
Fix key vault creation in Azure allowing the terraform run to upload certs #29

Merged
merged 10 commits into from
Dec 11, 2019
1 change: 1 addition & 0 deletions examples/bootstrap-azure/README.md
Expand Up @@ -11,6 +11,7 @@ The only required inputs are a object-id and tenant-id to give access to the key
|------|-------------|:----:|:-----:|:-----:|
| key\_vault\_object\_id | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. | string | n/a | yes |
| key\_vault\_tenant\_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string | n/a | yes |
| application\_id | The application ID of the service principal for the vault. | string | n/a | yes |
| additional\_tags | A map of additional tags to attach to all resources created. | map | `{}` | no |
| address\_space | CIDR block range to use for the network. | string | `"10.0.0.0/16"` | no |
| address\_space\_allowlist | CIDR block range to use to allow traffic from | string | `"*"` | no |
93 changes: 87 additions & 6 deletions examples/bootstrap-azure/key_vault.tf
@@ -1,34 +1,115 @@
# read in current AzureRM client config so we can give it some permissions wrt the Keyvault.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "new" {
name = "${local.prefix}"
name = "${local.prefix}-kv"
resource_group_name = "${azurerm_resource_group.new.name}"
location = "${var.location}"
sku_name = "standard"
tenant_id = "${var.key_vault_tenant_id}"
tenant_id = "${var.key_vault_tenant_id}" # The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
tags = "${local.tags}"
enabled_for_deployment = true
enabled_for_template_deployment = true

access_policy {
access_policy { # access policy for the current signed in user building the vault.
tenant_id = "${data.azurerm_client_config.current.tenant_id}"
object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
key_permissions = [
"backup",
"create",
"decrypt",
"delete",
"encrypt",
"get",
"import",
"list",
"purge",
"recover",
"restore",
"sign",
"unwrapKey",
"update",
"verify",
"wrapKey",
]
secret_permissions = [
"backup",
"delete",
"get",
"list",
"purge",
"recover",
"restore",
"set",
]
certificate_permissions = [
"create",
"delete",
"deleteissuers",
"get",
"getissuers",
"import",
"list",
"listissuers",
"managecontacts",
"manageissuers",
"setissuers",
"update",
]
}

access_policy { # access policy for the required/created/dedicated/selected keyvault SP user
tenant_id = "${var.key_vault_tenant_id}"
object_id = "${var.key_vault_object_id}"

certificate_permissions = [
key_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]
secret_permissions = [
"get",
"list",
"set",
"delete",
]
certificate_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]
}

access_policy { # access policy for the required/created/dedicated/selected keyvault SP user
tenant_id = "${var.key_vault_tenant_id}"
object_id = "${var.key_vault_object_id}"
application_id = "${var.application_id}"
key_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]

secret_permissions = [
"get",
"list",
"set",
"delete",
]
certificate_permissions = [
"get",
"list",
"update",
"create",
"import",
"delete",
]
}
}
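Review bot: The third `access_policy` at L121-L148 duplicates the second at L92-L119 — same tenant_id, same object_id, the same copy-pasted comment and identical permission lists — with only `application_id` added, so a reader cannot tell whether both entries are intended or whether the second is a leftover from an earlier attempt. If both are deliberate, the comment on the third block should say what distinguishes it, e.g. `# access policy for the same SP when it presents application_id as well (separate policy entry from the plain object_id one above)`; otherwise the redundant block should be dropped. Separately, the deployer policy at L45 grants `purge` on keys and secrets plus the complete key permission set, which is far more than the certificate upload this PR is about needs — trimming it to the certificate and secret permissions actually used keeps the deploying identity least-privilege and preserves soft-delete as a safeguard. That first policy also derives its object_id from `service_principal_object_id` at L47, which, if I recall the provider attribute correctly, is populated only when Terraform authenticates as a service principal, so the "current signed in user" comment may promise more than the block delivers.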
6 changes: 5 additions & 1 deletion examples/bootstrap-azure/variables.tf
Expand Up @@ -34,7 +34,11 @@ variable "key_vault_tenant_id" {
}

variable "key_vault_object_id" {
description = "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault."
description = "The object ID of the service principal for the vault."
}

variable "application_id" {
description = "The application ID of the service principal for the vault."
}

locals {
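Review bot: The narrowed description at L157 ("the service principal") is not mirrored in the README table, whose `key_vault_object_id` row at L19 still reads "a user, service principal or security group", so the two documents now disagree about what the variable accepts. The new `application_id` variable at L160-L162 also does not say how it relates to `key_vault_object_id`; a description such as `"The application (client) ID of the service principal identified by key_vault_object_id; used in its key vault access policy."` would make the pairing explicit. Neither variable carries a `type` constraint, which matches the surrounding file and is therefore a pre-existing style choice rather than a regression introduced here.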