# One Key Vault per entry in var.keyvaults; the instance key is the map key.
module "keyvaults" {
  source   = "./modules/security/keyvault"
  for_each = var.keyvaults

  # Per-instance configuration is the var.keyvaults entry itself.
  settings = each.value

  # Landing-zone wide context shared by every instance.
  global_settings = local.global_settings
  client_config   = local.client_config
  diagnostics     = local.combined_diagnostics
  base_tags       = local.global_settings.inherit_tags

  # Object maps the module resolves by key (presumably merged local + remote
  # landing-zone objects, going by the "combined_objects" naming - confirm in locals).
  vnets              = local.combined_objects_networking
  virtual_subnets    = local.combined_objects_virtual_subnets
  azuread_groups     = local.combined_objects_azuread_groups
  managed_identities = local.combined_objects_managed_identities
  private_dns        = local.combined_objects_private_dns

  # Resource group lookup: first by landing-zone key (the nested
  # resource_group.lz_key, defaulting to the current landing zone), then by
  # resource group key (flat resource_group_key wins over nested resource_group.key).
  resource_group = local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][try(each.value.resource_group_key, each.value.resource_group.key)]

  # An explicit resource group name is forwarded only when one of the two
  # accepted attributes is present; otherwise null.
  resource_group_name = can(each.value.resource_group.name) || can(each.value.resource_group_name) ? try(each.value.resource_group.name, each.value.resource_group_name) : null

  # Region alias resolved through the global regions map; null when the alias is unknown.
  location = try(local.global_settings.regions[each.value.region], null)
}
#
# Keyvault access policies
#
# Access policies keyed by Key Vault: each.key names the target vault in
# local.combined_objects_keyvaults and each.value holds that vault's policy set.
module "keyvault_access_policies" {
  source   = "./modules/security/keyvault_access_policies"
  for_each = var.keyvault_access_policies

  keyvault_key    = each.key
  keyvaults       = local.combined_objects_keyvaults
  access_policies = each.value

  client_config  = local.client_config
  azuread_groups = local.combined_objects_azuread_groups

  # Principals/objects a policy may reference by key; grouped under a single
  # "resources" map rather than one module argument per object type.
  resources = {
    azuread_service_principals        = local.combined_objects_azuread_service_principals
    managed_identities                = local.combined_objects_managed_identities
    storage_accounts                  = local.combined_objects_storage_accounts
    diagnostic_storage_accounts       = local.combined_objects_diagnostic_storage_accounts
    mssql_managed_instances           = local.combined_objects_mssql_managed_instances
    mssql_managed_instances_secondary = local.combined_objects_mssql_managed_instances_secondary
  }
}
# Keyvault access policies for Azure AD apps must be kept separate from the other policies so the keyvault can be created with its default policies first.
# Reason: Azure AD app passwords are stored as keyvault secrets, so combining the two would create a circular reference.
# Same access-policy module as "keyvault_access_policies", driven by a
# separate variable so that policies for Azure AD apps do not participate
# in the dependency cycle between the vaults and the app secrets.
# Unlike the general module call this one passes azuread_apps and no
# azuread_groups/resources maps.
module "keyvault_access_policies_azuread_apps" {
  source   = "./modules/security/keyvault_access_policies"
  for_each = var.keyvault_access_policies_azuread_apps

  keyvault_key    = each.key
  keyvaults       = local.combined_objects_keyvaults
  access_policies = each.value

  client_config = local.client_config
  azuread_apps  = local.combined_objects_azuread_apps
}
# Exposes every keyvault module instance (keyed like var.keyvaults) to the
# parent configuration / remote state.
# NOTE(review): the child module's outputs are not visible from this file; if
# any of them carry secret material, this output must be marked
# `sensitive = true` - confirm against ./modules/security/keyvault.
output "keyvaults" {
value = module.keyvaults
}