feat: Implement support for KMS arguments
mkilchhofer committed Jan 8, 2023
1 parent 6b3a878 commit fc2b23f
Showing 3 changed files with 38 additions and 0 deletions.
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -302,6 +302,10 @@ No modules.
| <a name="input_ingress_application_gateway_name"></a> [ingress\_application\_gateway\_name](#input\_ingress\_application\_gateway\_name) | The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
| <a name="input_ingress_application_gateway_subnet_cidr"></a> [ingress\_application\_gateway\_subnet\_cidr](#input\_ingress\_application\_gateway\_subnet\_cidr) | The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
| <a name="input_ingress_application_gateway_subnet_id"></a> [ingress\_application\_gateway\_subnet\_id](#input\_ingress\_application\_gateway\_subnet\_id) | The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. | `string` | `null` | no |
| <a name="input_key_vault_kms_enabled"></a> [key\_vault\_kms\_enabled](#input\_key\_vault\_kms\_enabled) | (Optional) Enable Azure KeyVault Key Management Service. | `bool` | `false` | no |
| <a name="input_key_vault_kms_key_id"></a> [key\_vault\_kms\_key\_id](#input\_key\_vault\_kms\_key\_id) | (Optional) Identifier of Azure Key Vault key. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. | `string` | `null` | no |
| <a name="input_key_vault_kms_network_access"></a> [key\_vault\_kms\_network\_access](#input\_key\_vault\_kms\_network\_access) | (Optional) Network Access of Azure Key Vault. Possible values are: `Private` and `Public`. If not set, defaults to type `Public`. | `string` | `null` | no |
| <a name="input_key_vault_kms_resource_id"></a> [key\_vault\_kms\_resource\_id](#input\_key\_vault\_kms\_resource\_id) | (Optional) Resource ID of Azure Key Vault. When `key_vault_kms_network_access` is `Private`, this field is required and must be a valid resource ID. When `key_vault_kms_network_access` is `Public`, leave the field empty. | `string` | `null` | no |
| <a name="input_key_vault_secrets_provider_enabled"></a> [key\_vault\_secrets\_provider\_enabled](#input\_key\_vault\_secrets\_provider\_enabled) | (Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver | `bool` | `false` | no |
| <a name="input_kubernetes_version"></a> [kubernetes\_version](#input\_kubernetes\_version) | Specify which Kubernetes release to use. The default used is the latest Kubernetes version available in the region | `string` | `null` | no |
| <a name="input_load_balancer_profile_enabled"></a> [load\_balancer\_profile\_enabled](#input\_load\_balancer\_profile\_enabled) | (Optional) Enable a load\_balancer\_profile block. This can only be used when load\_balancer\_sku is set to `standard`. | `bool` | `false` | no |
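Review bot: the `key_vault_kms_enabled` row gives the reader no hint that switching it on makes `key_vault_kms_key_id` mandatory (that row's own text says "this field is required") and that `Private` network access additionally requires `key_vault_kms_resource_id`; since this table is what module users read first, state both dependencies in the enabled row, e.g. `(Optional) Enable Azure KeyVault Key Management Service. Requires key_vault_kms_key_id; with Private network access also key_vault_kms_resource_id.` The `Required` column showing `no` for all four rows is correct, as they are only conditionally required, which is exactly why the description should carry the conditions.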
10 changes: 10 additions & 0 deletions main.tf
Expand Up @@ -136,6 +136,16 @@ resource "azurerm_kubernetes_cluster" "main" {
subnet_id = var.ingress_application_gateway_subnet_id
}
}
dynamic "key_vault_kms" {
for_each = var.key_vault_kms_enabled ? ["key_vault_kms"] : []

content {
enabled = var.key_vault_kms_enabled
key_id = var.key_vault_kms_key_id
key_vault_network_access = var.key_vault_kms_network_access
key_vault_resource_id = var.key_vault_kms_resource_id
}
}
dynamic "key_vault_secrets_provider" {
for_each = var.key_vault_secrets_provider_enabled ? ["key_vault_secrets_provider"] : []

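Review bot: `enabled = var.key_vault_kms_enabled` inside the `content` block is redundant: the `for_each = var.key_vault_kms_enabled ? ["key_vault_kms"] : []` guard means the block only exists when that variable is already `true`, so the argument can never evaluate to anything else here. Before keeping it, confirm with `terraform validate` against the pinned provider version that the `key_vault_kms` block actually accepts an `enabled` argument; if the block's presence alone turns KMS on, drop the line so the dynamic block mirrors the `key_vault_secrets_provider` block below it, which passes only the block's own settings. Passing the `null` default of `key_vault_kms_network_access` straight through is fine, since the variable description already says the provider-side default of `Public` then applies.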
24 changes: 24 additions & 0 deletions variables.tf
Expand Up @@ -215,6 +215,30 @@ variable "ingress_application_gateway_subnet_id" {
default = null
}

variable "key_vault_kms_enabled" {
type = bool
description = "(Optional) Enable Azure KeyVault Key Management Service."
default = false
}

variable "key_vault_kms_key_id" {
type = string
description = "(Optional) Identifier of Azure Key Vault key. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier."
default = null
}

variable "key_vault_kms_network_access" {
type = string
description = "(Optional) Network Access of Azure Key Vault. Possible values are: `Private` and `Public`. If not set, defaults to type `Public`."
default = null
}

variable "key_vault_kms_resource_id" {
type = string
description = "(Optional) Resource ID of Azure Key Vault. When `key_vault_kms_network_access` is `Private`, this field is required and must be a valid resource ID. When `key_vault_kms_network_access` is `Public`, leave the field empty."
default = null
}

variable "key_vault_secrets_provider_enabled" {
type = bool
description = "(Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver"
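Review bot: none of the four new variables carries a `validation` block, so the constraints the descriptions promise are enforced only by the Azure API at apply time, after a plan has already been accepted. `key_vault_kms_network_access` is documented as accepting only `Private` and `Public`, which can be checked locally with a condition such as `var.key_vault_kms_network_access == null || contains(["Private", "Public"], var.key_vault_kms_network_access)` and an error message naming the two allowed values. The cross-variable rules (`key_vault_kms_key_id` required when `key_vault_kms_enabled` is true, `key_vault_kms_resource_id` required when network access is `Private`) cannot live in a variable `validation` block, which may only reference its own variable (cross-variable references only arrived in Terraform 1.9), so they belong in a `precondition` on the `azurerm_kubernetes_cluster` resource in main.tf; otherwise a user who sets `key_vault_kms_enabled = true` and forgets the key ID gets a provider error instead of a clear module message.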

0 comments on commit fc2b23f