feat: First release

.terraform-docs.yml

@@ -0,0 +1,5 @@
+formatter: markdown document
+output:
+  file: "README.md"
+settings:
+  anchor: false

README.md

@@ -0,0 +1,114 @@
+# Azure Keyvault management
+
+## Introduction
+
+This module manages a keyvault resource in Azure with the required permissions.
+
+## Usage
+
+Instantiate the module by calling it from Terraform like this:
+
+```hcl
+module "azure-keyvault" {
+  source = "dodevops/keyvault/azure"
+  version = "<version>" 
+  (...)
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+The following providers are used by this module:
+
+- azurerm
+
+## Modules
+
+No modules.
+
+## Resources
+
+The following resources are used by this module:
+
+- [azurerm_key_vault.keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectid-apps](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+- [azurerm_key_vault_access_policy.keyvault-access-policy-objectids](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) (resource)
+
+## Required Inputs
+
+The following input variables are required:
+
+### azure\_tenant\_id
+
+Description: The tenant id used for azure
+
+Type: `string`
+
+### location
+
+Description: The azure location used for azure
+
+Type: `string`
+
+### project
+
+Description: Three letter project key
+
+Type: `string`
+
+### resource\_group
+
+Description: Azure Resource Group to use
+
+Type: `string`
+
+### stage
+
+Description: Stage for this ressource group
+
+Type: `string`
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### allowed\_objectid\_apps
+
+Description: A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to access the keyvault
+
+Type: `list(string)`
+
+Default: `[]`
+
+### allowed\_objectids
+
+Description: A list of object IDs that are allowed to access the keyvault
+
+Type: `list(string)`
+
+Default: `[]`
+
+### sku
+
+Description: Keyvault sku
+
+Type: `string`
+
+Default: `"standard"`
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
+
+## Development
+
+Use [terraform-docs](https://terraform-docs.io/) to generate the API documentation by running
+
+    terraform fmt .
+    terraform-docs .

access_policy.tf

@@ -0,0 +1,71 @@
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectids" {
+  count        = length(var.allowed_objectids)
+  object_id    = element(var.allowed_objectids, count.index)
+  tenant_id    = var.azure_tenant_id
+  key_vault_id = azurerm_key_vault.keyvault.id
+
+  key_permissions = [
+    "get",
+    "list",
+    "delete",
+    "create",
+    "update",
+    "import",
+    "backup",
+    "recover"
+  ]
+
+  secret_permissions = [
+    "get",
+    "list",
+    "delete",
+    "set",
+    "backup",
+    "recover",
+    "restore"
+  ]
+
+  certificate_permissions = [
+    "get",
+    "list",
+    "update",
+    "create",
+    "import",
+    "delete",
+    "backup",
+    "recover"
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "keyvault-access-policy-objectid-apps" {
+  count          = length(var.allowed_objectid_apps)
+  object_id      = element(split(":", element(var.allowed_objectid_apps, count.index)), 0)
+  application_id = element(split(":", element(var.allowed_objectid_apps, count.index)), 1)
+  tenant_id      = var.azure_tenant_id
+  key_vault_id   = azurerm_key_vault.keyvault.id
+
+  key_permissions = [
+    "get",
+    "list",
+    "delete",
+    "create",
+    "update",
+    "import"
+  ]
+
+  secret_permissions = [
+    "get",
+    "list",
+    "delete",
+    "set"
+  ]
+
+  certificate_permissions = [
+    "get",
+    "list",
+    "update",
+    "create",
+    "import",
+    "delete"
+  ]
+}

main.tf

@@ -0,0 +1,11 @@
+# Configure a common keyvault to store secrets
+
+resource "azurerm_key_vault" "keyvault" {
+  name                = "${lower(var.project)}${lower(var.stage)}keyvault"
+  location            = var.location
+  resource_group_name = var.resource_group
+  tenant_id           = var.azure_tenant_id
+  sku_name            = var.sku
+
+  purge_protection_enabled = false
+}

vars.tf

@@ -0,0 +1,42 @@
+variable "location" {
+  type        = string
+  description = "The azure location used for azure"
+}
+
+variable "project" {
+  type        = string
+  description = "Three letter project key"
+}
+
+variable "stage" {
+  type        = string
+  description = "Stage for this ressource group"
+}
+
+variable "resource_group" {
+  type        = string
+  description = "Azure Resource Group to use"
+}
+
+variable "sku" {
+  type        = string
+  description = "Keyvault sku"
+  default     = "standard"
+}
+
+variable "azure_tenant_id" {
+  type        = string
+  description = "The tenant id used for azure"
+}
+
+variable "allowed_objectids" {
+  type        = list(string)
+  description = "A list of object IDs that are allowed to access the keyvault"
+  default     = []
+}
+
+variable "allowed_objectid_apps" {
+  type        = list(string)
+  description = "A list of object IDs with allowed apps (in the form of <objectid>:<app>) that are allowed to access the keyvault"
+  default     = []
+}