feat: update keyvault version (#4)

Update Keyvault Module
schubergphilis · Dec 12, 2024 · 54bc30d · 54bc30d
1 parent 6dd2787
commit 54bc30d
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -19,7 +19,7 @@ Terraform module to create the Core component of each workload, currently only i
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_keyvault_with_cmk"></a> [keyvault\_with\_cmk](#module\_keyvault\_with\_cmk) | github.com/schubergphilis/terraform-azure-mcaf-key-vault.git | n/a |
+| <a name="module_keyvault_with_cmk"></a> [keyvault\_with\_cmk](#module\_keyvault\_with\_cmk) | github.com/schubergphilis/terraform-azure-mcaf-key-vault.git | v0.3.1 |
 
 ## Resources
 
@@ -32,7 +32,7 @@ Terraform module to create the Core component of each workload, currently only i
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | n/a | <pre>object({<br>    name                            = string<br>    enabled_for_disk_encryption     = optional(bool, false)<br>    enabled_for_deployment          = optional(bool, false)<br>    enabled_for_template_deployment = optional(bool, false)<br>    enable_rbac_authorization       = optional(bool, true)<br>    purge_protection                = optional(bool, true)<br>    soft_delete_retention_days      = optional(number, 30)<br>    sku                             = optional(string, "standard")<br>    ip_rules                        = optional(list(string), [])<br>    subnet_ids                      = optional(list(string), [])<br>    network_bypass                  = optional(string, "None")<br>    cmk_keys_create                 = optional(bool, true)<br>    cmkrsa_key_name                 = optional(string, "cmkrsa")<br>    cmkec_key_name                  = optional(string, "cmkec")<br>    cmk_rotation_period             = optional(string, "P90D")<br>  })</pre> | n/a | yes |
+| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | n/a | <pre>object({<br>    name                            = string<br>    enabled_for_disk_encryption     = optional(bool, false)<br>    enabled_for_deployment          = optional(bool, false)<br>    enabled_for_template_deployment = optional(bool, false)<br>    enable_rbac_authorization       = optional(bool, true)<br>    purge_protection                = optional(bool, true)<br>    soft_delete_retention_days      = optional(number, 30)<br>    sku                             = optional(string, "standard")<br>    ip_rules                        = optional(list(string), [])<br>    subnet_ids                      = optional(list(string), [])<br>    network_bypass                  = optional(string, "None")<br>    cmk_keys_create                 = optional(bool, true)<br>    cmkrsa_key_name                 = optional(string, "cmkrsa")<br>    cmkec_key_name                  = optional(string, "cmkec")<br>    cmk_rotation_period             = optional(string, "P18M")<br>    cmk_expiry_period               = optional(string, "P2Y")<br>    cmk_notify_period               = optional(string, "P30D")<br>  })</pre> | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | Location of the resources to create | `string` | n/a | yes |
 | <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | The name of the resource group in which to create the resources. | <pre>object({<br>    name = string<br>  })</pre> | <pre>{<br>  "name": null<br>}</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `{}` | no |
@@ -41,8 +41,11 @@ Terraform module to create the Core component of each workload, currently only i
 
 | Name | Description |
 |------|-------------|
-| <a name="output_key_vault_cmkrsa_id"></a> [key\_vault\_cmkrsa\_id](#output\_key\_vault\_cmkrsa\_id) | CMK RSA Key ID |
-| <a name="output_key_vault_cmkrsa_key_name"></a> [key\_vault\_cmkrsa\_key\_name](#output\_key\_vault\_cmkrsa\_key\_name) | CMK RSA Key Name |
+| <a name="output_cmkrsa_id"></a> [cmkrsa\_id](#output\_cmkrsa\_id) | CMK RSA Key ID |
+| <a name="output_cmkrsa_key_name"></a> [cmkrsa\_key\_name](#output\_cmkrsa\_key\_name) | CMK RSA Key Name |
+| <a name="output_cmkrsa_resource_resource_id"></a> [cmkrsa\_resource\_resource\_id](#output\_cmkrsa\_resource\_resource\_id) | CMK RSA Key Resource ID |
+| <a name="output_cmkrsa_resource_versionless_id"></a> [cmkrsa\_resource\_versionless\_id](#output\_cmkrsa\_resource\_versionless\_id) | CMK RSA Key ID |
+| <a name="output_cmkrsa_verionsless_id"></a> [cmkrsa\_verionsless\_id](#output\_cmkrsa\_verionsless\_id) | CMK RSA Key ID |
 | <a name="output_key_vault_id"></a> [key\_vault\_id](#output\_key\_vault\_id) | n/a |
 | <a name="output_key_vault_name"></a> [key\_vault\_name](#output\_key\_vault\_name) | n/a |
 | <a name="output_key_vault_uri"></a> [key\_vault\_uri](#output\_key\_vault\_uri) | n/a |

