actions
/
unity-builder
mirror of https://github.com/game-ci/unity-builder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
unity-builder/dist/platforms/azure/modules/environment-base/keyvault.tf

70 lines
2.0 KiB
HCL
Executable File
Raw Blame History

##############################
# Azure Keyvault and Secrets #
##############################
# make up a name for the keyvault
resource "random_pet" "key_vault" {
length = 2
separator = "x"
}
# create the keyvault
resource "azurerm_key_vault" "key_vault" {
name = random_pet.key_vault.id
location = azurerm_resource_group.resource_group.location
resource_group_name = azurerm_resource_group.resource_group.name
tenant_id = azurerm_user_assigned_identity.admin_identity.tenant_id
sku_name = var.kv_sku_ame
soft_delete_retention_days = 7
purge_protection_enabled = false
network_acls {
default_action = "Deny"
bypass = "AzureServices"
ip_rules = var.allowed_ips
}
depends_on = [
random_pet.key_vault
]
lifecycle {
ignore_changes = [
network_acls
]
}
}
# squash our list of users and list of generated ids into a single list
locals {
generated_users = tolist(["${azurerm_user_assigned_identity.admin_identity.principal_id}", "${var.runner_object_id}"])
all_users = concat(var.admin_users, local.generated_users)
}
# grant pemrissions to all in the list so we can access the vault we just created
resource "azurerm_key_vault_access_policy" "admins" {
count = length(local.all_users)
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = var.tenant_id
object_id = local.all_users[count.index]
certificate_permissions = [
"Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update"
]
key_permissions = [
"Get", "Backup", "Create", "Delete", "Decrypt", "Encrypt", "List", "Import", "Purge", "Recover", "Restore", "Sign", "Update", "Verify"
]
secret_permissions = [
"Get", "Delete", "Backup", "List", "Set", "Purge", "Restore", "Recover"
]
depends_on = [
azurerm_key_vault.key_vault, azurerm_user_assigned_identity.admin_identity
]
}
Reference in New Issue View Git Blame Copy Permalink