Deploy a Key Vault to hold tfvars in (#24)

DFE-Digital · Apr 8, 2024 · acce10e · acce10e
1 parent f4c70b7
commit acce10e
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 53 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -137,6 +137,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_azure_container_apps_hosting"></a> [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.5.2 |
+| <a name="module_azurerm_key_vault"></a> [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.4.1 |
 | <a name="module_statuscake-tls-monitor"></a> [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.3 |
 
 ## Resources
@@ -177,6 +178,7 @@ No resources.
 | <a name="input_existing_network_watcher_resource_group_name"></a> [existing\_network\_watcher\_resource\_group\_name](#input\_existing\_network\_watcher\_resource\_group\_name) | Existing network watcher resource group. | `string` | n/a | yes |
 | <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Image name | `string` | n/a | yes |
 | <a name="input_image_tag"></a> [image\_tag](#input\_image\_tag) | Default image tag for the primary container | `string` | `"web-latest"` | no |
+| <a name="input_key_vault_access_ipv4"></a> [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes |
 | <a name="input_monitor_email_receivers"></a> [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that should be notified by monitoring alerts | `list(string)` | n/a | yes |
 | <a name="input_monitor_endpoint_healthcheck"></a> [monitor\_endpoint\_healthcheck](#input\_monitor\_endpoint\_healthcheck) | Specify a route that should be monitored for a 200 OK status | `string` | n/a | yes |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name. Will be used along with `environment` as a prefix for all resources. | `string` | n/a | yes |
@@ -189,6 +191,7 @@ No resources.
 | <a name="input_statuscake_contact_group_name"></a> [statuscake\_contact\_group\_name](#input\_statuscake\_contact\_group\_name) | Name of the contact group in StatusCake | `string` | `""` | no |
 | <a name="input_statuscake_monitored_resource_addresses"></a> [statuscake\_monitored\_resource\_addresses](#input\_statuscake\_monitored\_resource\_addresses) | The URLs to perform TLS checks on | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be applied to all resources | `map(string)` | n/a | yes |
+| <a name="input_tfvars_filename"></a> [tfvars\_filename](#input\_tfvars\_filename) | tfvars filename. This ensures that tfvars are kept up to date in Key Vault. | `string` | n/a | yes |
 | <a name="input_virtual_network_address_space"></a> [virtual\_network\_address\_space](#input\_virtual\_network\_address\_space) | Virtual network address space CIDR | `string` | n/a | yes |
 
 ## Outputs

diff --git a/terraform/key-vault-tfvars-secrets.tf b/terraform/key-vault-tfvars-secrets.tf
@@ -1,15 +1,15 @@
-# module "azurerm_key_vault" {
-#   source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.1"
+module "azurerm_key_vault" {
+  source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.1"
 
