Add msi to keyvault policies (#27)
Co-authored-by: lolorol <[email protected]>
LaurentLesle and LaurentLesle authored Sep 22, 2020
1 parent 66dbbe5 commit f16bf96
Showing 3 changed files with 18 additions and 2 deletions.
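--- a/keyvault.tf
+++ b/keyvault.tf
@@ -29,6 +29,7 @@ module "keyvault_access_policies" {
 azuread_groups = module.azuread_groups
 logged_user_objectId = local.client_config.logged_user_objectId
 logged_aad_app_objectId = local.client_config.logged_aad_app_objectId
+managed_identities = module.managed_identities
 }
 
 # Need to separate keyvault policies from azure AD apps to get the keyvault with the default policies.
@@ -44,7 +45,6 @@ module "keyvault_access_policies_azuread_apps" {
 }
 
-
 
 output keyvaults {
 value = module.keyvaults
 }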
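--- a/modules/security/keyvault_access_policies/policies.tf
+++ b/modules/security/keyvault_access_policies/policies.tf
@@ -55,11 +55,24 @@ module object_id {
 source = "./access_policy"
 for_each = {
 for key, access_policy in var.access_policies : key => access_policy
-if key == "object_id" && var.logged_aad_app_objectId != null
+if try(access_policy.object_id, null) != null && var.logged_aad_app_objectId != null
 }
 
 keyvault_id = var.keyvault_id
 access_policy = each.value
 tenant_id = try(each.value.tenant_id, var.tenant_id)
 object_id = each.value.object_id
 }
+
+module managed_identity {
+source = "./access_policy"
+for_each = {
+for key, access_policy in var.access_policies : key => access_policy
+if try(access_policy.managed_identity_key, null) != null && var.managed_identities != {}
+}
+
+keyvault_id = var.keyvault_id
+access_policy = each.value
+tenant_id = var.tenant_id
+object_id = var.managed_identities[each.value.managed_identity_key].principal_id
+}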
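Review bot: The new managed_identity module sets `tenant_id = var.tenant_id`, while the sibling object_id module in the same hunk uses `tenant_id = try(each.value.tenant_id, var.tenant_id)`, so a policy entry that carries its own tenant_id is honored for object_id entries but silently ignored for managed-identity entries; aligning the new line to `tenant_id = try(each.value.tenant_id, var.tenant_id)` keeps the two paths consistent. The for_each filter `var.managed_identities != {}` compares the variable against an empty object literal; if callers pass a map, `length(var.managed_identities) > 0` is the unambiguous emptiness test and avoids relying on cross-type comparison semantics. When that guard is false, every policy that names a managed_identity_key is dropped without any diagnostic rather than failing the plan, which is worth stating in a comment on the for_each (e.g. `# policies referencing a managed identity are skipped, not rejected, when no identities are supplied`) so a missing grant is not mistaken for a bug elsewhere. The object_id module block begins before this hunk.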
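--- a/modules/security/keyvault_access_policies/variables.tf
+++ b/modules/security/keyvault_access_policies/variables.tf
@@ -21,3 +21,6 @@ variable azuread_groups {
 variable azuread_apps {
 default = {}
 }
+variable managed_identities {
+default = {}
+}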
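Review bot: `variable managed_identities` is declared with only `default = {}` and no description, yet policies.tf in this same commit indexes it as `var.managed_identities[key].principal_id`, so the shape the module depends on is documented nowhere at the boundary. A `description` stating that each value is expected to expose a `principal_id` attribute (presumably the output of module.managed_identities wired in keyvault.tf — worth confirming) would make that contract visible to callers, and a `type` constraint would turn a wrong shape into a plan-time error instead of an index failure inside the for_each. The azuread_groups variable named in the hunk header starts outside the hunk.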
