Azure
/
devops-governance
зеркало из https://github.com/Azure/devops-governance.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

key-vault: add access policy for superadmins AAD group 

Key Vault has its own Data Plane access policies. In order for
CI/CD pipelines to manage the infrastructure *and* to allow
humans with priviledged access to examine the contents, we
are using a superadmin group.

N.B. this is not relevant if you use Azure RBAC instead of access
policies. At time of writing, this is still in preview.

For details see
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide
This commit is contained in:
Julie Ng 2020-11-20 16:00:49 +01:00
Родитель 8adc423fdd
Коммит ab5a6aa1ad
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 0CBC37BD160B350D
7 изменённых файлов: 29 добавлений и 12 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

1
.gitignore поставляемый
Просмотреть файл

@ -1,6 +1,7 @@
# Configuration - never check in credentials!
*.conf
.env
local.auto.tfvars
# Terraform - state and plan files
.terraform/

1
.terraformignore
Просмотреть файл

@ -2,6 +2,7 @@
.env
*.conf
*.tfplan
local.auto.tfvars
# Directories
.github/

13
main.tf
Просмотреть файл

@ -31,7 +31,7 @@ module "ado_standard_permissions" {
for_each = var.projects
source = "./modules/azure-devops-permissions"
ado_project_id = azuredevops_project.team_projects["proj_${each.value.team}"].id
team_aad_id = azuread_group.groups["${each.value.team}"].id
team_aad_id = azuread_group.groups[each.value.team].id
admin_aad_id = azuread_group.groups["${each.value.team}_admins"].id
}
@ -102,11 +102,12 @@ module "collaboration_permissions_veggies" {
# ----------
module "workspace" {
for_each = var.environments
source = "./modules/azure-resources"
name = "${each.value.team}-${each.value.env}-${local.suffix}"
team_group_id = azuread_group.groups["${each.value.team}"].id
admin_group_id = azuread_group.groups["${each.value.team}_admins"].id
for_each = var.environments
source = "./modules/azure-resources"
name = "${each.value.team}-${each.value.env}-${local.suffix}"
team_group_id = azuread_group.groups[each.value.team].id
admin_group_id = azuread_group.groups["${each.value.team}_admins"].id
superadmins_group_id = var.superadmins_aad_object_id
}

8
modules/azure-resources/_azure-resources.tf
Просмотреть файл

@ -36,12 +36,12 @@ resource "azurerm_key_vault" "kv" {
tags = var.tags
}
# Key Vault Access Policy - me
# Note: this assumes ARM client is central owner of all workspaces
# Key Vault Access Policy - superadmins
# e.g. admins as well has limited infrastructure service principals
resource "azurerm_key_vault_access_policy" "me" {
resource "azurerm_key_vault_access_policy" "superadmins" {
key_vault_id = azurerm_key_vault.kv.id
object_id = local.client_object_id
object_id = var.superadmins_group_id
tenant_id = local.client_tenant_id
secret_permissions = [

5
modules/azure-resources/variables.tf
Просмотреть файл

@ -25,6 +25,11 @@ variable "admin_group_id" {
type = string
}
variable "superadmins_group_id" {
type = string
description = "Required: object ID of the AAD group for super admins, used to apply key vault access policies."
}
variable "client_tenant_id" {
description = "AAD Tenant ID for Azure Resource Manager (ARM) client. Defaults to current session."
type = string

4
provider.tf
Просмотреть файл

@ -14,8 +14,8 @@ provider "azuredevops" {
# Store Terraform Stage in Azure Storage Account (see azure.conf.sample)
terraform {
# backend "azurerm" {
# }
backend "azurerm" {
}
}
# So we can give current user access to resources too

9
variables.tf
Просмотреть файл

@ -1,3 +1,12 @@
# Superadmins
# -----------
variable "superadmins_aad_object_id" {
type = string
description = "Object ID of the AAD group for super admins, used to apply key vault access policies, so both humans and super privileged automation service principal can manage Key Vault resources (from outside Terraform)."
}
# Suffix
# ------
# Some Azure resources, e.g. storage accounts must have globally