Ll integration pipeline (#30)

* Update keyvault secrets lifecycles * Update keyvault secrets Fix formating * Azure AD Role - Add msi support
aztfmod · Sep 23, 2020 · fb4fad6 · fb4fad6
1 parent f499ef9
commit fb4fad6
Show file tree

Hide file tree

Showing 8 changed files with 24 additions and 15 deletions.
diff --git a/azuread.tf b/azuread.tf
@@ -22,15 +22,6 @@ output aad_apps {
   sensitive = true
 }
 
-
-module azuread_app_roles {
-  source   = "./modules/azuread/roles"
-  for_each = var.azuread_app_roles
-
-  object_id         = module.azuread_applications[each.key].azuread_service_principal.object_id
-  azuread_app_roles = each.value.roles
-}
-
 #
 # Azure Active Directory Groups
 #

diff --git a/azuread_roles.tf b/azuread_roles.tf
@@ -0,0 +1,16 @@
+
+module azuread_roles_applications {
+  source   = "./modules/azuread/roles"
+  for_each = try(var.azuread_roles.azuread_apps, {})
+
+  object_id         = module.azuread_applications[each.key].azuread_service_principal.object_id
+  azuread_roles = each.value.roles
+}
+
+module azuread_roles_msi {
+  source   = "./modules/azuread/roles"
+  for_each = try(var.azuread_roles.managed_identities, {})
+
+  object_id         = module.managed_identities[each.key].principal_id
+  azuread_roles = each.value.roles
+}
diff --git a/modules/azuread/applications/keyvault.tf b/modules/azuread/applications/keyvault.tf
@@ -1,9 +1,10 @@
 module keyvault_secret_policy {
-  count = try(var.settings.keyvault, null) != null ? 1 : 0
+  count = try(var.keyvaults[var.settings.keyvault.keyvault_key].id, null) != null ? 1 : 0
+  # for_each = try(var.settings.keyvault.keyvault_key, {})
 
   source                  = "./keyvault"
   settings                = var.settings.keyvault
-  keyvault_id             = try(var.keyvaults[var.settings.keyvault.keyvault_key].id, "")
+  keyvault_id             = var.keyvaults[var.settings.keyvault.keyvault_key].id
   password_expire_in_days = try(var.settings.password_expire_in_days, 180)
 
   # Used by the az cli client id and ARM_CLIENT_ID

diff --git a/modules/azuread/applications/keyvault/keyvault_secrets.tf b/modules/azuread/applications/keyvault/keyvault_secrets.tf
@@ -34,7 +34,8 @@ data "terraform_remote_state" "keyvaults" {
 resource "azurerm_key_vault_secret" "client_id" {
   name         = format("%s-client-id", var.settings.secret_prefix)
   value        = var.application_id
-  key_vault_id = try(data.terraform_remote_state.keyvaults["remote_tfstate"].outputs[var.settings.remote_tfstate.output_key][var.settings.remote_tfstate.lz_key][var.settings.keyvault_key].id, var.keyvault_id)
+  key_vault_id = try(var.settings.remote_tfstate.tfstate_key, null) == null ? var.keyvault_id : data.terraform_remote_state.keyvaults["remote_tfstate"].outputs[var.settings.remote_tfstate.output_key][var.settings.remote_tfstate.lz_key][var.settings.keyvault_key].id
+  # key_vault_id = try(data.terraform_remote_state.keyvaults["remote_tfstate"].outputs[var.settings.remote_tfstate.output_key][var.settings.remote_tfstate.lz_key][var.settings.keyvault_key].id, var.keyvault_id)
 
   lifecycle {
     ignore_changes = [

diff --git a/modules/azuread/roles/roles.tf b/modules/azuread/roles/roles.tf
@@ -5,7 +5,7 @@ resource "null_resource" "set_azure_ad_roles" {
   }
 
   for_each = {
-    for key in var.azuread_app_roles : key => key
+    for key in var.azuread_roles : key => key
   }
 
   provisioner "local-exec" {

diff --git a/modules/azuread/roles/variables.tf b/modules/azuread/roles/variables.tf
@@ -1,2 +1,2 @@
 variable object_id {}
-variable azuread_app_roles {}
+variable azuread_roles {}
diff --git a/documentation/coding_cec.md → modules/documentation/coding_cec.md b/documentation/coding_cec.md → modules/documentation/coding_cec.md
diff --git a/variables.tf b/variables.tf
@@ -79,7 +79,7 @@ variable azuread_groups {
   default = {}
 }
 
-variable azuread_app_roles {
+variable azuread_roles {
   default = {}
 }