Merge pull request #16 from data-platform-hq/kv-permissions

kharkevich · web-flow · commit d74d1802167e · 2023-03-20T18:10:25.000-04:00
feat: add kv access configuration
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ No modules.
 |------|------|
 | [azurerm_app_service_virtual_network_swift_connection.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_virtual_network_swift_connection) | resource |
 | [azurerm_application_insights.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource |
+| [azurerm_key_vault_access_policy.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_linux_web_app.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app) | resource |
 | [azurerm_monitor_diagnostic_setting.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
 | [azurerm_monitor_diagnostic_categories.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_diagnostic_categories) | data source |
@@ -46,6 +47,7 @@ No modules.
 | <a name="input_env"></a> [env](#input\_env) | Environment | `string` | n/a | yes |
 | <a name="input_identity_ids"></a> [identity\_ids](#input\_identity\_ids) | List of user assigned identity IDs | `list(string)` | `null` | no |
 | <a name="input_ip_restriction"></a> [ip\_restriction](#input\_ip\_restriction) | Firewall settings for the web app | <pre>list(object({<br>    name                      = string<br>    ip_address                = string<br>    service_tag               = string<br>    virtual_network_subnet_id = string<br>    priority                  = string<br>    action                    = string<br>    headers = list(object({<br>      x_azure_fdid      = list(string)<br>      x_fd_health_probe = list(string)<br>      x_forwarded_for   = list(string)<br>      x_forwarded_host  = list(string)<br>    }))<br>  }))</pre> | <pre>[<br>  {<br>    "action": "Allow",<br>    "headers": null,<br>    "ip_address": null,<br>    "name": "allow_azure",<br>    "priority": "100",<br>    "service_tag": "AzureCloud",<br>    "virtual_network_subnet_id": null<br>  }<br>]</pre> | no |
+| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | Configure Linux Function App to Key Vault | <pre>object({<br>    id                  = optional(string, null)<br>    key_permissions     = optional(list(string), null)<br>    secret_permissions  = optional(list(string), ["Get", "List"])<br>    storage_permissions = optional(list(string), null)<br>  })</pre> | `{}` | no |
 | <a name="input_location"></a> [location](#input\_location) | Location | `string` | n/a | yes |
 | <a name="input_logs"></a> [logs](#input\_logs) | Logs configuration | <pre>object({<br>    detailed_error_messages = bool<br>    failed_request_tracing  = bool<br>    http_logs = object({<br>      file_system = object({<br>        retention_in_days = number<br>        retention_in_mb   = number<br>      })<br>    })<br>  })</pre> | <pre>{<br>  "detailed_error_messages": false,<br>  "failed_request_tracing": false,<br>  "http_logs": {<br>    "file_system": {<br>      "retention_in_days": 7,<br>      "retention_in_mb": 35<br>    }<br>  }<br>}</pre> | no |
 | <a name="input_name"></a> [name](#input\_name) | Web index/name (like 007) | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
@@ -133,6 +133,16 @@ resource "azurerm_linux_web_app" "this" {
   }
 }
 
+resource "azurerm_key_vault_access_policy" "this" {
+  count               = var.key_vault.id == null ? 0 : 1
+  key_vault_id        = var.key_vault.id
+  tenant_id           = azurerm_linux_web_app.this.identity[0].tenant_id
+  object_id           = azurerm_linux_web_app.this.identity[0].principal_id
+  key_permissions     = var.key_vault.key_permissions
+  secret_permissions  = var.key_vault.secret_permissions
+  storage_permissions = var.key_vault.storage_permissions
+}
+
 resource "azurerm_app_service_virtual_network_swift_connection" "this" {
   count          = var.use_private_net ? 1 : 0
   app_service_id = azurerm_linux_web_app.this.id
diff --git a/variables.tf b/variables.tf
@@ -204,3 +204,14 @@ variable "worker_count" {
   description = "Number of workers"
   default     = null
 }
+
+variable "key_vault" {
+  description = "Configure Linux Function App to Key Vault"
+  type = object({
+    id                  = optional(string, null)
+    key_permissions     = optional(list(string), null)
+    secret_permissions  = optional(list(string), ["Get", "List"])
+    storage_permissions = optional(list(string), null)
+  })
+  default = {}
+}