-#   environment                             = local.environment
-#   project_name                            = local.project_name
-#   existing_resource_group                 = module.azure_container_apps_hosting.azurerm_resource_group_default.name
-#   azure_location                          = local.azure_location
-#   key_vault_access_use_rbac_authorization = true
-#   key_vault_access_users                  = []
-#   key_vault_access_ipv4                   = local.key_vault_access_ipv4
-#   tfvars_filename                         = local.tfvars_filename
-#   diagnostic_log_analytics_workspace_id   = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
-#   diagnostic_eventhub_name                = ""
-#   tags                                    = local.tags
-# }
+  environment                             = local.environment
+  project_name                            = local.project_name
+  existing_resource_group                 = module.azure_container_apps_hosting.azurerm_resource_group_default.name
+  azure_location                          = local.azure_location
+  key_vault_access_use_rbac_authorization = true
+  key_vault_access_users                  = []
+  key_vault_access_ipv4                   = local.key_vault_access_ipv4
+  tfvars_filename                         = local.tfvars_filename
+  diagnostic_log_analytics_workspace_id   = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
+  diagnostic_eventhub_name                = ""
+  tags                                    = local.tags
+}
diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -1,34 +1,34 @@
 locals {
-  environment                               = var.environment
-  project_name                              = var.project_name
-  azure_location                            = var.azure_location
-  tags                                      = var.tags
-  virtual_network_address_space             = var.virtual_network_address_space
-  enable_container_registry                 = var.enable_container_registry
-  registry_admin_enabled                    = var.registry_admin_enabled
-  registry_use_managed_identity             = var.registry_use_managed_identity
-  registry_managed_identity_assign_role     = var.registry_managed_identity_assign_role
-  image_name                                = var.image_name
-  image_tag                                 = var.image_tag
-  container_command                         = var.container_command
-  container_secret_environment_variables    = var.container_secret_environment_variables
-  container_scale_http_concurrency          = var.container_scale_http_concurrency
-  container_health_probe_protocol           = var.container_health_probe_protocol
-  enable_dns_zone                           = var.enable_dns_zone
-  dns_zone_domain_name                      = var.dns_zone_domain_name
-  dns_ns_records                            = var.dns_ns_records
-  dns_txt_records                           = var.dns_txt_records
-  enable_cdn_frontdoor                      = var.enable_cdn_frontdoor
-  container_apps_allow_ips_inbound          = var.container_apps_allow_ips_inbound
-  cdn_frontdoor_enable_rate_limiting        = var.cdn_frontdoor_enable_rate_limiting
-  cdn_frontdoor_host_add_response_headers   = var.cdn_frontdoor_host_add_response_headers
-  cdn_frontdoor_custom_domains              = var.cdn_frontdoor_custom_domains
-  cdn_frontdoor_origin_fqdn_override        = var.cdn_frontdoor_origin_fqdn_override
-  cdn_frontdoor_origin_host_header_override = var.cdn_frontdoor_origin_host_header_override
-  cdn_frontdoor_forwarding_protocol         = var.cdn_frontdoor_forwarding_protocol
-  enable_cdn_frontdoor_health_probe         = var.enable_cdn_frontdoor_health_probe
-  # key_vault_access_ipv4                        = var.key_vault_access_ipv4
-  # tfvars_filename                              = var.tfvars_filename
+  environment                                  = var.environment
+  project_name                                 = var.project_name
+  azure_location                               = var.azure_location
+  tags                                         = var.tags
+  virtual_network_address_space                = var.virtual_network_address_space
+  enable_container_registry                    = var.enable_container_registry
+  registry_admin_enabled                       = var.registry_admin_enabled
+  registry_use_managed_identity                = var.registry_use_managed_identity
+  registry_managed_identity_assign_role        = var.registry_managed_identity_assign_role
+  image_name                                   = var.image_name
+  image_tag                                    = var.image_tag
+  container_command                            = var.container_command
+  container_secret_environment_variables       = var.container_secret_environment_variables
+  container_scale_http_concurrency             = var.container_scale_http_concurrency
+  container_health_probe_protocol              = var.container_health_probe_protocol
+  enable_dns_zone                              = var.enable_dns_zone
+  dns_zone_domain_name                         = var.dns_zone_domain_name
+  dns_ns_records                               = var.dns_ns_records
+  dns_txt_records                              = var.dns_txt_records
+  enable_cdn_frontdoor                         = var.enable_cdn_frontdoor
+  container_apps_allow_ips_inbound             = var.container_apps_allow_ips_inbound
+  cdn_frontdoor_enable_rate_limiting           = var.cdn_frontdoor_enable_rate_limiting
+  cdn_frontdoor_host_add_response_headers      = var.cdn_frontdoor_host_add_response_headers
+  cdn_frontdoor_custom_domains                 = var.cdn_frontdoor_custom_domains
+  cdn_frontdoor_origin_fqdn_override           = var.cdn_frontdoor_origin_fqdn_override
+  enable_cdn_frontdoor_health_probe            = var.enable_cdn_frontdoor_health_probe
+  cdn_frontdoor_origin_host_header_override    = var.cdn_frontdoor_origin_host_header_override
+  cdn_frontdoor_forwarding_protocol            = var.cdn_frontdoor_forwarding_protocol
+  key_vault_access_ipv4                        = var.key_vault_access_ipv4
+  tfvars_filename                              = var.tfvars_filename
   enable_monitoring                            = var.enable_monitoring
   monitor_email_receivers                      = var.monitor_email_receivers
   enable_container_health_probe                = var.enable_container_health_probe

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -3,15 +3,15 @@ variable "environment" {
   type        = string
 }
 
-# variable "key_vault_access_ipv4" {
-#   description = "List of IPv4 Addresses that are permitted to access the Key Vault"
-#   type        = list(string)
-# }
-
-# variable "tfvars_filename" {
-#   description = "tfvars filename. This ensures that tfvars are kept up to date in Key Vault."
-#   type        = string
-# }
+variable "key_vault_access_ipv4" {
+  description = "List of IPv4 Addresses that are permitted to access the Key Vault"
+  type        = list(string)
+}
+
+variable "tfvars_filename" {
+  description = "tfvars filename. This ensures that tfvars are kept up to date in Key Vault."
+  type        = string
+}
 
 variable "project_name" {
   description = "Project name. Will be used along with `environment` as a prefix for all resources."