Add CMK support for core resources (#4149)
* added management key vault
* added cmk for vmss and storage accounts
* add default value for variables
* add CMK for cosmos accounts
* move tre-encryption key from mgmt to core
* fix order of creation for encryption key
* add cmk for the state store in mgmt
* add support for external KV
* revert CMK for cosmos - not working, need to redo this
* refine comments and file names
* remove redundant space
* add space
* upper case in comment
* revert cosmos tags
* update changelog + core version
* remove unused var
* remove redundant variable
* remove redundant variables
* add check for enable_cmk_encryption for the key_store_id variable in tf
* bugfix: remove redundant data keyword
* add enable_cmk_encryption check in module variables

---------

Co-authored-by: Matthew Fortunka <[email protected]>
Parent: f40dee6. Commit: 38bd432.
Showing 26 changed files with 507 additions and 10 deletions.
@@ -0,0 +1,38 @@ | ||
resource "azurerm_user_assigned_identity" "encryption" { | ||
count = var.enable_cmk_encryption ? 1 : 0 | ||
resource_group_name = azurerm_resource_group.core.name | ||
location = azurerm_resource_group.core.location | ||
tags = local.tre_core_tags | ||
|
||
name = "id-encryption-${var.tre_id}" | ||
|
||
lifecycle { ignore_changes = [tags] } | ||
} | ||
|
||
resource "azurerm_role_assignment" "kv_encryption_key_user" { | ||
count = var.enable_cmk_encryption ? 1 : 0 | ||
scope = local.key_store_id | ||
role_definition_name = "Key Vault Crypto Service Encryption User" | ||
principal_id = azurerm_user_assigned_identity.encryption[0].principal_id | ||
} | ||
|
||
# Key used to encrypt resources | ||
resource "azurerm_key_vault_key" "tre_encryption" { | ||
count = var.enable_cmk_encryption ? 1 : 0 | ||
|
||
name = var.kv_encryption_key_name | ||
key_vault_id = local.key_store_id | ||
key_type = "RSA" | ||
key_size = 2048 | ||
|
||
key_opts = [ | ||
"decrypt", | ||
"encrypt", | ||
"unwrapKey", | ||
"wrapKey", | ||
] | ||
|
||
depends_on = [ | ||
azurerm_role_assignment.kv_encryption_key_user | ||
] | ||
} |
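Review bot: the CMK created in `azurerm_key_vault_key.tre_encryption` has no `rotation_policy` and no `expiration_date`, so the key that wraps the VMSS and storage account encryption never rotates or expires unless someone does it by hand outside Terraform; consider adding a `rotation_policy` block (with `expire_after`, `notify_before_expiry` and `automatic { time_before_expiry = ... }`, which the azurerm provider supports on this resource) or at minimum an `expiration_date`, so the rotation expectation is captured in code. A second point on `azurerm_role_assignment.kv_encryption_key_user`: `scope = local.key_store_id` grants "Key Vault Crypto Service Encryption User" on the whole vault, so the encryption identity can wrap and unwrap with every key in that vault rather than only `tre_encryption`; the commit message says an external key vault is now supported, which makes a key-scoped assignment (scope set to the key's resource id, with the ordering in `depends_on` adjusted accordingly) worth considering.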