Initial commit: add .gitignore and README

This commit is contained in:
defiQUG
2026-02-09 21:51:46 -08:00
commit b970b4fc51
52 changed files with 3362 additions and 0 deletions


@@ -0,0 +1,61 @@
# Azure Key Vault Module
**Purpose**: Create Azure Key Vault with RBAC
**Status**: 🚧 Planned
---
## Usage
```hcl
module "keyvault" {
source = "../../modules/azure/keyvault"
resource_group_name = "rg-example"
location = "eastus"
keyvault_name = "kv-example"
access_policies = [
{
object_id = var.service_principal_id
key_permissions = ["Get", "List"]
secret_permissions = ["Get", "List"]
}
]
tags = {
Environment = "production"
}
}
```
---
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| resource_group_name | Name of the resource group | string | - | yes |
| location | Azure region | string | - | yes |
| keyvault_name | Name of the Key Vault | string | - | yes |
| sku_name | SKU name (standard or premium) | string | "standard" | no |
| enabled_for_deployment | Enable for VM deployment | bool | false | no |
| enabled_for_disk_encryption | Enable for disk encryption | bool | false | no |
| enabled_for_template_deployment | Enable for template deployment | bool | false | no |
| access_policies | List of access policies | list(object) | [] | no |
| tags | Tags to apply | map(string) | {} | no |
---
## Outputs
| Name | Description |
|------|-------------|
| keyvault_id | Key Vault ID |
| keyvault_uri | Key Vault URI |
| keyvault_name | Key Vault name |
---
**Status**: 🚧 Planned - Module structure ready, implementation pending


@@ -0,0 +1,61 @@
# Azure Key Vault Module
# Main resources
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0"
}
}
}
# Key Vault
resource "azurerm_key_vault" "main" {
name = var.keyvault_name
location = var.location
resource_group_name = var.resource_group_name
tenant_id = var.tenant_id
sku_name = var.sku_name
enabled_for_deployment = var.enabled_for_deployment
enabled_for_disk_encryption = var.enabled_for_disk_encryption
enabled_for_template_deployment = var.enabled_for_template_deployment
network_acls {
default_action = var.network_acls.default_action
bypass = var.network_acls.bypass
ip_rules = var.network_acls.ip_rules
virtual_network_subnet_ids = var.network_acls.virtual_network_subnet_ids
}
tags = var.tags
lifecycle {
create_before_destroy = true
}
}
# Access Policies
resource "azurerm_key_vault_access_policy" "policies" {
for_each = { for idx, policy in var.access_policies : idx => policy }
key_vault_id = azurerm_key_vault.main.id
tenant_id = var.tenant_id
object_id = each.value.object_id
key_permissions = each.value.key_permissions
secret_permissions = each.value.secret_permissions
certificate_permissions = each.value.certificate_permissions
storage_permissions = each.value.storage_permissions
}
# RBAC (if enabled)
resource "azurerm_role_assignment" "rbac" {
for_each = var.enable_rbac ? var.rbac_assignments : {}
scope = azurerm_key_vault.main.id
role_definition_name = each.value.role_definition_name
principal_id = each.value.principal_id
}
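Review bot: `enable_rbac` only gates the `azurerm_role_assignment` resources; the `azurerm_key_vault` resource never sets `enable_rbac_authorization`, so with `enable_rbac = true` the roles are assigned but the vault still authorizes data-plane access through access policies, and any `rbac_assignments` granting data-plane roles (e.g. Key Vault Secrets User) would have no effect. Add `enable_rbac_authorization = var.enable_rbac` to the `azurerm_key_vault` block so the two modes cannot silently diverge. Separately, the vault sets neither `purge_protection_enabled` nor `soft_delete_retention_days`, which with azurerm 3.x leaves purge protection off; for a module whose README example is tagged production I would expose both as variables with purge protection defaulting to `true`. Finally, `create_before_destroy = true` is unlikely to work for a vault replacement, since the name is a globally unique DNS label that also stays reserved while the old vault is soft-deleted, so the replacement cannot be created before the old one is gone — confirm against a forced replacement before keeping it.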


@@ -0,0 +1,17 @@
# Azure Key Vault Module Outputs
output "keyvault_id" {
description = "Key Vault ID"
value = azurerm_key_vault.main.id
}
output "keyvault_uri" {
description = "Key Vault URI"
value = azurerm_key_vault.main.vault_uri
}
output "keyvault_name" {
description = "Key Vault name"
value = azurerm_key_vault.main.name
}


@@ -0,0 +1,95 @@
# Azure Key Vault Module Variables
variable "resource_group_name" {
description = "Name of the resource group"
type = string
}
variable "location" {
description = "Azure region"
type = string
}
variable "keyvault_name" {
description = "Name of the Key Vault"
type = string
}
variable "tenant_id" {
description = "Azure tenant ID"
type = string
}
variable "sku_name" {
description = "SKU name (standard or premium)"
type = string
default = "standard"
}
variable "enabled_for_deployment" {
description = "Enable for VM deployment"
type = bool
default = false
}
variable "enabled_for_disk_encryption" {
description = "Enable for disk encryption"
type = bool
default = false
}
variable "enabled_for_template_deployment" {
description = "Enable for template deployment"
type = bool
default = false
}
variable "network_acls" {
description = "Network ACLs configuration"
type = object({
default_action = string
bypass = string
ip_rules = list(string)
virtual_network_subnet_ids = list(string)
})
default = {
default_action = "Deny"
bypass = "AzureServices"
ip_rules = []
virtual_network_subnet_ids = []
}
}
variable "access_policies" {
description = "List of access policies"
type = list(object({
object_id = string
key_permissions = list(string)
secret_permissions = list(string)
certificate_permissions = list(string)
storage_permissions = list(string)
}))
default = []
}
variable "enable_rbac" {
description = "Enable RBAC for Key Vault"
type = bool
default = false
}
variable "rbac_assignments" {
description = "RBAC role assignments"
type = map(object({
role_definition_name = string
principal_id = string
}))
default = {}
}
variable "tags" {
description = "Tags to apply to resources"
type = map(string)
default = {}
}
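Review bot: The `access_policies` object type declares all four permission lists as required attributes, so a caller that passes only `key_permissions` and `secret_permissions` (exactly what the README usage example in this commit does) fails type-checking before a plan is produced. Making the permission lists `optional(list(string), [])` keeps the interface backward-compatible and makes the README example valid; this needs Terraform >= 1.3, so `required_version` in versions.tf would have to move up from `>= 1.0`. I would also add `validation` blocks so bad values fail at plan time rather than at the API: `sku_name` in `["standard", "premium"]` and `network_acls.default_action` in `["Allow", "Deny"]`, since a typo in `default_action` is the difference between a locked-down vault and an open one.
```hcl
variable "access_policies" {
  description = "List of access policies"
  type = list(object({
    object_id               = string
    key_permissions         = optional(list(string), [])
    secret_permissions      = optional(list(string), [])
    certificate_permissions = optional(list(string), [])
    storage_permissions     = optional(list(string), [])
  }))
  default = []
}
```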


@@ -0,0 +1,13 @@
# Azure Key Vault Module - Provider Versions
terraform {
required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0"
}
}
}
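Review bot: This `required_providers` block duplicates the one already declared in main.tf in the same commit (same `hashicorp/azurerm` source and `~> 3.0` constraint), and I expect `terraform init` to reject the same provider local name declared twice with a "Duplicate required provider" error — confirm with an init. Either way, keep the provider requirement only in this file and drop the `terraform { required_providers { ... } }` block from main.tf so the version pin lives in one place. If the module adopts `optional()` object attributes with defaults, `required_version` here should become `">= 1.3"`, which is where that form became available.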