skip: update CI 219

epam · Aug 27, 2024 · f8ed07f · f8ed07f
1 parent 4db5dda
commit f8ed07f
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 6 deletions.
diff --git a/auto_policy_testing/green/postgresql/key_vault.tf b/auto_policy_testing/green/postgresql/key_vault.tf
@@ -1,10 +1,42 @@
 data "azurerm_client_config" "current" {}
 
-resource "azurerm_key_vault_access_policy" "server" {
-  key_vault_id = data.terraform_remote_state.common.outputs.key_vault_id
-  tenant_id    = azurerm_postgresql_server.cmk.identity[0].tenant_id
+resource "azurerm_key_vault" "this" {
+  name                = "${module.naming.resource_prefix.keyvault}postgres${random_integer.this.result}"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "premium"
+
+  purge_protection_enabled = true
+}
+
+resource "azurerm_key_vault_access_policy" "postgresql" {
+  key_vault_id = azurerm_key_vault.this.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = azurerm_postgresql_server.cmk.identity[0].principal_id
 
   key_permissions    = ["Get", "UnwrapKey", "WrapKey"]
   secret_permissions = ["Get"]
+}
+
+resource "azurerm_key_vault_access_policy" "client" {
+  key_vault_id = azurerm_key_vault.this.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy", "SetRotationPolicy"]
+  secret_permissions = ["Get"]
+}
+
+resource "azurerm_key_vault_key" "this" {
+  name         = "${module.naming.resource_prefix.keyvault-key}-${random_integer.this.result}"
+  key_vault_id = azurerm_key_vault.this.id
+  key_type     = "RSA"
+  key_size     = 2048
+  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
+
+  depends_on = [
+    azurerm_key_vault_access_policy.client,
+    azurerm_key_vault_access_policy.postgresql
+  ]
 }
diff --git a/auto_policy_testing/green/postgresql/postgresql_server_cmk.tf b/auto_policy_testing/green/postgresql/postgresql_server_cmk.tf
@@ -1,7 +1,15 @@
+resource "azurerm_resource_group" "this" {
+  name     = "postgrescmk-rg-green"
+  location = data.terraform_remote_state.common.outputs.location
+
+  tags = module.naming.default_tags
+}
+
+
 resource "azurerm_postgresql_server" "cmk" {
   name                = "${module.naming.resource_prefix.postgresql-server}-cmk"
-  location                      = data.terraform_remote_state.common.outputs.location
-  resource_group_name           = data.terraform_remote_state.common.outputs.resource_group
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
 
   sku_name   = "GP_Gen5_2"
   version    = "11"

diff --git a/auto_policy_testing/green/postgresql/provider.tf b/auto_policy_testing/green/postgresql/provider.tf
@@ -14,5 +14,10 @@ terraform {
 }
 
 provider "azurerm" {
-  features {}
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy       = true
+      purge_soft_deleted_keys_on_destroy = false
+    }
+  }
 }