-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathkey-vault.tf
66 lines (58 loc) · 2.45 KB
/
key-vault.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#
# Shared KeyVault & policy to allow Azure DevOps SP to access
#
resource "azurerm_key_vault" "shared_kv" {
name = "${var.prefix}keyvault"
location = azurerm_resource_group.mgmt.location
resource_group_name = azurerm_resource_group.mgmt.name
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_enabled = true
soft_delete_retention_days = 30
sku_name = "standard"
}
# Add the AzDO SP to an access policy so it can read and list secrets
resource "azurerm_key_vault_access_policy" "azdo_keyvault_access_policy" {
key_vault_id = azurerm_key_vault.shared_kv.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azuread_service_principal.azdo_keyvault_sp.id
secret_permissions = [
"get", "list"
]
}
# Add running user and give full rights to secrets
resource "azurerm_key_vault_access_policy" "user_keyvault_access_policy" {
key_vault_id = azurerm_key_vault.shared_kv.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"get", "list", "set", "delete", "purge", "recover", "restore"
]
}
# Store the Pipeline SP details as secrets in KeyVault
resource "azurerm_key_vault_secret" "pipeline-sp-secret" {
name = "pipeline-sp-secret"
value = random_password.azdo_pipeline_password.result
key_vault_id = azurerm_key_vault.shared_kv.id
depends_on = [azurerm_key_vault_access_policy.user_keyvault_access_policy]
}
resource "azurerm_key_vault_secret" "pipeline-sp-clientid" {
name = "pipeline-sp-clientid"
value = azuread_service_principal.azdo_pipeline_sp.application_id
key_vault_id = azurerm_key_vault.shared_kv.id
depends_on = [azurerm_key_vault_access_policy.user_keyvault_access_policy]
}
resource "azurerm_key_vault_secret" "azure-tenant" {
name = "azure-tenant-id"
value = data.azurerm_client_config.current.tenant_id
key_vault_id = azurerm_key_vault.shared_kv.id
depends_on = [azurerm_key_vault_access_policy.user_keyvault_access_policy]
}
resource "azurerm_key_vault_secret" "azure-subid" {
name = "azure-sub-id"
value = data.azurerm_client_config.current.subscription_id
key_vault_id = azurerm_key_vault.shared_kv.id
depends_on = [azurerm_key_vault_access_policy.user_keyvault_access_policy]
}
output "keyvault_name" {
value = azurerm_key_vault.shared_kv.name
}