From 28eede71ce85b360e89e372add3af0c0c13aa2ee Mon Sep 17 00:00:00 2001
From: vit-corp
Date: Wed, 25 Sep 2024 22:39:10 +0300
Subject: [PATCH] skip: update CI 272
---
 .../green/cosmosdb/cosmosdb.tf | 2 +-
 .../green/cosmosdb/key_vault.tf | 52 ++++++++++++++++++-
 .../green/cosmosdb/provider.tf | 7 ++-
 3 files changed, 58 insertions(+), 3 deletions(-)
diff --git a/auto_policy_testing/green/cosmosdb/cosmosdb.tf b/auto_policy_testing/green/cosmosdb/cosmosdb.tf
index 01dd25e6..f197945e 100644
--- a/auto_policy_testing/green/cosmosdb/cosmosdb.tf
+++ b/auto_policy_testing/green/cosmosdb/cosmosdb.tf
@@ -25,7 +25,7 @@ resource "azurerm_cosmosdb_account" "this" {
 ip_range_filter = "127.0.0.1"
- key_vault_key_id = data.terraform_remote_state.common.outputs.key_versionless_id
+ key_vault_key_id = azurerm_key_vault_key.this.versionless_id
 access_key_metadata_writes_enabled = false
diff --git a/auto_policy_testing/green/cosmosdb/key_vault.tf b/auto_policy_testing/green/cosmosdb/key_vault.tf
index 9b36bcea..84bff765 100644
--- a/auto_policy_testing/green/cosmosdb/key_vault.tf
+++ b/auto_policy_testing/green/cosmosdb/key_vault.tf
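Review bot: `key_vault_key_id = azurerm_key_vault_key.this.versionless_id` gives the account an implicit dependency on the key and its vault, but not on `azurerm_key_vault_access_policy.cosmosdb` in key_vault.tf, which is presumably what grants the Cosmos DB service principal wrap/unwrap rights on that key; Terraform may therefore create the account in parallel with that policy and fail the customer-managed-key setup on first apply. Unless the resource already declares it outside this hunk, add `depends_on = [azurerm_key_vault_access_policy.cosmosdb]` to `azurerm_cosmosdb_account.this`. The resource block starts and ends outside the hunk.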
@@ -4,8 +4,58 @@ data "azuread_service_principal" "cosmosdb" {
 display_name = "Azure Cosmos DB"
 }
+resource "azurerm_key_vault" "this" {
+ name = "${module.naming.resource_prefix.keyvault}kv${random_integer.this.result}"
+ location = data.terraform_remote_state.common.outputs.location
+ resource_group_name = data.terraform_remote_state.common.outputs.resource_group
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "standard"
+ soft_delete_retention_days = 7
+ purge_protection_enabled = true
+
+ access_policy {
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+
+ key_permissions = [
+ "Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy", "SetRotationPolicy"
+ ]
+
+ secret_permissions = [
+ "Get",
+ "List",
+ "Set",
+ "Delete",
+ "Purge",
+ ]
+
+ }
+
+ tags = module.naming.default_tags
+}
+
+resource "azurerm_key_vault_key" "this" {
+ name = "${module.naming.resource_prefix.keyvaultkey}key${random_integer.this.result}"
+ key_vault_id = azurerm_key_vault.this.id
+ key_type = "RSA"
+ key_size = 2048
+ expiration_date = "2025-01-01T12:00:00Z"
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+
+ tags = module.naming.default_tags
+}
+
+
 resource "azurerm_key_vault_access_policy" "cosmosdb" {
- key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
+ key_vault_id = azurerm_key_vault.this.id
 tenant_id = data.azurerm_client_config.current.tenant_id
 object_id = data.azuread_service_principal.cosmosdb.id
diff --git a/auto_policy_testing/green/cosmosdb/provider.tf b/auto_policy_testing/green/cosmosdb/provider.tf
index bbba9127..0d181b83 100644
--- a/auto_policy_testing/green/cosmosdb/provider.tf
+++ b/auto_policy_testing/green/cosmosdb/provider.tf
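Review bot: `azurerm_key_vault.this` defines an inline `access_policy` block while `azurerm_key_vault_access_policy.cosmosdb` manages another policy on the same vault via `key_vault_id = azurerm_key_vault.this.id`; the azurerm documentation warns that the two mechanisms must not be mixed on one vault because each reconciles the other's entries away, so the deployer's policy should also become a standalone `azurerm_key_vault_access_policy`, with `azurerm_key_vault_key.this` given an explicit `depends_on` so the key is still created after that policy exists. The same move is the place to apply least privilege: managing the key needs Get/Create/Delete/List/Restore/Recover/Purge plus the rotation-policy permissions, but `Encrypt`, `Decrypt`, `Sign`, `Verify`, `WrapKey`, `UnwrapKey` and the entire `secret_permissions` list give the deploying identity cryptographic and secret access that nothing in this hunk uses. Separately, `expiration_date = "2025-01-01T12:00:00Z"` is a fixed date roughly three months after this commit; once it passes Key Vault stops serving wrap/unwrap with the key and the Cosmos DB account that now references it loses use of its customer-managed key, so a `rotation_policy` block (the `GetRotationPolicy`/`SetRotationPolicy` grants suggest one was intended) or a regularly advanced expiry is safer than a hard-coded value.
```hcl
resource "azurerm_key_vault" "this" {
  # … unchanged: name, location, resource_group_name, tenant_id, sku_name, soft-delete/purge settings, tags …
  # inline access_policy block removed — managed by azurerm_key_vault_access_policy.deployer below
}

# Deployer policy as a standalone resource, limited to key management (no crypto or secret rights).
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Get", "Create", "Delete", "List", "Restore", "Recover", "Purge",
    "GetRotationPolicy", "SetRotationPolicy",
  ]
}

resource "azurerm_key_vault_key" "this" {
  # … unchanged: name, key_vault_id, key_type, key_size, expiration_date, key_opts, tags …

  # Key creation needs the deployer's policy in place first; nothing else links the two resources.
  depends_on = [azurerm_key_vault_access_policy.deployer]
}
```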
@@ -14,5 +14,10 @@ terraform {
 }
 provider "azurerm" {
- features {}
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = true
+ purge_soft_deleted_keys_on_destroy = true
+ }
+ }
 }
\ No newline at end of file
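Review bot: The two `purge_*_on_destroy` flags added under `features.key_vault` are unlikely to purge anything in this configuration, because the vault that key_vault.tf creates in the same patch sets `purge_protection_enabled = true` (which Cosmos DB customer-managed keys require) and Azure does not purge a purge-protected vault or its keys, so on destroy both should remain soft-deleted for the 7-day retention period regardless of these settings. If the goal is faster teardown of the test fixture, purge protection rules that out; if the goal is only to state intent, a comment such as `# no effect while the vault has purge_protection_enabled = true` would stop the next reader from expecting a purge. In azurerm 3.x both flags already default to true, so the block may be redundant — worth checking against the provider constraint in the `terraform` block above the hunk. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while it is being touched.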