

Add network_acls back to KeyVault
lonegunmanb committed Jun 22, 2022
1 parent e923ad8 commit 6a5411f
Showing 4 changed files with 49 additions and 12 deletions.
19 changes: 17 additions & 2 deletions test/fixture/disk_encryption_set.tf
Expand Up @@ -7,7 +7,17 @@ resource "random_string" "key_vault_prefix" {
number = false
}

#tfsec:ignore:azure-keyvault-specify-network-acl
data "curl" "public_ip" {
count = var.key_vault_firewall_bypass_ip_cidr == null ? 1 : 0
http_method = "GET"
uri = "https://api.ipify.org?format=json"
}

locals {
# We cannot use coalesce here because it's not short-circuit and public_ip's index will cause error
public_ip = var.key_vault_firewall_bypass_ip_cidr == null ? jsondecode(data.curl.public_ip[0].response).ip : var.key_vault_firewall_bypass_ip_cidr
}

resource "azurerm_key_vault" "des_vault" {
name = "${random_string.key_vault_prefix.result}-des-keyvault"
location = azurerm_resource_group.main.location
Expand All @@ -17,7 +27,12 @@ resource "azurerm_key_vault" "des_vault" {
soft_delete_retention_days = 7
enabled_for_disk_encryption = true
purge_protection_enabled = true
#checkov:skip=CKV_AZURE_109:We don't know how to get caller's ip so our request to create key will be blocked by the firewall.

network_acls {
bypass = "AzureServices"
default_action = "Deny"
ip_rules = [local.public_ip]
}
}

resource "azurerm_key_vault_key" "des_key" {
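Review bot: The address that lands in `ip_rules` at line 44 comes straight from the `api.ipify.org` body decoded at line 29, with nothing checking that `.ip` exists or holds a single IPv4 address or CIDR, so a malformed or tampered response either aborts the plan at `jsondecode(...)` or writes an unintended address into the vault's firewall allow-list. A `lifecycle { precondition { ... } }` on `azurerm_key_vault.des_vault` with a condition such as `can(cidrnetmask("${local.public_ip}/32")) || can(cidrnetmask(local.public_ip))` and an `error_message` naming the expected form would reject anything else before apply (preconditions need Terraform >= 1.2, which versions.tf does not pin). The `#tfsec:ignore:azure-keyvault-specify-network-acl` comment at line 20 now sits above the `curl` data source rather than the key vault, and with `network_acls` present it looks stale; the same appears to apply to the checkov skip at line 39 if it survives this change. The `curl` lookup also runs on every plan, so a one-line comment on the `locals` block noting that an offline plan fails unless `key_vault_firewall_bypass_ip_cidr` is set would save the next maintainer some confusion.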
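--- a/test/fixture/main.tf
+++ b/test/fixture/main.tf
@@ -1,13 +1,3 @@
-provider "azurerm" {
-features {
-key_vault {
-recover_soft_deleted_key_vaults = false
-purge_soft_delete_on_destroy = false
-purge_soft_deleted_keys_on_destroy = false
-}
-}
-}
-
 resource "random_id" "prefix" {
 byte_length = 8
 }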
5 changes: 5 additions & 0 deletions test/fixture/variables.tf
Expand Up @@ -4,3 +4,8 @@ variable "location" {

variable "client_id" {}
variable "client_secret" {}

variable "key_vault_firewall_bypass_ip_cidr" {
type = string
default = null
}
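Review bot: `key_vault_firewall_bypass_ip_cidr` (lines 74-77) carries no `description` and no `validation`, although when set it skips the `curl` lookup and its value is placed directly into the key vault's `ip_rules`, so a typo such as a hostname or an empty string only surfaces as an Azure API error at apply time. A `validation` block with `condition = var.key_vault_firewall_bypass_ip_cidr == null || can(cidrnetmask(var.key_vault_firewall_bypass_ip_cidr))` and an `error_message` naming the expected IPv4 CIDR form would catch that at plan time. A `description` along the lines of `"IPv4 CIDR allowed through the Key Vault firewall; when null the caller's public IP is looked up via api.ipify.org."` records why the variable exists and what setting it changes.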
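--- a/test/fixture/versions.tf
+++ b/test/fixture/versions.tf
@@ -0,0 +1,27 @@
+terraform {
+required_providers {
+azurerm = {
+source = "hashicorp/azurerm"
+version = ">= 3.3"
+}
+curl = {
+source = "anschoewe/curl"
+version = "1.0.2"
+}
+}
+}
+
+provider "curl" {}
+
+provider "azurerm" {
+features {
+resource_group {
+prevent_deletion_if_contains_resources = false
+}
+key_vault {
+recover_soft_deleted_key_vaults = false
+purge_soft_delete_on_destroy = false
+purge_soft_deleted_keys_on_destroy = false
+}
+}
+}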
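Review bot: `anschoewe/curl` (lines 87-90) is a community provider pinned to an exact version, but nothing here pins what that version resolves to: without a committed `.terraform.lock.hcl`, every `terraform init` re-downloads the provider and trusts whatever the registry serves for `1.0.2`, and that provider then makes outbound HTTP calls during every plan. Committing the lock file (generated with `terraform providers lock` for the platforms CI runs on) records the provider checksums so a republished artifact fails `init` instead of executing. The `terraform` block at line 81 also lacks `required_version`; pinning a minimum keeps the fixture's behaviour consistent across runners. A short comment above the `curl` entry, e.g. `# community provider, used only to look up the runner's public IP for the Key Vault firewall`, would tell the next reader why a non-HashiCorp provider is in a test fixture.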
