# Read-only data-plane access: Get/List on keys, secrets and certificates.
# One policy is created per reader object ID. The set is emptied - so no
# policies are created at all - when the vault uses RBAC authorization or is
# a Managed HSM, since vault access policies are not the authorization model
# in either of those modes.
resource "azurerm_key_vault_access_policy" "readers" {
  for_each = toset(
    !(var.rbac_authorization_enabled || var.managed_hardware_security_module_enabled) ? var.reader_objects_ids : []
  )

  # one() yields null when the vault resource has a count of 0 (presumably the
  # Managed HSM variant - confirm against the vault resource); with an empty
  # for_each this expression is never evaluated for an instance.
  key_vault_id = one(azurerm_key_vault.main[*].id)
  tenant_id    = local.tenant_id
  object_id    = each.key # for a set of strings, each.key == each.value

  key_permissions         = ["Get", "List"]
  secret_permissions      = ["Get", "List"]
  certificate_permissions = ["Get", "List"]
}
# State-only rename: maps the legacy `readers_policy` address onto `readers`
# so existing policies are re-addressed instead of destroyed and recreated.
moved {
from = azurerm_key_vault_access_policy.readers_policy
to = azurerm_key_vault_access_policy.readers
}
# Administrative data-plane access: full lifecycle management of keys,
# secrets and certificates, plus cryptographic use of keys (Encrypt/Decrypt,
# Sign/Verify, WrapKey/UnwrapKey) - this role both manages and uses key
# material. One policy per admin object ID; the set is emptied when the vault
# uses RBAC authorization or is a Managed HSM, where access policies are not
# the authorization model, so nothing is created in those modes.
resource "azurerm_key_vault_access_policy" "admins" {
  for_each = toset(
    !(var.rbac_authorization_enabled || var.managed_hardware_security_module_enabled) ? var.admin_objects_ids : []
  )

  key_vault_id = one(azurerm_key_vault.main[*].id)
  tenant_id    = local.tenant_id
  object_id    = each.key # each.key == each.value for a set of strings

  # Entries are kept in their declared order: these attributes are list-typed
  # in the provider, so reordering may surface as an in-place change.
  # "Purge" permanently removes soft-deleted items, bypassing the soft-delete
  # recovery window; it is still refused by the service if purge protection
  # is enabled on the vault.
  key_permissions = [
    "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List",
    "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey",
  ]
  secret_permissions = [
    "Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set",
  ]
  certificate_permissions = [
    "Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List",
    "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore",
    "SetIssuers", "Update",
  ]
}
# State-only rename: maps the legacy `admin_policy` address onto `admins`
# so existing policies are re-addressed instead of destroyed and recreated.
moved {
from = azurerm_key_vault_access_policy.admin_policy
to = azurerm_key_vault_access_policy.admins
}