# Resource group that holds the project's security resources (the Key Vault
# and its access policies declared further down in this file).
resource "azurerm_resource_group" "igss_security_rg" {
  name     = "igss-security-rg"
  location = "${var.region}"

  # Same two tags are applied to every resource in this file.
  tags {
    project     = "${var.project_tag}"
    Environment = "${var.env_tag}"
  }
}
#################
# Key Vault
#################
# Identity the azurerm provider is currently authenticated as. It supplies the
# tenant id used by the vault and the access policies, and the object id of
# the deploying principal for the first access policy.
data "azurerm_client_config" "clientconfig_current" {
}
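# Key Vault for the project. Access is managed exclusively through the
# separate azurerm_key_vault_access_policy resources in this file, so no
# inline access_policy block is declared here (mixing the two makes Terraform
# fight over the same policy list).
resource "azurerm_key_vault" "igss_keyvault" {
  name                = "igss-keyvault"
  resource_group_name = "${azurerm_resource_group.igss_security_rg.name}"
  location            = "${azurerm_resource_group.igss_security_rg.location}"

  # Tenant comes from the credentials running Terraform, so the vault lands in
  # the same directory the access policies below reference.
  tenant_id = "${data.azurerm_client_config.clientconfig_current.tenant_id}"

  sku {
    name = "standard"
  }

  # Allows Azure Disk Encryption to retrieve keys/secrets from this vault.
  enabled_for_disk_encryption = true

  # Deleted keys, secrets and certificates are retained and can be recovered
  # instead of being destroyed immediately. Without this, the "delete"
  # permission granted in the access policies is irreversible. Requires an
  # azurerm provider release that exposes this argument — confirm against the
  # pinned provider version before applying.
  soft_delete_enabled = true

  # Purge protection blocks early purging of retained objects, but it cannot
  # be switched off again once enabled; turn it on as a deliberate decision.
  # purge_protection_enabled = true

  # NOTE(review): no network_acls block, so the vault endpoint accepts
  # requests from any network. A network_acls block with
  # default_action = "Deny" plus explicit ip_rules / virtual_network_subnet_ids
  # should be added once the set of callers is known.

  tags {
    project     = "${var.project_tag}"
    Environment = "${var.env_tag}"
  }
}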
# Access policy for the identity running Terraform. It is scoped to secrets
# only (set/get/delete); no key permissions are granted and certificate
# permissions are left unset.
resource "azurerm_key_vault_access_policy" "igss_keyvault_accesspolicy02" {
  vault_name          = "${azurerm_key_vault.igss_keyvault.name}"
  resource_group_name = "${azurerm_key_vault.igss_keyvault.resource_group_name}"
  tenant_id           = "${data.azurerm_client_config.clientconfig_current.tenant_id}"

  # NOTE(review): service_principal_object_id was superseded by object_id in
  # later azurerm provider releases — fine for the pinned provider, but expect
  # to rename this reference on a provider upgrade.
  object_id = "${data.azurerm_client_config.clientconfig_current.service_principal_object_id}"

  key_permissions = []

  secret_permissions = ["set", "get", "delete"]
}
# Dev team user group
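# Access policy for the dev team AAD group. The grant is broad (full key
# lifecycle including decrypt/sign/wrap, full secret and certificate
# management), but "purge" is deliberately excluded from all three lists:
# purge permanently destroys soft-deleted objects and bypasses the recovery
# window, so it belongs with vault administrators, not a team-wide group.
# The remaining permissions should still be trimmed to what the team uses.
resource "azurerm_key_vault_access_policy" "igss_keyvault_accesspolicy03" {
  vault_name          = "${azurerm_key_vault.igss_keyvault.name}"
  resource_group_name = "${azurerm_key_vault.igss_keyvault.resource_group_name}"
  tenant_id           = "${data.azurerm_client_config.clientconfig_current.tenant_id}"

  # Object id of the group, supplied by the caller.
  object_id = "${var.devteam_objectId}"

  key_permissions = [
    "backup",
    "create",
    "decrypt",
    "delete",
    "encrypt",
    "get",
    "import",
    "list",
    "recover",
    "restore",
    "sign",
    "unwrapKey",
    "update",
    "verify",
    "wrapKey"
  ]

  secret_permissions = [
    "backup",
    "delete",
    "get",
    "list",
    "recover",
    "restore",
    "set"
  ]

  certificate_permissions = [
    "backup",
    "create",
    "delete",
    "deleteissuers",
    "get",
    "getissuers",
    "import",
    "list",
    "listissuers",
    "managecontacts",
    "manageissuers",
    "recover",
    "restore",
    "setissuers",
    "update"
  ]
}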