key-vault: add access policy for superadmins AAD group
Key Vault has its own Data Plane access policies. In order for CI/CD pipelines to manage the infrastructure *and* to allow humans with privileged access to examine the contents, we are using a superadmin group. N.B. this is not relevant if you use Azure RBAC instead of access policies. At the time of writing, this is still in preview. For details see https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide
This commit is contained in:
Родитель
8adc423fdd
Коммит
ab5a6aa1ad
|
@ -1,6 +1,7 @@
|
|||
# Configuration - never check in credentials!
|
||||
*.conf
|
||||
.env
|
||||
local.auto.tfvars
|
||||
|
||||
# Terraform - state and plan files
|
||||
.terraform/
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
.env
|
||||
*.conf
|
||||
*.tfplan
|
||||
local.auto.tfvars
|
||||
|
||||
# Directories
|
||||
.github/
|
||||
|
|
13
main.tf
13
main.tf
|
@ -31,7 +31,7 @@ module "ado_standard_permissions" {
|
|||
for_each = var.projects
|
||||
source = "./modules/azure-devops-permissions"
|
||||
ado_project_id = azuredevops_project.team_projects["proj_${each.value.team}"].id
|
||||
team_aad_id = azuread_group.groups["${each.value.team}"].id
|
||||
team_aad_id = azuread_group.groups[each.value.team].id
|
||||
admin_aad_id = azuread_group.groups["${each.value.team}_admins"].id
|
||||
}
|
||||
|
||||
|
@ -102,11 +102,12 @@ module "collaboration_permissions_veggies" {
|
|||
# ----------
|
||||
|
||||
module "workspace" {
|
||||
for_each = var.environments
|
||||
source = "./modules/azure-resources"
|
||||
name = "${each.value.team}-${each.value.env}-${local.suffix}"
|
||||
team_group_id = azuread_group.groups["${each.value.team}"].id
|
||||
admin_group_id = azuread_group.groups["${each.value.team}_admins"].id
|
||||
for_each = var.environments
|
||||
source = "./modules/azure-resources"
|
||||
name = "${each.value.team}-${each.value.env}-${local.suffix}"
|
||||
team_group_id = azuread_group.groups[each.value.team].id
|
||||
admin_group_id = azuread_group.groups["${each.value.team}_admins"].id
|
||||
superadmins_group_id = var.superadmins_aad_object_id
|
||||
}
|
||||
|
||||
|
||||
|
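Review bot: The `workspace` module hunk wires the root input `var.superadmins_aad_object_id` into the module input `superadmins_group_id`, so one AAD group travels under two different names and, because the module is created with `for_each = var.environments`, that single group appears to gain data-plane rights on the Key Vault of every workspace at once; a comment at the call site would make that blast radius explicit, e.g. `# one group, every environment's Key Vault — membership here is effectively global admin over all vault contents`. The earlier hunk in this file (`module "ado_standard_permissions"`) only swaps the index expression `"${each.value.team}"` for `each.value.team`, which is unrelated to the commit subject and would be simpler to review as its own change. The `workspace` module block continues outside the hunk.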
|
|
@ -36,12 +36,12 @@ resource "azurerm_key_vault" "kv" {
|
|||
tags = var.tags
|
||||
}
|
||||
|
||||
# Key Vault Access Policy - me
|
||||
# Note: this assumes ARM client is central owner of all workspaces
|
||||
# Key Vault Access Policy - superadmins
|
||||
# e.g. admins as well has limited infrastructure service principals
|
||||
|
||||
resource "azurerm_key_vault_access_policy" "me" {
|
||||
resource "azurerm_key_vault_access_policy" "superadmins" {
|
||||
key_vault_id = azurerm_key_vault.kv.id
|
||||
object_id = local.client_object_id
|
||||
object_id = var.superadmins_group_id
|
||||
tenant_id = local.client_tenant_id
|
||||
|
||||
secret_permissions = [
|
||||
|
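Review bot: It looks like the `me` access policy for the ARM client is replaced by the `superadmins` policy rather than kept alongside it, so the identity that runs Terraform retains data-plane access to the vault only if it is itself a member of the superadmins group; the header comment should state that dependency, e.g. `# Note: the ARM client running Terraform must be a member of this group to keep data-plane access`. `tenant_id` still comes from `local.client_tenant_id`, so the group object ID has to belong to the ARM client's tenant, which is worth a line in the variable's description. The comment `# e.g. admins as well has limited infrastructure service principals` is garbled; `# i.e. human admins as well as the infrastructure service principals` reads as intended. The `secret_permissions` list and the rest of the resource continue outside the hunk, so the permission set now granted to a whole group rather than one service principal is not visible here and should be checked against least privilege.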
|
|
@ -25,6 +25,11 @@ variable "admin_group_id" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "superadmins_group_id" {
|
||||
type = string
|
||||
description = "Required: object ID of the AAD group for super admins, used to apply key vault access policies."
|
||||
}
|
||||
|
||||
variable "client_tenant_id" {
|
||||
description = "AAD Tenant ID for Azure Resource Manager (ARM) client. Defaults to current session."
|
||||
type = string
|
||||
|
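Review bot: `superadmins_group_id` is typed only as `string`, so a group display name, a tenant-wide placeholder or an empty value is accepted at plan time and the mistake surfaces only when `azurerm_key_vault_access_policy.superadmins` is applied; since this repository already uses `for_each` on module blocks (Terraform 0.13+), a `validation` block can reject anything that is not GUID-shaped up front. The same applies to `superadmins_aad_object_id` in the root `variables.tf` hunk below, whose description also deserves a note that the ID must come from the ARM client's tenant. The quoted error message wording is a constructed example.

```hcl
variable "superadmins_group_id" {
  type        = string
  description = "Required: object ID of the AAD group for super admins, used to apply key vault access policies."

  validation {
    condition     = can(regex("^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$", var.superadmins_group_id))
    error_message = "The superadmins_group_id value must be an AAD object ID (GUID), not a group display name."
  }
}
```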
|
|
@ -14,8 +14,8 @@ provider "azuredevops" {
|
|||
|
||||
# Store Terraform Stage in Azure Storage Account (see azure.conf.sample)
|
||||
terraform {
|
||||
# backend "azurerm" {
|
||||
# }
|
||||
backend "azurerm" {
|
||||
}
|
||||
}
|
||||
|
||||
# So we can give current user access to resources too
|
||||
|
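Review bot: The newly enabled `backend "azurerm" {}` block is empty, so the storage account, container and key must be supplied as a partial configuration at `terraform init -backend-config=...`; the comment above it points to `azure.conf.sample` but should say that explicitly, and `Stage` in `# Store Terraform Stage in Azure Storage Account` should read `State`. Because that remote state will record the Key Vault access policies and any secret values Terraform may manage, access to the state container is as sensitive as the vault itself; how that container is protected is not visible in this hunk. The `terraform` block's surroundings continue outside the hunk.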
|
|
@ -1,3 +1,12 @@
|
|||
# Superadmins
|
||||
# -----------
|
||||
|
||||
variable "superadmins_aad_object_id" {
|
||||
type = string
|
||||
description = "Object ID of the AAD group for super admins, used to apply key vault access policies, so both humans and super privileged automation service principal can manage Key Vault resources (from outside Terraform)."
|
||||
}
|
||||
|
||||
|
||||
# Suffix
|
||||
# ------
|
||||
# Some Azure resources, e.g. storage accounts must have globally
|
||||
|
|