// Copyright © Microsoft Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
# Random 18-byte value that becomes the `entitlement-key` secret below
# (consumed as random_id.entitlement_key.hex, i.e. 36 hex characters).
# Like any resource attribute, the generated value is kept in Terraform state.
resource "random_id" "entitlement_key" {
  byte_length = 18
}
# Key Vault that holds every secret of this template. The local module creates
# the vault itself; secrets and access policies are attached by the blocks below.
module "keyvault" {
  source              = "../../modules/providers/azure/keyvault"
  keyvault_name       = local.kv_name
  resource_group_name = azurerm_resource_group.app_rg.name
}
locals {
  # Name => value of every secret written into the vault by `module.keyvault_secrets`.
  # Most of the values are credentials (account keys, connection strings, the SP
  # password, the Elastic password); consumers should resolve them through the
  # vault (see `app_setting_kv_format`) rather than copy the raw value around.
  secrets_map = {
    # Service Principal Secrets
    app-dev-sp-username  = module.app_management_service_principal.client_id
    app-dev-sp-password  = module.app_management_service_principal.client_secret
    app-dev-sp-tenant-id = data.azurerm_client_config.current.tenant_id

    # AAD Application Secrets
    aad-client-id = module.ad_application.id

    # App Service Auth Related Secrets
    entitlement-key = random_id.entitlement_key.hex

    # App Insights Secrets
    appinsights-key = module.app_insights.app_insights_instrumentation_key

    # Service Bus Namespace Secrets
    sb-connection = module.service_bus.service_bus_namespace_default_connection_string

    # Storage Account Secrets
    storage-account-key = module.storage_account.primary_access_key

    # Cosmos Cluster Secrets
    cosmos-endpoint    = module.cosmosdb_account.properties.cosmosdb.endpoint
    cosmos-primary-key = module.cosmosdb_account.properties.cosmosdb.primary_master_key
    cosmos-connection  = module.cosmosdb_account.properties.cosmosdb.connection_strings[0]

    # Elastic Search Cluster Secrets
    elastic-endpoint = var.elasticsearch_endpoint
    elastic-username = var.elasticsearch_username
    elastic-password = var.elasticsearch_password
  }

  # Secret name => Key Vault secret id, one entry per secret created from `secrets_map`.
  output_secret_map = { for secret in module.keyvault_secrets.keyvault_secret_attributes : secret.name => secret.id }

  # Format of an App Service setting that is resolved from a Key Vault secret URI
  # at runtime, so the setting itself never carries the secret value.
  app_setting_kv_format = "@Microsoft.KeyVault(SecretUri=%s)"
}
# Writes each entry of `local.secrets_map` into the vault as a Key Vault secret;
# its `keyvault_secret_attributes` output feeds `local.output_secret_map`.
module "keyvault_secrets" {
  source      = "../../modules/providers/azure/keyvault-secret"
  keyvault_id = module.keyvault.keyvault_id
  secrets     = local.secrets_map
}
/* Access for `authn_app_service` */
# Read-only policy for the identity of `authn_app_service`: get/list on keys,
# secrets and certificates. NOTE(review): if this identity only ever reads
# secrets, the key and certificate grants could be dropped — confirm against
# the keyvault-policy module's defaults before narrowing.
module "authn_app_service_keyvault_access_policy" {
  source = "../../modules/providers/azure/keyvault-policy"

  vault_id   = module.keyvault.keyvault_id
  tenant_id  = module.authn_app_service.app_service_identity_tenant_id
  object_ids = module.authn_app_service.app_service_identity_object_ids

  # The same read-only permission set on every object type.
  key_permissions = [
    "get",
    "list",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
  certificate_permissions = [
    "get",
    "list",
  ]
}
/* Access for `function_app` */
# Read-only policy for the identity of `function_app`, mirroring the one granted
# to `authn_app_service`: get/list on keys, secrets and certificates.
# NOTE(review): as for the app service policy, key/certificate grants may be
# unnecessary if the function only reads secrets — confirm before narrowing.
module "function_app_keyvault_access_policy" {
  source = "../../modules/providers/azure/keyvault-policy"

  vault_id   = module.keyvault.keyvault_id
  tenant_id  = module.function_app.identity_tenant_id
  object_ids = module.function_app.identity_object_ids

  # The same read-only permission set on every object type.
  key_permissions = [
    "get",
    "list",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
  certificate_permissions = [
    "get",
    "list",
  ]
}
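/* Access for `app_management_service_principal` */
# Read/write policy for the management service principal.
#
# The tenant is taken from the deploying credentials — the same value this file
# records as the `app-dev-sp-tenant-id` secret — instead of from the identity of
# `authn_app_service`. The policy therefore no longer relies on the SP and the
# app service identity happening to live in the same Azure AD tenant.
#
# NOTE(review): "update"/"delete" on keys and certificates and "set"/"delete" on
# secrets are write grants, broader than the read-only policies above; confirm
# each one is required by the SP's workflow and drop those that are not.
module "app_management_service_principal_keyvault_access_policy" {
  source = "../../modules/providers/azure/keyvault-policy"

  vault_id   = module.keyvault.keyvault_id
  tenant_id  = data.azurerm_client_config.current.tenant_id
  object_ids = [module.app_management_service_principal.id]

  key_permissions = [
    "update",
    "delete",
    "get",
    "list",
  ]
  secret_permissions = [
    "set",
    "delete",
    "get",
    "list",
  ]
  certificate_permissions = [
    "update",
    "delete",
    "get",
    "list",
  ]
}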