# Pin Terraform and provider versions so the example is reproducible.
# Pessimistic constraints (~>) allow patch/minor updates within the tested major.
terraform {
  required_version = "~> 1.5"

  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.14" }
    random  = { source = "hashicorp/random", version = "~> 3.6" }
    time    = { source = "hashicorp/time", version = "~> 0.11" }
  }
}
provider "azurerm" {
  features {
    resource_group {
      # Allows `terraform destroy` to remove the example resource group even if
      # resources created outside this configuration remain in it. Keep the
      # default (true) for anything other than disposable example deployments.
      prevent_deletion_if_contains_resources = false
    }
  }
}
# Identity of the principal running this deployment; its tenant_id and object_id
# are used for the Key Vault tenant and the deployer's role assignment below.
data "azurerm_client_config" "current" {}
locals {
  # Suffix appended to every generated resource name in this example.
  prefix = "cmk-auto"
}
# Region catalogue used to pick a deployment location at random below.
module "regions" {
  source                   = "Azure/regions/azurerm"
  version                  = ">= 0.3.0"
  recommended_regions_only = true # restrict the pool to Azure's recommended regions
}
# Random index into module.regions.regions; the result is stored in state, so the
# chosen region is stable across subsequent plans.
resource "random_integer" "region_index" {
  min = 0
  max = length(module.regions.regions) - 1
}
# Provides CAF-style unique names (e.g. resource_group.name_unique) for the resources below.
module "naming" {
  source  = "Azure/naming/azurerm"
  version = ">= 0.3.0"
}
# Resource group hosting every resource in this example, in the randomly chosen region.
resource "azurerm_resource_group" "example" {
  name     = format("%s-%s", module.naming.resource_group.name_unique, local.prefix)
  location = module.regions.regions[random_integer.region_index.result].name
}
# User-assigned identity the Service Bus namespace uses to reach the Key Vault key.
# Keeping this identity separate from the deployer means the namespace only ever
# holds the narrow Key Vault role granted to it below.
resource "azurerm_user_assigned_identity" "example" {
  name                = format("example-%s", local.prefix)
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}
# Key Vault holding the customer-managed key.
resource "azurerm_key_vault" "example" {
  name                = format("%s%s", module.naming.key_vault.name_unique, local.prefix)
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Azure RBAC instead of access policies: data-plane rights come from the two
  # role assignments below rather than from vault-level policy entries.
  # NOTE(review): azurerm 4.x documents this argument as rbac_authorization_enabled;
  # confirm the pinned provider still accepts the enable_rbac_authorization name.
  enable_rbac_authorization = true

  # Purge protection is required for vaults backing customer-managed keys and
  # prevents the key from being permanently deleted while the namespace depends
  # on it. 7 days is the minimum soft-delete retention; raise it for production.
  purge_protection_enabled   = true
  soft_delete_retention_days = 7

  # NOTE(review): no network_acls / public network restriction is configured here,
  # so the vault's data plane is reachable from any network (subject to RBAC).
  # Acceptable for an example; production deployments should restrict access.
}
# RSA-4096 key used as the customer-managed key for the Service Bus namespace.
resource "azurerm_key_vault_key" "example" {
  name         = "customermanagedkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 4096

  # Least-privilege key operations: only wrap/unwrap are permitted, which is all
  # envelope encryption needs. sign/verify/encrypt/decrypt are deliberately absent.
  key_opts = ["wrapKey", "unwrapKey"]

  # NOTE(review): no expiration_date or rotation_policy is set, so this key never
  # expires or rotates automatically. Before adding a rotation policy, confirm the
  # consuming module references the key without a version so new versions are picked up.

  # The key is created by the deployer, whose Crypto Officer role must have
  # propagated first; the sleep resource models that propagation delay.
  depends_on = [time_sleep.wait_for_rbac_before_key_operations]
}
# Grants the deploying principal key-management rights on the vault so it can create
# the key. Scope is the single vault, not the resource group or subscription.
resource "azurerm_role_assignment" "crypto_officer" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}
# Grants the namespace's user-assigned identity only the wrap/unwrap rights it needs
# (Crypto Service Encryption User), scoped to the single vault.
resource "azurerm_role_assignment" "crypto_service_encryption_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.example.principal_id
}
# Azure RBAC assignments are eventually consistent; wait before any resource that
# relies on them performs key operations. 90s is an empirical value, not a guarantee.
resource "time_sleep" "wait_for_rbac_before_key_operations" {
  create_duration = "90s"

  depends_on = [
    azurerm_role_assignment.crypto_officer,
    azurerm_role_assignment.crypto_service_encryption_user,
  ]
}
# Service Bus namespace encrypted with the customer-managed key above.
module "servicebus" {
  source = "../../"

  name                = format("%s-%s", module.naming.servicebus_namespace.name_unique, local.prefix)
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  # Customer-managed keys are a Premium-tier feature of Service Bus.
  sku = "Premium"

  # Adds a second layer of encryption at rest on top of the CMK.
  infrastructure_encryption_enabled = true

  # The namespace authenticates to Key Vault with the user-assigned identity, which
  # holds only the wrap/unwrap role assigned above.
  managed_identities = {
    user_assigned_resource_ids = [azurerm_user_assigned_identity.example.id]
  }

  customer_managed_key = {
    key_vault_resource_id = azurerm_key_vault.example.id
    key_name              = azurerm_key_vault_key.example.name
    user_assigned_identity = {
      resource_id = azurerm_user_assigned_identity.example.id
    }
  }

  # Ensure the identity's role assignment has propagated before the namespace
  # attempts its first wrap operation against the vault.
  depends_on = [time_sleep.wait_for_rbac_before_key_operations]
}