From 01e1de3fa93e8689990fe3203425c0148a8d2cc7 Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Tue, 20 Feb 2024 15:41:34 +0000
Subject: [PATCH] Update to version 0.4.0 of Key Vault module
Switch to using RBAC authorisation for Key Vault
---
terraform/README.md | 5 ++---
terraform/key-vault-tfvars-secrets.tf | 23 ++++++++++++-----------
terraform/locals.tf | 1 -
terraform/variables.tf | 5 -----
4 files changed, 14 insertions(+), 20 deletions(-)
diff --git a/terraform/README.md b/terraform/README.md
index 41b925cb3..0f2d561b1 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -134,14 +134,14 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be
| Name | Version |
|------|---------|
-| [azurerm](#provider\_azurerm) | 3.88.0 |
+| [azurerm](#provider\_azurerm) | 3.91.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.4.9 |
-| [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.3.0 |
+| [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.4.0 |
| [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.2 |
## Resources
@@ -199,7 +199,6 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be
| [existing\_network\_watcher\_resource\_group\_name](#input\_existing\_network\_watcher\_resource\_group\_name) | Existing network watcher resource group. | `string` | n/a | yes |
| [image\_name](#input\_image\_name) | Image name | `string` | n/a | yes |
| [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes |
-| [key\_vault\_access\_users](#input\_key\_vault\_access\_users) | List of users that require access to the Key Vault. This should be a list of User Principle Names (Found in Active Directory) that need to run terraform | `list(string)` | n/a | yes |
| [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that will receive alerts from App Insights | `list(string)` | n/a | yes |
| [monitor\_endpoint\_healthcheck](#input\_monitor\_endpoint\_healthcheck) | Specify a route that should be monitored for a 200 OK status | `string` | n/a | yes |
| [mssql\_database\_name](#input\_mssql\_database\_name) | The name of the MSSQL database to create. Must be set if `enable_mssql_database` is true | `string` | n/a | yes |
diff --git a/terraform/key-vault-tfvars-secrets.tf b/terraform/key-vault-tfvars-secrets.tf
index 0b8a5a008..dad3faf4a 100644
--- a/terraform/key-vault-tfvars-secrets.tf
+++ b/terraform/key-vault-tfvars-secrets.tf
@@ -1,14 +1,15 @@
module "azurerm_key_vault" {
- source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.3.0"
+ source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.0"
- environment = local.environment
- project_name = local.project_name
- existing_resource_group = module.azure_container_apps_hosting.azurerm_resource_group_default.name
- azure_location = local.azure_location
- key_vault_access_users = local.key_vault_access_users
- key_vault_access_ipv4 = local.key_vault_access_ipv4
- tfvars_filename = local.tfvars_filename
- diagnostic_log_analytics_workspace_id = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
- diagnostic_eventhub_name = local.enable_event_hub ? module.azure_container_apps_hosting.azurerm_eventhub_container_app.name : ""
- tags = local.tags
+ environment = local.environment
+ project_name = local.project_name
+ existing_resource_group = module.azure_container_apps_hosting.azurerm_resource_group_default.name
+ azure_location = local.azure_location
+ key_vault_access_use_rbac_authorization = true
+ key_vault_access_users = []
+ key_vault_access_ipv4 = local.key_vault_access_ipv4
+ tfvars_filename = local.tfvars_filename
+ diagnostic_log_analytics_workspace_id = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
+ diagnostic_eventhub_name = local.enable_event_hub ? module.azure_container_apps_hosting.azurerm_eventhub_container_app.name : ""
+ tags = local.tags
}
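Review bot: Nothing in this commit assigns an Azure RBAC role on the vault to the identity that runs Terraform or to the operators who were previously listed in `key_vault_access_users`, so with `key_vault_access_use_rbac_authorization = true` and `key_vault_access_users = []` it is unclear from this hunk who can still read or write the tfvars secret. If the module passes this flag through to `enable_rbac_authorization` on the vault, existing access policies stop being honoured the moment the change is applied, which on an already-deployed vault can lock out the very principal performing the apply unless a role such as Key Vault Secrets Officer was granted beforehand; the commit message should say where that assignment is made, or the module should be confirmed to create it. The empty list also deserves a why-comment so the next reader does not "fix" it by re-adding users, e.g. `# Access is granted through Azure RBAC role assignments on the vault (managed outside this module); the legacy access-policy list is intentionally empty.` placed above `key_vault_access_users = []`.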
diff --git a/terraform/locals.tf b/terraform/locals.tf
index 8342fa988..e699f4966 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -50,7 +50,6 @@ locals {
existing_logic_app_workflow = var.existing_logic_app_workflow
existing_network_watcher_name = var.existing_network_watcher_name
existing_network_watcher_resource_group_name = var.existing_network_watcher_resource_group_name
- key_vault_access_users = var.key_vault_access_users
key_vault_access_ipv4 = var.key_vault_access_ipv4
tfvars_filename = var.tfvars_filename
statuscake_monitored_resource_addresses = var.statuscake_monitored_resource_addresses
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 2e8c9ef3a..50ac8f074 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -289,11 +289,6 @@ variable "mssql_database_name" {
type = string
}
-variable "key_vault_access_users" {
- description = "List of users that require access to the Key Vault. This should be a list of User Principle Names (Found in Active Directory) that need to run terraform"
- type = list(string)
-}
-
variable "key_vault_access_ipv4" {
description = "List of IPv4 Addresses that are permitted to access the Key Vault"
type = list(string)