Update Azure AD apps to keyvault

aztfmod · Sep 24, 2020 · 50dfd4f · 50dfd4f
1 parent 3e57edc
commit 50dfd4f
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 13 deletions.
diff --git a/azuread_roles.tf b/azuread_roles.tf
@@ -3,14 +3,14 @@ module azuread_roles_applications {
   source   = "./modules/azuread/roles"
   for_each = try(var.azuread_roles.azuread_apps, {})
 
-  object_id         = module.azuread_applications[each.key].azuread_service_principal.object_id
+  object_id     = module.azuread_applications[each.key].azuread_service_principal.object_id
   azuread_roles = each.value.roles
 }
 
 module azuread_roles_msi {
   source   = "./modules/azuread/roles"
   for_each = try(var.azuread_roles.managed_identities, {})
 
-  object_id         = module.managed_identities[each.key].principal_id
+  object_id     = module.managed_identities[each.key].principal_id
   azuread_roles = each.value.roles
 }
diff --git a/modules/azuread/applications/keyvault_secrets.tf b/modules/azuread/applications/keyvault_secrets.tf
@@ -15,11 +15,6 @@
 #   }
 #
 
-locals {
-  keyvault_id = try(var.keyvaults[var.settings.keyvault.keyvault_key].id, "")
-}
-
-
 data "terraform_remote_state" "keyvaults" {
   for_each = {
     for key, value in try(var.settings.keyvaults, {}) : key => value
@@ -44,7 +39,7 @@ resource "azurerm_key_vault_secret" "client_id" {
 
   name         = format("%s-client-id", each.value.secret_prefix)
   value        = azuread_application.app.application_id
-  key_vault_id = try(data.terraform_remote_state.keyvaults[each.key].outputs[each.value.remote_tfstate.output_key][each.value.remote_tfstate.lz_key][each.key].id, local.keyvault_id)
+  key_vault_id = try(data.terraform_remote_state.keyvaults[each.key].outputs[each.value.remote_tfstate.output_key][each.value.remote_tfstate.lz_key][each.key].id, var.keyvaults[each.key].id)
 
   lifecycle {
     ignore_changes = [
@@ -55,10 +50,10 @@ resource "azurerm_key_vault_secret" "client_id" {
 }
 
 resource "azurerm_key_vault_secret" "client_secret" {
-  for_each = try(var.settings.keyvaults, {})
+  for_each        = try(var.settings.keyvaults, {})
   name            = format("%s-client-secret", each.value.secret_prefix)
   value           = azuread_service_principal_password.app.value
-  key_vault_id    = try(data.terraform_remote_state.keyvaults[each.key].outputs[each.value.remote_tfstate.output_key][each.value.remote_tfstate.lz_key][each.key].id, local.keyvault_id)
+  key_vault_id    = try(data.terraform_remote_state.keyvaults[each.key].outputs[each.value.remote_tfstate.output_key][each.value.remote_tfstate.lz_key][each.key].id, var.keyvaults[each.key].id)
   expiration_date = timeadd(timestamp(), format("%sh", try(var.settings.password_expire_in_days, 180) * 24))
 
   lifecycle {
@@ -69,8 +64,8 @@ resource "azurerm_key_vault_secret" "client_secret" {
 }
 
 resource "azurerm_key_vault_secret" "tenant_id" {
-  for_each = try(var.settings.keyvaults, {})
+  for_each     = try(var.settings.keyvaults, {})
   name         = format("%s-tenant-id", each.value.secret_prefix)
   value        = var.client_config.tenant_id
-  key_vault_id = try(data.terraform_remote_state.keyvaults[each.key].outputs[each.value.remote_tfstate.output_key][each.value.remote_tfstate.lz_key][each.key].id, local.keyvault_id)
+  key_vault_id = try(data.terraform_remote_state.keyvaults[each.key].outputs[each.value.remote_tfstate.output_key][each.value.remote_tfstate.lz_key][each.key].id, var.keyvaults[each.key].id)
 }
diff --git a/modules/azuread/applications/output.tf b/modules/azuread/applications/output.tf
@@ -22,7 +22,7 @@ output azuread_service_principal {
   sensitive = true
 }
 
-output keyvault {
+output keyvaults {
   value = {
     for key, value in try(var.settings.keyvaults, {}) : key => {
       id                        = azurerm_key_vault_secret.client_id[key].key_vault_id