Merge pull request #1 from dodevops/feature/te/DO-779-add-audit-and-m…

…ore-access-policies feat(DO-779): Adding more access policies and a toggle-able audit log
dodevops · Aug 26, 2021 · c496381 · c496381
2 parents 4f8d40a + f119625
commit c496381
Show file tree

Hide file tree

Showing 5 changed files with 272 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -36,8 +36,14 @@ No modules.
 The following resources are used by this module:
 
 - [azurerm_key_vault.keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) (resource)
-- [azurerm_key_vault_access_policy.keyvault-access-policy-objectid-apps](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
-- [azurerm_key_vault_access_policy.keyvault-access-policy-objectids](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectid-apps-createonly](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectid-apps-fullaccess](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectid-apps-readonly](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectids-createonly](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectids-fullaccess](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectids-readonly](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_monitor_diagnostic_setting.keyvaultaudit](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) (resource)
+- [azurerm_storage_account.storageaccountkeyvaultaudit](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) (resource)
 
 ## Required Inputs
 
@@ -77,22 +83,70 @@ Type: `string`
 
 The following input variables are optional (have default values):
 
-### allowed\_objectid\_apps
+### allowed\_objectid\_app\_tuples\_createonly
 
-Description: A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to access the keyvault
+Description: A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to create (but not read or change) elements the keyvault
 
 Type: `list(string)`
 
 Default: `[]`
 
-### allowed\_objectids
+### allowed\_objectid\_app\_tuples\_fullaccess
 
-Description: A list of object IDs that are allowed to access the keyvault
+Description: A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to fully access the keyvault
 
 Type: `list(string)`
 
 Default: `[]`
 
+### allowed\_objectid\_app\_tuples\_readonly
+
+Description: A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to read elements the keyvault
+
+Type: `list(string)`
+
+Default: `[]`
+
+### allowed\_objectids\_createonly
+
+Description: A list of object IDs that are allowed to create (but not read or change) elements in the keyvault
+
+Type: `list(string)`
+
+Default: `[]`
+
+### allowed\_objectids\_fullaccess
+
+Description: A list of object IDs that are allowed to fully access the keyvault elements (with all operations)
+
+Type: `list(string)`
+
+Default: `[]`
+
+### allowed\_objectids\_readonly
+
+Description: A list of object IDs that are allowed to read elements in the keyvault
+
+Type: `list(string)`
+
+Default: `[]`
+
+### audit\_retention\_period
+
+Description: Sets number of days to keep audit records, if audit is enabled
+
+Type: `number`
+
+Default: `365`
+
+### enable\_audit
+
+Description: Enable audit of keyvault changes
+
+Type: `bool`
+
+Default: `false`
+
 ### sku
 
 Description: Keyvault sku
@@ -101,9 +155,21 @@ Type: `string`
 
 Default: `"standard"`
 
+### soft\_delete\_enabled
+
+Description: Toggles if soft delete is enabled
+
+Type: `bool`
+
+Default: `false`
+
 ## Outputs
 
-No outputs.
+The following outputs are exported:
+
+### vault\_id
+
+Description: n/a
 <!-- END_TF_DOCS -->
 
 ## Development

diff --git a/access_policy.tf b/access_policy.tf
@@ -1,6 +1,6 @@
-resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids" {
-  count        = length(var.allowed_objectids)
-  object_id    = element(var.allowed_objectids, count.index)
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids-fullaccess" {
+  count        = length(var.allowed_objectids_fullaccess)
+  object_id    = element(var.allowed_objectids_fullaccess, count.index)
   tenant_id    = var.azure_tenant_id
   key_vault_id = azurerm_key_vault.keyvault.id
 
@@ -12,7 +12,8 @@ resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids" {
     "Update",
     "Import",
     "Backup",
-    "Recover"
+    "Recover",
+    "Restore"
   ]
 
   secret_permissions = [
@@ -33,16 +34,17 @@ resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids" {
     "Import",
     "Delete",
     "Backup",
-    "Recover"
+    "Recover",
+    "Restore"
   ]
 
   storage_permissions = []
 }
 
-resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectid-apps" {
-  count          = length(var.allowed_objectid_apps)
-  object_id      = element(split(":", element(var.allowed_objectid_apps, count.index)), 0)
-  application_id = element(split(":", element(var.allowed_objectid_apps, count.index)), 1)
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectid-apps-fullaccess" {
+  count          = length(var.allowed_objectid_app_tuples_fullaccess)
+  object_id      = element(split(":", element(var.allowed_objectid_app_tuples_fullaccess, count.index)), 0)
+  application_id = element(split(":", element(var.allowed_objectid_app_tuples_fullaccess, count.index)), 1)
   tenant_id      = var.azure_tenant_id
   key_vault_id   = azurerm_key_vault.keyvault.id
 
