# Identity running `terraform apply`; its tenant_id/object_id are reused by the
# Key Vault and the deployer access policy below.
data "azurerm_client_config" "current" {
}
# Read-back of the vault created by azurerm_key_vault.kv-rickylab in this same
# file. Nothing visible here consumes it; the label "secret-rickylab" also
# collides with the secret resource's label, which is easy to misread.
data "azurerm_key_vault" "secret-rickylab" {
  resource_group_name = azurerm_resource_group.rg-rickylab.name
  name                = azurerm_key_vault.kv-rickylab.name
}
# Resource group that holds every resource in this file.
resource "azurerm_resource_group" "rg-rickylab" {
  name     = var.resource_group_name
  location = var.location
}
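# Linux App Service plan hosting the web app.
# Referencing the resource group's name attribute (instead of the raw variable)
# creates the implicit dependency, so the explicit depends_on is no longer needed.
resource "azurerm_service_plan" "asp-simple" {
  name                = var.app_serviceplan_name
  resource_group_name = azurerm_resource_group.rg-rickylab.name
  location            = azurerm_resource_group.rg-rickylab.location
  os_type             = "Linux"
  sku_name            = var.asp_sku_name # also gates the ap03 access policy below
}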
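# Java 17 web app that pulls APP_SECRET from Key Vault at runtime through its
# system-assigned managed identity (Key Vault reference syntax in app_settings).
resource "azurerm_linux_web_app" "app-simple" {
  name                = var.linux_web_app_name
  resource_group_name = azurerm_resource_group.rg-rickylab.name
  location            = azurerm_resource_group.rg-rickylab.location
  service_plan_id     = azurerm_service_plan.asp-simple.id

  # Refuse plain HTTP; without this the app answers on both http:// and https://.
  https_only = true

  app_settings = {
    # The reference pins the secret *version*, so a rotated secret is only picked
    # up after a new apply. Drop the trailing "/<version>" segment for a
    # versionless reference if rotation without redeploy is wanted.
    APP_SECRET = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.kv-rickylab.vault_uri}secrets/${azurerm_key_vault_secret.secret-rickylab.name}/${azurerm_key_vault_secret.secret-rickylab.version})"
  }

  # principal_id of this identity is granted Get on secrets by ap01-rickylab.
  # NOTE(review): ap01 is applied after the app exists, so the very first start
  # may fail to resolve the reference until that policy lands — confirm.
  identity {
    type = "SystemAssigned"
  }

  site_config {
    # Explicit hardening; make the transport settings visible rather than relying
    # on provider defaults.
    minimum_tls_version = "1.2"
    ftps_state          = "Disabled"

    application_stack {
      java_server         = "JAVA"
      java_version        = "java17"
      java_server_version = "17"
    }
  }
}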
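# Generated value stored in Key Vault as the app secret.
# 12 characters is short for a machine-consumed secret that is never typed by a
# human; 32 gives a comfortable margin against offline guessing at no cost.
# NOTE: `result` is written to Terraform state in plaintext — keep the state in
# an encrypted, access-controlled remote backend.
resource "random_password" "kv_app_secret" {
  length  = 32
  special = true
}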
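# Key Vault holding the app secret. Access is granted through access policies
# (ap01/ap02/ap03 below), not Azure RBAC.
resource "azurerm_key_vault" "kv-rickylab" {
  name                = var.key_vault_name
  resource_group_name = azurerm_resource_group.rg-rickylab.name
  location            = azurerm_resource_group.rg-rickylab.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # The only consumer is the web app's managed identity. The previous
  # enabled_for_disk_encryption / enabled_for_template_deployment flags let the
  # Azure Disk Encryption and Resource Manager deployment services read secrets
  # from this vault; nothing here uses either, so they are left at false
  # (least privilege).
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false

  # Minimum retention; deleted secrets can be recovered for 7 days.
  soft_delete_retention_days = 7

  # NOTE(review): purge protection is off so the vault can be torn down cleanly
  # in a lab. For anything non-ephemeral set this to true — it cannot be turned
  # off again once enabled — so a compromised deployer cannot permanently
  # destroy secrets.
  purge_protection_enabled = false

  # NOTE(review): no network_acls block, so the vault's data plane is reachable
  # from any network (subject to auth). Restricting it requires the App Service
  # to reach the vault via VNet integration / private endpoint — evaluate before
  # adding a default_action = "Deny" rule here.
}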
# Access policy for the identity running Terraform, so it can create and later
# destroy azurerm_key_vault_secret.secret-rickylab (which depends_on this).
# The object_id is taken from the current credentials rather than hard-coded,
# so the policy follows whoever applies the configuration.
resource "azurerm_key_vault_access_policy" "ap02-rickylab" {
  key_vault_id = azurerm_key_vault.kv-rickylab.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # Set/Get cover create+read; Delete/Recover/Purge are what the provider needs
  # to remove and re-create a soft-deleted secret (presumably — confirm against
  # the provider's soft-delete feature flags in use).
  secret_permissions = ["Get", "Set", "Recover", "Delete", "Purge"]
}
# Runtime access for the web app's system-assigned managed identity.
# Only Get is granted: the app resolves one known secret URI and never lists,
# writes or deletes — the narrowest permission set that still works.
resource "azurerm_key_vault_access_policy" "ap01-rickylab" {
  key_vault_id       = azurerm_key_vault.kv-rickylab.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_linux_web_app.app-simple.identity.0.principal_id
  secret_permissions = ["Get"]
}
# Conditional policy: created only when the plan SKU is "S1".
# NOTE(review): the object_id is a hard-coded principal with no record of which
# identity it belongs to. Document the principal here (or move it to a variable)
# so a reviewer can tell why it needs List as well as Get on every secret in
# this vault; an unknown GUID with read access is a standing audit finding.
resource "azurerm_key_vault_access_policy" "ap03-rickylab" {
  count = var.asp_sku_name == "S1" ? 1 : 0

  key_vault_id       = azurerm_key_vault.kv-rickylab.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = "322964b9-c289-48a8-815c-78ccbd73e4e0"
  secret_permissions = ["Get", "List"]
}
# The app secret itself: the random_password value written into the vault.
# depends_on ap02 because the deployer needs Set on the vault before this
# write can succeed (the access policy is not an implicit dependency).
# NOTE(review): no expiration_date is set; consider a rotation policy outside
# Terraform or a fixed expiry if this secret outlives the lab.
resource "azurerm_key_vault_secret" "secret-rickylab" {
  key_vault_id = azurerm_key_vault.kv-rickylab.id
  name         = var.secret_name
  value        = random_password.kv_app_secret.result

  depends_on = [azurerm_key_vault_access_policy.ap02-rickylab]
}