
add tf authed user to keyvault access list
ausfestivus committed Nov 7, 2019
1 parent 27be825 commit e17be74
Showing 1 changed file with 57 additions and 2 deletions.
59 changes: 57 additions & 2 deletions examples/bootstrap-azure/key_vault.tf
@@ -1,15 +1,68 @@
# read in current AzureRM client config so we can give it some permissions wrt the Keyvault.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "new" {
name = "${local.prefix}"
resource_group_name = "${azurerm_resource_group.new.name}"
location = "${var.location}"
sku_name = "standard"
tenant_id = "${var.key_vault_tenant_id}"
tenant_id = "${var.key_vault_tenant_id}" # The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
tags = "${local.tags}"
enabled_for_deployment = true
enabled_for_template_deployment = true
}

# access policy for the ecurrent signed in user building the vault.
resource "azurerm_key_vault_access_policy" "new-user" {
key_vault_id = "${azurerm_key_vault.new.id}"
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
key_permissions = [
"backup",
"create",
"decrypt",
"delete",
"encrypt",
"get",
"import",
"list",
"purge",
"recover",
"restore",
"sign",
"unwrapKey",
"update",
"verify",
"wrapKey",
]

secret_permissions = [
"backup",
"delete",
"get",
"list",
"purge",
"recover",
"restore",
"set",
]
certificate_permissions = [
"create",
"delete",
"deleteissuers",
"get",
"getissuers",
"import",
"list",
"listissuers",
"managecontacts",
"manageissuers",
"setissuers",
"update",
]
}

# access policy for the required/created/dedicated/selected keyvault SP user
resource "azurerm_key_vault_access_policy" "new-user" {
key_vault_id = "${azurerm_key_vault.new.id}"
tenant_id = "${var.key_vault_tenant_id}"
Expand Down Expand Up @@ -38,6 +91,7 @@ resource "azurerm_key_vault_access_policy" "new-user" {
]
}

# access policy for the required/created/dedicated/selected keyvault SP user
resource "azurerm_key_vault_access_policy" "new-app" {
key_vault_id = "${azurerm_key_vault.new.id}"
tenant_id = "${var.key_vault_tenant_id}"
Expand Down Expand Up @@ -65,4 +119,5 @@ resource "azurerm_key_vault_access_policy" "new-app" {
"import",
"delete",
]
}
}
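Review bot: The added policy block `resource "azurerm_key_vault_access_policy" "new-user"` reuses the label of the pre-existing SP policy that follows it (the second hunk header still reads `"new-user"`), so the file appears to declare two resources at the same address and `terraform validate` would reject it; rename the added block, e.g. `resource "azurerm_key_vault_access_policy" "terraform-user" {`, and fix the `ecurrent` typo in its comment while there (the `+`/`-` markers are lost in this rendering, so this is inferred from the hunk headers). The new block also keys on `data.azurerm_client_config.current.service_principal_object_id`, which is only populated when Terraform authenticates as a service principal, so a run authenticated as an interactive user (which the commit title suggests) would pass an empty `object_id`; the generic `object_id` attribute of the same data source covers both cases. Granting the bootstrap identity `purge` on keys and secrets lets it bypass soft-delete recovery, so consider dropping `purge` from both lists unless the bootstrap flow genuinely purges. Note too that this policy's `tenant_id` comes from the client config while the vault itself uses `var.key_vault_tenant_id`; if those ever differ the policy will fail to apply.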
