Merge pull request #29 from Diaxion/master
Fix key vault creation in Azure allowing the terraform run to upload certs
bnferguson authored Dec 11, 2019
2 parents c53f691 + a3b84ee commit 0583c2b
Showing 3 changed files with 93 additions and 7 deletions.
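--- a/examples/bootstrap-azure/README.md
+++ b/examples/bootstrap-azure/README.md
@@ -11,6 +11,7 @@ The only required inputs are a object-id and tenant-id to give access to the key
 |------|-------------|:----:|:-----:|:-----:|
 | key\_vault\_object\_id | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. | string | n/a | yes |
 | key\_vault\_tenant\_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string | n/a | yes |
+| application\_id | The application ID of the service principal for the vault. | string | n/a | yes |
 | additional\_tags | A map of additional tags to attach to all resources created. | map | `{}` | no |
 | address\_space | CIDR block range to use for the network. | string | `"10.0.0.0/16"` | no |
 | address\_space\_allowlist | CIDR block range to use to allow traffic from | string | `"*"` | no |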
93 changes: 87 additions & 6 deletions examples/bootstrap-azure/key_vault.tf
@@ -1,34 +1,115 @@
# read in current AzureRM client config so we can give it some permissions wrt the Keyvault.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "new" {
name = "${local.prefix}"
name = "${local.prefix}-kv"
resource_group_name = "${azurerm_resource_group.new.name}"
location = "${var.location}"
sku_name = "standard"
tenant_id = "${var.key_vault_tenant_id}"
tenant_id = "${var.key_vault_tenant_id}" # The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
tags = "${local.tags}"
enabled_for_deployment = true
enabled_for_template_deployment = true

access_policy {
access_policy { # access policy for the current signed in user building the vault.
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
key_permissions = [
"backup",
"create",
"decrypt",
"delete",
"encrypt",
"get",
"import",
"list",
"purge",
"recover",
"restore",
"sign",
"unwrapKey",
"update",
"verify",
"wrapKey",
]
secret_permissions = [
"backup",
"delete",
"get",
"list",
"purge",
"recover",
"restore",
"set",
]
certificate_permissions = [
"create",
"delete",
"deleteissuers",
"get",
"getissuers",
"import",
"list",
"listissuers",
"managecontacts",
"manageissuers",
"setissuers",
"update",
]
}

access_policy { # access policy for the required/created/dedicated/selected keyvault SP user
tenant_id = "${var.key_vault_tenant_id}"
object_id = "${var.key_vault_object_id}"

certificate_permissions = [
key_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]
secret_permissions = [
"get",
"list",
"set",
"delete",
]
certificate_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]
}

access_policy { # access policy for the required/created/dedicated/selected keyvault SP user
tenant_id = "${var.key_vault_tenant_id}"
object_id = "${var.key_vault_object_id}"
application_id = "${var.application_id}"
key_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]

secret_permissions = [
"get",
"list",
"set",
"delete",
]
certificate_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]
}
}
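Review bot: The two access_policy blocks for the "required/created/dedicated/selected keyvault SP user" grant identical key, secret and certificate permissions to the same tenant_id and object_id and carry the same comment; the only difference is that the second one sets `application_id`. If both are intended (one for the principal on its own, one for the compound identity of principal plus application) the second comment should say so, e.g. `# same principal, but scoped to the compound identity principal + application_id`; otherwise one of them is redundant and the two lists will drift apart as permissions are edited. The policy for the identity running Terraform grants far more than uploading certificates needs (decrypt, sign, unwrapKey and purge on keys, purge on secrets), so trimming it to the certificate operations the run actually performs would keep the vault closer to least privilege. I also believe `service_principal_object_id` on the client config data source is only populated when the caller authenticates as a service principal, so a run authenticated as a user would likely yield an empty object_id here; worth confirming against the provider version this example pins.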
6 changes: 5 additions & 1 deletion examples/bootstrap-azure/variables.tf
Expand Up @@ -34,7 +34,11 @@ variable "key_vault_tenant_id" {
}

variable "key_vault_object_id" {
description = "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault."
description = "The object ID of the service principal for the vault."
}

variable "application_id" {
description = "The application ID of the service principal for the vault."
}

locals {
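Review bot: The reworded `key_vault_object_id` description now says "service principal" while the README table in this same commit still describes the variable as "a user, service principal or security group", so the two are out of sync; either the README row should be updated to match, or the description here kept broad if user and group object IDs are still accepted by the vault access policy. The new `application_id` variable, like `key_vault_object_id`, carries no `type`, although the README advertises both as `string`; if the other variables in this file declare a type, adding `type = "string"` to these two would make the expected input explicit and catch a map or list being passed by mistake. The surrounding `locals` block continues outside this hunk.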
