key-vault: add access policy for superadmins AAD group

Key Vault has its own Data Plane access policies. In order for
CI/CD pipelines to manage the infrastructure *and* to allow
humans with privileged access to examine the contents, we
are using a superadmin group.

N.B. this is not relevant if you use Azure RBAC instead of access
policies. At time of writing, this is still in preview.

For details see
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide
This commit is contained in:
Julie Ng 2020-11-20 16:00:49 +01:00
Родитель 8adc423fdd
Коммит ab5a6aa1ad
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 0CBC37BD160B350D
7 изменённых файлов: 29 добавлений и 12 удалений

.gitignore поставляемый

@ -1,6 +1,7 @@
# Configuration - never check in credentials!
*.conf
.env
local.auto.tfvars
# Terraform - state and plan files
.terraform/
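Review bot: The added `local.auto.tfvars` entry ignores only that exact filename, so a `prod.auto.tfvars` or `terraform.tfvars` that carries the superadmins object ID or any other locally supplied value would still be committed; if the intent is to keep all local variable files out of git, `*.auto.tfvars` (and `*.tfvars`, if none are meant to be shared) is the safer pattern. Only the first seven lines of the file are visible here, so I cannot tell whether `*.tfstate` and `*.tfstate.backup` are already covered further down; with state now moving to the azurerm backend in this commit, leftover local state from before the migration is worth excluding as well.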


@ -2,6 +2,7 @@
.env
*.conf
*.tfplan
local.auto.tfvars
# Directories
.github/

main.tf

@ -31,7 +31,7 @@ module "ado_standard_permissions" {
for_each = var.projects
source = "./modules/azure-devops-permissions"
ado_project_id = azuredevops_project.team_projects["proj_${each.value.team}"].id
team_aad_id = azuread_group.groups["${each.value.team}"].id
team_aad_id = azuread_group.groups[each.value.team].id
admin_aad_id = azuread_group.groups["${each.value.team}_admins"].id
}
@ -102,11 +102,12 @@ module "collaboration_permissions_veggies" {
# ----------
module "workspace" {
for_each = var.environments
source = "./modules/azure-resources"
name = "${each.value.team}-${each.value.env}-${local.suffix}"
team_group_id = azuread_group.groups["${each.value.team}"].id
admin_group_id = azuread_group.groups["${each.value.team}_admins"].id
for_each = var.environments
source = "./modules/azure-resources"
name = "${each.value.team}-${each.value.env}-${local.suffix}"
team_group_id = azuread_group.groups[each.value.team].id
admin_group_id = azuread_group.groups["${each.value.team}_admins"].id
superadmins_group_id = var.superadmins_aad_object_id
}
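Review bot: `superadmins_group_id = var.superadmins_aad_object_id` is wired identically into every workspace produced from `var.environments`, so membership of that one AAD group carries Key Vault data-plane access across all environments, presumably including production, with no per-environment override. If that is deliberate, say so on the line, e.g. `# Same superadmins group for every environment: KV data-plane access is all-or-nothing across envs`; otherwise make it a per-environment attribute of `var.environments`. The root variable is named `superadmins_aad_object_id` while the module input and its siblings use `*_group_id`; aligning it to `superadmins_group_id` keeps the mapping obvious. The `workspace` module block is complete within the hunk.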


@ -36,12 +36,12 @@ resource "azurerm_key_vault" "kv" {
tags = var.tags
}
# Key Vault Access Policy - me
# Note: this assumes ARM client is central owner of all workspaces
# Key Vault Access Policy - superadmins
# e.g. admins as well has limited infrastructure service principals
resource "azurerm_key_vault_access_policy" "me" {
resource "azurerm_key_vault_access_policy" "superadmins" {
key_vault_id = azurerm_key_vault.kv.id
object_id = local.client_object_id
object_id = var.superadmins_group_id
tenant_id = local.client_tenant_id
secret_permissions = [
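Review bot: Replacing the `me` policy with the group policy drops the direct grant to the Terraform client (`local.client_object_id`), so any `azurerm_key_vault_secret` this module manages will fail with 403 unless that principal is itself a member of the superadmins group; the note that was removed documented exactly that assumption, and a replacement is needed, e.g. `# Note: the Terraform client must be a member of the superadmins group if this module writes secrets`. As far as I know Key Vault does not validate the `object_id` of an access policy, so a mistyped GUID in `superadmins_group_id` applies cleanly and grants nobody; resolving the group with `data "azuread_group"` would make a wrong ID fail at plan time. The new comment on the resource also reads oddly and should be `# e.g. human admins as well as a limited set of infrastructure service principals`. The resource's `secret_permissions` list continues past the end of the hunk, so I cannot see how broad the grant is.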


@ -25,6 +25,11 @@ variable "admin_group_id" {
type = string
}
variable "superadmins_group_id" {
type = string
description = "Required: object ID of the AAD group for super admins, used to apply key vault access policies."
}
variable "client_tenant_id" {
description = "AAD Tenant ID for Azure Resource Manager (ARM) client. Defaults to current session."
type = string
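Review bot: `superadmins_group_id` is accepted as any string, and a mis-pasted value reaches the Key Vault access policy in this module unchecked; if the repository is on Terraform 0.13 or later, a `validation` block pinning the GUID shape would catch that at plan time rather than after a silent apply. The `Required:` prefix in the description is also out of step with the neighbouring `client_tenant_id` description, which states its default instead; a variable without `default` is required by construction, so the prefix can go. The variable block is complete within the hunk.

```hcl
variable "superadmins_group_id" {
  type        = string
  description = "Object ID of the AAD group for super admins, used to apply key vault access policies."

  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.superadmins_group_id))
    error_message = "The superadmins_group_id value must be an Azure AD object ID (GUID)."
  }
}
```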


@ -14,8 +14,8 @@ provider "azuredevops" {
# Store Terraform Stage in Azure Storage Account (see azure.conf.sample)
terraform {
# backend "azurerm" {
# }
backend "azurerm" {
}
}
# So we can give current user access to resources too
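Review bot: The now-enabled `backend "azurerm" {}` is a partial configuration, so every `terraform init` has to be given the storage account, container and key via `-backend-config` (the `azure.conf.sample` the comment above points at) or it fails with an unhelpful error; a one-line comment on the block would spare the next person that, e.g. `# Partial backend config: supply storage account/container/key with -backend-config=azure.conf`. The comment above it says `Terraform Stage` where `State` is meant. If this configuration writes Key Vault secrets, their values land in that remote state in plaintext, so the state storage account needs access control at least as tight as the vault itself; worth stating next to the block, since I cannot see from here how the account is provisioned.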


@ -1,3 +1,12 @@
# Superadmins
# -----------
variable "superadmins_aad_object_id" {
type = string
description = "Object ID of the AAD group for super admins, used to apply key vault access policies, so both humans and super privileged automation service principal can manage Key Vault resources (from outside Terraform)."
}
# Suffix
# ------
# Some Azure resources, e.g. storage accounts must have globally
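Review bot: The description of `superadmins_aad_object_id` says the group spans humans and a highly privileged automation principal, which means whoever can edit that group's membership in AAD can grant themselves data-plane access to every workspace Key Vault, and nothing in Terraform will surface that change. That trust boundary belongs in the description or a comment above the variable, e.g. `# Membership of this group is managed in AAD outside Terraform; treat group owners as Key Vault admins`. If the tenant supports it, a role-assignable group with PIM-gated membership would narrow that exposure, though I cannot tell from here how the group is created. The variable has no default, so `plan` fails unless the gitignored `local.auto.tfvars` or another source supplies it; a short note in the description saying where it is expected to come from would help.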