Commit

Merge pull request #4 from schubergphilis/add_public_network_access_enabled

feat: adding public_network_access_enabled as well
Blankf authored Nov 25, 2024
2 parents b4ba265 + ed60bc6 commit 3148282
Showing 4 changed files with 4 additions and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -33,7 +33,7 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | This object describes the configuration for an Azure Key Vault.<br><br>The following arguments are supported:<br><br>- `name` - (Required) The name of the Key Vault.<br>- `tenant_id` - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault.<br>- `resource_group_name` - (Required) The name of the resource group in which to create the Key Vault.<br>- `location` - (Optional) The location of the Key Vault. If not provided, the location of the calling module will be used.<br>- `enabled_for_disk_encryption` - (Optional) Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.<br>- `enabled_for_deployment` - (Optional) Specifies whether Azure Resource Manager is permitted to retrieve secrets from the vault.<br>- `enabled_for_template_deployment` - (Optional) Specifies whether Azure Resource Manager is permitted to retrieve secrets from the vault.<br>- `enable_rbac_authorization` - (Optional) Specifies whether Azure RBAC is permitted to retrieve secrets from the vault.<br>- `purge_protection` - (Optional) Specifies whether protection against purge is enabled for this Key Vault.<br>- `soft_delete_retention_days` - (Optional) The number of days that items should be retained for once soft deleted.<br>- `default_action` - (Optional) The default action to apply when no rules match from network\_acls block.<br>- `sku` - (Optional) The SKU of the Key Vault.<br>- `ip_rules` - (Optional) List of IP addresses that are permitted to access the key vault.<br>- `subnet_ids` - (Optional) List of subnet IDs that are permitted to access the key vault.<br>- `network_bypass` - (Optional) Specifies which traffic can bypass the network rules.<br>- `cmk_keys_create` - (Optional) Specifies whether to create custom managed keys.<br>- `cmkrsa_key_name` - (Optional) The name of the customer managed key with RSA algorithm to 
create.<br>- `cmkec_key_name` - (Optional) The name of the customer managed key with EC algorithm to create.<br><br>Example Inputs:<pre>hcl<br>key_vault = {<br> name = "my-key-vault"<br> tenant_id = "00000000-0000-0000-0000-000000000000"<br> enabled_for_disk_encryption = true<br> enabled_for_deployment = true<br> enabled_for_template_deployment = true<br> enable_rbac_authorization = true<br> purge_protection = true<br> default_action = "Deny"<br> soft_delete_retention_days = 30<br> sku = "standard"<br> cmkrsa_key_name = "cmkrsa"<br> cmkec_key_name = "cmkec"<br> cmk_keys_create = true</pre> | <pre>object({<br> name = string<br> tenant_id = string<br> resource_group_name = string<br> location = optional(string, null)<br> enabled_for_disk_encryption = optional(bool, false)<br> enabled_for_deployment = optional(bool, false)<br> enabled_for_template_deployment = optional(bool, false)<br> enable_rbac_authorization = optional(bool, true)<br> purge_protection = optional(bool, true)<br> soft_delete_retention_days = optional(number, 30)<br> default_action = optional(string, "Deny")<br> sku = optional(string, "standard")<br> ip_rules = optional(list(string), [])<br> subnet_ids = optional(list(string), [])<br> network_bypass = optional(string, "None")<br> cmk_keys_create = optional(bool, false)<br> cmkrsa_key_name = optional(string, "cmkrsa")<br> cmkec_key_name = optional(string, "cmkec")<br> cmk_rotation_period = optional(string, "P90D")<br> tags = optional(map(string), {})<br> })</pre> | n/a | yes |
| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | This object describes the configuration for an Azure Key Vault.<br><br>The following arguments are supported:<br><br>- `name` - (Required) The name of the Key Vault.<br>- `tenant_id` - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault.<br>- `resource_group_name` - (Required) The name of the resource group in which to create the Key Vault.<br>- `location` - (Optional) The location of the Key Vault. If not provided, the location of the calling module will be used.<br>- `enabled_for_disk_encryption` - (Optional) Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.<br>- `enabled_for_deployment` - (Optional) Specifies whether Azure Resource Manager is permitted to retrieve secrets from the vault.<br>- `enabled_for_template_deployment` - (Optional) Specifies whether Azure Resource Manager is permitted to retrieve secrets from the vault.<br>- `enable_rbac_authorization` - (Optional) Specifies whether Azure RBAC is permitted to retrieve secrets from the vault.<br>- `purge_protection` - (Optional) Specifies whether protection against purge is enabled for this Key Vault.<br>- `soft_delete_retention_days` - (Optional) The number of days that items should be retained for once soft deleted.<br>- `default_action` - (Optional) The default action to apply when no rules match from network\_acls block.<br>- `sku` - (Optional) The SKU of the Key Vault.<br>- `ip_rules` - (Optional) List of IP addresses that are permitted to access the key vault.<br>- `subnet_ids` - (Optional) List of subnet IDs that are permitted to access the key vault.<br>- `network_bypass` - (Optional) Specifies which traffic can bypass the network rules.<br>- `cmk_keys_create` - (Optional) Specifies whether to create custom managed keys.<br>- `cmkrsa_key_name` - (Optional) The name of the customer managed key with RSA algorithm to 
create.<br>- `cmkec_key_name` - (Optional) The name of the customer managed key with EC algorithm to create.<br><br>Example Inputs:<pre>hcl<br>key_vault = {<br> name = "my-key-vault"<br> tenant_id = "00000000-0000-0000-0000-000000000000"<br> enabled_for_disk_encryption = true<br> enabled_for_deployment = true<br> enabled_for_template_deployment = true<br> enable_rbac_authorization = true<br> purge_protection = true<br> default_action = "Deny"<br> soft_delete_retention_days = 30<br> sku = "standard"<br> cmkrsa_key_name = "cmkrsa"<br> cmkec_key_name = "cmkec"<br> cmk_keys_create = true</pre> | <pre>object({<br> name = string<br> tenant_id = string<br> resource_group_name = string<br> location = optional(string, null)<br> enabled_for_disk_encryption = optional(bool, false)<br> enabled_for_deployment = optional(bool, false)<br> enabled_for_template_deployment = optional(bool, false)<br> enable_rbac_authorization = optional(bool, true)<br> purge_protection = optional(bool, true)<br> soft_delete_retention_days = optional(number, 30)<br> public_network_access_enabled = optional(bool, false)<br> default_action = optional(string, "Deny")<br> sku = optional(string, "standard")<br> ip_rules = optional(list(string), [])<br> subnet_ids = optional(list(string), [])<br> network_bypass = optional(string, "None")<br> cmk_keys_create = optional(bool, false)<br> cmkrsa_key_name = optional(string, "cmkrsa")<br> cmkec_key_name = optional(string, "cmkec")<br> cmk_rotation_period = optional(string, "P90D")<br> tags = optional(map(string), {})<br> })</pre> | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the resources. | `map(string)` | n/a | yes |
| <a name="input_key_vault_key"></a> [key\_vault\_key](#input\_key\_vault\_key) | This map describes the configuration for Azure Key Vault keys.<br><br>- `key_vault_id` - (Required) The ID of the Key Vault.<br>- `key_type` - (Required) The type of the key.<br>- `key_size` - (Required) The size of the key.<br>- `key_opts` - (Required) The key operations that are permitted.<br><br>Example Inputs:<pre>hcl<br> key_vault_key = {<br> key_rsa = {<br> type = "RSA"<br> size = 4096<br> opts = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]<br> }<br> key_ec = {<br> type = "EC"<br> curve = "P-256"<br> opts = ["sign", "verify"]<br> }<br> }</pre> | <pre>map(object({<br> name = optional(string, null)<br> curve = optional(string, null)<br> size = optional(number, null)<br> type = optional(string, null)<br> opts = optional(list(string), null)<br> expiration_date = optional(string, null)<br> not_before_date = optional(string, null)<br> rotation_policy = optional(object({<br> automatic = optional(object({<br> time_after_creation = optional(string, null)<br> time_before_expiry = optional(string, null)<br> }), null)<br> expire_after = optional(string, null)<br> notify_before_expiry = optional(string, null)<br> }), null)<br> tags = optional(map(string), {})<br> }))</pre> | `null` | no |

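Review bot: the README row only updates the type signature (`public_network_access_enabled = optional(bool, false)` now appears in the `object({...})` block), but the "The following arguments are supported" bullet list and the "Example Inputs" block in the same row are not updated, so the new attribute is undocumented from the reader's perspective. Suggest adding a bullet alongside `soft_delete_retention_days`, e.g. "- `public_network_access_enabled` - (Optional) Specifies whether the Key Vault is reachable over the public network. Defaults to `false`.", and showing it in the example inputs. Minor: the example input block in this row still lacks the closing `}` for `key_vault = {`; since the row is being touched anyway, this is a good moment to fix it.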
1 change: 1 addition & 0 deletions examples/basic/main.tf
Expand Up @@ -10,6 +10,7 @@ module "key_vault" {
tenant_id = "your-tenant-id"
resource_group_name = "resource-group-name"
enabled_for_disk_encryption = true
public_network_access_enabled = false
enabled_for_deployment = false
enabled_for_template_deployment = false
enable_rbac_authorization = true
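Review bot: setting `public_network_access_enabled = false` in the example while the module default is also `false` is redundant but acceptable as documentation of the intended posture; however, the example then produces a vault that is reachable only through a private endpoint, and nothing in `examples/basic/main.tf` creates one. Suggest either a comment on this line stating that a private endpoint (or `ip_rules`/`subnet_ids` together with `public_network_access_enabled = true`) is required to actually reach the vault, or keeping the basic example aligned with what a first-time user can run end to end.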
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -12,6 +12,7 @@ resource "azurerm_key_vault" "this" {
enable_rbac_authorization = var.key_vault.enable_rbac_authorization
purge_protection_enabled = var.key_vault.purge_protection
soft_delete_retention_days = var.key_vault.soft_delete_retention_days
public_network_access_enabled = var.key_vault.public_network_access_enabled

network_acls {
default_action = length(var.key_vault.ip_rules) == 0 && length(var.key_vault.subnet_ids) == 0 ? var.key_vault.default_action : "Deny"
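Review bot: the new `public_network_access_enabled = var.key_vault.public_network_access_enabled` line interacts with the `network_acls` block directly below it and that interaction is not guarded: when public network access is disabled, Azure does not evaluate `ip_rules` or `subnet_ids` at all, so a caller who passes allow-list entries while leaving the new attribute at its `false` default gets a silent no-op rather than the firewall they configured. Suggest a `lifecycle { precondition { ... } }` on this resource (or a `validation` block on `var.key_vault`) that fails the plan when `public_network_access_enabled` is `false` and `length(var.key_vault.ip_rules) + length(var.key_vault.subnet_ids) > 0`, with a message pointing the caller at the conflict.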
1 change: 1 addition & 0 deletions variables.tf
Expand Up @@ -10,6 +10,7 @@ variable "key_vault" {
enable_rbac_authorization = optional(bool, true)
purge_protection = optional(bool, true)
soft_delete_retention_days = optional(number, 30)
public_network_access_enabled = optional(bool, false)
default_action = optional(string, "Deny")
sku = optional(string, "standard")
ip_rules = optional(list(string), [])
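Review bot: defaulting `public_network_access_enabled` to `false` is the right secure default, but it changes behaviour for every existing consumer of this module: before this commit the attribute was not set, so the provider's own default applied and vaults were publicly reachable (subject to `network_acls`); after it, the same inputs yield a vault that only private endpoints can reach. That is a breaking change and should be called out in the release notes or CHANGELOG with a major version bump, and the attribute deserves a line in the variable's `description` explaining the default and its effect on `ip_rules`/`subnet_ids`.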

0 comments on commit 3148282