feature: add initial core implementation

.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json

CHANGELOG.md

@@ -3,4 +3,3 @@
 All notable changes to this project will automatically be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-

README.md

@@ -0,0 +1,49 @@
+# terraform-azure-mcaf-core
+Terraform module to create the Core component of each workload, currently only implements Terraform-azure-mcaf-key-vault
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.7 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 4 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 4 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_keyvault_with_cmk"></a> [keyvault\_with\_cmk](#module\_keyvault\_with\_cmk) | github.com/schubergphilis/terraform-azure-mcaf-key-vault.git | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | n/a | <pre>object({<br>    name                            = string<br>    enabled_for_disk_encryption     = optional(bool, false)<br>    enabled_for_deployment          = optional(bool, false)<br>    enabled_for_template_deployment = optional(bool, false)<br>    enable_rbac_authorization       = optional(bool, true)<br>    purge_protection                = optional(bool, true)<br>    soft_delete_retention_days      = optional(number, 30)<br>    sku                             = optional(string, "standard")<br>    ip_rules                        = optional(list(string), [])<br>    subnet_ids                      = optional(list(string), [])<br>    network_bypass                  = optional(string, "None")<br>    cmk_keys_create                 = optional(bool, true)<br>    cmkrsa_key_name                 = optional(string, "cmkrsa")<br>    cmkec_key_name                  = optional(string, "cmkec")<br>    cmk_rotation_period             = optional(string, "P90D")<br>  })</pre> | n/a | yes |
+| <a name="input_location"></a> [location](#input\_location) | Location of the resources to create | `string` | n/a | yes |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | The name of the resource group in which to create the resources. | <pre>object({<br>    name = string<br>  })</pre> | <pre>{<br>  "name": null<br>}</pre> | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_key_vault_cmkrsa_id"></a> [key\_vault\_cmkrsa\_id](#output\_key\_vault\_cmkrsa\_id) | CMK RSA Key ID |
+| <a name="output_key_vault_cmkrsa_key_name"></a> [key\_vault\_cmkrsa\_key\_name](#output\_key\_vault\_cmkrsa\_key\_name) | CMK RSA Key Name |
+| <a name="output_key_vault_id"></a> [key\_vault\_id](#output\_key\_vault\_id) | n/a |
+| <a name="output_key_vault_name"></a> [key\_vault\_name](#output\_key\_vault\_name) | n/a |
+| <a name="output_key_vault_uri"></a> [key\_vault\_uri](#output\_key\_vault\_uri) | n/a |
+<!-- END_TF_DOCS -->

examples/basic/main.tf

@@ -0,0 +1,30 @@
+terraform {
+  required_version = ">= 1.7"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4"
+    }
+  }
+}
+
+provider "azurerm" {
+  subscription_id = "00000000-0000-0000-0000-000000000000"
+  features {}
+}
+
+module "azure_core" {
+  source = "../.."
+
+  resource_group = {
+    name = "example-rg"
+  }
+
+  key_vault = {
+    name = "example-kv"
+  }
+
+  location = "West Europe"
+  tags     = { Environment = "Production" }
+}

main.tf

@@ -0,0 +1,38 @@
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "this" {
+  name     = var.resource_group.name
+  location = var.location
+  tags = merge(
+    try(var.tags),
+    tomap({
+      "Resource Type" = "Resource Group"
+    })
+  )
+}
+
+module "keyvault_with_cmk" {
+  source = "github.com/schubergphilis/terraform-azure-mcaf-key-vault.git"
+
+  key_vault = {
+    name                            = var.key_vault.name
+    tenant_id                       = data.azurerm_client_config.current.tenant_id
+    resource_group_name             = azurerm_resource_group.this.name
+    location                        = var.location
+    enabled_for_disk_encryption     = true
+    enabled_for_deployment          = false
+    enabled_for_template_deployment = false
+    enable_rbac_authorization       = true
+    purge_protection                = true
+    soft_delete_retention_days      = 30
+    sku                             = "standard"
+    ip_rules                        = length(var.key_vault.ip_rules) == 0 ? null : var.key_vault.ip_rules
+    subnet_ids                      = length(var.key_vault.subnet_ids) == 0 ? null : var.key_vault.subnet_ids
+    network_bypass                  = "AzureServices"
+    cmk_keys_create                 = true
+    cmkrsa_key_name                 = var.key_vault.cmkrsa_key_name
+    cmkec_key_name                  = var.key_vault.cmkec_key_name
+  }
+
+  tags = var.tags
+}

outputs.tf

@@ -0,0 +1,21 @@
+output "key_vault_id" {
+  value = module.keyvault_with_cmk.key_vault_id
+}
+
+output "key_vault_name" {
+  value = module.keyvault_with_cmk.key_vault_name
+}
+
+output "key_vault_uri" {
+  value = module.keyvault_with_cmk.key_vault_uri
+}
+
+output "key_vault_cmkrsa_key_name" {
+  value       = module.keyvault_with_cmk.key_vault_cmkrsa_keyname
+  description = "CMK RSA Key Name"
+}
+
+output "key_vault_cmkrsa_id" {
+  value       = module.keyvault_with_cmk.key_vault_cmkrsa_id
+  description = "CMK RSA Key ID"
+}

terraform.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.7"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4"
+    }
+  }
+}

variables.tf

@@ -0,0 +1,41 @@
+variable "resource_group" {
+  description = "The name of the resource group in which to create the resources."
+  type = object({
+    name = string
+  })
+  default = {
+    name = null
+  }
+}
+
+variable "key_vault" {
+  type = object({
+    name                            = string
+    enabled_for_disk_encryption     = optional(bool, false)
+    enabled_for_deployment          = optional(bool, false)
+    enabled_for_template_deployment = optional(bool, false)
+    enable_rbac_authorization       = optional(bool, true)
+    purge_protection                = optional(bool, true)
+    soft_delete_retention_days      = optional(number, 30)
+    sku                             = optional(string, "standard")
+    ip_rules                        = optional(list(string), [])
+    subnet_ids                      = optional(list(string), [])
+    network_bypass                  = optional(string, "None")
+    cmk_keys_create                 = optional(bool, true)
+    cmkrsa_key_name                 = optional(string, "cmkrsa")
+    cmkec_key_name                  = optional(string, "cmkec")
+    cmk_rotation_period             = optional(string, "P90D")
+  })
+}
+
+variable "location" {
+  description = "Location of the resources to create"
+  type        = string
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the resource."
+  type        = map(string)
+  default     = {}
+}
+