//  Copyright © Microsoft Corporation
//
//  Licensed under the Apache License, Version 2.0 (the "License");
//  you may not use this file except in compliance with the License.
//  You may obtain a copy of the License at
//
//       http://www.apache.org/licenses/LICENSE-2.0
//
//  Unless required by applicable law or agreed to in writing, software
//  distributed under the License is distributed on an "AS IS" BASIS,
//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//  See the License for the specific language governing permissions and
//  limitations under the License.


/*
.Synopsis
   Terraform Security Control
.DESCRIPTION
   This file holds security settings.
*/


#-------------------------------
# Private Variables
#-------------------------------
locals {
  # Key Vault secret names. Declared once here so the resource blocks below
  # and any consumer reading the vault agree on the same identifiers.

  # Storage account: the account name and the name of its primary-key entry.
  storage_account_name = "tbl-storage"
  storage_key_name     = "${local.storage_account_name}-key"

  # Cosmos DB (graph) account: connection string, endpoint and primary key.
  graph_connection  = "graph-db-connection"
  graph_endpoint    = "graph-db-endpoint"
  graph_primary_key = "graph-db-primary-key"

  # Log Analytics workspace: id and shared key.
  logs_id_name  = "log-workspace-id"
  logs_key_name = "log-workspace-key"
}


#-------------------------------
# Misc
#-------------------------------
resource "azurerm_key_vault_secret" "base_name_cr" {
  # Publishes the deployment's base name (local.base_name_60, defined
  # elsewhere) so other components can derive resource names from it.
  # Not a credential; it shares the vault, and therefore the vault's
  # secret-read permission, with the real keys stored below.
  key_vault_id = module.keyvault.keyvault_id
  name         = "base-name-cr"
  value        = local.base_name_60
}

resource "azurerm_key_vault_secret" "tenant_id" {
  # Tenant id of the identity running this apply, taken from the provider's
  # client configuration. Identifier only, not a credential.
  key_vault_id = module.keyvault.keyvault_id
  name         = "tenant-id"
  value        = data.azurerm_client_config.current.tenant_id
}

resource "azurerm_key_vault_secret" "subscription_id" {
  # Subscription id of the identity running this apply. Identifier only.
  key_vault_id = module.keyvault.keyvault_id
  name         = "subscription-id"
  value        = data.azurerm_client_config.current.subscription_id
}


#-------------------------------
# Container Registry
#-------------------------------
resource "azurerm_key_vault_secret" "container_registry_name" {
  # Name of the container registry created by module.container_registry.
  # Identifier only; no registry credential is written here.
  key_vault_id = module.keyvault.keyvault_id
  name         = "container-registry"
  value        = module.container_registry.container_registry_name
}


#-------------------------------
# Storage
#-------------------------------
resource "azurerm_key_vault_secret" "storage_name" {
  # Name of the storage account created by module.storage_account.
  # Secret name comes from locals so it matches the key entry below.
  key_vault_id = module.keyvault.keyvault_id
  name         = local.storage_account_name
  value        = module.storage_account.name
}

resource "azurerm_key_vault_secret" "storage_key" {
  # Primary access key of the storage account — a full-access credential.
  # NOTE(review): the value also lands in Terraform state; confirm the state
  # backend is encrypted and access-restricted. No expiration_date or
  # content_type is set — confirm against the vault's rotation policy.
  key_vault_id = module.keyvault.keyvault_id
  name         = local.storage_key_name
  value        = module.storage_account.primary_access_key
}