diff --git a/main.tf b/main.tf
@@ -12,7 +12,7 @@ resource "azurerm_resource_group" "this" {
 }
 
 module "keyvault_with_cmk" {
-  source = "github.com/schubergphilis/terraform-azure-mcaf-key-vault.git?ref=v0.1.1"
+  source = "github.com/schubergphilis/terraform-azure-mcaf-key-vault.git?ref=v0.3.1"
 
   key_vault = {
     name                            = var.key_vault.name
@@ -25,11 +25,16 @@ module "keyvault_with_cmk" {
     enable_rbac_authorization       = true
     purge_protection                = true
     soft_delete_retention_days      = 30
+    public_network_access_enabled   = false
+    default_action                  = "Deny"
     sku                             = "standard"
     ip_rules                        = length(var.key_vault.ip_rules) == 0 ? null : var.key_vault.ip_rules
     subnet_ids                      = length(var.key_vault.subnet_ids) == 0 ? null : var.key_vault.subnet_ids
     network_bypass                  = "AzureServices"
     cmk_keys_create                 = true
+    cmk_rotation_period             = var.key_vault.cmk_rotation_period
+    cmk_expiry_period               = var.key_vault.cmk_expiry_period
+    cmk_notify_period               = var.key_vault.cmk_notify_period
     cmkrsa_key_name                 = var.key_vault.cmkrsa_key_name
     cmkec_key_name                  = var.key_vault.cmkec_key_name
   }

diff --git a/outputs.tf b/outputs.tf
@@ -10,12 +10,27 @@ output "key_vault_uri" {
   value = module.keyvault_with_cmk.key_vault_uri
 }
 
-output "key_vault_cmkrsa_key_name" {
-  value       = module.keyvault_with_cmk.key_vault_cmkrsa_key_name
+output "cmkrsa_key_name" {
+  value       = module.keyvault_with_cmk.cmkrsa_key_name
   description = "CMK RSA Key Name"
 }
 
-output "key_vault_cmkrsa_id" {
-  value       = module.keyvault_with_cmk.key_vault_cmkrsa_id
+output "cmkrsa_id" {
+  value       = module.keyvault_with_cmk.cmkrsa_id
   description = "CMK RSA Key ID"
 }
+
+output "cmkrsa_verionsless_id" {
+  value       = module.keyvault_with_cmk.cmkrsa_versionless_id
+  description = "CMK RSA Key ID"
+}
+
+output "cmkrsa_resource_versionless_id" {
+  value       = module.keyvault_with_cmk.cmkrsa_resource_versionless_id
+  description = "CMK RSA Key ID"
+}
+
+output "cmkrsa_resource_resource_id" {
+  value       = module.keyvault_with_cmk.cmkrsa_resource_resource_id
+  description = "CMK RSA Key Resource ID"
+}
diff --git a/variables.tf b/variables.tf
@@ -24,7 +24,9 @@ variable "key_vault" {
     cmk_keys_create                 = optional(bool, true)
     cmkrsa_key_name                 = optional(string, "cmkrsa")
     cmkec_key_name                  = optional(string, "cmkec")
-    cmk_rotation_period             = optional(string, "P90D")
+    cmk_rotation_period             = optional(string, "P18M")
+    cmk_expiry_period               = optional(string, "P2Y")
+    cmk_notify_period               = optional(string, "P30D")
   })
 }