
terraform-azure-mcaf-key-vault

Terraform module to deploy an Azure Key Vault with secure defaults (RBAC authorization, purge protection, public access disabled, network default action Deny), and optionally a pair of customer managed keys (one RSA, one EC) plus any further keys you describe.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.7 |
| azurerm | >= 4 |

Providers

| Name | Version |
|------|---------|
| azurerm | 4.3.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_key_vault.this | resource |
| azurerm_key_vault_key.cmkrsa | resource |
| azurerm_key_vault_key.this | resource |
| azurerm_role_assignment.this | resource |
| azurerm_client_config.current | data source |

Inputs

key_vault

Description: This object describes the configuration for an Azure Key Vault.

The following arguments are supported:

- name - (Required) The name of the Key Vault.
- tenant_id - (Required) The Microsoft Entra ID (Azure AD) tenant ID used to authenticate requests to the Key Vault.
- resource_group_name - (Required) The name of the resource group in which to create the Key Vault.
- location - (Optional) The location of the Key Vault. If not provided, the location of the calling module is used.
- enabled_for_disk_encryption - (Optional) Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Default is false.
- enabled_for_deployment - (Optional) Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the vault. Default is false.
- enabled_for_template_deployment - (Optional) Specifies whether Azure Resource Manager is permitted to retrieve secrets from the vault during template deployment. Default is false.
- enable_rbac_authorization - (Optional) Specifies whether data-plane access to keys, secrets and certificates is authorized through Azure RBAC role assignments instead of vault access policies. Default is true.
- purge_protection - (Optional) Specifies whether protection against purge is enabled for this Key Vault. Once enabled it cannot be disabled again. Default is true.
- soft_delete_retention_days - (Optional) The number of days that soft-deleted items are retained, between 7 and 90. Default is 30.
- public_network_access_enabled - (Optional) Specifies whether the vault's public endpoint accepts requests at all. Default is false.
- default_action - (Optional) The default action (Allow or Deny) applied when no rule from the network ACLs matches. Default is Deny.
- sku - (Optional) The SKU of the Key Vault, standard or premium. Default is standard.
- ip_rules - (Optional) List of IP addresses or CIDR ranges that are permitted to access the Key Vault. Default is an empty list.
- subnet_ids - (Optional) List of subnet IDs that are permitted to access the Key Vault. Default is an empty list.
- network_bypass - (Optional) Specifies which traffic can bypass the network rules. Possible values are AzureServices and None. Default is None.
- cmk_keys_create - (Optional) Specifies whether to create customer managed keys. Default is false.
- cmkrsa_key_name - (Optional) The name of the RSA customer managed key to create. Default is cmkrsa.
- cmkec_key_name - (Optional) The name of the EC customer managed key to create. Default is cmkec.
- cmk_rotation_period - (Optional) ISO 8601 duration after which the customer managed keys are rotated. Default is P18M (18 months).
- cmk_expiry_period - (Optional) ISO 8601 duration after which the customer managed keys expire. Default is P2Y (2 years).
- cmk_notify_period - (Optional) ISO 8601 duration before expiry at which an expiry notification is raised. Default is P30D (30 days).
- cmk_expiration_date - (Optional) An explicit expiration date for the customer managed keys. Default is null.
- tags - (Optional) A mapping of tags to assign to the Key Vault. Default is an empty map.

Example Inputs:

```hcl
key_vault = {
  name                            = "my-key-vault"
  tenant_id                       = "00000000-0000-0000-0000-000000000000"
  resource_group_name             = "my-resource-group" # required; illustrative value
  enabled_for_disk_encryption     = true
  enabled_for_deployment          = true
  enabled_for_template_deployment = true
  enable_rbac_authorization       = true
  purge_protection                = true
  default_action                  = "Deny"
  soft_delete_retention_days      = 30
  sku                             = "standard"
  cmkrsa_key_name                 = "cmkrsa"
  cmkec_key_name                  = "cmkec"
  cmk_keys_create                 = true
}
```

Type:

```hcl
object({
  name                            = string
  tenant_id                       = string
  resource_group_name             = string
  location                        = optional(string, null)
  enabled_for_disk_encryption     = optional(bool, false)
  enabled_for_deployment          = optional(bool, false)
  enabled_for_template_deployment = optional(bool, false)
  enable_rbac_authorization       = optional(bool, true)
  purge_protection                = optional(bool, true)
  soft_delete_retention_days      = optional(number, 30)
  public_network_access_enabled   = optional(bool, false)
  default_action                  = optional(string, "Deny")
  sku                             = optional(string, "standard")
  ip_rules                        = optional(list(string), [])
  subnet_ids                      = optional(list(string), [])
  network_bypass                  = optional(string, "None")
  cmk_keys_create                 = optional(bool, false)
  cmkrsa_key_name                 = optional(string, "cmkrsa")
  cmkec_key_name                  = optional(string, "cmkec")
  cmk_rotation_period             = optional(string, "P18M")
  cmk_expiry_period               = optional(string, "P2Y")
  cmk_notify_period               = optional(string, "P30D")
  cmk_expiration_date             = optional(string, null)
  tags                            = optional(map(string), {})
})
```

Default: n/a

Required: yes
tags

Description: A mapping of tags to assign to the resources.

Type: map(string)

Default: n/a

Required: yes

key_vault_key

Description: This map describes additional Azure Key Vault keys to create in the Key Vault deployed by this module. Each map key is a label of your choosing; each value supports the following arguments, all optional:

- name - The name of the key.
- type - The key type, for example RSA, RSA-HSM, EC or EC-HSM.
- size - The key size in bits; used for RSA keys.
- curve - The elliptic curve (P-256, P-384, P-521 or P-256K); used for EC keys.
- opts - The key operations that are permitted, for example encrypt, decrypt, sign, verify, wrapKey, unwrapKey. Grant only the operations the consumer of the key needs.
- expiration_date - RFC 3339 timestamp after which the key may no longer be used.
- not_before_date - RFC 3339 timestamp before which the key may not be used.
- rotation_policy - An object with expire_after, notify_before_expiry and an automatic block (time_after_creation or time_before_expiry), all ISO 8601 durations.
- tags - A mapping of tags to assign to the key.

Example Inputs:

```hcl
key_vault_key = {
  key_rsa = {
    type = "RSA"
    size = 4096
    opts = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
  }
  key_ec = {
    type  = "EC"
    curve = "P-256"
    opts  = ["sign", "verify"]
  }
}
```

Type:

```hcl
map(object({
  name            = optional(string, null)
  curve           = optional(string, null)
  size            = optional(number, null)
  type            = optional(string, null)
  opts            = optional(list(string), null)
  expiration_date = optional(string, null)
  not_before_date = optional(string, null)
  rotation_policy = optional(object({
    automatic = optional(object({
      time_after_creation = optional(string, null)
      time_before_expiry  = optional(string, null)
    }), null)
    expire_after         = optional(string, null)
    notify_before_expiry = optional(string, null)
  }), null)
  tags = optional(map(string), {})
}))
```

Default: null

Required: no

Outputs

| Name | Description |
|------|-------------|
| cmkrsa_id | CMK RSA Key ID |
| cmkrsa_key_name | CMK RSA Key Name |
| cmkrsa_resource_resource_id | CMK RSA Key Resource ID |
| cmkrsa_resource_versionless_id | CMK RSA Key Versionless Resource ID |
| cmkrsa_versionless_id | CMK RSA Key Versionless ID |
| key_vault_id | The ID of the Key Vault |
| key_vault_name | The name of the Key Vault |
| key_vault_uri | The URI of the Key Vault |
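
Usage

The following root module is an added example of calling this module end to end; it is not code from the module itself. It wires the inputs above into a locked-down vault, adds a dedicated signing key with an explicit rotation policy, and binds the module's RSA customer managed key to a storage account through the outputs. The module `source` (unpinned here), the resource group, virtual network and subnet names, and the two `storage_account_*` variables are assumptions for illustration.

```hcl
# Added example, not part of the module. Assumed: module source, resource group,
# VNet/subnet names, and an existing storage account with a managed identity.

data "azurerm_client_config" "current" {}

# Resolve the application subnet instead of hard-coding a resource ID.
# The subnet needs the Microsoft.KeyVault service endpoint for the ACL to apply.
data "azurerm_subnet" "app" {
  name                 = "snet-app"
  virtual_network_name = "vnet-prod-weu-001"
  resource_group_name  = "rg-network-prod-weu-001"
}

module "key_vault" {
  source = "github.com/schubergphilis/terraform-azure-mcaf-key-vault" # assumed; pin a release with ?ref=

  key_vault = {
    name                = "kv-prod-weu-001"
    tenant_id           = data.azurerm_client_config.current.tenant_id
    resource_group_name = "rg-prod-weu-001"
    location            = "westeurope"

    # Data-plane authorization via Azure RBAC role assignments, no access policies.
    enable_rbac_authorization = true

    # Recovery posture: purge protection is one-way, so a deleted vault or key
    # stays recoverable for the whole retention window.
    purge_protection           = true
    soft_delete_retention_days = 90

    # Network posture: public endpoint off, default Deny, no IP allow list,
    # only the application subnet admitted. AzureServices bypass is set because
    # the storage platform below reaches the vault as a trusted Microsoft service.
    public_network_access_enabled = false
    default_action                = "Deny"
    network_bypass                = "AzureServices"
    ip_rules                      = []
    subnet_ids                    = [data.azurerm_subnet.app.id]

    # Module-created CMKs: rotate yearly, expire after two years, and raise an
    # expiry notification 30 days ahead so a failed rotation is caught in time.
    cmk_keys_create     = true
    cmkrsa_key_name     = "cmk-storage-rsa"
    cmk_rotation_period = "P1Y"
    cmk_expiry_period   = "P2Y"
    cmk_notify_period   = "P30D"
  }

  # Extra key with an explicit rotation policy; the map key is only a label.
  key_vault_key = {
    app_signing = {
      name  = "app-signing-ec"
      type  = "EC"
      curve = "P-256"
      opts  = ["sign", "verify"] # a signing key gets no encrypt/wrap operations
      rotation_policy = {
        expire_after         = "P1Y"
        notify_before_expiry = "P30D"
        automatic = {
          time_before_expiry = "P30D" # rotate 30 days before the version expires
        }
      }
    }
  }

  tags = {
    environment = "prod"
    owner       = "platform-team"
  }
}

# The storage account's identity needs the least-privilege crypto role on the
# vault (wrap/unwrap only) before the CMK binding can succeed.
resource "azurerm_role_assignment" "storage_cmk" {
  scope                = module.key_vault.key_vault_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = var.storage_account_principal_id
}

# Bind the module's RSA CMK by name. No key_version is given, so the storage
# service follows the newest version after every rotation.
resource "azurerm_storage_account_customer_managed_key" "this" {
  storage_account_id = var.storage_account_id
  key_vault_id       = module.key_vault.key_vault_id
  key_name           = module.key_vault.cmkrsa_key_name

  depends_on = [azurerm_role_assignment.storage_cmk]
}

variable "storage_account_id" {
  description = "Assumed: ID of an existing storage account with a managed identity."
  type        = string
}

variable "storage_account_principal_id" {
  description = "Assumed: principal ID of that storage account's managed identity."
  type        = string
}
```

Two checks are worth running before relying on this: confirm with `terraform plan` that the vault shows `public_network_access_enabled = false` and `network_acls.default_action = "Deny"` as expected, and confirm against the current Key Vault firewall documentation that the trusted-service bypass is still honoured with public network access disabled in your region; if the CMK binding is refused by the vault firewall, a private endpoint for the storage service is the alternative path.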

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.