diff --git a/terraform/subscriptions/modules/key-vault/main.tf b/terraform/subscriptions/modules/key-vault/main.tf
index 911381419..da1e7f24e 100644
--- a/terraform/subscriptions/modules/key-vault/main.tf
+++ b/terraform/subscriptions/modules/key-vault/main.tf
@@ -3,6 +3,10 @@ data "azuread_group" "this" {
   security_enabled = true
 }
 
+data "azurerm_role_definition" "this" {
+  name = "Key Vault Secrets User"
+}
+
 resource "azurerm_key_vault" "this" {
   name     = var.vault_name
   location = var.location
@@ -24,6 +28,12 @@ resource "azurerm_key_vault" "this" {
   sku_name = "standard"
 }
 
+resource "azurerm_role_assignment" "this" {
+  for_each           = var.enable_rbac_authorization && length(var.kv_secrets_user_id) > 0 ? { "${var.vault_name}" : true } : {}
+  scope              = azurerm_key_vault.this.id
+  role_definition_id = data.azurerm_role_definition.this.role_definition_id
+  principal_id       = var.kv_secrets_user_id
+}
 
 data "azurerm_subnet" "subnet" {
   name = "private-links"
@@ -32,7 +42,7 @@ data "azurerm_subnet" "subnet" {
 }
 
 resource "azurerm_key_vault_access_policy" "this" {
-  for_each = var.enable_rbac_authorization == false ? { "${var.vault_name}" : true } : {}
+  for_each     = var.enable_rbac_authorization == false ? { "${var.vault_name}" : true } : {}
   key_vault_id = azurerm_key_vault.this.id
   tenant_id    = var.tenant_id
   object_id    = data.azuread_group.this.object_id
diff --git a/terraform/subscriptions/modules/key-vault/variables.tf b/terraform/subscriptions/modules/key-vault/variables.tf
index c3879899e..25f175a5f 100644
--- a/terraform/subscriptions/modules/key-vault/variables.tf
+++ b/terraform/subscriptions/modules/key-vault/variables.tf
@@ -48,6 +48,12 @@ variable "enable_rbac_authorization" {
   default     = true
 }
 
+variable "kv_secrets_user_id" {
+  description = "The ID of the App that got Key Vault Secrets user permission?"
+  type        = string
+  default     = ""
+}
+
 variable "public_network_access_enabled" {
   description = "Should public network access be enabled for this Key Vault?"
   type        = bool
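Review bot: `principal_id = var.kv_secrets_user_id` in the new `azurerm_role_assignment` block must be the object ID of the service principal or managed identity, while the variable's description in the variables.tf hunk calls it "The ID of the App", which reads as an application (client) ID; as far as I know Azure rejects an assignment to an unknown object, and a wrong-but-existing GUID would grant secret read to the wrong principal, so the contract should be written down. I'd add above the resource `# principal_id is the object ID of the principal (service principal / managed identity), not the app/client ID` and align the variable description with it. The conditional `for_each` silently creates no assignment when enable_rbac_authorization is true and the ID is empty; that opt-in is reasonable but unstated, so a short comment on the for_each line such as `# assignment is opt-in: only when RBAC mode is on and a principal was supplied` would help the next reader. The role definition is resolved by display name without a scope, which binds it to the built-in role; a one-line comment saying so keeps that intent explicit since the name is the only anchor.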
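Review bot: The new `kv_secrets_user_id` variable in the variables.tf hunk accepts any string, so a typo in the GUID or a client ID pasted by mistake only surfaces at apply time; a `validation` block that accepts the empty default or a GUID-shaped value catches that at plan time, and the description's trailing question mark looks like a leftover from copying the neighbouring bool variables. The rewrite below keeps the type and default unchanged and only adds the description wording and the validation.

```hcl
variable "kv_secrets_user_id" {
  description = "Object ID of the principal (service principal or managed identity) granted the Key Vault Secrets User role on this vault. Empty string (the default) creates no role assignment."
  type        = string
  default     = ""

  validation {
    condition     = var.kv_secrets_user_id == "" || can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.kv_secrets_user_id))
    error_message = "kv_secrets_user_id must be empty or a GUID (object ID of the principal)."
  }
}
```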
diff --git a/terraform/subscriptions/modules/mssqldatabase/main.tf b/terraform/subscriptions/modules/mssqldatabase/main.tf
index 4d2cb2fc4..a39bcc5f6 100644
--- a/terraform/subscriptions/modules/mssqldatabase/main.tf
+++ b/terraform/subscriptions/modules/mssqldatabase/main.tf
@@ -17,7 +17,7 @@ resource "azurerm_mssql_server" "sqlserver" {
   }
 
   identity {
-    type = "SystemAssigned"
+    type = "SystemAssigned"
   }
 
   lifecycle {
diff --git a/terraform/subscriptions/s941/dev/key-vault/main.tf b/terraform/subscriptions/s941/dev/key-vault/main.tf
index 0ac73e5f3..a1d70ad4e 100644
--- a/terraform/subscriptions/s941/dev/key-vault/main.tf
+++ b/terraform/subscriptions/s941/dev/key-vault/main.tf
@@ -19,6 +19,7 @@ module "keyvault" {
   # log_analytics_workspace_id = local.external_outputs.common.workspace_id
   soft_delete_retention_days  = each.value.soft_delete_retention_days
   enable_rbac_authorization   = each.value.enable_rbac_authorization
+  kv_secrets_user_id          = each.value.kv_secrets_user_id
   purge_protection_enabled    = each.value.purge_protection_enabled
   network_acls_default_action = each.value.network_acls_default_action
   vnet_resource_group         = module.config.vnet_resource_group
diff --git a/terraform/subscriptions/s941/dev/key-vault/variables.tf b/terraform/subscriptions/s941/dev/key-vault/variables.tf
index d1e91cb06..c39d98112 100644
--- a/terraform/subscriptions/s941/dev/key-vault/variables.tf
+++ b/terraform/subscriptions/s941/dev/key-vault/variables.tf
@@ -6,6 +6,7 @@ variable "keyvaults" {
     enable_rbac_authorization   = optional(bool, false)
     purge_protection_enabled    = optional(bool, true)
     network_acls_default_action = optional(string, "Allow")
+    kv_secrets_user_id          = optional(string, "")
   }))
   default = {
     radix-vault-dev = {
@@ -14,6 +15,8 @@ variable "keyvaults" {
     radix-keyv-dev = {
       resource_group            = "common-dev"
       enable_rbac_authorization = true
+      kv_secrets_user_id        = "e1cab00e-9c12-4ce1-9882-842a57e89643"
+
     }
   }
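Review bot: The bare GUID assigned to `kv_secrets_user_id` for radix-keyv-dev in the last variables.tf hunk tells a reader or an access reviewer nothing about which principal now reads that vault's secrets; a trailing comment naming it, e.g. `kv_secrets_user_id = "e1cab00e-9c12-4ce1-9882-842a57e89643" # object ID of <principal name>`, makes later reviews of secret access possible without a directory lookup. The empty line added before the closing brace of radix-keyv-dev is stray and would survive `terraform fmt`, so drop it. The first hunk declares the field as `optional(string, "")`, consistent with the module default; note that an ID set on an entry that leaves enable_rbac_authorization at its false default is ignored silently, because the module's role assignment requires both, which is worth a comment next to the field declaration.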