This repository has been archived by the owner on Nov 27, 2020. It is now read-only.

Azure Key Vault module for Cloud Adoption Framework for Azure landing zones


aztfmod/terraform-azurerm-caf-keyvault


Thanks for your interest in Cloud Adoption Framework for Azure landing zones on Terraform. This module is now deprecated and no longer maintained.

As part of Cloud Adoption Framework landing zones for Terraform, we have migrated to a single module model, which you can find here: https://github.com/aztfmod/terraform-azurerm-caf and on the Terraform registry: https://registry.terraform.io/modules/aztfmod/caf/azurerm

In Terraform 0.13 you can call submodules directly with the following syntax:

module "caf_keyvault" {
  source  = "aztfmod/caf/azurerm//modules/security/keyvault"
  version = "0.4.18"
  # insert the 5 required variables here
}


Deploys an Azure Key Vault

Creates an Azure Key Vault.

Supported features:

  1. The AKV name is generated from (prefix+name) plus a randomly generated string to ensure worldwide uniqueness (truncated to 24 chars, the maximum length of a Key Vault name)
  2. AKV main settings: enabled for deployment, disk encryption, template deployment
  3. AKV SKU: Premium or Standard
  4. AKV network ACLs

Non-supported features:

  1. Support for AKV access policies is kept outside of this module in order to preserve consistency of policies. That is, for each AKV you create, you should set an access policy tailored to its specific purpose (see the AKV sample policy file access_policy_sample.tf)

Reference the module to a specific version (recommended):

module "azurekeyvault" {
  source  = "aztfmod/caf-keyvault/azurerm"
  version = "0.x.y"

  prefix                  = var.prefix
  location                = var.location
  resource_group_name     = var.resource_group_name
  akv_config              = var.akv_config
  tags                    = var.tags
  diagnostics_settings    = var.ipdiags
  diagnostics_map         = var.diagsmap
  log_analytics_workspace = var.laworkspace
}

Requirements

No requirements.

Providers

Name Version
azurecaf n/a
azurerm n/a

Inputs

Name Description Type Default Required
akv_config (Required) Key Vault Configuration Object any n/a yes
convention (Required) Naming convention method to use any n/a yes
diagnostics_map (Required) Storage account and Event Hub for AKV any n/a yes
diagnostics_settings (Required) Map with the diagnostics settings for AKV any n/a yes
location (Required) Location of the AKV to be created any n/a yes
log_analytics_workspace (Required) Log Analytics workspace for AKV any n/a yes
max_length (Optional) You can specify a maximum length for the name of the resource string "" no
postfix (Optional) You can add a postfix to the name of the resource string "" no
prefix (Optional) You can add a prefix to the name of the resource string "" no
resource_group_name (Required) Resource group name of the AKV to be created any n/a yes
tags (Required) Tags to be applied to the AKV to be created any n/a yes

Outputs

Name Description
id returns the ID of the Azure Key Vault
name returns the name of the Azure Key Vault
object returns the full Azure Key Vault object
vault_uri returns the vault URI of the Azure Key Vault

Parameters

akv_config

(Required) Key Vault Configuration Object

variable "akv_config" {
  description = "(Required) Key Vault Configuration Object"
}

Sample:

akv_config = {
  name = "myakv"

  # akv_features is optional
  akv_features = {
    enabled_for_disk_encryption     = true
    enabled_for_deployment          = false
    enabled_for_template_deployment = true
    soft_delete_enabled             = true
    purge_protection_enabled        = true
  }

  sku_name = "premium"

  # network_acls is optional
  network_acls = {
    bypass         = "AzureServices"
    default_action = "Deny"
  }
}

log_analytics_workspace

(Required) Log Analytics workspace for AKV

variable "log_analytics_workspace" {
  description = "(Required) Log Analytics workspace for AKV"
}

Example

log_analytics_workspace = module.loganalytics.object

diagnostics_map

(Required) Map with the diagnostics repository information

variable "diagnostics_map" {
  description = "(Required) Map with the diagnostics repository information"
}

Example

diagnostics_map = {
  diags_sa = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/arnaud-hub-operations/providers/Microsoft.Storage/storageAccounts/opslogskumowxv"
  eh_id    = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/arnaud-hub-operations/providers/Microsoft.EventHub/namespaces/opslogskumowxv"
  eh_name  = "opslogskumowxv"
}

diagnostics_settings

(Required) Map with the diagnostics settings for AKV deployment. See the required structure in the following example or in the diagnostics module documentation.

variable "diagnostics_settings" {
  description = "(Required) Map with the diagnostics settings for AKV deployment"
}

Example

diagnostics_settings = {
  log = [
    # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
    ["AuditEvent", true, true, 60],
  ]
  metric = [
    # ["Category name", "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
    ["AllMetrics", true, true, 60],
  ]
}
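Because akv_features and network_acls are optional in the module, a vault can be deployed without purge protection, without a network ACL, or without AuditEvent logging if the caller omits them. The following is an added example (not part of this module) that audits an akv_config and diagnostics_settings pair, as they would be passed to the module, for such weak settings; the thresholds it checks (Deny default action, AuditEvent retention of at least 30 days) are this example's own assumptions.

```python
# Added example: audit the akv_config / diagnostics_settings maps from this README
# for weak settings before they reach the module. The expectations below are the
# example's own assumptions, not rules the module enforces.

# Constructed sample mirroring the README's akv_config and diagnostics_settings.
SAMPLE_AKV_CONFIG = {
    "name": "myakv",
    "akv_features": {
        "enabled_for_disk_encryption": True,
        "enabled_for_deployment": False,
        "enabled_for_template_deployment": True,
        "soft_delete_enabled": True,
        "purge_protection_enabled": True,
    },
    "sku_name": "premium",
    "network_acls": {"bypass": "AzureServices", "default_action": "Deny"},
}

SAMPLE_DIAGNOSTICS = {
    "log": [["AuditEvent", True, True, 60]],
    "metric": [["AllMetrics", True, True, 60]],
}


def audit_akv(akv_config, diagnostics_settings, min_retention_days=30):
    """Return a list of findings; an empty list means no weak settings were found."""
    findings = []
    features = akv_config.get("akv_features") or {}  # optional block in the module
    if not features.get("soft_delete_enabled"):
        findings.append("soft_delete_enabled is not true: deleted keys/secrets cannot be recovered")
    if not features.get("purge_protection_enabled"):
        findings.append("purge_protection_enabled is not true: a soft-deleted vault can be purged at once")

    acls = akv_config.get("network_acls")  # optional block in the module
    if acls is None:
        findings.append("network_acls missing: vault is reachable from all networks")
    elif acls.get("default_action") != "Deny":
        findings.append("network_acls.default_action is %r, expected 'Deny'" % acls.get("default_action"))

    # Each diagnostics row is [category, diagnostics_enabled, retention_enabled, retention_days].
    audit_rows = [row for row in diagnostics_settings.get("log", []) if row[0] == "AuditEvent"]
    if not audit_rows:
        findings.append("no AuditEvent log category configured: vault access is not logged")
    else:
        _, enabled, retention_enabled, retention_days = audit_rows[0]
        if not enabled:
            findings.append("AuditEvent logging is disabled")
        elif not retention_enabled or retention_days < min_retention_days:
            findings.append("AuditEvent retention is shorter than %d days" % min_retention_days)
    return findings
```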
