Add certificate access to kv access policy (#934)

XenitAB · Feb 13, 2023 · d76bfc0 · d76bfc0
1 parent ce76020
commit d76bfc0
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Added
 
+- [#934](https://github.com/XenitAB/terraform-modules/pull/934) Add certificate permissions for resource group AAD group.
+
 - [#906](https://github.com/XenitAB/terraform-modules/pull/906) Add support for kubernetes 1.25 in Azure.
 
 ### Changed

diff --git a/modules/azure/governance-regional/delegate-kv.tf b/modules/azure/governance-regional/delegate-kv.tf
@@ -36,11 +36,12 @@ resource "azurerm_key_vault_access_policy" "ap_rg_aad_group" {
     if rg.delegate_key_vault == true
   }
 
-  key_vault_id       = azurerm_key_vault.delegate_kv[each.key].id
-  tenant_id          = data.azurerm_client_config.current.tenant_id
-  object_id          = var.azuread_groups.rg_contributor[each.key].id
-  key_permissions    = local.key_vault_default_permissions.key_permissions
-  secret_permissions = local.key_vault_default_permissions.secret_permissions
+  key_vault_id            = azurerm_key_vault.delegate_kv[each.key].id
+  tenant_id               = data.azurerm_client_config.current.tenant_id
+  object_id               = var.azuread_groups.rg_contributor[each.key].id
+  key_permissions         = local.key_vault_default_permissions.key_permissions
+  secret_permissions      = local.key_vault_default_permissions.secret_permissions
+  certificate_permissions = local.key_vault_default_permissions.certificate_permissions
 }
 
 resource "azurerm_key_vault_access_policy" "ap_rg_sp" {