POps-Rox/terraform-az-overlays-keyvault

Azure Key Vault Overlay Terraform Module

This Terraform module creates an Azure Key Vault and adds the access policies (or, with rbac_authorization_enabled = true, the role assignments) required for Azure AD users, groups and service principals. It can also create a private endpoint for the vault and send its diagnostic logs to a Log Analytics workspace, a storage account or an Event Hub. The module can be used in an SCCA-compliant network.

SCCA Compliance

The module is not SCCA compliant out of the box. To use it in an SCCA-compliant network, enable the private endpoint (enable_private_endpoint = true), keep public_network_access_enabled = false, and configure network_acls with default_action = "Deny" so that only approved subnets and address ranges can reach the vault.

For more information, please read the SCCA documentation.

Contributing

If you want to contribute to this repository, feel free to contribute to our Terraform module.

More details are available in the CONTRIBUTING.md file.

Resources Used

Overlay Module Usage

# Azurerm Provider configuration
provider "azurerm" {
  features {}
}

module "mod_key_vault" {
  source  = "POps-Rox/tf-az-overlays-key-vault/azurerm"
  version = "x.x.x"

  # By default, this module creates a new resource group. To use an
  # existing resource group instead, set
  # "create_key_vault_resource_group = false" and provide its name in
  # "existing_resource_group_name". The location of an existing group
  # is not changed.
  create_key_vault_resource_group = true
  location                        = module.mod_azure_region_lookup.location_cli
  environment                     = "public"
  deploy_environment              = "dev"
  org_name                        = "anoa"
  workload_name                   = "kv"

  # Advanced features. Each one lets another Azure resource provider read
  # from the vault, so leave them off unless the workload needs them.
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false

  # Disable public network access. Once this is false the data plane is
  # reachable only through a private endpoint (ip_rules and subnet rules
  # no longer apply), so a deployment that also leaves
  # enable_private_endpoint = false produces a vault that nobody can reach.
  public_network_access_enabled = false

  # Creating a private endpoint requires a VNet name and a subnet.
  # By default this creates a `privatelink.vaultcore.azure.net` private DNS
  # zone (in the commercial cloud).
  # To use an existing subnet, set `existing_subnet_id` to a valid subnet id.
  # To use an existing private DNS zone, set `existing_private_dns_zone` to its name.
  # The private endpoint only lands inside the intended VNet when
  # `existing_subnet_id` points at a subnet of that VNet.
  enable_private_endpoint = false
  # existing_subnet_id      = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/rg-anoa-dev-kv/providers/Microsoft.Network/virtualNetworks/vnet-anoa-dev-kv/subnets/snet-anoa-dev-kv"
  # virtual_network_name    = "vnet-anoa-dev-kv"
  # existing_private_dns_zone     = "demo.example.com"

  # The identity running Terraform (or a group it belongs to) must be listed
  # here, otherwise it cannot create the keys and secrets declared below.
  admin_objects_ids = [
    data.azuread_group.admin_group.id
  ]

  # Resource locks (CanNotDelete by default) for the key vault.
  enable_resource_locks = false

  # Tags for Azure Resources
  add_tags = {
    example = "basic deployment of key vault"
  }
}

Key Vault Advanced features

enabled_for_deployment

To use Key Vault with Azure Resource Manager virtual machines (for example, to deploy certificates stored as secrets onto a VM), the enabled_for_deployment property of the Key Vault must be set to true. This module disables it by default; set enabled_for_deployment = true if you need it.

enabled_for_disk_encryption

Azure Disk Encryption can use Key Vault to control and manage disk encryption keys and secrets. This module disables that access by default; set enabled_for_disk_encryption = true if you need it.

Warning: The key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same subscription and region as the VMs to be encrypted.

enabled_for_template_deployment

When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. To access the Key Vault when deploying Managed Applications, you must grant access to the Appliance Resource Provider service principal. This module disables template deployment access by default; set enabled_for_template_deployment = true if you need it.

Soft-Delete and Purge Protection

Soft-delete is always enabled on new vaults. When a vault or an object in it is deleted, it is retained in a recoverable state for the soft-delete retention period (Azure's own default is 90 days; this module sets soft_delete_retention_days to 7 unless you override it) and can be recovered, undoing the deletion.

Purge protection is optional and is not enabled by default. It requires soft-delete and is turned on with enable_purge_protection = true. Once enabled, purge protection cannot be turned off again, so decide on it deliberately rather than toggling it during testing.

With purge protection on, a soft-deleted vault or object cannot be purged (permanently deleted) by anyone, including a Key Vault administrator, until the retention period has passed; it can still be recovered, so the retention policy is always honored. Without purge protection, an attacker or a mistaken operator with purge permission can destroy a key immediately and make every piece of data it protects unrecoverable. The retention period is set with soft_delete_retention_days (7 to 90 days).

The same retention interval applies to soft-delete and to purge protection, and it cannot be changed once the vault has been created, so choose it to match your recovery requirements.

Configure Azure Key Vault Keys

Configure Azure Key Vault keys to store cryptographic keys used by cloud applications and services. The keys block creates a key in the key vault. The key_type can be RSA or EC; key_size is required for RSA keys and curve is required for EC keys. The key_opts is an optional list of the operations the key may perform (grant only what the consumer needs). The not_before_date and expiration_date are optional RFC 3339 UTC timestamps (for example 2021-01-01T00:00:00Z) that set when the key becomes usable and when it expires; set an expiration on every key so that forgotten keys do not stay valid indefinitely.

module "key-vault" {
  source  = "POps-Rox/tf-az-overlays-key-vault/azurerm"
  version = "x.x.x"

  # .... omitted

  keys = [
    {
      name     = "example-key"
      key_type = "RSA"
      key_size = 2048
      # Allow only the operations the consumer needs.
      key_opts = ["encrypt", "decrypt", "sign", "verify"]
      # RFC 3339 UTC timestamps: the key is unusable before not_before_date
      # and after expiration_date.
      not_before_date = "2021-01-01T00:00:00Z"
      expiration_date = "2022-01-01T00:00:00Z"
    }
  ]

  # ....omitted

}

Configure Azure Key Vault Secrets

Configure Azure Key Vault secrets to store sensitive information such as passwords, connection strings and other sensitive data. The secrets block creates a secret in the key vault. The content_type is an optional content type of the secret. The not_before_date and expiration_date are optional RFC 3339 UTC timestamps that set the secret's activation and expiration dates. Note that a secret value supplied this way is written to the Terraform state in plaintext (and to plan output unless it comes from a variable marked sensitive = true), so protect the state backend and avoid hard-coding production values in source.

module "key-vault" {
  source  = "POps-Rox/tf-az-overlays-key-vault/azurerm"
  version = "x.x.x"

  # .... omitted

  secrets = [
    {
      name         = "example-secret"
      # The value ends up in Terraform state in plaintext; in real use pass it
      # in from a variable marked sensitive = true instead of a literal.
      value        = "example-value"
      content_type = "text/plain"
      # RFC 3339 UTC timestamps.
      not_before_date = "2021-01-01T00:00:00Z"
      expiration_date = "2022-01-01T00:00:00Z"
    }
  ]

  # ....omitted

}

Configure Azure Key Vault firewalls and virtual networks

Configure Azure Key Vault firewalls and virtual networks to restrict access to the key vault. The virtual network service endpoints for Key Vault (Microsoft.KeyVault) allow you to restrict access to a specified virtual network and set of IPv4 address ranges.

The `default_action` applies to any request that matches no rule. Azure's default for a new vault is `Allow`, but this module's `network_acls` object defaults it to `Deny` with `bypass = "None"`. Add `virtual_network_subnet_ids` or `ip_rules` to the `network_acls` block to allow specific clients, and set `bypass = "AzureServices"` only if trusted Microsoft services need to reach the vault. These rules only matter while `public_network_access_enabled = true`; with public access disabled, the vault accepts private endpoint traffic only.

module "key-vault" {
  source  = "POps-Rox/tf-az-overlays-key-vault/azurerm"
  version = "x.x.x"

  # .... omitted

  network_acls = {
    bypass                     = "AzureServices"
    default_action             = "Deny"

    # One or more IP Addresses, or CIDR Blocks to access this Key Vault.
    ip_rules                   = ["123.201.18.148"]

    # One or more Subnet ID's to access this Key Vault.
    virtual_network_subnet_ids = []
  }

  # ....omitted

}
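As an added example (not part of this module or its repository), the following Python script turns the settings discussed in the firewall section above, in Soft-Delete and Purge Protection, and under Key Vault Advanced features into a pre-apply gate: it reads the JSON produced by `terraform show -json tfplan`, finds every planned `azurerm_key_vault`, and reports public access without a `Deny` default, a `Deny` rule set that allows no source at all, missing purge protection, a short retention period, access policies instead of RBAC, and the `enabled_for_*` flags. The plan excerpt is constructed inline so the script runs offline; the module addresses, the 90-day retention baseline and the attribute names (taken from the azurerm 3.x `azurerm_key_vault` schema) are assumptions.

```python
"""Flag weak azurerm_key_vault settings in `terraform show -json` output.

Added example for this README; it is not part of the POps-Rox module.
"""
import json
import sys

# Constructed sample of the relevant slice of a Terraform plan JSON.
# The first vault is deliberately weak, the second is hardened.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "module.key-vault.azurerm_key_vault.this",
            "type": "azurerm_key_vault",
            "change": {"actions": ["create"], "after": {
                "name": "kv-anoa-dev-weak",
                "public_network_access_enabled": True,
                "purge_protection_enabled": False,
                "soft_delete_retention_days": 7,
                "enable_rbac_authorization": False,
                "enabled_for_deployment": True,
                "enabled_for_template_deployment": True,
                "enabled_for_disk_encryption": False,
                "network_acls": [{"bypass": "AzureServices", "default_action": "Allow",
                                  "ip_rules": [], "virtual_network_subnet_ids": []}],
            }},
        },
        {
            "address": "module.key-vault-hardened.azurerm_key_vault.this",
            "type": "azurerm_key_vault",
            "change": {"actions": ["create"], "after": {
                "name": "kv-anoa-dev-hardened",
                "public_network_access_enabled": False,
                "purge_protection_enabled": True,
                "soft_delete_retention_days": 90,
                "enable_rbac_authorization": True,
                "enabled_for_deployment": False,
                "enabled_for_template_deployment": False,
                "enabled_for_disk_encryption": False,
                "network_acls": [{"bypass": "None", "default_action": "Deny",
                                  "ip_rules": [], "virtual_network_subnet_ids": []}],
            }},
        },
    ],
})

MIN_RETENTION_DAYS = 90  # assumed organisational baseline, not an Azure limit


def check_vault(after: dict, min_retention: int = MIN_RETENTION_DAYS) -> list[str]:
    """Return findings for one azurerm_key_vault 'after' object (empty = OK)."""
    findings = []
    acls = after.get("network_acls") or []
    acl = acls[0] if acls else {}

    if after.get("public_network_access_enabled", True):
        # Public data plane is reachable, so the firewall is the only gate.
        if not acls or acl.get("default_action") != "Deny":
            findings.append("public access enabled and network_acls default_action is not Deny")
        elif (not acl.get("ip_rules") and not acl.get("virtual_network_subnet_ids")
              and acl.get("bypass") != "AzureServices"):
            # Deny with no allow-list and no bypass: nothing can reach the vault.
            findings.append("network_acls denies all sources; vault is unreachable")
    if not after.get("purge_protection_enabled", False):
        findings.append("purge_protection_enabled is false (deleted keys can be purged before retention ends)")
    if after.get("soft_delete_retention_days", 90) < min_retention:
        findings.append(f"soft_delete_retention_days below baseline of {min_retention}")
    if not after.get("enable_rbac_authorization", False):
        findings.append("access policies in use instead of Azure RBAC")
    for flag in ("enabled_for_deployment", "enabled_for_template_deployment"):
        if after.get(flag):
            findings.append(f"{flag} is true (widens which Azure resource providers may read the vault)")
    return findings


def check_plan(plan_json: str, min_retention: int = MIN_RETENTION_DAYS) -> dict[str, list[str]]:
    """Map each planned azurerm_key_vault address to its findings."""
    results = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "azurerm_key_vault":
            continue
        actions = rc["change"]["actions"]
        if "delete" in actions and "create" not in actions:
            continue  # being destroyed, nothing left to check
        results[rc["address"]] = check_vault(rc["change"].get("after") or {}, min_retention)
    return results


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python kv_check.py plan.json
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, findings in check_plan(source).items():
        print(("WEAK " if findings else "OK   ") + address)
        for finding in findings:
            print("   - " + finding)
```

The check deliberately treats `public_network_access_enabled = false` as sufficient on its own: once public access is off, `ip_rules` and subnet rules are not consulted, so the only thing left to verify for such a vault is that a private endpoint actually exists, which is a separate resource in the plan and is not covered here.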

Private Endpoint - Integrate Key Vault with Azure Private Link

Azure Private Endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private Endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet.

With Private Link, the vault is associated with a specific private IP address (the private endpoint) inside your VNet. Clients can connect to the private endpoint from the same VNet, from a peered VNet in the same region, or via a VNet-to-VNet connection across regions. Clients on-premises can connect over ExpressRoute private peering or a VPN tunnel.

By default, this feature is not enabled in this module. To create a private endpoint, set enable_private_endpoint to true and provide virtual_network_name and private_subnet_address_prefix with valid values. To register the endpoint's A record in an existing private DNS zone instead of creating a new one, set existing_private_dns_zone to that zone's name. Clients must resolve <vault-name>.vault.azure.net through a privatelink.vaultcore.azure.net zone linked to their VNet; a client that still resolves the public address gets an HTTP 403 from the vault once public network access is disabled.

module "key-vault" {
  source  = "POps-Rox/tf-az-overlays-key-vault/azurerm"
  version = "x.x.x"

  # .... omitted

  # Creating a private endpoint requires the VNet name and an address prefix
  # for the subnet the module creates.
  # By default this creates a `privatelink.vaultcore.azure.net` DNS zone.
  # To use an existing private DNS zone, set `existing_private_dns_zone` to its name.
  enable_private_endpoint       = true
  virtual_network_name          = "vnet-shared-hub-westeurope-001"
  private_subnet_address_prefix = ["10.1.5.0/27"]
  # existing_private_dns_zone     = "demo.example.com"

  # ....omitted

}

If you want to use an existing VNet and subnet for the private endpoint, set enable_private_endpoint to true and provide virtual_network_name and existing_subnet_id with valid values (existing_subnet_id is the full resource id of the subnet). You can again point existing_private_dns_zone at an existing private DNS zone so the A record is created there.

module "key-vault" {
  source  = "POps-Rox/tf-az-overlays-key-vault/azurerm"
  version = "x.x.x"

  # .... omitted

  # Use an existing VNet and subnet for the private endpoint.
  # By default this creates a `privatelink.vaultcore.azure.net` DNS zone.
  # To use an existing private DNS zone, set `existing_private_dns_zone` to its name.
  enable_private_endpoint      = true
  virtual_network_name         = data.azurerm_virtual_network.example.name
  existing_subnet_id           = data.azurerm_subnet.example.id
  # existing_private_dns_zone  = "demo.example.com"

  # ....omitted

}

For more details: Integrate Key Vault with Azure Private Link

Requirements

Name Version
terraform >= 1.9
popsrox-utils ~> 1.0.4
azurerm ~> 3.116

Providers

Name Version
popsrox-utils ~> 1.0.4
azurerm ~> 3.116
azurerm.hub ~> 3.116

Modules

Name Source Version
mod_azure_region_lookup POps-Rox/overlays-azregions-lookup/azurerm ~> 1.0.0
mod_key_vault_rg POps-Rox/overlays-resource-group/azurerm ~> 1.0.1

Resources

Name Type
azurerm_key_vault.this resource
azurerm_key_vault_access_policy.admin_policy resource
azurerm_key_vault_access_policy.readers_policy resource
azurerm_key_vault_key.keys resource
azurerm_key_vault_managed_hardware_security_module.keyvault_hsm resource
azurerm_key_vault_secret.secrets resource
azurerm_management_lock.key_vault_level_lock resource
azurerm_private_dns_a_record.a_rec resource
azurerm_private_dns_a_record.arecord-1 resource
azurerm_private_dns_zone.dns_zone resource
azurerm_private_dns_zone_virtual_network_link.vent-link-1 resource
azurerm_private_dns_zone_virtual_network_link.vent-link-diff-subs resource
azurerm_private_dns_zone_virtual_network_link.vnet_link resource
azurerm_private_endpoint.pep resource
azurerm_role_assignment.rbac_keyvault_administrator resource
azurerm_role_assignment.rbac_keyvault_reader resource
azurerm_role_assignment.rbac_keyvault_secrets_users resource
popsrox_resource_name.keyvault data source
popsrox_resource_name.keyvault_dns_a_record data source
popsrox_resource_name.keyvault_hsm data source
azurerm_client_config.current_config data source
azurerm_private_endpoint_connection.pip data source
azurerm_resource_group.rgrp data source
azurerm_subnet.snet data source
azurerm_virtual_network.vnet data source

Inputs

Name Description Type Default Required
add_tags Map of custom tags. map(string) {} no
admin_objects_ids IDs of the objects that can do all operations on all keys, secrets and certificates. list(string) [] no
alias_subscription_id Different subscription id for local provider(id of different sub in which DNS zone is present). string null no
certificate_contacts Contact information to send notifications triggered by certificate lifetime events
list(object({
email = string
name = optional(string)
phone = optional(string)
}))
[] no
connect_to_dns_in_hub_subscription Flag to tell whether dns zone is in hub subscription or not. bool false no
create_key_vault_resource_group Controls if the resource group should be created. If set to false, the resource group name must be provided. Default is true. bool false no
custom_hsm_name Name of the Key Vault HSM, generated if not set. string null no
custom_kv_name Name of the Key Vault, generated if not set. string null no
custom_private_dns_a_record_name Name of the Key Vault Private DNS A Record, generated if not set. string null no
custom_resource_group_name The name of the custom resource group to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. string null no
default_tags_enabled Option to enable or disable default tags. bool true no
deploy_environment The environment to deploy. It defaults to dev. string "dev" no
diagnostic_setting_enable n/a bool false no
enable_private_endpoint Manages a Private Endpoint to the Key Vault. Default is false. bool false no
enable_purge_protection Is Purge Protection enabled for this Key Vault? bool false no
enable_resource_locks (Optional) Enable resource locks bool false no
enabled_for_deployment Whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the Key Vault. bool false no
enabled_for_disk_encryption Whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool false no
enabled_for_template_deployment Whether Azure Resource Manager is permitted to retrieve secrets from the Key Vault. bool false no
environment The Terraform backend environment e.g. public or usgovernment string null no
eventhub_authorization_rule_id Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. string null no
eventhub_name Specifies the name of the Event Hub where Diagnostics Data should be sent. string null no
existing_private_dns_zone Name of the existing private DNS zone any null no
existing_private_dns_zone_resource_group_name The name of the existing resource group string "" no
existing_private_subnet_name Name of the existing private subnet for the private endpoint any null no
existing_resource_group_name The name of the existing resource group to use. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. string null no
existing_virtual_network_name Name of the virtual network for the private endpoint any null no
hub_subscription_vnet_link Flag to control creation of vnet link for dns zone in hub subscription bool false no
hub_virtual_network_name Name of the hub virtual network for the private endpoint. This is used when the dns is in a hub subscription. string null no
keys List of objects that represent the configuration of each key.
list(object({
name = string
key_type = string
key_size = optional(number)
curve = optional(string)
key_opts = optional(list(string), [])
not_before_date = optional(string)
expiration_date = optional(string)
}))
[] no
kv_logs n/a
object({
enabled = bool
category = optional(list(string))
category_group = optional(list(string))
})
{
"category_group": [
"AllLogs"
],
"enabled": true
}
no
location The location/region to keep all your network resources. To get the list of all locations with table format from azure cli, run 'az account list-locations -o table' string n/a yes
lock_level (Optional) If locks are enabled, specifies the level to be used for this lock. string "CanNotDelete" no
log_analytics_destination_type Possible values are AzureDiagnostics and Dedicated, default to AzureDiagnostics. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource specific tables, instead of the legacy AzureDiagnostics table. string "AzureDiagnostics" no
log_analytics_workspace_id n/a string null no
managed_hardware_security_module_enabled Create a KeyVault Managed HSM resource if enabled. Changing this forces a new resource to be created. bool false no
metric_enabled Is this Diagnostic Metric enabled? Defaults to true. bool true no
name_prefix Optional prefix for the generated name string "" no
name_suffix Optional suffix for the generated name string "" no
network_acls Object with attributes: bypass, default_action, ip_rules, virtual_network_subnet_ids. Set to null to disable. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more information.
object({
bypass = optional(string, "None"),
default_action = optional(string, "Deny"),
ip_rules = optional(list(string)),
virtual_network_subnet_ids = optional(list(string)),
})
{} no
org_name A name for the organization. It defaults to anoa. string "anoa" no
public_network_access_enabled Whether the Key Vault is available from public network. bool false no
rbac_authorization_enabled Whether the Key Vault uses Role Based Access Control (RBAC) for authorization of data actions instead of access policies. bool false no
reader_objects_ids IDs of the objects that can read all keys, secrets and certificates. list(string) [] no
secrets List of objects that represent the configuration of each secret.
list(object({
name = string
value = string
content_type = optional(string)
not_before_date = optional(string)
expiration_date = optional(string)
}))
[] no
sku_name The Name of the SKU used for this Key Vault. Possible values are "standard" and "premium". string "standard" no
soft_delete_retention_days The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days. number 7 no
storage_account_id The ID of the Storage Account where logs should be sent. string null no
tenant_id The Azure Active Directory tenant ID that should be used for authenticating requests to the Key Vault. Default is the current one. string "" no
use_location_short_name Use short location name for resources naming (ie eastus -> eus). Default is true. If set to false, the full cli location name will be used. if custom naming is set, this variable will be ignored. bool true no
use_naming Use the Azure CAF naming provider to generate default resource name. custom_name override this if set. Legacy default name is used if this is set to false. bool true no
workload_name A name for the workload. It defaults to fd-cdn. string "fd-cdn" no

Outputs

Name Description
contacts Blocks containing each contact.
key_vault_hsm_uri The URI of the Key Vault Managed Hardware Security Module, used for performing operations on keys.
key_vault_id ID of the Key Vault.
key_vault_name Name of the Key Vault.
key_vault_uri URI of the Key Vault
keys Blocks containing configuration of each key.
secrets Blocks containing configuration of each secret.
