schubergphilis/terraform-azure-mcaf-key-vault

terraform-azure-mcaf-key-vault

Terraform module that deploys an Azure Key Vault with secure defaults (RBAC authorization, public network access disabled, network ACL default action Deny, purge protection and soft delete enabled) and, optionally, a private endpoint, role assignments, a customer-managed RSA key and additional keys.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.7 |
| azurerm | >= 4 |

Providers

| Name | Version |
|------|---------|
| azurerm | 4.3.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_key_vault.this | resource |
| azurerm_key_vault_key.customer_managed_key_rsa | resource |
| azurerm_key_vault_key.this | resource |
| azurerm_private_endpoint.this | resource |
| azurerm_private_endpoint.this_unmanaged_dns | resource |
| azurerm_role_assignment.this | resource |
| azurerm_client_config.current | data source |

`azurerm_private_endpoint.this` and `azurerm_private_endpoint.this_unmanaged_dns` are the two variants of the optional private endpoint: the first carries the private DNS zone group managed by this module, the second is used when `private_endpoints_manage_dns_zone_group` is `false` and DNS registration is handled elsewhere (for example by Azure Policy).

Inputs

Required:

- `name` (string): The name of the Azure Key Vault.
- `resource_group_name` (string): The name of the resource group in which the Key Vault will be created.
- `tenant_id` (string): The Microsoft Entra ID (Azure AD) tenant ID used to authenticate requests to the Key Vault.

Optional:

- `customer_managed_key` (object, default `null`): Configuration for a customer-managed RSA key (CMK) created in the Key Vault. When `null`, no CMK is created.
  - `rsa_key_name` - (Optional) The name of the RSA key. Defaults to "cmkrsa".
  - `rsa_key_size` - (Optional) The size of the RSA key in bits: 2048, 3072 or 4096. Defaults to 4096.
  - `rotation_period` - (Optional) How long after creation the key is rotated automatically, as an ISO 8601 duration (e.g. P18M = 18 months). Defaults to "P18M".
  - `expiry_period` - (Optional) How long after creation the key expires, as an ISO 8601 duration (e.g. P2Y = 2 years). Defaults to "P2Y".
  - `notify_period` - (Optional) How long before expiry Key Vault raises the near-expiry notification, as an ISO 8601 duration. Defaults to "P30D".
  - `expiration_date` - (Optional) A fixed RFC 3339 timestamp at which the key expires. Overrides `expiry_period` when set.
  - `time_before_expiry` - (Optional) Rotate the key this long before it expires (ISO 8601 duration) instead of a fixed time after creation. When set, `rotation_period` is ignored.

  Type:

  ```hcl
  object({
    rsa_key_name       = optional(string, "cmkrsa")
    rsa_key_size       = optional(string, 4096)
    rotation_period    = optional(string, "P18M")
    expiry_period      = optional(string, "P2Y")
    notify_period      = optional(string, "P30D")
    expiration_date    = optional(string)
    time_before_expiry = optional(string)
  })
  ```

- `default_network_action` (string, default `"Deny"`): The action of the network ACL when no IP or subnet rule matches. Keep `"Deny"` unless you have a documented reason to expose the vault; note that with `public_network_access_enabled = false` (the default) the ACL rules are not consulted at all and only private endpoint traffic reaches the vault.
- `enable_rbac_authorization` (bool, default `true`): Use Azure RBAC data-plane roles instead of vault access policies. The `key_vault_*` inputs below create role assignments, which only grant data-plane access while RBAC authorization is enabled.
- `enabled_for_deployment` (bool, default `false`): Allow Azure Virtual Machines to retrieve certificates stored as secrets from the vault.
- `enabled_for_disk_encryption` (bool, default `false`): Allow Azure Disk Encryption to retrieve secrets and unwrap keys. If the vault firewall is active this service also needs `network_bypass = "AzureServices"`.
- `enabled_for_template_deployment` (bool, default `false`): Allow Azure Resource Manager template deployments to retrieve secrets.
- `ip_rules` (list(string), default `[]`): Public IPv4 addresses or CIDR ranges allowed through the vault firewall. Only effective while public network access is enabled.
- `key_vault_administrators` (map(object), default `{}`): Principals assigned the Key Vault Administrator role on the vault. Treat this as a break-glass/platform role; day-to-day consumers belong in one of the narrower maps below.
- `key_vault_certificate_users` (map(object), default `{}`): Principals assigned the Key Vault Certificate User role.
- `key_vault_crypto_users` (map(object), default `{}`): Principals assigned the Key Vault Crypto User role.
- `key_vault_encryption_users` (map(object), default `{}`): Principals assigned the Key Vault Encryption User role (wrap/unwrap for services using a CMK).
- `key_vault_secret_users` (map(object), default `{}`): Principals assigned the Key Vault Secrets User role.

  All five maps share one shape. The map key is an arbitrary label; `principal_id` is the object ID of the user, group, service principal or managed identity; `skip_service_principal_aad_check` avoids the directory lookup for a service principal that was created in the same run and may not have replicated yet; `principal_type` (`"User"`, `"Group"` or `"ServicePrincipal"`) is optional but recommended so the assignment does not depend on a directory lookup.

  ```hcl
  map(object({
    principal_id                     = string
    skip_service_principal_aad_check = optional(bool, false)
    principal_type                   = optional(string)
  }))
  ```

- `keys` (map(object), default `{}`): Additional keys to create in the vault, keyed by an arbitrary label. Each entry supports:
  - `name` - (Optional) The name of the key in the vault.
  - `type` - (Optional) The key type, e.g. `"RSA"` or `"EC"`.
  - `curve` - (Optional) The curve for EC keys, e.g. `"P-256"`.
  - `size` - (Optional) The size in bits for RSA keys.
  - `opts` - (Optional) The permitted key operations. Defaults to `[]`; grant only the operations the consumer needs (a signing key should not also be allowed to `decrypt` or `unwrapKey`).
  - `expiration_date`, `not_before_date` - (Optional) RFC 3339 timestamps bounding the key's validity.
  - `rotation_policy` - (Optional) Automatic rotation (`time_after_creation` or `time_before_expiry`), `expire_after` and `notify_before_expiry`, all ISO 8601 durations.
  - `tags` - (Optional) Tags for the key.

  Example:

  ```hcl
  keys = {
    key_rsa = {
      type = "RSA"
      size = 4096
      opts = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
    }
    key_ec = {
      type  = "EC"
      curve = "P-256"
      opts  = ["sign", "verify"]
    }
  }
  ```

  Type:

  ```hcl
  map(object({
    name            = optional(string)
    type            = optional(string)
    curve           = optional(string)
    size            = optional(number)
    opts            = optional(list(string), [])
    expiration_date = optional(string)
    not_before_date = optional(string)
    rotation_policy = optional(object({
      automatic = optional(object({
        time_after_creation = optional(string)
        time_before_expiry  = optional(string)
      }))
      expire_after         = optional(string)
      notify_before_expiry = optional(string)
    }))
    tags = optional(map(string), {})
  }))
  ```

- `location` (string, default `null`): The location of the Key Vault. If not specified, the location of the calling module is used.
- `network_bypass` (string, default `"None"`): Which traffic may bypass the network rules: `"AzureServices"` (trusted Microsoft services) or `"None"`. The default blocks trusted services as well; set `"AzureServices"` only when an Azure service integration (disk encryption, CMK for a PaaS service) must reach the vault through the firewall.
- `private_endpoint` (object, default `null`): Defines a private endpoint to create. The defaults disable public access, so without a private endpoint the vault has no reachable data-plane path; set one or the other deliberately.
  - `name` - (Optional) The name of the private endpoint. If omitted, a name is auto-generated.
  - `location` - (Optional) Azure region of the private endpoint. Defaults to the location of the associated resource group.
  - `tags` - (Optional) Tags for the private endpoint. Defaults to an empty map.
  - `subnet_id` - (Required) The full resource ID of the subnet in which to deploy the private endpoint.
  - `private_dns_zone_group_name` - (Optional) The name of the DNS zone group. Defaults to "default".
  - `private_dns_zone_resource_ids` - (Optional) Private DNS zone resource IDs to link (for Key Vault this is the `privatelink.vaultcore.azure.net` zone). If not provided, no DNS zone association is made and clients will not resolve the vault to the private IP unless DNS is managed elsewhere.
  - `private_service_connection_name` - (Optional) The name of the private service connection. If not specified, a name is generated.
  - `custom_network_interface_name` - (Optional) Custom name for the network interface. If omitted, a default is used.
  - `resource_group_name` - (Optional) The resource group for the private endpoint. Defaults to the resource group of the vault.

  Type:

  ```hcl
  object({
    name                            = optional(string)
    location                        = optional(string)
    tags                            = optional(map(string), {})
    subnet_id                       = string
    private_dns_zone_group_name     = optional(string, "default")
    private_dns_zone_resource_ids   = optional(set(string), [])
    private_service_connection_name = optional(string)
    custom_network_interface_name   = optional(string)
    resource_group_name             = optional(string)
  })
  ```

- `private_endpoints_manage_dns_zone_group` (bool, default `true`): Whether this module manages the private DNS zone group. If `false`, you must manage the zone group externally, e.g. with Azure Policy.
- `public_network_access_enabled` (bool, default `false`): Whether the vault accepts connections from public networks. Leave `false` and use a private endpoint; if you must enable it, pair it with `default_network_action = "Deny"` and explicit `ip_rules`/`subnet_ids`.
- `purge_protection` (bool, default `true`): Enable purge protection. Once enabled on a vault it cannot be turned off again, and a deleted vault (and its keys) cannot be purged before the soft-delete retention period ends; the vault name stays reserved for that period.
- `sku` (string, default `"standard"`): The SKU, `standard` or `premium`. `premium` is required for HSM-backed keys (`RSA-HSM`, `EC-HSM`).
- `soft_delete_retention_days` (number, default `30`): Days to retain soft-deleted items; Azure accepts 7 to 90.
- `subnet_ids` (list(string), default `[]`): Subnet IDs allowed through the vault firewall. Each subnet needs the `Microsoft.KeyVault` service endpoint, and the rules are only consulted while public network access is enabled.
- `tags` (map(string), default `{}`): Tags to assign to the resources.
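The following root-module configuration is an added usage example and is not code from the module or its README. It assumes the module is consumed directly from the GitHub repository pinned to a release tag (`v1.0.0` is a placeholder; use a real tag), that the private-endpoint subnet, the `privatelink.vaultcore.azure.net` zone and an admin group already exist, and that the Terraform runner has network access to the vault over the private endpoint, which is required because public access stays disabled while the module creates keys.

```hcl
# Added example; not part of the module. Assumed names: rg-network, vnet-hub,
# snet-private-endpoints, the v1.0.0 tag and var.kv_admin_group_object_id.
terraform {
  required_version = ">= 1.7"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "rg-kv-example"
  location = "westeurope"
}

# Pre-existing network and DNS pieces (assumed).
data "azurerm_subnet" "pe" {
  name                 = "snet-private-endpoints"
  virtual_network_name = "vnet-hub"
  resource_group_name  = "rg-network"
}

data "azurerm_private_dns_zone" "vault" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = "rg-network"
}

variable "kv_admin_group_object_id" {
  description = "Object ID of the Entra group that administers the vault (assumed to exist)."
  type        = string
}

module "key_vault" {
  source = "github.com/schubergphilis/terraform-azure-mcaf-key-vault?ref=v1.0.0" # pin to a release tag

  name                = "kv-example-001"
  resource_group_name = azurerm_resource_group.kv.name
  location            = azurerm_resource_group.kv.location
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # These are the module defaults; spelled out so a reviewer sees the posture.
  enable_rbac_authorization     = true
  public_network_access_enabled = false
  default_network_action        = "Deny"
  network_bypass                = "None"
  purge_protection              = true
  soft_delete_retention_days    = 90

  # Private endpoint with DNS registration managed by the module.
  private_endpoint = {
    subnet_id                     = data.azurerm_subnet.pe.id
    private_dns_zone_resource_ids = [data.azurerm_private_dns_zone.vault.id]
  }

  # Creating keys in an RBAC vault needs data-plane rights for the deployer,
  # so the identity running Terraform is an administrator alongside the
  # break-glass group. Application consumers get narrower roles.
  key_vault_administrators = {
    platform_admins = {
      principal_id   = var.kv_admin_group_object_id
      principal_type = "Group"
    }
    deployer = {
      principal_id = data.azurerm_client_config.current.object_id
    }
  }

  # CMK used by other services: rotated yearly, versions expire after two years.
  customer_managed_key = {
    rsa_key_name    = "cmk-storage"
    rsa_key_size    = 4096
    rotation_period = "P12M"
    expiry_period   = "P2Y"
    notify_period   = "P30D"
  }

  # A signing key limited to sign/verify only.
  keys = {
    app_signing = {
      name  = "app-signing"
      type  = "EC"
      curve = "P-256"
      opts  = ["sign", "verify"]
    }
  }

  tags = { environment = "prod" }
}

# Hand the versionless CMK ID to consumers so they pick up rotated versions.
output "cmk_versionless_id" {
  value = module.key_vault.cmkrsa_versionless_id
}
```

Everything below `tenant_id` in the module block repeats the documented defaults on purpose: a `terraform plan` diff then shows any future relaxation (public access turned on, purge protection off) as an explicit change in the consumer's code rather than a silent change of module defaults.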

Outputs

| Name | Description |
|------|-------------|
| cmkrsa_id | CMK RSA key ID (the Key Vault key URI, including the version) |
| cmkrsa_key_name | CMK RSA key name |
| cmkrsa_resource_resource_id | CMK RSA key Azure resource ID (including the version) |
| cmkrsa_resource_versionless_id | CMK RSA key Azure resource ID without the version |
| cmkrsa_versionless_id | CMK RSA key URI without the version |
| key_vault_id | Resource ID of the Key Vault |
| key_vault_name | Name of the Key Vault |
| key_vault_uri | Data-plane URI of the Key Vault |

The `cmkrsa_*` outputs are only populated when `customer_managed_key` is set. When wiring the CMK into another Azure service, prefer the versionless outputs: a consumer configured with a versioned key ID keeps using that version after the key rotates, while a versionless ID lets the service follow rotation automatically.
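A regression check for the secure defaults, as an added `terraform test` file (for example `tests/secure_defaults.tftest.hcl`). It is not part of the module. It assumes it lives inside the module repository so the module is the root module under test, that `azurerm_key_vault.this` is a single instance (no `count`/`for_each`) and that the module maps `default_network_action` and `network_bypass` onto the vault's `network_acls` block; it relies on provider mocking, available since Terraform 1.7, which the module already requires, so no Azure credentials are needed.

```hcl
# Added example test; not part of the module. Runs with `terraform test`
# from the module root and needs no Azure access thanks to mock_provider.
mock_provider "azurerm" {}

# Only the required inputs are set, so the run exercises the module defaults.
# The tenant ID is a constructed placeholder.
variables {
  name                = "kv-test"
  resource_group_name = "rg-test"
  tenant_id           = "00000000-0000-0000-0000-000000000000"
  location            = "westeurope"
}

run "secure_defaults" {
  command = plan

  assert {
    condition     = azurerm_key_vault.this.purge_protection_enabled == true
    error_message = "purge protection must be enabled by default"
  }

  assert {
    condition     = azurerm_key_vault.this.public_network_access_enabled == false
    error_message = "public network access must be disabled by default"
  }

  assert {
    condition     = azurerm_key_vault.this.soft_delete_retention_days == 30
    error_message = "soft delete retention must default to 30 days"
  }

  # Assumes the module sets network_acls from default_network_action/network_bypass.
  assert {
    condition = (
      azurerm_key_vault.this.network_acls[0].default_action == "Deny" &&
      azurerm_key_vault.this.network_acls[0].bypass == "None"
    )
    error_message = "network ACL must default to Deny with no bypass"
  }
}

run "ip_rules_only_with_public_access" {
  command = plan

  # Opening the firewall to a range while leaving public access disabled is
  # a no-op in Azure; this run documents that and keeps the default action.
  variables {
    public_network_access_enabled = true
    ip_rules                      = ["203.0.113.0/24"] # TEST-NET-3, constructed
  }

  assert {
    condition     = azurerm_key_vault.this.network_acls[0].default_action == "Deny"
    error_message = "enabling public access must not change the default action"
  }

  assert {
    condition     = contains(azurerm_key_vault.this.network_acls[0].ip_rules, "203.0.113.0/24")
    error_message = "ip_rules must be passed through to the vault firewall"
  }
}
```

Because `command = plan` never calls Azure, the test guards the module's own defaults and plumbing (what the vault would be created with), not the effective configuration of a deployed vault; a drift check against a live subscription still needs `terraform plan` with real credentials or an Azure Policy audit.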

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