@@ -73,3 +75,101 @@ resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectid-apps
 
   storage_permissions = []
 }
+
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids-readonly" {
+  count        = length(var.allowed_objectids_readonly)
+  object_id    = element(var.allowed_objectids_readonly, count.index)
+  tenant_id    = var.azure_tenant_id
+  key_vault_id = azurerm_key_vault.keyvault.id
+
+  key_permissions = [
+    "Get",
+    "List",
+  ]
+
+  secret_permissions = [
+    "Get",
+    "List",
+  ]
+
+  certificate_permissions = [
+    "Get",
+    "List",
+  ]
+
+  storage_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectid-apps-readonly" {
+  count          = length(var.allowed_objectid_app_tuples_readonly)
+  object_id      = element(split(":", element(var.allowed_objectid_app_tuples_readonly, count.index)), 0)
+  application_id = element(split(":", element(var.allowed_objectid_app_tuples_readonly, count.index)), 1)
+  tenant_id      = var.azure_tenant_id
+  key_vault_id   = azurerm_key_vault.keyvault.id
+
+  key_permissions = [
+    "Get",
+    "List",
+  ]
+
+  secret_permissions = [
+    "Get",
+    "List",
+  ]
+
+  certificate_permissions = [
+    "Get",
+    "List",
+  ]
+
+  storage_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids-createonly" {
+  count        = length(var.allowed_objectids_createonly)
+  object_id    = element(var.allowed_objectids_createonly, count.index)
+  tenant_id    = var.azure_tenant_id
+  key_vault_id = azurerm_key_vault.keyvault.id
+
+  key_permissions = [
+    "Create",
+    "List",
+  ]
+
+  secret_permissions = [
+    "Set",
+    "List",
+  ]
+
+  certificate_permissions = [
+    "Create",
+    "List",
+  ]
+
+  storage_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectid-apps-createonly" {
+  count          = length(var.allowed_objectid_app_tuples_createonly)
+  object_id      = element(split(":", element(var.allowed_objectid_app_tuples_createonly, count.index)), 0)
+  application_id = element(split(":", element(var.allowed_objectid_app_tuples_createonly, count.index)), 1)
+  tenant_id      = var.azure_tenant_id
+  key_vault_id   = azurerm_key_vault.keyvault.id
+
+  key_permissions = [
+    "Create",
+    "List",
+  ]
+
+  secret_permissions = [
+    "Set",
+    "List",
+  ]
+
+  certificate_permissions = [
+    "Create",
+    "List",
+  ]
+
+  storage_permissions = []
+}
diff --git a/main.tf b/main.tf
@@ -1,11 +1,44 @@
-# Configure a common keyvault to store secrets
-
 resource "azurerm_key_vault" "keyvault" {
-  name                = "${lower(var.project)}${lower(var.stage)}keyvault"
-  location            = var.location
-  resource_group_name = var.resource_group
-  tenant_id           = var.azure_tenant_id
-  sku_name            = var.sku
-
+  name                     = "${lower(var.project)}${lower(var.stage)}keyvault"
+  location                 = var.location
+  resource_group_name      = var.resource_group
+  tenant_id                = var.azure_tenant_id
+  sku_name                 = var.sku
   purge_protection_enabled = false
+  soft_delete_enabled      = var.soft_delete_enabled
 }
+
+resource "azurerm_storage_account" "storageaccountkeyvaultaudit" {
+  count                    = var.enable_audit ? 1 : 0
+  name                     = "${lower(var.project)}${lower(var.stage)}keyvaultaudit"
+  resource_group_name      = var.resource_group
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+resource "azurerm_monitor_diagnostic_setting" "keyvaultaudit" {
+  count              = var.enable_audit ? 1 : 0
+  name               = "${lower(var.project)}${lower(var.stage)}keyvaultaudit"
+  target_resource_id = azurerm_key_vault.keyvault.id
+  storage_account_id = azurerm_storage_account.storageaccountkeyvaultaudit.id
+
+  log {
+    category = "AuditEvent"
+    enabled  = true
+
+    retention_policy {
+      enabled = true
+      days    = var.audit_retention_period
+    }
+  }
+
+  metric {
+    category = "AllMetrics"
+    enabled  = false
+
+    retention_policy {
+      enabled = false
+    }
+  }
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,3 @@
+output "vault_id" {
+  value = azurerm_key_vault.keyvault.id
+}
diff --git a/vars.tf b/vars.tf
@@ -29,14 +29,56 @@ variable "azure_tenant_id" {
   description = "The tenant id used for azure"
 }
 
-variable "allowed_objectids" {
+variable "allowed_objectids_fullaccess" {
   type        = list(string)
-  description = "A list of object IDs that are allowed to access the keyvault"
+  description = "A list of object IDs that are allowed to fully access the keyvault elements (with all operations)"
   default     = []
 }
 
-variable "allowed_objectid_apps" {
+variable "allowed_objectid_app_tuples_fullaccess" {
   type        = list(string)
-  description = "A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to access the keyvault"
+  description = "A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to fully access the keyvault"
   default     = []
 }
+
+variable "allowed_objectids_readonly" {
+  type        = list(string)
+  description = "A list of object IDs that are allowed to read elements in the keyvault"
+  default     = []
+}
+
+variable "allowed_objectid_app_tuples_readonly" {
+  type        = list(string)
+  description = "A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to read elements the keyvault"
+  default     = []
+}
+
+variable "allowed_objectids_createonly" {
+  type        = list(string)
+  description = "A list of object IDs that are allowed to create (but not read or change) elements in the keyvault"
+  default     = []
+}
+
+variable "allowed_objectid_app_tuples_createonly" {
+  type        = list(string)
+  description = "A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to create (but not read or change) elements the keyvault"
+  default     = []
+}
+
+variable "soft_delete_enabled" {
+  type        = bool
+  description = "Toggles if soft delete is enabled"
+  default     = false
+}
+
+variable "enable_audit" {
+  type        = bool
+  description = "Enable audit of keyvault changes"
+  default     = false
+}
+
+variable "audit_retention_period" {
+  type        = number
+  description = "Sets number of days to keep audit records, if audit is enabled"
+  default     = 365
+}