feat(azure): add support for role-based keyvault access to agw-public#276
| # NOTE: Certificate KeyVault Resource Group is created by CDC Cloud Team | ||
| data "azurerm_resource_group" "key_vault_cert_rg" { | ||
| name = var.agw_key_vault_cert_rg | ||
| } | ||
| # Get vNet Data | ||
| data "azurerm_virtual_network" "vnet" { | ||
| name = var.agw_vnet_name | ||
| resource_group_name = data.azurerm_resource_group.rg.name | ||
| } | ||
| # Get App Gateway Subnet Data | ||
| data "azurerm_subnet" "agw_subnet" { | ||
| name = var.agw_subnet_name | ||
| virtual_network_name = data.azurerm_virtual_network.vnet.name | ||
| resource_group_name = data.azurerm_virtual_network.vnet.resource_group_name | ||
| } | ||
| # Get KeyVault Id | ||
| data "azurerm_key_vault" "key_vault" { | ||
| name = var.agw_key_vault_name | ||
| resource_group_name = data.azurerm_resource_group.key_vault_cert_rg.name | ||
| } | ||
| # Get Certificate from KeyVault | ||
| data "azurerm_key_vault_secret" "agw_key_vault_cert" { | ||
| name = var.agw_key_vault_cert_name | ||
| key_vault_id = data.azurerm_key_vault.key_vault.id |
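Review bot: the `azurerm_key_vault_secret` data source on the last two lines reads the secret's value (for a certificate, the PFX including its private key) into Terraform state, regardless of which attribute is later referenced, so anyone with state access also holds the private key. Since this PR is adding role-based access for the gateway's identity, the gateway can fetch the certificate itself through `ssl_certificate { key_vault_secret_id = ... }`, and the versionless secret URL can be built without the data source, e.g. `"${data.azurerm_key_vault.key_vault.vault_uri}secrets/${var.agw_key_vault_cert_name}"` (`vault_uri` ends with a trailing slash). If the `.value` path is kept on purpose for the non-keyvault case, document that the state then contains the key material.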
These make the presumption that the certificate will be stored in keyvault. This is not currently a requirement of NBS7, though it can be an option. It is, however, how one of our environments functions, so we should remove references to the CDC Cloud team since they are not part of this release.
The reasoning here is that some STLT will want to bring their own certs. But if we are saying keyvault is the way to BYOC, then let's offer it as a module as well (this is where the logic gets tricky).
| resource "azurerm_role_assignment" "agw" { | ||
| count = var.role_based_kv ? 1 : 0 | ||
| scope = data.azurerm_key_vault.key_vault.id |
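Review bot: `scope` on the last line grants the role over the whole vault, while the gateway only needs to read one secret; Key Vault data-plane roles can be assigned at the individual secret scope (`${data.azurerm_key_vault.key_vault.id}/secrets/${var.agw_key_vault_cert_name}`), which keeps the identity from reading every other secret in a vault that is shared with other teams. Also note that Azure RBAC assignments take time to propagate, so a gateway created in the same apply immediately after this assignment can fail to fetch the certificate on first deployment; either add an explicit wait or mention the retry behaviour in the module README.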
scope dependent on resolution of previous comment
| depends_on = [ | ||
| azurerm_public_ip.agw_public_ip, | ||
| azurerm_key_vault_access_policy.agw_mi_policy, | ||
| azurerm_user_assigned_identity.agw_mi | ||
| ] |
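Review bot: `depends_on` lists `azurerm_key_vault_access_policy.agw_mi_policy` unconditionally, while the role assignment introduced above is gated on `var.role_based_kv`; on a vault with RBAC authorization enabled, access policies are not evaluated, so the two paths should be mutually exclusive (gate the access policy on `!var.role_based_kv`) rather than both applied. The gateway should also depend on `azurerm_role_assignment.agw` here, otherwise in the role-based case nothing orders the identity's access before the listener tries to read the certificate.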
The app gateway should allow for a network to already exist. It might mean that this is better suited to be deployed in the subsequent layer



Add support for conditional role-based keyvault access