
Feature: Terraform Module for Azure Key Vault and IAM Integration with AKS Workloads #25

Merged
merged 3 commits into develop from feature/application-resources-module
Nov 26, 2024

Conversation

Lusengeri
Contributor

Add Terraform Module for Azure Key Vault and IAM Integration with AKS Workloads

Addresses #21

Description:
This PR introduces a new Terraform module that provisions an Azure Key Vault along with IAM identities, enabling AKS workloads to securely access secrets stored in the Key Vault. The module ensures that each application deployed on an AKS cluster can be integrated with its own isolated Key Vault, enhancing security and separation of concerns.

Module Usage:

module "some_app_resources" {
  source = "./app_resources"
  aks_config = {
    cluster_namespace       = "<some_app_name>"
    cluster_oidc_issuer_url = module.resources.cluster_oidc_issuer_url
    service_account_name    = "<some_service_account_name>"
  }
  app_name            = "<some_app_name>"
  environment         = var.environment
  resource_group_name = "<some_resource_group_name>"
}

Parameters:

  • aks_config: Configuration specific to the AKS cluster, including the namespace, OIDC issuer URL, and service account name.
  • app_name: The name of the application, used for naming resources consistently.
  • environment: The environment (e.g., sandbox, staging, production) where the application is deployed.
  • resource_group_name: The Azure Resource Group where the resources will be created.

Key Features:

  • Azure Key Vault Provisioning:
    Creates a dedicated Key Vault for each application, ensuring secrets are stored securely and access is restricted.

  • IAM Integration:
    Configures IAM identities and permissions so that AKS workloads can authenticate with the Key Vault using Kubernetes service accounts and Azure AD identities.

  • Extensible Design:
    The module is structured to allow for the future addition of other application-specific resources, such as:

    • Azure Storage Accounts
    • PostgreSQL Databases
    • Additional Azure services

Outputs:

The module provides outputs (key_vault_name, workload_id, and tenant_id) that will be used in the respective application Helm charts, enabling seamless integration with the provisioned Azure resources.

output "some_app_resource_details" {
  value = {
    key_vault_name = module.some_app_resources.key_vault_name
    workload_id    = module.some_app_resources.workload_id
    tenant_id      = module.some_app_resources.tenant_id
  } 
}

Justification:

This approach provides several benefits:

  • Security Isolation:
    Each application has its own Key Vault, ensuring that secrets are managed centrally with access control granted for individual Key Vaults as required.

  • Synchronization:
    AKS pods are always synced with Key Vault contents, obviating the need to run CD pipelines whenever secret values need to be added or adjusted.

  • Consistency and Scalability:
    Standardizes the way resources are provisioned for applications on AKS, making it easier to scale and manage different application deployments across various environments.

  • Future-Proof Design:
    The module's structure allows for easy extension to include additional resources, supporting evolving application needs without significant refactoring.

  • Simplified Deployment:
    Outputs are tailored for easy consumption in Helm charts, reducing the complexity of managing secrets and identity configurations within Kubernetes.

Next Steps:

  • Review the initial implementation for any environment-specific adjustments.
  • Plan to add support for optional resources like Azure Storage and PostgreSQL in future iterations.

This PR ensures that AKS workloads can securely access Azure Key Vaults while laying the foundation for consistent and extensible application infrastructure management.
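The sketch below is an added example, not the module code from this PR: it shows one way the integration the description outlines can be wired in Terraform, so a reviewer can see which pieces the three outputs come from. Input names follow the usage block above; `location` is an assumed extra input, and the resource names, the `Key Vault Secrets User` role choice, and the azurerm v3 argument `enable_rbac_authorization` (renamed `rbac_authorization_enabled` in provider v4) are assumptions of this example.

```hcl
# Added example (not the PR's own module): binding a per-application Key Vault
# to an AKS workload through Azure workload identity (federated credential).
# Variable names mirror the PR's usage block; everything else is assumed.

variable "app_name"            { type = string }
variable "environment"         { type = string }
variable "resource_group_name" { type = string }
variable "location"            { type = string } # assumed input, not shown in the PR's usage block

variable "aks_config" {
  type = object({
    cluster_namespace       = string
    cluster_oidc_issuer_url = string
    service_account_name    = string
  })
}

data "azurerm_client_config" "current" {}

# One user-assigned identity per application, so a compromised pod in one
# namespace cannot present another application's identity.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-${var.app_name}-${var.environment}"
  resource_group_name = var.resource_group_name
  location            = var.location
}

# Trust the cluster's OIDC issuer for exactly one namespace/service-account
# pair. The subject string is the check that scopes the trust.
resource "azurerm_federated_identity_credential" "app" {
  name                = "fic-${var.app_name}-${var.environment}"
  resource_group_name = var.resource_group_name
  parent_id           = azurerm_user_assigned_identity.app.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = var.aks_config.cluster_oidc_issuer_url
  subject             = "system:serviceaccount:${var.aks_config.cluster_namespace}:${var.aks_config.service_account_name}"
}

# Dedicated Key Vault for the application. RBAC authorization (instead of
# access policies) keeps permissions in one place and auditable.
# Note: Key Vault names must be globally unique, 3-24 alphanumeric/hyphen chars.
resource "azurerm_key_vault" "app" {
  name                      = "kv-${var.app_name}-${var.environment}"
  location                  = var.location
  resource_group_name       = var.resource_group_name
  tenant_id                 = data.azurerm_client_config.current.tenant_id
  sku_name                  = "standard"
  enable_rbac_authorization = true
  purge_protection_enabled  = true
}

# Least privilege: the workload identity may read secrets in this vault only,
# not manage keys, certificates, or the vault itself.
resource "azurerm_role_assignment" "app_secrets_reader" {
  scope                = azurerm_key_vault.app.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# Outputs named as in the PR description, for consumption by the Helm chart.
output "key_vault_name" { value = azurerm_key_vault.app.name }
output "workload_id"    { value = azurerm_user_assigned_identity.app.client_id }
output "tenant_id"      { value = data.azurerm_client_config.current.tenant_id }
```

On the Helm side, `workload_id` is what goes into the service account's `azure.workload.identity/client-id` annotation, and `key_vault_name` and `tenant_id` are what a secrets provider needs to mount or sync vault contents into the pod (the PR does not name which provider; the Secrets Store CSI driver's Azure Key Vault provider is the usual choice). The review points worth checking in the real module are the same ones this sketch makes explicit: that the federated credential's `subject` is pinned to a single namespace and service account, that the role assignment is scoped to the one vault rather than the resource group, and that the role grants read-only secret access.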

Collaborator

@sunu sunu left a comment

LGTM!

@szabozoltan69 szabozoltan69 merged commit 1fe512d into develop Nov 26, 2024
@szabozoltan69 szabozoltan69 deleted the feature/application-resources-module branch November 26, 2024 11:28