padok-team/terraform-azurerm-keyvault

Terraform module which creates Key Vault resources on Azure.

Primary language: HCL. License: Apache License 2.0 (Apache-2.0).

Azure Key Vault Terraform module

Terraform module which creates a Key Vault resource on Azure.

User Stories for this module

  • AAOPS I have a Key Vault that allows me to store secrets
  • AAOPS I have a Key Vault that allows me to store certificates

Usage

data "azurerm_client_config" "current" {}

module "key_vault" {
  # Terraform needs the git:: prefix to recognise an SSH git source.
  source = "git::git@github.com:padok-team/terraform-azurerm-keyvault.git"

  # Vault names are globally unique: 3-24 letters, digits and hyphens only.
  name      = "my-key-vault"
  sku_name  = "standard"
  tenant_id = data.azurerm_client_config.current.tenant_id

  # resource_group is an object (see Inputs), not a bare name; the location is an example value.
  resource_group = {
    name     = "my_rg"
    location = "westeurope"
  }

  tags = {
    terraform = "true"
    padok     = "library"
  }
}

Examples

Modules

Name | Source | Version
--- | --- | ---
logger | git@github.com:padok-team/terraform-azurerm-logger.git | v0.5.0

Inputs

Name | Description | Type | Default | Required
--- | --- | --- | --- | ---
name | Specifies the name of the Key Vault. Vault names are globally unique. Changing this forces a new resource to be created. | string | n/a | yes
resource_group | Resource group configuration. | object({ name = string, location = string }) | n/a | yes
sku_name | The name of the SKU used for this Key Vault. Possible values are standard and premium. | string | n/a | yes
tenant_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. | string | n/a | yes
access_policy | Map of policies to access the Key Vault. | map(object({ application_id = optional(string), certificate_permissions = optional(list(string)), key_permissions = optional(list(string)), secret_permissions = optional(list(string)), storage_permissions = optional(list(string)) })) | {} | no
enable_network_acl | Boolean flag to enable network ACLs on the Key Vault. | bool | true | no
enable_rbac_authorization | Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. | bool | false | no
enabled_for_deployment | Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the Key Vault. | bool | false | no
enabled_for_disk_encryption | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool | false | no
enabled_for_template_deployment | Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the Key Vault. | bool | false | no
logging | The logging configuration. | object({ enabled = bool, log_analytics_workspace_id = string }) | { "enabled": false, "log_analytics_workspace_id": null } | no
network_acls | Network ACLs to apply to the Key Vault. ip_rules is a list of IP addresses or CIDR blocks. | object({ ip_rules = list(string), virtual_network_subnet_ids = list(string) }) | { "ip_rules": [], "virtual_network_subnet_ids": [] } | no
private_endpoint | The private endpoint configuration. | object({ enable = bool, subnet_id = string, private_dns_zone_id = string }) | { "enable": false, "private_dns_zone_id": null, "subnet_id": null } | no
soft_delete_retention_days | The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days. | string | "90" | no
tags | A mapping of tags to assign to the resource. | map(string) | {} | no
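The Usage snippet above passes only the required inputs. The following is an added example, not code from the padok-team module's own README, showing a locked-down invocation that uses the optional inputs listed in the table: RBAC instead of access policies, network ACLs plus a private endpoint, and diagnostic logging. It assumes the azurerm provider is configured, that a subnet, a private DNS zone for Key Vault, a Log Analytics workspace and a workload identity already exist (their IDs are passed in as variables), and that the `git::` SSH source form is used; the resource group name, region and vault name are placeholders.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Placeholder inputs: point these at resources that already exist in your subscription.
variable "subnet_id" { type = string }                  # subnet hosting the private endpoint
variable "private_dns_zone_id" { type = string }        # privatelink.vaultcore.azure.net zone
variable "log_analytics_workspace_id" { type = string } # destination for diagnostic logs
variable "workload_object_id" { type = string }         # identity that may read secrets
variable "admin_cidrs" {
  type    = list(string)
  default = [] # e.g. a CI runner or bastion egress range; empty means no public IP rules
}

module "key_vault" {
  source = "git::git@github.com:padok-team/terraform-azurerm-keyvault.git"

  name      = "kv-example-prod" # placeholder; 3-24 letters, digits and hyphens
  tenant_id = data.azurerm_client_config.current.tenant_id
  sku_name  = "standard"

  resource_group = {
    name     = "rg-example-prod" # placeholder
    location = "westeurope"      # placeholder
  }

  # Data-plane authorization through Azure RBAC, so access_policy stays empty
  # and every grant is an auditable role assignment scoped to the vault.
  enable_rbac_authorization = true
  access_policy             = {}

  # Platform integrations stay off unless a workload actually needs them.
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false

  # Restrict the public endpoint to the listed CIDRs and the workload subnet;
  # everything else reaches the vault through the private endpoint.
  enable_network_acl = true
  network_acls = {
    ip_rules                   = var.admin_cidrs
    virtual_network_subnet_ids = [var.subnet_id]
  }

  private_endpoint = {
    enable              = true
    subnet_id           = var.subnet_id
    private_dns_zone_id = var.private_dns_zone_id
  }

  # Ship vault audit logs to Log Analytics so secret reads and policy changes are visible.
  logging = {
    enabled                    = true
    log_analytics_workspace_id = var.log_analytics_workspace_id
  }

  # Keep the maximum soft-delete window so accidental or malicious deletions can be reverted.
  soft_delete_retention_days = "90"

  tags = {
    terraform = "true"
    padok     = "library"
  }
}

# Least-privilege data-plane grant: read secrets only, scoped to this one vault.
# "Key Vault Secrets User" is an Azure built-in role.
resource "azurerm_role_assignment" "workload_secrets_reader" {
  scope                = module.key_vault.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.workload_object_id
}

output "key_vault_id" {
  value = module.key_vault.id
}
```

With enable_rbac_authorization set to true the access_policy map is ignored for data-plane access, so permissions live entirely in role assignments like the one above, which makes them reviewable through the same tooling as the rest of the subscription. The network ACL and private endpoint together keep the vault off the public internet for all but the listed CIDRs, and the logging block is what lets a SIEM see who read which secret.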

Outputs

Name | Description
--- | ---
id | The Key Vault ID.
name | The Key Vault name.
private_endpoint | The private endpoint instance.
this | The Key Vault resource.

License

Apache License 2.0 (Apache-2.0).