault" {
location = local.resource_group.location
name = "${random_string.key_vault_prefix.result}-des-keyvault"
resource_group_name = local.resource_group.name
sku_name = "premium"
tenant_id = data.azurerm_client_config.current.tenant_id
enabled_for_disk_encryption = true
purge_protection_enabled = true
soft_delete_retention_days = 7

network_acls {
bypass = "AzureServices"
default_action = "Deny"
ip_rules = [local.public_ip]
}
}

resource "azurerm_key_vault_key" "des_key" {
key_opts = [
"decrypt",
Expand Down Expand Up @@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
"UnwrapKey"
]
}

resource "azurerm_key_vault_access_policy" "current_user" {
key_vault_id = azurerm_key_vault.des_vault.id
object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
tenant_id = data.azurerm_client_config.current.tenant_id
key_permissions = [
"Get",
"Create",
"Delete",
]
}
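--- a/examples/named_cluster/key_vault.tf
+++ b/examples/named_cluster/key_vault.tf
@@ -0,0 +1,48 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+length = 6
+special = false
+upper = false
+numeric = false
+}
+
+data "curl" "public_ip" {
+count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+http_method = "GET"
+uri = "https://api.ipify.org?format=json"
+}
+
+locals {
+# We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+location = local.resource_group.location
+name = "${random_string.key_vault_prefix.result}-des-keyvault"
+resource_group_name = local.resource_group.name
+sku_name = "premium"
+tenant_id = data.azurerm_client_config.current.tenant_id
+enabled_for_disk_encryption = true
+purge_protection_enabled = true
+soft_delete_retention_days = 7
+
+network_acls {
+bypass = "AzureServices"
+default_action = "Deny"
+ip_rules = [local.public_ip]
+}
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+key_vault_id = azurerm_key_vault.des_vault.id
+object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+tenant_id = data.azurerm_client_config.current.tenant_id
+key_permissions = [
+"Get",
+"Create",
+"Delete",
+]
+}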
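--- a/examples/named_cluster/kms.tf
+++ b/examples/named_cluster/kms.tf
@@ -0,0 +1,29 @@
+resource "azurerm_key_vault_key" "kms" {
+name = "etcd-encryption"
+key_vault_id = azurerm_key_vault.des_vault.id
+key_type = "RSA"
+key_size = 2048
+
+key_opts = [
+"decrypt",
+"encrypt",
+"sign",
+"unwrapKey",
+"verify",
+"wrapKey",
+]
+
+depends_on = [
+azurerm_key_vault_access_policy.current_user
+]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+key_vault_id = azurerm_key_vault.des_vault.id
+object_id = azurerm_user_assigned_identity.test.id
+tenant_id = azurerm_user_assigned_identity.test.tenant_id
+key_permissions = [
+"Decrypt",
+"Encrypt",
+]
+}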
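Review bot: `object_id = azurerm_user_assigned_identity.test.id` in the `kms` access policy is the identity's ARM resource ID, but `azurerm_key_vault_access_policy.object_id` expects the Azure AD object ID of the principal, so the apply is rejected or the cluster identity ends up without Decrypt/Encrypt on the KMS key; change it to `object_id = azurerm_user_assigned_identity.test.principal_id`. The same line appears in examples/startup/kms.tf. Separately, the `kms` key only waits on the `current_user` policy and the module consumes `azurerm_key_vault_key.kms.id`, so nothing orders the `kms` policy before cluster creation; if Azure validates the identity's key access at create time this can race, so consider a `depends_on = [azurerm_key_vault_access_policy.kms]` on the module, or a comment stating why that ordering is not needed — confirm which.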
13 changes: 13 additions & 0 deletions examples/named_cluster/main.tf
Expand Up @@ -46,6 +46,12 @@ resource "azurerm_log_analytics_workspace" "main" {
sku = "PerGB2018"
}

resource "azurerm_user_assigned_identity" "test" {
location = local.resource_group.location
name = "${random_id.prefix.hex}-control-plane"
resource_group_name = local.resource_group.name
}

module "aks_cluster_name" {
source = "../.."

Expand Down Expand Up @@ -77,4 +83,11 @@ module "aks_cluster_name" {
rbac_aad = true
rbac_aad_managed = true
role_based_access_control_enabled = true

# KMS encrption
identity_type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.test.id]
key_vault_kms_enabled = true
key_vault_kms_key_id = azurerm_key_vault_key.kms.id

}
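Review bot: the comment `# KMS encrption` above the new module arguments is misspelled; make it `# KMS encryption` (the same comment is in examples/startup/main.tf). Since the example is meant to be copied, one line explaining the coupling between the identity and the key would help readers, e.g. `# the control-plane identity must be able to Decrypt/Encrypt with the KMS key; see kms.tf`. The `module "aks_cluster_name"` block begins outside the hunk.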
49 changes: 0 additions & 49 deletions examples/startup/disk_encryption_set.tf
Original file line number Diff line number Diff line change
@@ -1,41 +1,3 @@
data "azurerm_client_config" "current" {}

resource "random_string" "key_vault_prefix" {
length = 6
special = false
upper = false
numeric = false
}

data "curl" "public_ip" {
count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0

http_method = "GET"
uri = "https://api.ipify.org?format=json"
}

locals {
# We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
}

resource "azurerm_key_vault" "des_vault" {
location = local.resource_group.location
name = "${random_string.key_vault_prefix.result}-des-keyvault"
resource_group_name = local.resource_group.name
sku_name = "premium"
tenant_id = data.azurerm_client_config.current.tenant_id
enabled_for_disk_encryption = true
purge_protection_enabled = true
soft_delete_retention_days = 7

network_acls {
bypass = "AzureServices"
default_action = "Deny"
ip_rules = [local.public_ip]
}
}

resource "azurerm_key_vault_key" "des_key" {
key_opts = [
"decrypt",
Expand Down Expand Up @@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
"UnwrapKey"
]
}

resource "azurerm_key_vault_access_policy" "current_user" {
key_vault_id = azurerm_key_vault.des_vault.id
object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
tenant_id = data.azurerm_client_config.current.tenant_id
key_permissions = [
"Get",
"Create",
"Delete",
]
}
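--- a/examples/startup/key_vault.tf
+++ b/examples/startup/key_vault.tf
@@ -0,0 +1,49 @@
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "key_vault_prefix" {
+length = 6
+special = false
+upper = false
+numeric = false
+}
+
+data "curl" "public_ip" {
+count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
+
+http_method = "GET"
+uri = "https://api.ipify.org?format=json"
+}
+
+locals {
+# We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
+public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
+}
+
+resource "azurerm_key_vault" "des_vault" {
+location = local.resource_group.location
+name = "${random_string.key_vault_prefix.result}-des-keyvault"
+resource_group_name = local.resource_group.name
+sku_name = "premium"
+tenant_id = data.azurerm_client_config.current.tenant_id
+enabled_for_disk_encryption = true
+purge_protection_enabled = true
+soft_delete_retention_days = 7
+enable_rbac_authorization = true
+
+network_acls {
+bypass = "AzureServices"
+default_action = "Deny"
+ip_rules = [local.public_ip]
+}
+}
+
+resource "azurerm_key_vault_access_policy" "current_user" {
+key_vault_id = azurerm_key_vault.des_vault.id
+object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
+tenant_id = data.azurerm_client_config.current.tenant_id
+key_permissions = [
+"Get",
+"Create",
+"Delete",
+]
+}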
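Review bot: `enable_rbac_authorization = true` on `des_vault` (the one line that differs from the named_cluster copy) switches the vault to Azure RBAC, under which `azurerm_key_vault_access_policy` resources are not evaluated — yet the same file still declares `azurerm_key_vault_access_policy.current_user` on that vault and examples/startup/kms.tf attaches a second policy to it. As written the `kms` key creation depends on a policy that grants nothing, and the cluster identity's Decrypt/Encrypt access is likewise not in effect, which only works if matching role assignments exist in a file not shown here. Pick one authorization model per vault: either drop `enable_rbac_authorization` to match examples/named_cluster/key_vault.tf, or replace both access policies with `azurerm_role_assignment` resources (`Key Vault Crypto Officer` for the deploying principal, `Key Vault Crypto User` for the cluster identity) and remove the `current_user` policy.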
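--- a/examples/startup/kms.tf
+++ b/examples/startup/kms.tf
@@ -0,0 +1,27 @@
+resource "azurerm_key_vault_key" "kms" {
+name = "${var.cluster_name}-etcd-encryption"
+key_vault_id = azurerm_key_vault.kv_storage_byok.id
+key_type = "RSA"
+key_size = 2048
+
+key_opts = [
+"decrypt",
+"encrypt",
+"sign",
+"unwrapKey",
+"verify",
+"wrapKey",
+]
+
+depends_on = [azurerm_role_assignment.kv_admin]
+}
+
+resource "azurerm_key_vault_access_policy" "kms" {
+key_vault_id = azurerm_key_vault.des_vault.id
+object_id = azurerm_user_assigned_identity.test.id
+tenant_id = azurerm_user_assigned_identity.test.tenant_id
+key_permissions = [
+"Decrypt",
+"Encrypt",
+]
+}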
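Review bot: the `kms` key is placed in `azurerm_key_vault.kv_storage_byok` and waits on `azurerm_role_assignment.kv_admin`, while the `kms` access policy a few lines below is attached to `azurerm_key_vault.des_vault`, so the cluster identity is granted Decrypt/Encrypt on a vault that does not hold the key. Neither `kv_storage_byok` nor `kv_admin` is declared in the files shown for this commit (examples/startup/key_vault.tf creates only `des_vault`); unless they live in one of the three files not displayed, `terraform validate` fails on an undeclared resource. The named_cluster variant keeps key and grant on the same vault; align this one to `key_vault_id = azurerm_key_vault.des_vault.id` and `depends_on = [azurerm_key_vault_access_policy.current_user]`, or to the corresponding role assignment if the vault stays in RBAC mode.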
12 changes: 12 additions & 0 deletions examples/startup/main.tf
Expand Up @@ -31,6 +31,12 @@ resource "azurerm_subnet" "test" {
enforce_private_link_endpoint_network_policies = true
}

resource "azurerm_user_assigned_identity" "test" {
location = local.resource_group.location
name = "${random_id.prefix.hex}-control-plane"
resource_group_name = local.resource_group.name
}

module "aks" {
source = "../.."

Expand Down Expand Up @@ -84,6 +90,12 @@ module "aks" {
sku_tier = "Paid"
vnet_subnet_id = azurerm_subnet.test.id

# KMS encrption
identity_type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.test.id]
key_vault_kms_enabled = true
key_vault_kms_key_id = azurerm_key_vault_key.kms.id

agents_labels = {
"node1" : "label1"
}
49 changes: 0 additions & 49 deletions examples/without_monitor/disk_encryption_set.tf
@@ -1,41 +1,3 @@
data "azurerm_client_config" "current" {}

resource "random_string" "key_vault_prefix" {
length = 6
special = false
upper = false
numeric = false
}

data "curl" "public_ip" {
count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0

http_method = "GET"
uri = "https://api.ipify.org?format=json"
}

locals {
# We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
}

resource "azurerm_key_vault" "des_vault" {
location = local.resource_group.location
name = "${random_string.key_vault_prefix.result}-des-keyvault"
resource_group_name = local.resource_group.name
sku_name = "premium"
tenant_id = data.azurerm_client_config.current.tenant_id
enabled_for_disk_encryption = true
purge_protection_enabled = true
soft_delete_retention_days = 7

network_acls {
bypass = "AzureServices"
default_action = "Deny"
ip_rules = [local.public_ip]
}
}

resource "azurerm_key_vault_key" "des_key" {
key_opts = [
"decrypt",
Expand Down Expand Up @@ -81,14 +43,3 @@ resource "azurerm_key_vault_access_policy" "des" {
"UnwrapKey"
]
}

resource "azurerm_key_vault_access_policy" "current_user" {
key_vault_id = azurerm_key_vault.des_vault.id
object_id = coalesce(var.managed_identity_principal_id, data.azurerm_client_config.current.object_id)
tenant_id = data.azurerm_client_config.current.tenant_id
key_permissions = [
"Get",
"Create",
"Delete",
]
}
