Merge pull request #42 from hmcts/fix/dont-read-secrets-if-not-required

fix: don't read secrets if not required
hmcts · Sep 6, 2023 · ee395a2 · ee395a2
2 parents 5de49bd + a1b8f45
commit ee395a2
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 19 deletions.
diff --git a/keyvault.tf b/keyvault.tf
@@ -1,46 +1,49 @@
 data "azurerm_key_vault" "cnp_vault" {
+  count               = var.install_dynatrace_oneagent ? 1 : 0
   provider            = azurerm.cnp
   name                = "infra-vault-${var.env}"
   resource_group_name = local.cnp_vault_rg
 }
 
 data "azurerm_key_vault_secret" "token" {
+  count        = var.install_dynatrace_oneagent ? 1 : 0
   provider     = azurerm.cnp
   name         = "dynatrace-${var.env}-token"
-  key_vault_id = data.azurerm_key_vault.cnp_vault.id
+  key_vault_id = data.azurerm_key_vault.cnp_vault[0].id
 }
 
 data "azurerm_key_vault" "soc_vault" {
-  provider = azurerm.soc
-
+  count               = var.install_nessus_agent || var.install_splunk_uf ? 1 : 0
+  provider            = azurerm.soc
   name                = var.soc_vault_name
   resource_group_name = var.soc_vault_rg
 }
 
 # Splunk UF
 data "azurerm_key_vault_secret" "splunk_username" {
+  count        = var.install_splunk_uf ? 1 : 0
   provider     = azurerm.soc
   name         = "splunk-gui-admin-username"
-  key_vault_id = data.azurerm_key_vault.soc_vault.id
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
 }
 
 data "azurerm_key_vault_secret" "splunk_password" {
-  provider = azurerm.soc
-
+  count        = var.install_splunk_uf ? 1 : 0
+  provider     = azurerm.soc
   name         = "splunk-gui-admin-password"
-  key_vault_id = data.azurerm_key_vault.soc_vault.id
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
 }
 
 data "azurerm_key_vault_secret" "splunk_pass4symmkey" {
-  provider = azurerm.soc
-
+  count        = var.install_splunk_uf ? 1 : 0
+  provider     = azurerm.soc
   name         = "splunk-pass4symmkey"
-  key_vault_id = data.azurerm_key_vault.soc_vault.id
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
 }
 
 data "azurerm_key_vault_secret" "nessus_agent_key" {
-  provider = azurerm.soc
-
+  count        = var.install_nessus_agent ? 1 : 0
+  provider     = azurerm.soc
   name         = "nessus-agent-key-${var.env}"
-  key_vault_id = data.azurerm_key_vault.soc_vault.id
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
 }
diff --git a/locals.tf b/locals.tf
@@ -12,17 +12,17 @@ locals {
 
   # Dynatrace OneAgent
 
-  dynatrace_settings = var.dynatrace_hostgroup == null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id == null || var.dynatrace_tenant_id == "" ? local.dynatrace_tenant_id : var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token == null || var.dynatrace_token == "" ? data.azurerm_key_vault_secret.token.value : var.dynatrace_token}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : var.dynatrace_hostgroup != null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\"}" : var.dynatrace_hostgroup == null && var.dynatrace_server != null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"server\" : \"${var.dynatrace_server == null || var.dynatrace_tenant_id == "" ? local.dynatrace_tenant_id : var.dynatrace_tenant_id}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"server\" : \"${var.dynatrace_server}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }"
+  dynatrace_settings = var.dynatrace_hostgroup == null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id == null || var.dynatrace_tenant_id == "" ? local.dynatrace_tenant_id : var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token == null || var.dynatrace_token == "" ? (length(data.azurerm_key_vault_secret.token) > 0 ? data.azurerm_key_vault_secret.token[0].value : "") : var.dynatrace_token}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : var.dynatrace_hostgroup != null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\"}" : var.dynatrace_hostgroup == null && var.dynatrace_server != null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"server\" : \"${var.dynatrace_server == null || var.dynatrace_tenant_id == "" ? local.dynatrace_tenant_id : var.dynatrace_tenant_id}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"server\" : \"${var.dynatrace_server}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }"
   template_file = base64encode(format("%s\n%s", templatefile("${path.module}/${local.bootstrap_vm_script}",
     {
       UF_INSTALL      = tostring(var.install_splunk_uf),
-      UF_USERNAME     = var.splunk_username == null || var.splunk_username == "" ? data.azurerm_key_vault_secret.splunk_username.value : var.splunk_username
-      UF_PASSWORD     = var.splunk_password == null || var.splunk_password == "" ? data.azurerm_key_vault_secret.splunk_password.value : var.splunk_password
-      UF_PASS4SYMMKEY = var.splunk_pass4symmkey == null || var.splunk_pass4symmkey == "" ? data.azurerm_key_vault_secret.splunk_pass4symmkey.value : var.splunk_pass4symmkey
+      UF_USERNAME     = var.splunk_username == null || var.splunk_username == "" ? (length(data.azurerm_key_vault_secret.splunk_username) > 0 ? data.azurerm_key_vault_secret.splunk_username[0].value : "") : var.splunk_username
+      UF_PASSWORD     = var.splunk_password == null || var.splunk_password == "" ? (length(data.azurerm_key_vault_secret.splunk_password) > 0 ? data.azurerm_key_vault_secret.splunk_password[0].value : "") : var.splunk_password
+      UF_PASS4SYMMKEY = var.splunk_pass4symmkey == null || var.splunk_pass4symmkey == "" ? (length(data.azurerm_key_vault_secret.splunk_pass4symmkey) > 0 ? data.azurerm_key_vault_secret.splunk_pass4symmkey[0].value : "") : var.splunk_pass4symmkey
       UF_GROUP        = var.splunk_group
-      NESSUS_INSTALL  = var.install_nessus_agent == null || var.install_nessus_agent == "" ? data.azurerm_key_vault_secret.nessus_agent_key.value : var.install_nessus_agent
+      NESSUS_INSTALL  = tostring(var.install_nessus_agent)
       NESSUS_SERVER   = var.nessus_server == null || var.nessus_server == "" ? local.dynatrace_server : var.nessus_server
-      NESSUS_KEY      = var.nessus_key == null || var.nessus_key == "" ? data.azurerm_key_vault_secret.nessus_agent_key.value : var.nessus_key
+      NESSUS_KEY      = var.nessus_key == null || var.nessus_key == "" ? (length(data.azurerm_key_vault_secret.nessus_agent_key) > 0 ? data.azurerm_key_vault_secret.nessus_agent_key[0].value : "") : var.nessus_key
       NESSUS_GROUPS   = var.nessus_groups == null || var.nessus_groups == "" ? "Platform-Operation-Bastions" : var.nessus_groups
   }), var.additional_script_path == null ? "" : file("${var.additional_script_path}")))