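locals {
  # Tenant that owns the vault and its access policies. Defaults to the
  # tenant Terraform is currently authenticated against; override it through
  # var.azure_active_directory_id when the vault must live in another tenant.
  # Written as a plain expression: the former "${...}" wrapper is an
  # interpolation-only expression, which Terraform >= 0.12 warns is deprecated.
  azure_active_directory_id = (
    var.azure_active_directory_id != null
    ? var.azure_active_directory_id
    : data.azurerm_client_config.this.tenant_id
  )

  # Number of azurerm_key_vault_secret instances to create: one copy of every
  # secret in every location (nested loop emulated with count, see
  # https://serverfault.com/questions/833810/terraform-use-nested-loops-with-count/968309#968309).
  # local.location_count is defined elsewhere in this module.
  # This now yields a number rather than the string the "${...}" form
  # produced; count accepts either.
  secret_count = (
    var.azurerm_key_vault_secrets != null
    ? length(var.azurerm_key_vault_secrets) * local.location_count
    : 0
  )
}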
# Subscription Terraform is operating in. Not referenced in the visible part
# of this file; presumably used elsewhere in the module -- verify before removing.
data "azurerm_subscription" "this" {}
# Tenant/identity of the credentials Terraform authenticated with; supplies the
# default tenant_id for the vault and its access policies below.
data "azurerm_client_config" "this" {}
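# Object id of the interactively signed-in Azure CLI user, obtained by shelling
# out to `az` at plan time. Only created when a vault is requested.
#
# Caveats a reviewer should know about:
#   * This runs whichever `az` binary is first on PATH of the machine running
#     Terraform, and it only works for a user login: under a service-principal
#     or managed-identity login `az ad signed-in-user show` fails. On current
#     azurerm providers data.azurerm_client_config.this.object_id yields the
#     same principal without a shell-out; this workaround dates from provider
#     versions where that attribute was empty for CLI logins.
#   * data.external needs JSON on stdout, so the output format is pinned with
#     --output json instead of relying on the user's `az config` defaults.
#   * Newer Azure CLI releases back this command with Microsoft Graph, where the
#     property is named `id` instead of `objectId`; the query accepts either.
#     `objectType` and `odata.metadata` may be absent in that format -- confirm
#     that data.external still accepts the output for the CLI version in use.
data "external" "this_az_account" {
  count = var.azurerm_key_vault ? 1 : 0
  program = [
    "az",
    "ad",
    "signed-in-user",
    "show",
    "--output",
    "json",
    "--query",
    "{displayName: displayName,objectId: objectId || id,objectType: objectType,odata_metadata: \"odata.metadata\"}"
  ]
}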
# One Key Vault per location, created only when var.azurerm_key_vault is set.
# Access is granted through the separate access-policy resources below (vault
# access-policy model, not Azure RBAC).
#
# NOTE(review): this block sets nothing beyond the provider defaults: no
# purge_protection_enabled, no soft-delete retention, no network_acls (the data
# plane stays reachable from any network) and the enabled_for_* flags are left
# at their defaults. Decide on each of those deliberately before production
# secrets land in here.
resource "azurerm_key_vault" "this" {
  count = var.azurerm_key_vault ? local.location_count : 0

  # Key Vault names are capped at 24 characters; when the default name is too
  # long, fall back to the shorter storage-account style name. Both locals are
  # defined elsewhere in the module and are assumed to already satisfy the
  # vault naming rules (letters/digits/hyphens, starts with a letter) -- verify.
  name = length(local.default_name[count.index]) > 24 ? local.storage_account_short_name[count.index] : local.default_name[count.index]

  resource_group_name = azurerm_resource_group.this[count.index].name
  location            = azurerm_resource_group.this[count.index].location
  tenant_id           = local.azure_active_directory_id
  sku_name            = "standard"
  tags                = local.global_tags
}
# Grants the identity running Terraform (resolved through data.external above)
# the secret permissions it needs to write the secrets managed in this file.
#
# NOTE(review): on current azurerm providers the same principal is exposed as
# data.azurerm_client_config.this.object_id, which also works for
# service-principal/CI runs where `az ad signed-in-user show` fails.
# Permission names depend on the provider version (azurerm 3.x expects
# "Get"/"Set"/"Delete"), and on a soft-delete-enabled vault Terraform may also
# need "Recover"/"Purge" to re-create a secret that was deleted -- confirm
# against the provider version pinned for this module.
resource "azurerm_key_vault_access_policy" "terraformuser" {
  count = var.azurerm_key_vault ? local.location_count : 0

  key_vault_id = azurerm_key_vault.this[count.index].id
  tenant_id    = local.azure_active_directory_id
  object_id    = tostring(data.external.this_az_account[0].result["objectId"])

  secret_permissions = ["get", "set", "delete"]
}
# Read-only secret access for the managed identity of the function app with the
# same count index. Deliberately limited to "get": the app can read a secret
# whose name it knows but cannot enumerate, write or delete secrets.
# Requires azurerm_function_app.this (defined elsewhere in the module) to
# declare an identity block, otherwise identity[0] does not exist at plan time.
resource "azurerm_key_vault_access_policy" "this" {
  count = var.azurerm_key_vault ? local.location_count : 0

  key_vault_id = azurerm_key_vault.this[count.index].id

  # Tenant and principal are read back from the app's own identity rather than
  # from the locals above, so they match what Azure actually issued.
  tenant_id = azurerm_function_app.this[count.index].identity[0].tenant_id
  object_id = azurerm_function_app.this[count.index].identity[0].principal_id

  secret_permissions = ["get"]
}
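# Writes every entry of var.azurerm_key_vault_secrets into the vault of every
# location. Nested loop emulated with count (see
# https://serverfault.com/questions/833810/terraform-use-nested-loops-with-count/968309#968309):
# with count = S * C, index i maps to vault i % C and secret floor(i / C).
# Both index expressions use local.location_count as C -- the secret index used
# to divide by length(var.location) instead, which pairs the wrong secret with
# the wrong vault (or indexes out of range) whenever the two values differ.
#
# NOTE(review): secret values end up in plaintext in the Terraform state; the
# state backend needs the same protection as the vault itself. keys() and
# values() are both ordered by key, so adding a secret that sorts before an
# existing one shifts the indices and re-creates the later secrets; a for_each
# variant would avoid that but changes the resource addresses in state.
resource "azurerm_key_vault_secret" "this" {
  count = local.secret_count

  key_vault_id = azurerm_key_vault.this[count.index % local.location_count].id
  name         = keys(var.azurerm_key_vault_secrets)[floor(count.index / local.location_count)]
  value        = values(var.azurerm_key_vault_secrets)[floor(count.index / local.location_count)]

  # The policy granting Terraform "set" is a separate resource; without this
  # ordering the first apply attempts the write before the grant exists.
  depends_on = [
    azurerm_key_vault_access_policy.terraformuser
  ]

  tags = local.global_tags
}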