#-------------------------------
# GraphDB
#-------------------------------
resource "azurerm_key_vault_secret" "graph_connection" {
  # First connection string of the Cosmos DB (graph) account. Treat as a
  # credential: Cosmos connection strings embed the account key.
  # NOTE(review): indexing [0] fails the plan if the module exposes no
  # connection strings — confirm module.graph_account always emits one.
  # The value is also recorded in Terraform state; confirm state protection.
  key_vault_id = module.keyvault.keyvault_id
  name         = local.graph_connection
  value        = module.graph_account.properties.cosmosdb.connection_strings[0]
}

resource "azurerm_key_vault_secret" "graph_endpoint" {
  # Public endpoint of the Cosmos DB (graph) account. Identifier only.
  key_vault_id = module.keyvault.keyvault_id
  name         = local.graph_endpoint
  value        = module.graph_account.properties.cosmosdb.endpoint
}

resource "azurerm_key_vault_secret" "graph_key" {
  # Primary master key of the Cosmos DB (graph) account — read/write
  # credential for the whole account.
  # NOTE(review): also present in Terraform state; no expiration_date or
  # content_type set — confirm state protection and rotation policy.
  key_vault_id = module.keyvault.keyvault_id
  name         = local.graph_primary_key
  value        = module.graph_account.properties.cosmosdb.primary_master_key
}


#-------------------------------
# Application Insights
#-------------------------------
resource "azurerm_key_vault_secret" "insights" {
  # Application Insights instrumentation key. Allows telemetry to be sent to
  # the component, so it is handled as a secret here.
  # NOTE(review): also present in Terraform state — confirm state protection.
  key_vault_id = module.keyvault.keyvault_id
  name         = "appinsights-key"
  value        = module.app_insights.app_insights_instrumentation_key
}

#-------------------------------
# Log Analytics
#-------------------------------
resource "azurerm_key_vault_secret" "workspace_id" {
  # Log Analytics workspace id. Identifier only; the key is a separate entry.
  key_vault_id = module.keyvault.keyvault_id
  name         = local.logs_id_name
  value        = module.log_analytics.log_workspace_id
}

resource "azurerm_key_vault_secret" "workspace_key" {
  # Log Analytics workspace shared key — a credential.
  # NOTE(review): also present in Terraform state; no expiration_date or
  # content_type set — confirm state protection and rotation policy.
  key_vault_id = module.keyvault.keyvault_id
  name         = local.logs_key_name
  value        = module.log_analytics.log_workspace_key
}

#-------------------------------
# AD Principal and Applications
#-------------------------------
resource "azurerm_key_vault_secret" "principal_id" {
  # Client (application) id of the dev service principal. Used as the
  # "username" half of the credential pair; the password is stored below.
  key_vault_id = module.keyvault.keyvault_id
  name         = "app-dev-sp-username"
  value        = module.service_principal.client_id
}

resource "azurerm_key_vault_secret" "principal_secret" {
  # Client secret of the dev service principal — a credential.
  # NOTE(review): also present in Terraform state; no expiration_date or
  # content_type set — confirm state protection and rotation policy, and
  # that the vault entry is updated when the principal's secret rotates.
  key_vault_id = module.keyvault.keyvault_id
  name         = "app-dev-sp-password"
  value        = module.service_principal.client_secret
}

resource "azurerm_key_vault_secret" "principal_object_id" {
  # Object id of the dev service principal. Identifier only.
  key_vault_id = module.keyvault.keyvault_id
  name         = "app-dev-sp-id"
  value        = module.service_principal.id
}

// Add Application Information to KV
resource "azurerm_key_vault_secret" "application_id" {
  # Id of the AAD application registration created by module.ad_application.
  # Identifier only; no application credential is written here.
  key_vault_id = module.keyvault.keyvault_id
  name         = "aad-client-id"
  value        = module.ad_application.id
}

#-------------------------------
# OSDU Identity
#-------------------------------

// Add OSDU Identity Information to KV
resource "azurerm_key_vault_secret" "identity_id" {
  # Client id of the user-assigned managed identity "osduidentity".
  # Identifier only; managed identities carry no storable secret.
  key_vault_id = module.keyvault.keyvault_id
  name         = "osdu-identity-id"
  value        = azurerm_user_assigned_identity.osduidentity.client_id
}