Automate Application Gateway Config, Switch Hub Key Vault to access p…

…olicy mode (#71)

.azuredevops/templates/steps/tf_apply.yaml

@@ -30,4 +30,4 @@ steps:
       workingDirectory: $(TF_DIRECTORY)
       inlineScript: |
         ${{ parameters.tfApplyScript }}
-        terraform apply -auto-approve $(TF_PLAN_ARTIFACT)/$(ENVIRONMENT).tfplan
+        terraform apply -auto-approve -input=false $(TF_PLAN_ARTIFACT)/$(ENVIRONMENT).tfplan

infrastructure/modules/application-gateway/main.tf

@@ -1,3 +1,5 @@
+data "azurerm_client_config" "current" {}
+
 resource "azurerm_application_gateway" "this" {
   name                = var.names.name
   resource_group_name = var.resource_group_name
@@ -140,7 +142,7 @@ resource "azurerm_application_gateway" "this" {
       frontend_port_name             = var.names.frontend_port_name[http_listener.value.frontend_port_key]
       protocol                       = http_listener.value.protocol
       require_sni                    = http_listener.value.require_sni
-      ssl_certificate_name           = var.names.ssl_certificate_name[http_listener.value.ssl_certificate_key]
+      ssl_certificate_name           = http_listener.value.ssl_certificate_key != null ? var.names.ssl_certificate_name[http_listener.value.ssl_certificate_key] : null
       ssl_profile_name               = http_listener.value.ssl_profile_name
     }
   }
@@ -159,7 +161,7 @@ resource "azurerm_application_gateway" "this" {
   }
 
   depends_on = [
-    module.key_vault_rbac_assignments
+    azurerm_key_vault_access_policy.appgw
   ]
 
   tags = var.tags
@@ -170,3 +172,21 @@ resource "azurerm_user_assigned_identity" "appgw" {
   resource_group_name = var.resource_group_name
   location            = var.location
 }
+
+# Application Gateway cannot use RBAC auth for Key Vault, unless by PowerShell. An Azure Policy exemption will be needed when this is forbidden by NHS
+# https://learn.microsoft.com/azure/application-gateway/key-vault-certs?WT.mc_id=Portal-Microsoft_Azure_HybridNetworking#key-vault-azure-role-based-access-control-permission-model
+resource "azurerm_key_vault_access_policy" "appgw" {
+  key_vault_id = var.key_vault_id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = azurerm_user_assigned_identity.appgw.principal_id
+
+  secret_permissions = [
+    "Get",
+    "List",
+  ]
+
+  certificate_permissions = [
+    "Get",
+    "List",
+  ]
+}

infrastructure/modules/application-gateway/output.tf

@@ -0,0 +1,3 @@
+output "principal_id" {
+  value = azurerm_user_assigned_identity.appgw.principal_id
+}

infrastructure/modules/application-gateway/variables.tf

@@ -93,7 +93,7 @@ variable "probe" {
     minimum_servers                           = optional(number)
     port                                      = optional(number)
     match = optional(object({
-      status_code = list(number)
+      status_code = list(string)
       body        = optional(string)
     }))
   }))

infrastructure/modules/key-vault/main.tf

@@ -14,20 +14,6 @@ resource "azurerm_key_vault" "keyvault" {
 
   enable_rbac_authorization = var.enable_rbac_authorization
 
-  dynamic "access_policy" {
-    for_each = var.enable_rbac_authorization ? [] : [1]
-
-    content {
-      tenant_id = data.azurerm_client_config.current.tenant_id
-      object_id = data.azurerm_client_config.current.object_id
-
-      certificate_permissions = ["Get", "List"]
-      key_permissions         = ["Get", "List"]
-      secret_permissions      = ["Get", "Set", "List"]
-      storage_permissions     = ["Get", "List"]
-    }
-  }
-
   tags = var.tags
 
   lifecycle {

infrastructure/modules/key-vault/variables.tf

@@ -3,15 +3,6 @@ variable "enable_rbac_authorization" {
   default = false
 }
 
-variable "name" {
-  type = string
-}
-
-variable "resource_group_name" {
-  type        = string
-  description = "The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created."
-}
-
 variable "location" {
   type        = string
   description = "The location/region where the  Key Vault is created."
@@ -38,6 +29,10 @@ variable "monitor_diagnostic_setting_keyvault_metrics" {
   description = "Controls what metrics will be enabled for the keyvault"
 }
 
+variable "name" {
+  type = string
+}
+
 variable "private_endpoint_properties" {
   description = "Consolidated properties for the Key Vault Private Endpoint."
   type = object({
@@ -61,6 +56,11 @@ variable "purge_protection_enabled" {
   default     = false
 }
 
+variable "resource_group_name" {
+  type        = string
+  description = "The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created."
+}
+
 variable "rbac_roles" {
   description = "List of RBAC roles to assign to the Key Vault."
   type        = list(string)

infrastructure/modules/shared-config/output.tf

@@ -26,8 +26,9 @@ locals {
         apim_portal  = lower("apim-portal-beap-${var.env}-${var.location_map[var.location]}-${var.application}")
       }
       backend_http_settings_name = {
+        apim_shared = lower("apim-shared-htst-${var.env}-${var.location_map[var.location]}-${var.application}")
         apim_gateway = lower("apim-gateway-htst-${var.env}-${var.location_map[var.location]}-${var.application}")
-        apim_portal  = lower("apim-gateway-htst-${var.env}-${var.location_map[var.location]}-${var.application}")
+        apim_portal  = lower("apim-portal-htst-${var.env}-${var.location_map[var.location]}-${var.application}")
       }
       ssl_certificate_name = {
         private = "lets-encrypt-wildcard-private"