tf-azurerm-module_reference-key_vault

module
v0.0.0-...-9331d26 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 14, 2024 License: Apache-2.0

README

tf-azurerm-module_reference-key_vault

License

Overview

This reference architecture module provisions a Key Vault in its own Resource Group. Based on the inputs provided, it can also provision a Private Key Vault with private endpoints in a provided subnet.

Pre-Commit hooks

.pre-commit-config.yaml file defines certain pre-commit hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.

commitlint hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:

  • fix: a commit of the type fix patches a bug in your codebase (this correlates with PATCH in Semantic Versioning).
  • feat: a commit of the type feat introduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning).
  • BREAKING CHANGE: a commit that has a footer BREAKING CHANGE:, or appends a ! after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type. footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format.
  • build: a commit of the type build adds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
  • chore: a commit of the type chore adds changes that don't modify src or test files
  • ci: a commit of the type ci adds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
  • docs: a commit of the type docs adds documentation only changes
  • perf: a commit of the type perf adds code change that improves performance
  • refactor: a commit of the type refactor adds code change that neither fixes a bug nor adds a feature
  • revert: a commit of the type revert reverts a previous commit
  • style: a commit of the type style adds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
  • test: a commit of the type test adds missing tests or correcting existing tests

Base configuration used for this project is commitlint-config-conventional (based on the Angular convention)

If you are a developer using vscode, this plugin may be helpful.

detect-secrets-hook prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS

In order for pre-commit hooks to work properly

  • You need to have the pre-commit package manager installed. Here are the installation instructions.
  • pre-commit would install all the hooks when commit message is added by default except for commitlint hook. commitlint hook would need to be installed manually using the command below
pre-commit install --hook-type commit-msg

To test the resource group module locally

  1. For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the configure target in the project's Makefile. Before you can run configure, familiarize yourself with the variables in the Makefile and ensure they're pointing to the right places.
make configure

This adds in several files and directories that are ignored by git. They expose many new Make targets.

  1. THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP. The first target you care about is env. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.

make configure command will bring down azure_env.sh file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.

These environment variables are used by terratest integration suit.

Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.

"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"

Then run this make target to set the environment variables on developer workstation.

make env
  1. The first target you care about is check.

Pre-requisites Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are azure specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.

  • A file named provider.tf with contents below
provider "azurerm" {
  features {}
}
  • A file named terraform.tfvars which contains key value pair of variables used.

Note that since these files are added in gitignore they would not be checked in into primitive/segment's git repo.

After creating these files, for running tests associated with the primitive/segment, run

make check

If make check target is successful, developer is good to commit the code to primitive/segment's git repo.

make check target

  • runs terraform commands to lint,validate and plan terraform code.
  • runs conftests. conftests make sure policy checks are successful.
  • runs terratest. This is integration test suit.
  • runs opa tests

Requirements

Name Version
terraform ~> 1.0
azurerm ~> 3.77

Providers

No providers.

Modules

Name Source Version
resource_names terraform.registry.launch.nttdata.com/module_library/resource_name/launch ~> 1.0
resource_group terraform.registry.launch.nttdata.com/module_primitive/resource_group/azurerm ~> 1.0
key_vault terraform.registry.launch.nttdata.com/module_primitive/key_vault/azurerm ~> 2.0
role_assignment terraform.registry.launch.nttdata.com/module_primitive/role_assignment/azurerm ~> 1.0
private_dns_zone terraform.registry.launch.nttdata.com/module_primitive/private_dns_zone/azurerm ~> 1.0
private_dns_zone_link_vnet terraform.registry.launch.nttdata.com/module_primitive/private_dns_vnet_link/azurerm ~> 1.0
additional_vnet_links terraform.registry.launch.nttdata.com/module_primitive/private_dns_vnet_link/azurerm ~> 1.0
private_endpoint terraform.registry.launch.nttdata.com/module_primitive/private_endpoint/azurerm ~> 1.0

Resources

No resources.

