This module creates and manages an Azure Key Vault and stores your Terraform variable files as Secrets within it.
Example module usage:
module "azure_key_vault_tfvars" {
source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.1"
environment = "Dev"
project_name = "myproject"
existing_resource_group = "my-rg-name"
enable_resource_group_lock = false
azure_location = "uk-south"
# (legacy) Grant access to Key Vault using Access Policy
# key_vault_access_users = [
# "my_email.address.suffix#EXT#@platformidentity.onmicrosoft.com",
# ]
# (Preferred) Leverage Azure RBAC to grant access to Key Vault
key_vault_access_use_rbac_authorization = true
# List of IPV4 Addresses that are permitted to access the Key Vault
key_vault_access_ipv4 = [
"8.8.8.8"
]
## Specify a list of Azure Subnet Resource IDs that can access this Key Vault
# key_vault_access_subnet_ids = [
# "/my/azure/subnet/id"
# ]
tfvars_filename = "dev.tfvars"
secret_expiry_years = 5
# enable_diagnostic_setting = true
# enable_log_analytics_workspace = false
# diagnostic_log_analytics_workspace_id = "my-log-analytics"
# diagnostic_eventhub_name = "my-eventhub-name"
# enable_diagnostic_storage_account = false
# diagnostic_storage_account_id = "my-storage-account-id"
tags = {
"My Tag" = "My Value!"
}
}
| Name | Version |
|---|---|
| terraform | >= 1.4.5 |
| azuread | >= 2.37.1 |
| azurerm | >= 3.52.0 |
| null | >= 3.2.1 |
| Name | Version |
|---|---|
| azuread | 2.48.0 |
| azurerm | 3.101.0 |
| null | 3.2.2 |
| Name | Type |
|---|---|
| azurerm_key_vault.tfvars | resource |
| azurerm_key_vault_secret.tfvars | resource |
| azurerm_log_analytics_workspace.key_vault | resource |
| azurerm_management_lock.default | resource |
| azurerm_monitor_diagnostic_setting.tfvars | resource |
| azurerm_resource_group.default | resource |
| azurerm_storage_account.logs | resource |
| azurerm_storage_account_network_rules.logs | resource |
| null_resource.check_key_vault_secret_age_against_local_tfvars | resource |
| azuread_user.key_vault_access | data source |
| azurerm_client_config.current | data source |
| azurerm_resource_group.existing_resource_group | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| azure_location | Azure location in which to launch resources. | string |
n/a | yes |
| diagnostic_eventhub_name | Specify an Event Hub name to send Diagnostic information to | string |
"" |
no |
| diagnostic_log_analytics_workspace_id | Specify a Log Analytics Workspace ID to send Diagnostic information to | string |
"" |
no |
| diagnostic_storage_account_id | Specify a Storage Account ID to send Diagnostic information to | string |
"" |
no |
| enable_diagnostic_setting | Enable Azure Diagnostics setting for the Key Vault | bool |
true |
no |
| enable_diagnostic_storage_account | When enabled, creates a Storage Account for the diagnostic logs, if one hasn't been specified for diagnostic_storage_account_id |
bool |
false |
no |
| enable_log_analytics_workspace | When enabled, creates a Log Analyics Workspace, if one hasn't been specified for diagnostic_log_analytics_workspace_id |
bool |
false |
no |
| enable_resource_group_lock | Enabling this will add a Resource Lock to the Resource Group preventing any resources from being deleted. | bool |
false |
no |
| enable_tfvars_file_age_check | Compares the file age of the tfvars file with the updated time of the Key Vault Secret, and prevents and older tfvars file updating a newer secret. | bool |
true |
no |
| environment | Environment name. Will be used along with project_name as a prefix for all resources. |
string |
n/a | yes |
| existing_resource_group | Name of an existing Resource Group to create the Key Vault within. If left empty, one will be created. | string |
"" |
no |
| key_vault_access_ipv4 | List of IPv4 Addresses that are permitted to access the Key Vault | list(string) |
n/a | yes |
| key_vault_access_subnet_ids | List of Azure Subnet IDs that are permitted to access the Key Vault | list(string) |
[] |
no |
| key_vault_access_use_rbac_authorization | Use RBAC to handle access controls for the Key Vault | bool |
false |
no |
| key_vault_access_users | List of users that require access to the Key Vault. This should be a list of User Principle Names (Found in Active Directory) that need to run terraform | list(string) |
n/a | yes |
| project_name | Project name. Will be used along with environment as a prefix for all resources. |
string |
n/a | yes |
| secret_expiry_years | Number of years from now when the Key Vault secret should be considered expired | number |
5 |
no |
| tags | Tags to be applied to all resources | map(string) |
{} |
no |
| tfvars_filename | tfvars filename. This file is uploaded and stored encrupted within Key Vault, to ensure that the latest tfvars are stored in a shared place. | string |
n/a | yes |
No outputs.