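# Hub Key Vault. Access is granted only through the explicit
# azurerm_key_vault_access_policy resources defined alongside it.
resource "azurerm_key_vault" "hub" {
  # Key Vault names become part of a public vault URI, so they must be globally
  # unique: 3-24 characters, letters, digits and hyphens only, starting with a
  # letter and ending with a letter or digit. The regex strips every other
  # character (including any special characters random_string may emit),
  # substr() enforces the 24-character cap, and trimsuffix() drops a hyphen
  # that the cap can otherwise leave as the final character, which Azure rejects.
  # NOTE(review): a var.hub value that itself ends in "-" or contains "--" is
  # not normalised here and would still fail validation on the Azure side.
  name = trimsuffix(substr(replace("${var.hub}-${random_string.hub.result}", "/[^0-9A-Za-z\\-]+/", ""), 0, 24), "-")

  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  tags                = azurerm_resource_group.hub.tags
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Azure platform services (VM deployment, ARM template deployment, Disk
  # Encryption) get no implicit read access to this vault.
  enabled_for_deployment          = false
  enabled_for_template_deployment = false
  enabled_for_disk_encryption     = false

  # NOTE(review): purge_protection_enabled, soft_delete_retention_days,
  # public_network_access_enabled and network_acls are left at the provider
  # defaults here — confirm that is intended for this environment.
}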
# Lifecycle rights (create/read/update/delete) over keys and secrets for the
# principal that runs Terraform, so it can seed and rotate vault content.
# "Purge" and "Recover" are not granted by this policy.
resource "azurerm_key_vault_access_policy" "service_principal" {
  key_vault_id = azurerm_key_vault.hub.id
  tenant_id    = data.azurerm_client_config.current.tenant_id

  # Object id of the principal authenticated to the azurerm provider at apply
  # time, not a fixed service principal — whoever applies gets these rights.
  object_id = data.azurerm_client_config.current.object_id

  key_permissions    = ["Create", "Get", "List", "Update", "Delete"]
  secret_permissions = ["Get", "List", "Set", "Delete"]
}
# Read-only (Get/List) access to keys and secrets for the hub's user-assigned
# managed identity; no write, delete, purge or recover rights are granted.
resource "azurerm_key_vault_access_policy" "managed_identity" {
  key_vault_id = azurerm_key_vault.hub.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.hub.principal_id

  key_permissions    = ["Get", "List"]
  secret_permissions = ["Get", "List"]
}
# Exposes the whole hub vault resource object to callers of this configuration.
# The object holds vault metadata (id, URI and similar); stored secret values
# are not attributes of the vault resource and so are not exported here.
output "key_vault" {
  description = "The hub azurerm_key_vault resource."
  value       = azurerm_key_vault.hub
}