From 83045011050e34ba85e96e2ce8811b8e0bd3c873 Mon Sep 17 00:00:00 2001
From: Hauke Brandt
Date: Mon, 19 Feb 2024 13:52:00 +0100
Subject: [PATCH] Additional ressource azurerm_key_vault_key with associated examples

---
 examples/apply_main.tf | 16 +++++++++++---
 examples/full_main.tf | 24 +++++++++++++++++++++
 examples/min_main.tf | 9 ++++++++
 main.tf | 33 +++++++++++++++++++++++++++++
 outputs.tf | 15 +++++++++++++
 variables.tf | 48 ++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 142 insertions(+), 3 deletions(-)

diff --git a/examples/apply_main.tf b/examples/apply_main.tf
index 3cdb348..7762523 100644
--- a/examples/apply_main.tf
+++ b/examples/apply_main.tf
@@ -1,3 +1,7 @@
+provider "azurerm" {
+ features {}
+}
+
 data "azurerm_subscription" "current" {}
 
 resource "random_password" "password" {
@@ -11,9 +15,10 @@ module "key_vault" {
 source = "registry.terraform.io/telekom-mms/key-vault/azurerm"
 key_vault = {
 kv-mms = {
- location = "westeurope"
- resource_group_name = "rg-mms-github"
- tenant_id = data.azurerm_subscription.current.tenant_id
+ location = "westeurope"
+ resource_group_name = "rg-mms-github"
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ purge_protection_enabled = false
 }
 }
 key_vault_secret = {
@@ -22,4 +27,9 @@ module "key_vault" {
 key_vault_id = module.key_vault.key_vault["kv-mms"].id
 }
 }
+ key_vault_key = {
+ mms-key = {
+ key_vault_id = module.key_vault.key_vault["kv-mms"].id
+ }
+ }
 }
diff --git a/examples/full_main.tf b/examples/full_main.tf
index 277ac5d..3d7ea86 100644
--- a/examples/full_main.tf
+++ b/examples/full_main.tf
@@ -1,3 +1,7 @@
+provider "azurerm" {
+ features {}
+}
+
 data "azurerm_subscription" "current" {}
 
 resource "random_password" "password" {
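Review bot: `purge_protection_enabled = false` in the kv-mms block of apply_main.tf is added without a comment saying why the apply example turns it off; presumably it is there so the vault and the key this commit adds can be purged after a test run, which is not a setting to copy into a real deployment. I would put `# off so the apply run can be torn down; keep purge protection on for real vaults` above that line. The min and full examples do not set it, so the three examples now differ on a vault-hardening setting, which is worth stating in the example header as well.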
@@ -37,4 +41,24 @@ module "key_vault" {
 }
 }
 }
+ key_vault_key = {
+ mms-key = {
+ key_vault_id = module.key_vault.key_vault["kv-mms"].id
+ key_type = "EC"
+ key_size = null
+ curve = "P-384"
+ rotation_policy = {
+ expire_after = "P90D"
+ notify_before_expiry = "P29D"
+ automatic = {
+ time_before_expiry = "P30D"
+ }
+ }
+ tags = {
+ project = "mms-github"
+ environment = terraform.workspace
+ managed-by = "terraform"
+ }
+ }
+ }
 }
diff --git a/examples/min_main.tf b/examples/min_main.tf
index 3cdb348..953e33f 100644
--- a/examples/min_main.tf
+++ b/examples/min_main.tf
@@ -1,3 +1,7 @@
+provider "azurerm" {
+ features {}
+}
+
 data "azurerm_subscription" "current" {}
 
 resource "random_password" "password" {
@@ -22,4 +26,9 @@ module "key_vault" {
 key_vault_id = module.key_vault.key_vault["kv-mms"].id
 }
 }
+ key_vault_key = {
+ mms-key = {
+ key_vault_id = module.key_vault.key_vault["kv-mms"].id
+ }
+ }
 }
diff --git a/main.tf b/main.tf
index 307f464..6c9d4c0 100644
--- a/main.tf
+++ b/main.tf
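Review bot: The `mms-key` block in full_main.tf switches to `key_type = "EC"` with `curve = "P-384"` but does not set `key_opts`, so it inherits the module default of all six operations including encrypt, decrypt, wrapKey and unwrapKey; as far as I know Key Vault EC keys only support sign and verify, so the defaulted list is at best misleading in the "full" example and may be rejected on create (confirm against the API). Adding `key_opts = ["sign", "verify"]` to this block documents the intended use and is also the least-privilege form for readers to copy. The enclosing `module "key_vault"` block starts before this hunk.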
@@ -72,3 +72,36 @@ resource "azurerm_key_vault_secret" "key_vault_secret" {
 expiration_date = local.key_vault_secret[each.key].expiration_date
 tags = local.key_vault_secret[each.key].tags
 }
+
+resource "azurerm_key_vault_key" "key_vault_key" {
+ for_each = var.key_vault_key
+
+ name = local.key_vault_key[each.key].name == "" ? each.key : local.key_vault_key[each.key].name
+ key_vault_id = local.key_vault_key[each.key].key_vault_id
+ key_type = local.key_vault_key[each.key].key_type
+ key_size = local.key_vault_key[each.key].key_size
+ curve = local.key_vault_key[each.key].curve
+ key_opts = local.key_vault_key[each.key].key_opts
+ not_before_date = local.key_vault_key[each.key].not_before_date
+ expiration_date = local.key_vault_key[each.key].expiration_date
+
+ dynamic "rotation_policy" {
+ for_each = length(compact(concat([for key in setsubtract(keys(local.key_vault_key[each.key].rotation_policy), ["automatic"]) : local.key_vault_key[each.key].rotation_policy[key]], values(local.key_vault_key[each.key].rotation_policy["automatic"])))) > 0 ? [0] : []
+
+ content {
+ expire_after = local.key_vault_key[each.key].rotation_policy.expire_after
+ notify_before_expiry = local.key_vault_key[each.key].rotation_policy.notify_before_expiry
+
+ dynamic "automatic" {
+ for_each = length(compact(values(local.key_vault_key[each.key].rotation_policy.automatic))) > 0 ? [0] : []
+
+ content {
+ time_after_creation = local.key_vault_key[each.key].rotation_policy.automatic.time_after_creation
+ time_before_expiry = local.key_vault_key[each.key].rotation_policy.automatic.time_before_expiry
+ }
+ }
+ }
+ }
+
+ tags = local.key_vault_key[each.key].tags
+}
diff --git a/outputs.tf b/outputs.tf
index 5965224..e51852d 100644
--- a/outputs.tf
+++ b/outputs.tf
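Review bot: `key_size = local.key_vault_key[each.key].key_size` is passed unconditionally, so a caller who sets `key_type = "EC"` and a `curve` but does not also override `key_size` still sends the RSA default of 4096 from variables.tf to the provider; the full example works around this by writing `key_size = null` explicitly, which suggests the combination is rejected or at least unintended (confirm against the provider). A guard such as `key_size = contains(["EC", "EC-HSM"], local.key_vault_key[each.key].key_type) ? null : local.key_vault_key[each.key].key_size` would let the EC path work with the module defaults. The two `for_each` expressions on the dynamic blocks also rely on `compact()` dropping `null` elements, which I believe only newer Terraform releases do; the minimum version should be pinned in required_version or at least noted in a comment on the first of those lines.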
@@ -20,6 +20,17 @@ output "key_vault_secret" {
 }
 }
 
+output "key_vault_key" {
+ description = "Outputs all attributes of resource_type."
+ value = {
+ for key_vault_key in keys(azurerm_key_vault_key.key_vault_key) :
+ key_vault_key => {
+ for key, value in azurerm_key_vault_key.key_vault_key[key_vault_key] :
+ key => value
+ }
+ }
+}
+
 output "variables" {
 description = "Displays all configurable variables passed by the module. __default__ = predefined values per module. __merged__ = result of merging the default values and custom values passed to the module"
 value = {
@@ -36,6 +47,10 @@ output "variables" {
 for key in keys(var.key_vault_secret) :
 key => local.key_vault_secret[key]
 }
+ key_vault_key = {
+ for key in keys(var.key_vault_key) :
+ key => local.key_vault_key[key]
+ }
 }
 }
 }
diff --git a/variables.tf b/variables.tf
index 243c3b8..57a63f6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -8,6 +8,11 @@ variable "key_vault_secret" {
 default = {}
 description = "Resource definition, default settings are defined within locals and merged with var settings. For more information look at [Outputs](#Outputs)."
 }
+variable "key_vault_key" {
+ type = any
+ default = {}
+ description = "Resource definition, default settings are defined within locals and merged with var settings. For more information look at [Outputs](#Outputs)."
+}
 
 locals {
 default = {
@@ -48,6 +53,29 @@ locals {
 expiration_date = null
 tags = {}
 }
+ key_vault_key = {
+ name = ""
+ key_type = "RSA" // defined default
+ key_size = 4096 // defined default
+ curve = null
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "verify",
+ "wrapKey",
+ "unwrapKey"
+ ] // defined default
+ not_before_date = null
+ expiration_date = null
+ rotation_policy = {
+ automatic = {
+ time_after_creation = null
+ time_before_expiry = null
+ }
+ }
+ tags = {}
+ }
 }
 
 // compare and merge custom and default values
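Review bot: The default `rotation_policy` in the new key_vault_key defaults (variables.tf, last hunk) defines only `automatic`, but the `rotation_policy` content block in main.tf reads `rotation_policy.expire_after` and `rotation_policy.notify_before_expiry`; a caller who supplies just `rotation_policy = { automatic = { time_before_expiry = "P30D" } }` gets a merged object without those two attributes and the attribute access should fail at plan time (the full example avoids it by setting both). Adding `expire_after = null` and `notify_before_expiry = null` to the default rotation_policy keeps the shape complete and still leaves the dynamic block disabled when nothing is set. Separately, the defaults give every key all six `key_opts` and `expiration_date = null`, i.e. an unrestricted, non-expiring key whenever the caller passes only a key_vault_id as the min example does; that is the broadest possible default, so the variable description should say so, and a narrower default is worth considering for least privilege. The `output "key_vault_key"` description in outputs.tf still reads `Outputs all attributes of resource_type.` and should name `azurerm_key_vault_key`.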
@@ -55,6 +83,10 @@ locals {
 for key_vault in keys(var.key_vault) :
 key_vault => merge(local.default.key_vault, var.key_vault[key_vault])
 }
+ key_vault_key_values = {
+ for key_vault_key in keys(var.key_vault_key) :
+ key_vault_key => merge(local.default.key_vault_key, var.key_vault_key[key_vault_key])
+ }
 
 // deep merge of all custom and default values
 key_vault = {
@@ -78,4 +110,20 @@ locals {
 for key_vault_secret in keys(var.key_vault_secret) :
 key_vault_secret => merge(local.default.key_vault_secret, var.key_vault_secret[key_vault_secret])
 }
+ key_vault_key = {
+ for key_vault_key in keys(var.key_vault_key) :
+ key_vault_key => merge(
+ local.key_vault_key_values[key_vault_key],
+ {
+ for config in ["rotation_policy"] :
+ config => merge(
+ merge(local.default.key_vault_key[config], local.key_vault_key_values[key_vault_key][config]),
+ {
+ for subconfig in ["automatic"] :
+ subconfig => merge(local.default.key_vault_key[config][subconfig], lookup(local.key_vault_key_values[key_vault_key][config], subconfig, {}))
+ }
+ )
+ }
+ )
+ }
 }
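Review bot: `for config in ["rotation_policy"]` and `for subconfig in ["automatic"]` in the deep-merge hunk iterate over one-element literal lists, so the generic shape hides that exactly one nested block is merged and makes the expression harder to read than a direct `rotation_policy = merge(merge(local.default.key_vault_key.rotation_policy, local.key_vault_key_values[key_vault_key].rotation_policy), { automatic = merge(...) })`. If the list form is meant to be extended with further nested blocks later, a comment saying so would justify it; otherwise inlining the two names is clearer. The inner `lookup(..., subconfig, {})` tolerates a caller omitting `automatic`, while the outer `[config]` index relies on the shallow merge in the first hunk always supplying `rotation_policy`; a one-line comment on the outer merge stating that guarantee would save the next reader from re-deriving it.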