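# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY AN AZURE KEY VAULT
# This is an example of how to deploy a Key Vault
# ---------------------------------------------------------------------------------------------------------------------
# See test/azure/terraform_azure_keyvault_example_test.go for how to write automated tests for this code.
# ---------------------------------------------------------------------------------------------------------------------

provider "azurerm" {
  features {
    key_vault {
      # Destroying the vault leaves it in the soft-deleted state instead of purging it immediately.
      purge_soft_delete_on_destroy = false
    }
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# PIN TERRAFORM VERSION TO >= 0.12
# The examples have been upgraded to 0.12 syntax
# ---------------------------------------------------------------------------------------------------------------------

terraform {
  # This module is now only being tested with Terraform 0.13.x. However, to make upgrading easier, we are setting
  # 0.12.26 as the minimum version, as that version added support for required_providers with source URLs, making it
  # forwards compatible with 0.13.x code.
  required_version = ">= 0.12.26"

  # The provider constraint is declared here instead of via the `version` argument of the provider block, which is
  # deprecated from 0.13 onwards. This form is accepted by 0.12.26 and later, matching required_version above.
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>2.20"
    }
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A RESOURCE GROUP
# ---------------------------------------------------------------------------------------------------------------------

resource "azurerm_resource_group" "resource_group" {
  # var.postfix is appended to every resource name so parallel test runs do not collide.
  name     = "terratest-kv-rg-${var.postfix}"
  location = var.location
}

# ---------------------------------------------------------------------------------------------------------------------
# CONFIGURE A CLIENT FOR KEY VAULT ACCESS
# ---------------------------------------------------------------------------------------------------------------------

# Identity that is running Terraform; its tenant_id and object_id are used for the vault's access policy below.
data "azurerm_client_config" "current" {}

# ---------------------------------------------------------------------------------------------------------------------
# CONFIGURE AN ACCESS POLICY TO MANAGE THE SECRET, KEY, AND CERTIFICATE
# ---------------------------------------------------------------------------------------------------------------------

# Looks up the built-in policy template by name. Nothing else in this file references it; the vault below declares its
# own inline access_policy instead.
data "azurerm_key_vault_access_policy" "contributor" {
  name = "Key, Secret, & Certificate Management"
}

# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A KEY VAULT
# ---------------------------------------------------------------------------------------------------------------------

resource "azurerm_key_vault" "key_vault" {
  name                        = "keyvault-${var.postfix}"
  location                    = azurerm_resource_group.resource_group.location
  resource_group_name         = azurerm_resource_group.resource_group.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id

  # Shortest retention the service allows. Purge protection is left off so the vault can be purged right after a test
  # run; with it on, a soft-deleted vault cannot be purged until the retention window has passed. Production modules
  # should enable it.
  soft_delete_retention_days = 7
  purge_protection_enabled   = false

  sku_name = "standard"

  # No network_acls block is set, so the provider's default (data plane reachable from any network) applies. That is
  # acceptable for a short-lived test fixture; restrict it in real deployments.

  # Grants the identity running Terraform exactly what the secret, key and certificate resources below need,
  # including "purge" so that soft-deleted objects can be removed after the test.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "create",
      "get",
      "list",
      "delete",
      "purge",
    ]

    secret_permissions = [
      "set",
      "get",
      "list",
      "delete",
      "purge",
    ]

    certificate_permissions = [
      "create",
      "delete",
      "deleteissuers",
      "get",
      "getissuers",
      "import",
      "list",
      "listissuers",
      "managecontacts",
      "manageissuers",
      "setissuers",
      "update",
      "purge",
    ]
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A SECRET TO THE KEY VAULT
# ---------------------------------------------------------------------------------------------------------------------

resource "azurerm_key_vault_secret" "key_vault_secret" {
  name = "${var.secret_name}-${var.postfix}"
  # Literal placeholder value for the example. Terraform records this attribute in its state file, so real modules
  # should take the value from an input variable or another secret store rather than committing it to source.
  value        = "mysecret"
  key_vault_id = azurerm_key_vault.key_vault.id
}

# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A KEY TO THE KEY VAULT
# ---------------------------------------------------------------------------------------------------------------------

resource "azurerm_key_vault_key" "key_vault_key" {
  name         = "${var.key_name}-${var.postfix}"
  key_vault_id = azurerm_key_vault.key_vault.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

# ---------------------------------------------------------------------------------------------------------------------
# DEPLOY A CERTIFICATE TO THE KEY VAULT
# The example uses a sample pfx file with plain text password to make it easier to test. However, in production modules
# should use a more secure mechanisms for transferring these files.
# ---------------------------------------------------------------------------------------------------------------------
resource "azurerm_key_vault_certificate" "key_vault_certificate" {
  name         = "${var.certificate_name}-${var.postfix}"
  key_vault_id = azurerm_key_vault.key_vault.id

  certificate {
    # example.pfx is read from the module directory at plan time; its contents and the password end up in state.
    contents = filebase64("example.pfx")
    password = "password"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      # exportable = true lets the private key be retrieved again as a secret; real modules usually keep this false.
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }
}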