unity-builder/dist/platforms/azure/modules/environment-base/keyvault.tf

##############################
# Azure Keyvault and Secrets #
##############################

# make up a name for the keyvault
resource "random_pet" "key_vault" {
  length    = 2
  separator = "x"
}

# create the keyvault
resource "azurerm_key_vault" "key_vault" {

  name                       = random_pet.key_vault.id
  location                   = azurerm_resource_group.resource_group.location
  resource_group_name        = azurerm_resource_group.resource_group.name
  tenant_id                  = azurerm_user_assigned_identity.admin_identity.tenant_id
  sku_name                   = var.kv_sku_ame
  soft_delete_retention_days = 7
  purge_protection_enabled   = false


  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = var.allowed_ips
  }

  depends_on = [
    random_pet.key_vault
  ]
  lifecycle {
    ignore_changes = [
      network_acls
    ]
  }
}

# squash our list of users and list of generated ids into a single list
locals {
  generated_users = tolist(["${azurerm_user_assigned_identity.admin_identity.principal_id}", "${var.runner_object_id}"])
  all_users       = concat(var.admin_users, local.generated_users)
}

# grant pemrissions to all in the list so we can access the vault we just created
resource "azurerm_key_vault_access_policy" "admins" {
  count = length(local.all_users)

  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = var.tenant_id
  object_id    = local.all_users[count.index]

  certificate_permissions = [
    "Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update"
  ]

  key_permissions = [
    "Get", "Backup", "Create", "Delete", "Decrypt", "Encrypt", "List", "Import", "Purge", "Recover", "Restore", "Sign", "Update", "Verify"
  ]

  secret_permissions = [
    "Get", "Delete", "Backup", "List", "Set", "Purge", "Restore", "Recover"
  ]

  depends_on = [
    azurerm_key_vault.key_vault, azurerm_user_assigned_identity.admin_identity
  ]
}
initial layout for azure hosted ephmeral runners 2022-09-28 07:32:03 +00:00			`##############################`
			`# Azure Keyvault and Secrets #`
			`##############################`

			`# make up a name for the keyvault`
			`resource "random_pet" "key_vault" {`
			`length = 2`
			`separator = "x"`
			`}`

			`# create the keyvault`
			`resource "azurerm_key_vault" "key_vault" {`

			`name = random_pet.key_vault.id`
			`location = azurerm_resource_group.resource_group.location`
			`resource_group_name = azurerm_resource_group.resource_group.name`
			`tenant_id = azurerm_user_assigned_identity.admin_identity.tenant_id`
			`sku_name = var.kv_sku_ame`
			`soft_delete_retention_days = 7`
			`purge_protection_enabled = false`


			`network_acls {`
			`default_action = "Deny"`
			`bypass = "AzureServices"`
			`ip_rules = var.allowed_ips`
			`}`

			`depends_on = [`
			`random_pet.key_vault`
			`]`
			`lifecycle {`
			`ignore_changes = [`
			`network_acls`
			`]`
			`}`
			`}`

			`# squash our list of users and list of generated ids into a single list`
			`locals {`
			`generated_users = tolist(["${azurerm_user_assigned_identity.admin_identity.principal_id}", "${var.runner_object_id}"])`
			`all_users = concat(var.admin_users, local.generated_users)`
			`}`

			`# grant pemrissions to all in the list so we can access the vault we just created`
			`resource "azurerm_key_vault_access_policy" "admins" {`
			`count = length(local.all_users)`

			`key_vault_id = azurerm_key_vault.key_vault.id`
			`tenant_id = var.tenant_id`
			`object_id = local.all_users[count.index]`

			`certificate_permissions = [`
			`"Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update"`
			`]`

			`key_permissions = [`
			`"Get", "Backup", "Create", "Delete", "Decrypt", "Encrypt", "List", "Import", "Purge", "Recover", "Restore", "Sign", "Update", "Verify"`
			`]`

			`secret_permissions = [`
			`"Get", "Delete", "Backup", "List", "Set", "Purge", "Restore", "Recover"`
			`]`

			`depends_on = [`
			`azurerm_key_vault.key_vault, azurerm_user_assigned_identity.admin_identity`
			`]`
			`}`