Initial commit: add .gitignore and README

terraform/modules/azure/keyvault/main.tf

@@ -0,0 +1,61 @@
+# Azure Key Vault Module
+# Main resources
+
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+  }
+}
+
+# Key Vault
+resource "azurerm_key_vault" "main" {
+  name                = var.keyvault_name
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  tenant_id           = var.tenant_id
+  sku_name            = var.sku_name
+
+  enabled_for_deployment          = var.enabled_for_deployment
+  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
+  enabled_for_template_deployment = var.enabled_for_template_deployment
+
+  network_acls {
+    default_action = var.network_acls.default_action
+    bypass         = var.network_acls.bypass
+    ip_rules       = var.network_acls.ip_rules
+    virtual_network_subnet_ids = var.network_acls.virtual_network_subnet_ids
+  }
+
+  tags = var.tags
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Access Policies
+resource "azurerm_key_vault_access_policy" "policies" {
+  for_each = { for idx, policy in var.access_policies : idx => policy }
+
+  key_vault_id = azurerm_key_vault.main.id
+  tenant_id    = var.tenant_id
+  object_id    = each.value.object_id
+
+  key_permissions         = each.value.key_permissions
+  secret_permissions      = each.value.secret_permissions
+  certificate_permissions = each.value.certificate_permissions
+  storage_permissions     = each.value.storage_permissions
+}
+
+# RBAC (if enabled)
+resource "azurerm_role_assignment" "rbac" {
+  for_each = var.enable_rbac ? var.rbac_assignments : {}
+
+  scope                = azurerm_key_vault.main.id
+  role_definition_name = each.value.role_definition_name
+  principal_id         = each.value.principal_id
+}
+