This Terraform module simplifies the creation and management of Azure Key Vault resources, providing customizable options for access policies, key and secret management, and auditing, all managed through code.

- Capability to handle keys, secrets, and certificates.
- Includes support for certificate issuers.
- Utilization of terratest for robust validation.
- Supports key rotation policies for enhanced security and compliance.
- Integrates seamlessly with private endpoint capabilities for direct and secure connectivity.
The following requirements are needed by this module:
The following providers are used by this module:
The following resources are used by this module:
- azurerm_key_vault.keyvault (resource)
- azurerm_key_vault_access_policy.policy (resource)
- azurerm_key_vault_certificate.cert (resource)
- azurerm_key_vault_certificate_contacts.contact (resource)
- azurerm_key_vault_certificate_issuer.issuer (resource)
- azurerm_key_vault_key.kv_keys (resource)
- azurerm_key_vault_secret.secrets (resource)
- azurerm_key_vault_secret.tls_secrets (resource)
- azurerm_role_assignment.admins (resource)
- random_password.password (resource)
- tls_private_key.tls_key (resource)
- azurerm_client_config.current (data source)
The following input variables are required:
Description: describes the key vault related configuration

Type:

```hcl
object({
  name                                   = string
  location                               = optional(string, null)
  resource_group_name                    = optional(string, null)
  enable_rbac_authorization              = optional(bool, true)
  tenant_id                              = optional(string)
  sku_name                               = optional(string, "standard")
  tags                                   = optional(map(string))
  enabled_for_deployment                 = optional(bool, true)
  enabled_for_disk_encryption            = optional(bool, true)
  enabled_for_template_deployment        = optional(bool, true)
  purge_protection_enabled               = optional(bool, true)
  public_network_access_enabled          = optional(bool, true)
  soft_delete_retention_days             = optional(number, 90)
  delegated_managed_identity_resource_id = optional(string)
  skip_service_principal_aad_check       = optional(bool)
  condition                              = optional(string)
  condition_version                      = optional(string)
  principal_type                         = optional(string)
  role_definition_id                     = optional(string)
  admins                                 = optional(list(string))
  enable_role_assignment                 = optional(bool, true)
  network_acls = optional(object({
    bypass                     = optional(string, "AzureServices")
    default_action             = optional(string, "Deny")
    ip_rules                   = optional(list(string), [])
    virtual_network_subnet_ids = optional(list(string), [])
  }), null)
  issuers = optional(map(object({
    name          = optional(string)
    provider_name = optional(string)
    account_id    = optional(string, null)
    password      = optional(string, null)
    org_id        = optional(string, null)
  })), {})
  contacts = optional(map(object({
    email = string
    name  = optional(string, null)
    phone = optional(string, null)
  })))
  keys = optional(map(object({
    name            = optional(string)
    key_type        = string
    key_size        = optional(number, null)
    key_opts        = optional(list(string))
    curve           = optional(string, null)
    not_before_date = optional(string, null)
    expiration_date = optional(string, null)
    tags            = optional(map(string))
    rotation_policy = optional(object({
      expire_after         = optional(string, null)
      notify_before_expiry = optional(string, null)
      automatic = optional(object({
        time_after_creation = optional(string, null)
        time_before_expiry  = optional(string, null)
      }))
    }))
  })), {})
  secrets = optional(object({
    predefined_string = optional(map(object({
      value           = optional(string)
      name            = optional(string)
      tags            = optional(map(string))
      content_type    = optional(string, null)
      expiration_date = optional(string, null)
      not_before_date = optional(string, null)
    })), {})
    random_string = optional(map(object({
      name             = optional(string)
      length           = number
      special          = optional(bool, true)
      min_lower        = optional(number, 5)
      min_upper        = optional(number, 7)
      min_special      = optional(number, 4)
      min_numeric      = optional(number, 5)
      override_special = optional(string, null)
      keepers          = optional(map(string))
      tags             = optional(map(string))
      content_type     = optional(string, null)
      expiration_date  = optional(string, null)
      not_before_date  = optional(string, null)
    })), {})
    tls_keys = optional(map(object({
      name            = optional(string)
      algorithm       = string
      rsa_bits        = optional(number, 2048)
      tags            = optional(map(string))
      content_type    = optional(string, null)
      expiration_date = optional(string, null)
      not_before_date = optional(string, null)
    })), {})
  }), {})
  certs = optional(map(object({
    name = optional(string)
    tags = optional(map(string))
    certificate = optional(object({
      contents = string
      password = optional(string, null)
    }))
    issuer             = optional(string, "Self")
    key_type           = optional(string, "RSA")
    key_size           = optional(number, 2048)
    reuse_key          = optional(bool, false)
    curve              = optional(string, null)
    content_type       = optional(string, "application/x-pkcs12")
    subject            = string
    validity_in_months = number
    key_usage          = list(string)
    extended_key_usage = optional(list(string), [])
    subject_alternative_names = optional(object({
      dns_names = optional(list(string), [])
      upns      = optional(list(string), [])
      emails    = optional(list(string), [])
    }))
    lifetime_actions = optional(map(object({
      action_type         = string
      days_before_expiry  = optional(number, null)
      lifetime_percentage = optional(number, null)
    })))
  })), {})
  access_policies = optional(map(object({
    object_id               = optional(string)
    tenant_id               = optional(string)
    application_id          = optional(string, null)
    key_permissions         = optional(list(string))
    secret_permissions      = optional(list(string))
    certificate_permissions = optional(list(string))
    storage_permissions     = optional(list(string))
  })), {})
})
```
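The following is an added example of a hardened module call; it is not code from the module's own README or examples directory. The `source` path, the name of the input variable (`vault`) and all resource names, subnet and principal ids are assumptions or constructed placeholders, since the page does not show them; every attribute inside the object is taken from the variable type above. It is worth noting which defaults the type declares: `public_network_access_enabled` defaults to `true` and `network_acls` to `null`, so a minimal call produces a vault reachable from any network, and `access_policies` are only consulted by Azure when `enable_rbac_authorization` is `false`. The example sets those knobs explicitly and wires up an automatically rotated key, a generated secret and a self-signed certificate with an auto-renew lifetime action.

```hcl
# Added example, not the module's own code. The source path and the input
# variable name `vault` are assumptions; ids and names are placeholders.
module "kv" {
  source = "path/to/this/module" # placeholder: point at the module's real source

  vault = {
    name                = "kv-demo-weu" # constructed name
    location            = "westeurope"
    resource_group_name = "rg-demo"     # constructed name

    # Data-plane authorization via Azure RBAC; the `admins` principals get the
    # module's role assignment (azurerm_role_assignment.admins). With RBAC on,
    # Azure ignores the classic access_policies block entirely.
    enable_rbac_authorization = true
    enable_role_assignment    = true
    admins                    = ["00000000-0000-0000-0000-000000000000"] # placeholder object id

    # Network exposure: the type's defaults are public access on and no ACLs.
    # Deny by default, allow only trusted Azure services and one subnet.
    public_network_access_enabled = false
    network_acls = {
      bypass                     = "AzureServices"
      default_action             = "Deny"
      ip_rules                   = []
      virtual_network_subnet_ids = ["/subscriptions/<subscription-id>/resourceGroups/rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/snet-demo"] # placeholder
    }

    # Deletion safety: soft delete retention plus purge protection means a
    # compromised or mistaken principal cannot permanently destroy material.
    purge_protection_enabled   = true
    soft_delete_retention_days = 90

    # An encryption key rotated automatically 30 days before it expires.
    keys = {
      enc = {
        name     = "key-enc"
        key_type = "RSA"
        key_size = 3072
        key_opts = ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
        rotation_policy = {
          expire_after         = "P90D"
          notify_before_expiry = "P29D"
          automatic = {
            time_before_expiry = "P30D"
          }
        }
      }
    }

    # A generated secret: the value never appears in code or state inputs,
    # only random_password.password produces it.
    secrets = {
      random_string = {
        db_password = {
          name         = "db-password"
          length       = 32
          special      = true
          content_type = "text/plain"
        }
      }
    }

    # A self-signed certificate that Key Vault renews itself before expiry.
    certs = {
      app = {
        name               = "cert-app"
        issuer             = "Self"
        subject            = "CN=app.example.com"
        validity_in_months = 12
        key_usage          = ["digitalSignature", "keyEncipherment"]
        extended_key_usage = ["1.3.6.1.5.5.7.3.1"] # serverAuth
        subject_alternative_names = {
          dns_names = ["app.example.com"]
        }
        lifetime_actions = {
          renew = {
            action_type        = "AutoRenew"
            days_before_expiry = 30
          }
        }
      }
    }
  }
}
```

The rotation and lifetime durations are ISO 8601 periods as Azure expects them; `notify_before_expiry` and `time_before_expiry` must both fall inside the `expire_after` window, which the values above satisfy. If a private endpoint is used, as the feature list mentions, `public_network_access_enabled = false` is the setting that actually forces traffic onto it; the `network_acls` block alone only filters the public endpoint.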
The following input variables are optional (have default values):

Description: default Azure region to be used.

Type: `string`

Default: `null`

Description: contains the naming convention

Type:

```hcl
object({
  key_vault_key         = optional(string)
  key_vault_secret      = optional(string)
  key_vault_certificate = optional(string)
})
```

Default: `{}`

Description: default resource group to be used.

Type: `string`

Default: `null`

Description: tags to be added to the resources

Type: `map(string)`

Default: `{}`
The following outputs are exported:
Description: contains all certificates
Description: contains all keys
Description: contains all key vault access policies
Description: contains all secrets
Description: contains all tls private keys
Description: contains all tls public keys
Description: contains all key vault config
For more information, please see our goals and non-goals.
For more information, please see our testing guidelines
Using a dedicated module, we've developed a naming convention for resources that's based on specific regular expressions for each type, ensuring correct abbreviations and offering flexibility with multiple prefixes and suffixes.
Full examples detailing all usages, along with integrations with dependency modules, are located in the examples directory.
To update the module's documentation run `make doc`.
Module is maintained by these awesome contributors.
We welcome contributions from the community! Whether it's reporting a bug, suggesting a new feature, or submitting a pull request, your input is highly valued.
For more information, please see our contribution guidelines.
MIT Licensed. See LICENSE for full details.