Onboarding eds services - secret and external-dataset
All Submissions:
- [YES] Have you added an explanation of what your changes do and why you'd like us to include them?
- [YES] I have updated the documentation accordingly.
- [YES] My code follows the code style of this project.
Current Behavior or Linked Issues
- Service resources will be provisioned without secret service kv by default, there is a variable
secret_kv_enabled
, to enable kv at service resources level to enable this feature, it is disabled by default. - Added pipeline and sync pipeline in ADO as well as deployment scripts and variables for secret and proxy-dataset services.
Linked issues:
Does this introduce a breaking change?
- [NO]
Other information
The secret kv provisioning, will be completely optional and it is marked as feature with feature flag, disabled by default, this MR should not introduce any new resources unless kv flag it is marked as true:
Example plan for additional resources:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# azurerm_key_vault_secret.keyvault_uri_secret_service[0] will be created
+ resource "azurerm_key_vault_secret" "keyvault_uri_secret_service" {
+ id = (known after apply)
+ key_vault_id = "/subscriptions/*****************/resourceGroups/osdu-mvp-***-dwk9-rg/providers/Microsoft.KeyVault/vaults/osdumvpcrepmosdwk9kv"
+ name = "secret-service-keyvault-uri"
+ value = (sensitive value)
+ version = (known after apply)
+ versionless_id = (known after apply)
}
# azurerm_role_assignment.kv_secret_roles[0] will be created
+ resource "azurerm_role_assignment" "kv_secret_roles" {
+ id = (known after apply)
+ name = (known after apply)
+ principal_id = "aa086ed0-85b0-***-***-efa94357457e"
+ principal_type = (known after apply)
+ role_definition_id = (known after apply)
+ role_definition_name = "Reader"
+ scope = (known after apply)
+ skip_service_principal_aad_check = (known after apply)
}
# azurerm_role_assignment.kv_secret_roles[1] will be created
+ resource "azurerm_role_assignment" "kv_secret_roles" {
+ id = (known after apply)
+ name = (known after apply)
+ principal_id = "9f602b22-876a-***-***-ba405236858b"
+ principal_type = (known after apply)
+ role_definition_id = (known after apply)
+ role_definition_name = "Reader"
+ scope = (known after apply)
+ skip_service_principal_aad_check = (known after apply)
}
# module.keyvault_policy[0].azurerm_key_vault_access_policy.keyvault[0] will be created
+ resource "azurerm_key_vault_access_policy" "keyvault" {
+ certificate_permissions = [
+ "get",
+ "update",
+ "import",
]
+ id = (known after apply)
+ key_permissions = [
+ "get",
+ "encrypt",
+ "decrypt",
]
+ key_vault_id = (known after apply)
+ object_id = "aa086ed0-85b0-***-***-efa94357457e"
+ secret_permissions = [
+ "get",
+ "set",
+ "delete",
+ "recover",
+ "list",
+ "restore",
+ "purge",
+ "backup",
]
+ tenant_id = "61b6077c-23d1-43eb-8977-f9d3152d8cc4"
}
# module.keyvault_policy[0].azurerm_key_vault_access_policy.keyvault[1] will be created
+ resource "azurerm_key_vault_access_policy" "keyvault" {
+ certificate_permissions = [
+ "get",
+ "update",
+ "import",
]
+ id = (known after apply)
+ key_permissions = [
+ "get",
+ "encrypt",
+ "decrypt",
]
+ key_vault_id = (known after apply)
+ object_id = "9f602b22-876a-***-***-ba405236858b"
+ secret_permissions = [
+ "get",
+ "set",
+ "delete",
+ "recover",
+ "list",
+ "restore",
+ "purge",
+ "backup",
]
+ tenant_id = "61b6077c-23d1-***-***-f9d3152d8cc4"
}
# module.kv_secret_service[0].azurerm_key_vault.keyvault will be created
+ resource "azurerm_key_vault" "keyvault" {
+ access_policy = (known after apply)
+ id = (known after apply)
+ location = "centralus"
+ name = "osdu-mvp-srepmos-r8jm-sk"
+ purge_protection_enabled = true
+ resource_group_name = "osdu-mvp-srepmosdu-r8jm-rg"
+ sku_name = "standard"
+ soft_delete_enabled = (known after apply)
+ soft_delete_retention_days = 7
+ tags = {
+ "contact" = "pipeline"
}
+ tenant_id = "61b6077c-23d1-43eb-8977-f9d3152d8cc4"
+ vault_uri = (known after apply)
+ network_acls {
+ bypass = (known after apply)
+ default_action = (known after apply)
+ ip_rules = (known after apply)
+ virtual_network_subnet_ids = (known after apply)
}
}
# module.kv_secret_service[0].azurerm_key_vault_secret.keyvault["secret-kv-rg"] will be created
+ resource "azurerm_key_vault_secret" "keyvault" {
+ id = (known after apply)
+ key_vault_id = (known after apply)
+ name = "secret-kv-rg"
+ value = (sensitive value)
+ version = (known after apply)
+ versionless_id = (known after apply)
}
# module.kv_secret_service[0].module.deployment_service_principal_keyvault_access_policies.azurerm_key_vault_access_policy.keyvault[0] will be created
+ resource "azurerm_key_vault_access_policy" "keyvault" {
+ certificate_permissions = [
+ "create",
+ "get",
+ "list",
+ "delete",
+ "recover",
+ "restore",
+ "purge",
]
+ id = (known after apply)
+ key_permissions = [
+ "create",
+ "get",
+ "list",
+ "delete",
+ "encrypt",
+ "decrypt",
+ "recover",
+ "restore",
+ "purge",
+ "update",
]
+ key_vault_id = (known after apply)
+ object_id = "2859decc-aea3-***-***-b667e1f342dc"
+ secret_permissions = [
+ "set",
+ "get",
+ "list",
+ "delete",
+ "recover",
+ "restore",
+ "purge",
]
+ tenant_id = "61b6077c-23d1-***-***-f9d3152d8cc4"
}
Plan: 8 to add, 0 to change, 0 to destroy.
------------------------------------------------------------------------
Edited by Arturo Hernandez [EPAM]