-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathkeyvault.tf
75 lines (63 loc) · 2.39 KB
/
keyvault.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
resource "azurerm_key_vault" "example" {
name = "poc-kv675674475675"
location = azurerm_resource_group.poc-vnet.location
resource_group_name = azurerm_resource_group.poc-vnet.name
enabled_for_disk_encryption = false
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = false
sku_name = "standard"
//enable_rbac_authorization = true
}
resource "azurerm_key_vault_access_policy" "uami" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_user_assigned_identity.fw-uami.principal_id
secret_permissions = [
"Get", "List"
]
}
resource "azurerm_key_vault_access_policy" "appgw-uami" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_user_assigned_identity.appgw-uami.principal_id
secret_permissions = [
"Get", "List"
]
}
# access policy for the current terraform user
resource "azurerm_key_vault_access_policy" "tf_user" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
secret_permissions = [
"Get", "List", "Set", "Delete", "purge", "recover", "restore", "backup"
]
}
# access policy for a human user (if using a SP to run TF)
resource "azurerm_key_vault_access_policy" "human_user" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = var.me_object_id
secret_permissions = [
"Get", "List", "Set", "Delete", "purge", "recover", "restore", "backup"
]
}
resource "azurerm_key_vault_secret" "azfw-cert" {
name = "azfw-imported-cert"
key_vault_id = azurerm_key_vault.example.id
depends_on = [
azurerm_key_vault_access_policy.tf_user
]
value = filebase64("interCA.pfx")
}
# convert letsencrypt cert to .pfx using:
# openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
resource "azurerm_key_vault_secret" "appgw-cert" {
name = "appgw-cert"
key_vault_id = azurerm_key_vault.example.id
depends_on = [
azurerm_key_vault_access_policy.tf_user
]
value = filebase64("certs/fwpoctimw.pfx")
}