key vault issue gist
# Identity that is running this Terraform run. Its tenant id, subscription id and
# object id are read below to configure the vault and to grant the caller an
# access policy on it.
data "azurerm_client_config" "current" {
}
# Region for the resource group and the Key Vault it holds.
variable "keyVaultLocation" {
  description = "Azure region for the resource group and the Key Vault."
  default     = "centralus"
}
# Tags stamped on the resource group and the Key Vault.
variable "azTags" {
  description = "Tags applied to the resource group and the Key Vault."
  default = {
    Application = "Azure DevOps Terraform Pipelines"
    Owner       = "me"
  }
}
# Resource group that holds the vault. `var.adoProjectName` is not declared in this
# listing; it is expected to be defined elsewhere in the configuration.
resource "azurerm_resource_group" "main" {
  location = var.keyVaultLocation
  name     = format("%s-rg", var.adoProjectName)
  tags     = var.azTags
}
# Three random words; the vault name below is derived from this so it is unique
# across Azure (Key Vault names are globally scoped).
resource "random_pet" "kv-name" {
  length = 3
}
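# The vault. Its name is the random pet id with the dashes stripped and truncated to
# the 24-character Key Vault name limit.
resource "azurerm_key_vault" "keyvault" {
  name                = substr(replace(random_pet.kv-name.id, "-", ""), 0, 24)
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  tags                = var.azTags

  # Nothing in this configuration deploys certificates to Azure VMs, so do not let
  # the Microsoft.Compute resource provider pull from the vault (the previous value
  # was true). Set it back to true only if VM certificate deployment is actually used.
  enabled_for_deployment = false

  # NOTE(review): no network ACLs, soft-delete or purge-protection settings are
  # given here, so the provider version in use decides those defaults. For anything
  # beyond a demo, restrict network access and enable purge protection explicitly.
}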
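# Grant the identity running Terraform the rights it needs to manage objects in the
# vault; the `azurerm_key_vault_secret` further down relies on "Set" from this policy.
# Permission names use the capitalization the provider documents throughout (the
# original mixed "get" and "List"), because some provider versions report case-only
# differences as drift. "Purge" is deliberately not granted.
resource "azurerm_key_vault_access_policy" "access" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Get",
    "List",
    "Update",
    "Restore",
    "Backup",
    "Recover",
    "Delete",
    "Import",
    "Create",
  ]

  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
  ]

  certificate_permissions = [
    "Get",
    "List",
    "Update",
    "Create",
    "Import",
    "Delete",
    "Recover",
    "Backup",
    "Restore",
    "ManageContacts",
    "DeleteIssuers",
    "SetIssuers",
    "ListIssuers",
    "ManageIssuers",
    "GetIssuers",
  ]
}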
# Azure AD application backing the service principal Azure DevOps will log in as.
# `name` is the argument of the azuread provider generation this was written
# against; later provider releases call it `display_name`.
resource "azuread_application" "adospn" {
  name = format("%s-app", var.adoProjectName)
}
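# Client secret for the Azure DevOps service principal. `random_password` is used
# instead of `random_string` because it marks `result` as sensitive, so the secret
# is not echoed in `terraform plan`/`apply` output or in CI logs. It is still stored
# in Terraform state: keep the state backend encrypted and access-controlled.
# Changing the resource type rotates the secret on the next apply; the two
# references below are updated to match.
resource "random_password" "password" {
  length  = 32
  special = true
}

# Service principal for the application above.
resource "azuread_service_principal" "adospn" {
  application_id = azuread_application.adospn.application_id
}

# The credential is deliberately short-lived. `end_date` is a fixed timestamp and
# must lie in the future at apply time; move it forward (and rotate the secret)
# before it passes, otherwise the pipeline's service connection stops working.
resource "azuread_service_principal_password" "adospn" {
  service_principal_id = azuread_service_principal.adospn.id
  value                = random_password.password.result
  end_date             = "2021-01-01T00:00:00Z"
}

# Lets Azure DevOps resolve the vault as an ARM resource. Reader is enough for that;
# the previous Contributor role would also have allowed the pipeline identity to
# rewrite the vault's access policies and grant itself more than Get/List.
# Secret access comes from the access policy below, not from this role.
# NOTE(review): confirm Reader satisfies the service-connection verification in
# your tenant; if not, widen to the least role that does, never Contributor.
resource "azurerm_role_assignment" "main" {
  principal_id         = azuread_service_principal.adospn.object_id
  scope                = azurerm_key_vault.keyvault.id
  role_definition_name = "Reader"
}

# Read-only secret access for the pipeline identity: what a Key Vault-backed
# variable group needs, and nothing more (no keys, no certificates, no Set).
resource "azurerm_key_vault_access_policy" "spnaccess" {
  key_vault_id = azurerm_key_vault.keyvault.id
  tenant_id    = azurerm_key_vault.keyvault.tenant_id
  object_id    = azuread_service_principal.adospn.object_id

  secret_permissions = [
    "Get",
    "List",
  ]
}

# Example secret. The explicit depends_on matters: the secret only references the
# vault id, so without it Terraform may try to write the secret before the caller's
# access policy exists and the API rejects the call. The literal value is a demo
# placeholder; real secret material should come from a variable or an external
# source, not from source control.
resource "azurerm_key_vault_secret" "example" {
  key_vault_id = azurerm_key_vault.keyvault.id
  name         = "kv-secret"
  value        = "szechuan"

  depends_on = [azurerm_key_vault_access_policy.access]
}

# Azure DevOps service connection carrying the service principal's client id and
# secret. `azuredevops_project.project` is defined outside this listing.
resource "azuredevops_serviceendpoint_azurerm" "endpointazure" {
  project_id            = azuredevops_project.project.id
  service_endpoint_name = "AzureKeyVaultSE"

  credentials {
    serviceprincipalid  = azuread_service_principal.adospn.application_id
    serviceprincipalkey = random_password.password.result
  }

  azurerm_spn_tenantid      = data.azurerm_client_config.current.tenant_id
  azurerm_subscription_id   = data.azurerm_client_config.current.subscription_id
  azurerm_subscription_name = "Azure KeyVault Stored Subscription"
}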
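# Variable group that surfaces vault secrets to pipelines. `allow_access = false`
# means each pipeline must be authorized for this group explicitly; the previous
# value of true let every pipeline in the project read the linked secrets without
# any authorization step. `azuredevops_project.project` is defined outside this
# listing.
resource "azuredevops_variable_group" "this" {
  project_id   = azuredevops_project.project.id
  name         = "configuration"
  description  = "configuration"
  allow_access = false

  key_vault {
    name                = azurerm_key_vault.keyvault.name
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.endpointazure.id
  }

  # Only the named secret is exposed; add one `variable` block per secret to surface.
  variable {
    name    = "kv-secret"
    enabled = true
  }
}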