terraform-azure-keyvault

Highly opinionated management of Key Vault resources in Azure

Primary language: HCL. License: MIT.

Azure Keyvault management

Introduction

This module manages an Azure Key Vault together with its access policies (which identities may read, create or fully manage its contents), its network ACLs and optional audit logging.

Usage

Instantiate the module by calling it from Terraform like this:

module "azure-keyvault" {
  source = "dodevops/keyvault/azure"
  version = "<version>" 
  (...)
}

Requirements

No requirements.

Providers

The following providers are used by this module:

  • azurerm

Modules

No modules.

Resources

The following resources are used by this module:

Required Inputs

The following input variables are required:

azure_tenant_id

Description: The ID of the Azure tenant the Key Vault belongs to (used for its access policies)

Type: string

location

Description: The Azure location (region) to deploy the Key Vault into

Type: string

network_acls_ip_rules

Description: List of one or more IP addresses or CIDR blocks that should be able to access the Key Vault. If network_acls_default_action is Allow, this can be an empty list

Type: list(string)

network_acls_virtual_network_subnet_ids

Description: List of one or more subnet IDs that should be able to access this Key Vault. If network_acls_default_action is Allow, this can be an empty list

Type: list(string)

project

Description: Three letter project key

Type: string

resource_group

Description: Azure Resource Group to use

Type: string

stage

Description: Stage this resource belongs to

Type: string

Optional Inputs

The following input variables are optional (have default values):

allowed_objectid_app_tuples_createonly

Description: A list of object ID / application ID tuples (object ID and application ID joined with a colon) that are allowed to create (but not read or change) elements in the keyvault

Type: list(string)

Default: []

allowed_objectid_app_tuples_fullaccess

Description: A list of object ID / application ID tuples (object ID and application ID joined with a colon) that are allowed full access to the keyvault

Type: list(string)

Default: []

allowed_objectid_app_tuples_readonly

Description: A list of object ID / application ID tuples (object ID and application ID joined with a colon) that are allowed to read elements in the keyvault

Type: list(string)

Default: []

allowed_objectids_createonly

Description: A list of object IDs that are allowed to create (but not read or change) elements in the keyvault

Type: list(string)

Default: []

allowed_objectids_fullaccess

Description: A list of object IDs that are allowed full access to the keyvault elements (all operations)

Type: list(string)

Default: []

allowed_objectids_readonly

Description: A list of object IDs that are allowed to read elements in the keyvault

Type: list(string)

Default: []

audit_retention_period

Description: Number of days to keep audit records; only used if enable_audit is true

Type: number

Default: 365

enable_audit

Description: Enable audit of keyvault changes

Type: bool

Default: false

network_acls_bypass

Description: Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.

Type: string

Default: "None"

network_acls_default_action

Description: The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny.

Type: string

Default: "Deny"

sku

Description: Key Vault SKU (standard or premium)

Type: string

Default: "standard"

soft_delete_retention_days

Description: The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days

Type: number

Default: 14

tags

Description: Map of tags for the resources

Type: map(any)

Default: {}

Outputs

The following outputs are exported:

vault_id

Description: The resource ID of the managed Key Vault
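The following is an added, complete instantiation of the module that exercises the inputs and the vault_id output documented above; it is not taken from the module's own README or code. The resource group name, location, subnet ID, IP address, object IDs and the "<version>" placeholder are all assumptions and must be replaced with real values.

```hcl
# Added example (not part of the module): a locked-down Key Vault with
# deny-by-default networking and least-privilege access lists.
# Every ID, name and address below is a placeholder.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Tenant of the identity running terraform; reused for the vault's tenant id.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "rg-abc-prod-keyvault" # placeholder
  location = "westeurope"           # placeholder
}

module "azure-keyvault" {
  source  = "dodevops/keyvault/azure"
  version = "<version>" # pin to a released version of the module

  azure_tenant_id = data.azurerm_client_config.current.tenant_id
  location        = azurerm_resource_group.kv.location
  resource_group  = azurerm_resource_group.kv.name
  project         = "abc"  # three letter project key (placeholder)
  stage           = "prod" # placeholder

  # Network: deny everything that is not explicitly listed, and do not
  # exempt "trusted" Azure services either. Only the CI runner's egress
  # address and the application subnet may reach the data plane.
  network_acls_default_action = "Deny"
  network_acls_bypass         = "None"
  network_acls_ip_rules       = ["203.0.113.10/32"] # CI runner egress (TEST-NET-3 placeholder)
  network_acls_virtual_network_subnet_ids = [
    # placeholder subnet resource ID
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-abc-prod-network/providers/Microsoft.Network/virtualNetworks/vnet-abc-prod/subnets/snet-app",
  ]

  # Least privilege: the pipeline may only write secrets, the application
  # may only read them, and only the platform team gets full access.
  allowed_objectids_createonly = ["11111111-1111-1111-1111-111111111111"] # CI service principal object id (placeholder)
  allowed_objectids_readonly   = ["22222222-2222-2222-2222-222222222222"] # app managed identity object id (placeholder)
  allowed_objectids_fullaccess = ["33333333-3333-3333-3333-333333333333"] # platform admin group object id (placeholder)

  # Keep an audit trail for a year and soft-deleted items for 30 days.
  enable_audit               = true
  audit_retention_period     = 365
  soft_delete_retention_days = 30

  sku  = "standard"
  tags = { owner = "platform", stage = "prod" }
}

# Expose the vault id so other configurations can attach secrets to it.
output "keyvault_id" {
  value = module.azure-keyvault.vault_id
}
```

Two caveats with this configuration. First, the network ACLs apply to data-plane calls: with network_acls_default_action = "Deny" and network_acls_bypass = "None", any azurerm_key_vault_secret or similar resource managed in the same configuration must be applied from an address in network_acls_ip_rules or from a listed subnet, otherwise the apply fails with 403 on the secret operations even though the vault itself deploys fine. Second, putting the CI pipeline's identity in allowed_objectids_createonly rather than the full-access list means a compromised pipeline can overwrite secrets but cannot read existing ones back, which is the property you want for an identity that only pushes secrets in.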

Development

Use terraform-docs to generate the API documentation by running

terraform fmt .
terraform-docs .