d-bis/smom-dbis-138
4
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
fc3a95de08c95e1d0a96b640ea1fda99ac56510e
smom-dbis-138/terraform/modules/keyvault-enhanced/main.tf
defiQUG 1fb7266469 Add Oracle Aggregator and CCIP Integration 
- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control.
- Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities.
- Created .gitmodules to include OpenZeppelin contracts as a submodule.
- Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment.
- Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks.
- Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring.
- Created scripts for resource import and usage validation across non-US regions.
- Added tests for CCIP error handling and integration to ensure robust functionality.
- Included various new files and directories for the orchestration portal and deployment scripts.
2025-12-12 14:57:48 -08:00

196 lines
5.4 KiB
HCL
Raw Blame History

# Enhanced Key Vault Module
# Implements Well-Architected Framework best practices for Key Vault
variable "resource_group_name" {
description = "Name of the resource group"
type = string
}
variable "location" {
description = "Azure region"
type = string
}
variable "key_vault_name" {
description = "Name of the Key Vault"
type = string
}
variable "environment" {
description = "Environment (prod, dev, test, staging)"
type = string
}
variable "enable_rbac" {
description = "Enable RBAC authorization (recommended)"
type = bool
default = true
}
variable "enable_private_endpoint" {
description = "Enable private endpoint"
type = bool
default = true
}
variable "private_endpoint_subnet_id" {
description = "Subnet ID for private endpoint"
type = string
default = ""
}
variable "allowed_subnet_ids" {
description = "List of subnet IDs allowed to access Key Vault"
type = list(string)
default = []
}
variable "allowed_ip_ranges" {
description = "List of IP ranges allowed to access Key Vault (management)"
type = list(string)
default = []
}
variable "soft_delete_retention_days" {
description = "Soft delete retention days"
type = number
default = 90
}
variable "purge_protection_enabled" {
description = "Enable purge protection"
type = bool
default = true
}
variable "tags" {
description = "Tags to apply to Key Vault"
type = map(string)
default = {}
}
# Get current client config for RBAC assignments
data "azurerm_client_config" "current" {}
# Private DNS Zone for Key Vault
resource "azurerm_private_dns_zone" "keyvault" {
count = var.enable_private_endpoint ? 1 : 0
name = "privatelink.vaultcore.azure.net"
resource_group_name = var.resource_group_name
tags = var.tags
}
# Private DNS Zone Virtual Network Link
# Note: This requires the virtual network to be in the same resource group or accessible
# For production, create the DNS zone link separately or use a shared DNS zone
resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
count = var.enable_private_endpoint && length(var.allowed_subnet_ids) > 0 ? 1 : 0
name = "kv-vnet-link-${replace(var.key_vault_name, "-", "")}"
resource_group_name = var.resource_group_name
private_dns_zone_name = azurerm_private_dns_zone.keyvault[0].name
virtual_network_id = data.azurerm_subnet.main[0].virtual_network_id
registration_enabled = false
tags = var.tags
}
# Key Vault
resource "azurerm_key_vault" "main" {
name = var.key_vault_name
location = var.location
resource_group_name = var.resource_group_name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
# Enable RBAC (recommended)
enable_rbac_authorization = var.enable_rbac
# Soft delete and purge protection
soft_delete_retention_days = var.soft_delete_retention_days
purge_protection_enabled = var.purge_protection_enabled
# Network ACLs (restrict access)
network_acls {
default_action = "Deny" # Deny by default
bypass = "AzureServices"
# Allow from specific subnets
virtual_network_subnet_ids = var.allowed_subnet_ids
# Allow from specific IPs (management)
ip_rules = var.allowed_ip_ranges
}
# Public network access (disable if using private endpoint)
public_network_access_enabled = !var.enable_private_endpoint
tags = merge(var.tags, {
Environment = var.environment
Purpose = "Secrets"
Security = "High"
})
}
# Private Endpoint for Key Vault
resource "azurerm_private_endpoint" "keyvault" {
count = var.enable_private_endpoint && var.private_endpoint_subnet_id != "" ? 1 : 0
name = "${var.key_vault_name}-pe"
location = var.location
resource_group_name = var.resource_group_name
subnet_id = var.private_endpoint_subnet_id
private_service_connection {
name = "${var.key_vault_name}-psc"
private_connection_resource_id = azurerm_key_vault.main.id
subresource_names = ["vault"]
is_manual_connection = false
}
private_dns_zone_group {
name = "default"
private_dns_zone_ids = [azurerm_private_dns_zone.keyvault[0].id]
}
tags = var.tags
}
# RBAC Role Assignment (if RBAC enabled)
resource "azurerm_role_assignment" "keyvault_administrator" {
count = var.enable_rbac ? 1 : 0
scope = azurerm_key_vault.main.id
role_definition_name = "Key Vault Administrator"
principal_id = data.azurerm_client_config.current.object_id
}
# Get Virtual Network data (only if subnets are provided)
data "azurerm_subnet" "main" {
count = length(var.allowed_subnet_ids) > 0 ? 1 : 0
name = split("/", var.allowed_subnet_ids[0])[10]
resource_group_name = split("/", var.allowed_subnet_ids[0])[4]
virtual_network_name = split("/", var.allowed_subnet_ids[0])[8]
}
# Outputs
output "key_vault_id" {
value = azurerm_key_vault.main.id
}
output "key_vault_name" {
value = azurerm_key_vault.main.name
}
output "key_vault_uri" {
value = azurerm_key_vault.main.vault_uri
}
output "private_endpoint_id" {
value = var.enable_private_endpoint && var.private_endpoint_subnet_id != "" ? azurerm_private_endpoint.keyvault[0].id : null
}
Reference in New Issue View Git Blame Copy Permalink