diff --git a/examples/bootstrap-azure/README.md b/examples/bootstrap-azure/README.md index 1bfb3fb..8cecd4b 100644 --- a/examples/bootstrap-azure/README.md +++ b/examples/bootstrap-azure/README.md @@ -11,6 +11,7 @@ The only required inputs are a object-id and tenant-id to give access to the key |------|-------------|:----:|:-----:|:-----:| | key\_vault\_object\_id | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. | string | n/a | yes | | key\_vault\_tenant\_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string | n/a | yes | +| application\_id | The application ID of the service principal for the vault. | string | n/a | yes | | additional\_tags | A map of additional tags to attach to all resources created. | map | `{}` | no | | address\_space | CIDR block range to use for the network. | string | `"10.0.0.0/16"` | no | | address\_space\_allowlist | CIDR block range to use to allow traffic from | string | `"*"` | no | diff --git a/examples/bootstrap-azure/key_vault.tf b/examples/bootstrap-azure/key_vault.tf index 593e2a6..26001a0 100644 --- a/examples/bootstrap-azure/key_vault.tf +++ b/examples/bootstrap-azure/key_vault.tf 
@@ -1,34 +1,115 @@ +# read in current AzureRM client config so we can give it some permissions wrt the Keyvault. +data "azurerm_client_config" "current" {} + resource "azurerm_key_vault" "new" { - name = "${local.prefix}" + name = "${local.prefix}-kv" resource_group_name = "${azurerm_resource_group.new.name}" location = "${var.location}" sku_name = "standard" - tenant_id = "${var.key_vault_tenant_id}" + tenant_id = "${var.key_vault_tenant_id}" # The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. tags = "${local.tags}" enabled_for_deployment = true enabled_for_template_deployment = true - access_policy { + access_policy { # access policy for the current signed in user building the vault. + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" + key_permissions = [ + "backup", + "create", + "decrypt", + "delete", + "encrypt", + "get", + "import", + "list", + "purge", + "recover", + "restore", + "sign", + "unwrapKey", + "update", + "verify", + "wrapKey", + ] + secret_permissions = [ + "backup", + "delete", + "get", + "list", + "purge", + "recover", + "restore", + "set", + ] + certificate_permissions = [ + "create", + "delete", + "deleteissuers", + "get", + "getissuers", + "import", + "list", + "listissuers", + "managecontacts", + "manageissuers", + "setissuers", + "update", + ] + } + + access_policy { # access policy for the required/created/dedicated/selected keyvault SP user tenant_id = "${var.key_vault_tenant_id}" object_id = "${var.key_vault_object_id}" - - certificate_permissions = [ + key_permissions = [ "get", "list", + "update", "create", + "import", + "delete", + ] + secret_permissions = [ + "get", + "list", + "set", "delete", ] + certificate_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] + } + access_policy { # access policy for the required/created/dedicated/selected keyvault SP 
user + tenant_id = "${var.key_vault_tenant_id}" + object_id = "${var.key_vault_object_id}" + application_id = "${var.application_id}" key_permissions = [ "get", "list", + "update", "create", + "import", + "delete", ] - secret_permissions = [ "get", "list", "set", + "delete", + ] + certificate_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", ] } } diff --git a/examples/bootstrap-azure/variables.tf b/examples/bootstrap-azure/variables.tf index 47bde30..9bd8814 100644 --- a/examples/bootstrap-azure/variables.tf +++ b/examples/bootstrap-azure/variables.tf @@ -34,7 +34,11 @@ variable "key_vault_tenant_id" { } variable "key_vault_object_id" { - description = "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault." + description = "The object ID of the service principal for the vault." +} + +variable "application_id" { + description = "The application ID of the service principal for the vault." } locals {
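Review bot: The deployer access_policy sets `object_id = "${data.azurerm_client_config.current.service_principal_object_id}"`, but that attribute is only populated when Terraform authenticates as a service principal; when the run is the "current signed in user" the comment describes, it comes back empty and the apply fails (and, as I recall, the attribute was deprecated in favour of `object_id` in azurerm 1.x and dropped in 2.0), so `object_id = "${data.azurerm_client_config.current.object_id}"` is the value that works for both. The second and third access_policy blocks grant the same `var.key_vault_object_id` the same permissions and differ only in the added `application_id`; a compound-identity entry is only needed when that application acts on behalf of the principal, and carrying both leaves a near-duplicate policy that is easy to drift and to mis-audit, so I would keep one of the two. The deployer policy also grants `decrypt`, `sign`, `unwrapKey` and `purge`, which the identity creating the vault does not need in order to manage it; trimming it to the management set (create/get/list/update/delete/recover/backup/restore) stops the bootstrap identity from being a standing cryptographic operator, and `purge` in particular removes the soft-delete safety net if that identity is compromised. If the provider version in use supports it, enabling soft delete and purge protection on the vault would make the remaining `delete` grants recoverable.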
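Review bot: The narrowed `key_vault_object_id` description ("the service principal for the vault") no longer matches how the value is used: the access_policy block that has no `application_id` still accepts a user or security group object ID, and the new `application_id` description does not say that it turns the policy into a compound-identity entry (application acting on behalf of that principal) rather than a policy for the application itself. I would keep the original wording for `key_vault_object_id` and describe the new variable as `The application ID (client ID) of the app registration that acts on behalf of key_vault_object_id; only used for a compound-identity access policy.` so a caller understands when it is actually needed.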