Inputs

Name Description Type Default Required
location Location of the resource group and other services in this module. string n/a yes
key_vault_name (Optional) If specified, this module will use this name for key vault else the naming module will create a name.
Length must be less than 24 characters		 string null no
enabled_for_deployment If Azure VM is permitted to retrieve secrets bool false no
enabled_for_template_deployment If Azure RM is permitted to retrieve secrets bool false no
soft_delete_retention_days Number of retention days for soft delete number 7 no
purge_protection_enabled If purge_protection is enabled bool false no
sku_name SKU for the key vault - standard or premium string "standard" no
access_policies Additional Access policies for the vault except the current user which are added by default.
Required only when enable_rbac_authorization is set to false.		 
map(object({
    object_id               = string
    tenant_id               = string
    key_permissions         = list(string)
    certificate_permissions = list(string)
    secret_permissions      = list(string)
    storage_permissions     = list(string)
  }))
 {} no
enable_rbac_authorization Enable RBAC authorization for the key vault bool false no
network_acls Network ACLs for the key vault 
object({
    bypass                     = string
    default_action             = string
    ip_rules                   = optional(list(string))
    virtual_network_subnet_ids = optional(list(string))
  })
 
{
  "bypass": "AzureServices",
  "default_action": "Allow",
  "ip_rules": [],
  "virtual_network_subnet_ids": []
}
 no
public_network_access_enabled (Optional) Whether public network access is allowed for this Key Vault. Defaults to true. If false, then only private
endpoints can access the Key Vault.		 bool true no
resource_names_map A map of key to resource_name that will be used by tf-launch-module_library-resource_name to generate resource names 
map(object({
    name       = string
    max_length = optional(number, 60)
  }))
 
{
  "key_vault": {
    "max_length": 24,
    "name": "kv"
  },
  "private_endpoint": {
    "max_length": 80,
    "name": "pe"
  },
  "private_service_connection": {
    "max_length": 80,
    "name": "pesc"
  },
  "resource_group": {
    "max_length": 80,
    "name": "rg"
  }
}
 no
environment Environment in which the resource should be provisioned like dev, qa, prod etc. string n/a yes
environment_number The environment count for the respective environment. Defaults to 000. Increments in value of 1 string "000" no
resource_number The resource count for the respective resource. Defaults to 000. Increments in value of 1 string "000" no
logical_product_family (Required) Name of the product family for which the resource is created.
Example: org_name, department_name.		 string n/a yes
logical_product_service (Required) Name of the product service for which the resource is created.
For example, backend, frontend, middleware etc.		 string n/a yes
use_azure_region_abbr Use Azure region abbreviation in the resource name bool true no
role_assignments A map of role assignments to be created. Required only when enable_rbac_authorization is set to true. 
map(object({
    role_definition_name = string
    principal_id         = string
  }))
 {} no
zone_name Name of the private dns zone. For public cloud, the default value is privatelink.vaultcore.azure.net and for sovereign clouds, the default value is privatelink.vaultcore.usgovcloudapi.net string "privatelink.vaultcore.azure.net" no
soa_record n/a 
object({
    email        = string
    expire_time  = number
    minimum_ttl  = number
    refresh_time = number
    retry_time   = number
    ttl          = number
    tags         = map(string)
  })
 null no
additional_vnet_links The list of Virtual Network ids that should be linked to the DNS Zone. Changing this forces a new resource to be created. map(string) {} no
subnet_id The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint.
Changing this forces a new resource to be created.		 string null no
private_dns_zone_group_name Specifies the Name of the Private DNS Zone Group. string "vault" no
is_manual_connection Does the Private Endpoint require Manual Approval from the remote resource owner? Changing this forces a new resource
to be created.		 bool false no
subresource_names A list of subresource names which the Private Endpoint is able to connect to. subresource_names corresponds to group_id.
Possible values are detailed in the product documentation in the Subresources column.
https://docs.microsoft.com/azure/private-link/private-endpoint-overview#private-link-resource		 list(string) 
[
  "vault"
]
 no
request_message A message passed to the owner of the remote resource when the private endpoint attempts to establish the connection
to the remote resource. The request message can be a maximum of 140 characters in length.
Only valid if is_manual_connection=true		 string "" no
tags A map of tags to be associated with the resources map(string) {} no

Outputs

Name Description
resource_group_id ID of the Resource Group
resource_group_name Name of the Resource Group
key_vault_id ID of the Key Vault
vault_uri URI of the Key Vault
access_policies_object_ids Object IDs of the Key Vault Access Policies
key_vault_name Name of the Key Vault
private_dns_zone_id ID of the Private DNS Zone
private_endpoint_id ID of the Private Endpoint

Directories

Path Synopsis
tests
testimpl

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.