Thanks for your interest in Cloud Adoption Framework for Azure landing zones on Terraform. This module is now deprecated and no longer maintained.
As part of Cloud Adoption Framework landing zones for Terraform, we have migrated to a single module model, which you can find here: https://github.com/aztfmod/terraform-azurerm-caf and on the Terraform registry: https://registry.terraform.io/modules/aztfmod/caf/azurerm
In Terraform 0.13 you can call submodules directly with the following syntax:
```hcl
module "caf_keyvault" {
  source  = "aztfmod/caf/azurerm//modules/security/keyvault"
  version = "0.4.18"
  # insert the 5 required variables here
}
```
Creates an Azure Key Vault.
Supported features:
- AKV name is generated from (prefix+name) plus a randomly generated string to ensure worldwide uniqueness (truncated to 24 characters, the maximum length of a Key Vault name)
- AKV main settings: enabled for deployment, disk encryption, template deployment
- AKV SKU: Premium or Standard
- AKV networks ACL
Non-supported features:
- Support for AKV access policies is deliberately kept outside of this module in order to preserve consistency of policies, i.e. for each AKV you create, you should set an access policy tailored to its specific purpose (see the AKV sample policy file, access_policy_sample.tf)
Reference the module to a specific version (recommended):
```hcl
module "azurekeyvault" {
  source  = "aztfmod/caf-keyvault/azurerm"
  version = "0.x.y"

  prefix                  = var.prefix
  location                = var.location
  resource_group_name     = var.resource_group_name
  akv_config              = var.akv_config
  tags                    = var.tags
  diagnostics_settings    = var.ipdiags
  diagnostics_map         = var.diagsmap
  log_analytics_workspace = var.laworkspace
}
```
No requirements.
Providers:
Name | Version |
---|---|
azurecaf | n/a |
azurerm | n/a |
Inputs:
Name | Description | Type | Default | Required |
---|---|---|---|---|
akv_config | (Required) Key Vault Configuration Object | any | n/a | yes |
convention | (Required) Naming convention method to use | any | n/a | yes |
diagnostics_map | (Required) Storage account and Event Hub for AKV | any | n/a | yes |
diagnostics_settings | (Required) Map with the diagnostics settings for AKV | any | n/a | yes |
location | (Required) Location of the AKV to be created | any | n/a | yes |
log_analytics_workspace | (Required) Log Analytics workspace for AKV | any | n/a | yes |
max_length | (Optional) Maximum length of the resource name | string | "" | no |
postfix | (Optional) Postfix appended to the resource name | string | "" | no |
prefix | (Optional) Prefix prepended to the resource name | string | "" | no |
resource_group_name | (Required) Resource group name of the AKV to be created | any | n/a | yes |
tags | (Required) Tags to be applied to the AKV to be created | any | n/a | yes |
Outputs:
Name | Description |
---|---|
id | returns the ID of the Azure Key Vault |
name | returns the name of the Azure Key Vault |
object | returns the full Azure Key Vault object |
vault_uri | returns the vault URI of the Azure Key Vault |
(Required) Key Vault Configuration Object
```hcl
variable "akv_config" {
  description = "(Required) Key Vault Configuration Object"
}
```
Sample:
```hcl
akv_config = {
  name = "myakv"
  akv_features = {
    enabled_for_disk_encryption     = true
    enabled_for_deployment          = false
    enabled_for_template_deployment = true
    soft_delete_enabled             = true
    purge_protection_enabled        = true
  }
  # akv_features is optional
  sku_name = "premium"
  network_acls = {
    bypass         = "AzureServices"
    default_action = "Deny"
  }
  # network_acls is optional
}
```
(Required) Log Analytics workspace for AKV
```hcl
variable "log_analytics_workspace" {
  description = "(Required) Log Analytics workspace for AKV"
}
```
Example
```hcl
log_analytics_workspace = module.loganalytics.object
```
(Required) Map with the diagnostics repository information
```hcl
variable "diagnostics_map" {
  description = "(Required) Map with the diagnostics repository information"
}
```
Example
```hcl
diagnostics_map = {
  diags_sa = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/arnaud-hub-operations/providers/Microsoft.Storage/storageAccounts/opslogskumowxv"
  eh_id    = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/arnaud-hub-operations/providers/Microsoft.EventHub/namespaces/opslogskumowxv"
  eh_name  = "opslogskumowxv"
}
```
(Required) Map with the diagnostics settings for AKV deployment. See the required structure in the following example or in the diagnostics module documentation.
```hcl
variable "diagnostics_settings" {
  description = "(Required) Map with the diagnostics settings for AKV deployment"
}
```
Example
```hcl
diagnostics_settings = {
  log = [
    # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
    ["AuditEvent", true, true, 60],
  ]
  metric = [
    # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
    ["AllMetrics", true, true, 60],
  ]
}
```
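Putting the reference call, the `akv_config` object and the access policy the module deliberately leaves outside its scope together in one root module. This is an added example, not code from the module's repository: it assumes the same `var.*` inputs as the reference snippet above, keeps the placeholder version `0.x.y` to be pinned, and uses the azurerm provider's `azurerm_key_vault_access_policy` resource and `azurerm_client_config` data source to grant the deploying identity only the secret operations it needs.

```hcl
# Deploying identity (tenant and object id) used for the access policy below.
data "azurerm_client_config" "current" {}

module "azurekeyvault" {
  source  = "aztfmod/caf-keyvault/azurerm"
  version = "0.x.y" # placeholder: pin to a released version

  prefix              = var.prefix
  convention          = var.convention # required input, see the Inputs table
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  akv_config = {
    name = "myakv"
    akv_features = {
      enabled_for_disk_encryption     = true
      enabled_for_deployment          = false
      enabled_for_template_deployment = true
      soft_delete_enabled             = true
      purge_protection_enabled        = true # no permanent deletion during the retention window
    }
    sku_name = "premium" # HSM-backed keys
    network_acls = {
      bypass         = "AzureServices"
      default_action = "Deny" # block public network access unless explicitly allowed
    }
  }

  diagnostics_settings    = var.ipdiags
  diagnostics_map         = var.diagsmap
  log_analytics_workspace = var.laworkspace
}

# Access policy kept outside the module, as recommended above: scoped to one
# identity and limited to secret operations. Permission value casing follows
# the azurerm provider version in use ("get" in 2.x, "Get" in 3.x).
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = module.azurekeyvault.id # module output `id`
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions      = ["Get", "List", "Set"]
  key_permissions         = []
  certificate_permissions = []
}

output "vault_uri" {
  value = module.azurekeyvault.vault_uri # module output `vault_uri`
}
```

Each additional consumer of the vault gets its own `azurerm_key_vault_access_policy` block with its own minimal permission set rather than a widened shared policy.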