key-vault: add access policy for superadmins AAD group

Key Vault has its own Data Plane access policies. In order for
CI/CD pipelines to manage the infrastructure *and* to allow
humans with priviledged access to examine the contents, we
are using a superadmin group.

N.B. this is not relevant if you use Azure RBAC instead of access
policies. At time of writing, this is still in preview.

For details see
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide

.gitignore

@@ -1,6 +1,7 @@
 # Configuration - never check in credentials!
 *.conf
 .env
+local.auto.tfvars
 
 # Terraform - state and plan files
 .terraform/

.terraformignore

@@ -2,6 +2,7 @@
 .env
 *.conf
 *.tfplan
+local.auto.tfvars
 
 # Directories
 .github/

main.tf

@@ -31,7 +31,7 @@ module "ado_standard_permissions" {
   for_each       = var.projects
   source         = "./modules/azure-devops-permissions"
   ado_project_id = azuredevops_project.team_projects["proj_${each.value.team}"].id
-  team_aad_id    = azuread_group.groups["${each.value.team}"].id
+  team_aad_id    = azuread_group.groups[each.value.team].id
   admin_aad_id   = azuread_group.groups["${each.value.team}_admins"].id
 }
 
@@ -102,11 +102,12 @@ module "collaboration_permissions_veggies" {
 # ----------
 
 module "workspace" {
-  for_each       = var.environments
+  for_each             = var.environments
-  source         = "./modules/azure-resources"
+  source               = "./modules/azure-resources"
-  name           = "${each.value.team}-${each.value.env}-${local.suffix}"
+  name                 = "${each.value.team}-${each.value.env}-${local.suffix}"
-  team_group_id  = azuread_group.groups["${each.value.team}"].id
+  team_group_id        = azuread_group.groups[each.value.team].id
-  admin_group_id = azuread_group.groups["${each.value.team}_admins"].id
+  admin_group_id       = azuread_group.groups["${each.value.team}_admins"].id
+  superadmins_group_id = var.superadmins_aad_object_id
 }
 
 

modules/azure-resources/_azure-resources.tf

@@ -36,12 +36,12 @@ resource "azurerm_key_vault" "kv" {
   tags                        = var.tags
 }
 
-# Key Vault Access Policy - me
+# Key Vault Access Policy - superadmins
-# Note: this assumes ARM client is central owner of all workspaces
+# e.g. admins as well has limited infrastructure service principals
 
-resource "azurerm_key_vault_access_policy" "me" {
+resource "azurerm_key_vault_access_policy" "superadmins" {
   key_vault_id = azurerm_key_vault.kv.id
-  object_id    = local.client_object_id
+  object_id    = var.superadmins_group_id
   tenant_id    = local.client_tenant_id
 
   secret_permissions = [

modules/azure-resources/variables.tf

@@ -25,6 +25,11 @@ variable "admin_group_id" {
   type        = string
 }
 
+variable "superadmins_group_id" {
+  type        = string
+  description = "Required: object ID of the AAD group for super admins, used to apply key vault access policies."
+}
+
 variable "client_tenant_id" {
   description = "AAD Tenant ID for Azure Resource Manager (ARM) client. Defaults to current session."
   type        = string

provider.tf

@@ -14,8 +14,8 @@ provider "azuredevops" {
 
 # Store Terraform Stage in Azure Storage Account (see azure.conf.sample)
 terraform {
-  # backend "azurerm" {
+  backend "azurerm" {
-  # }
+  }
 }
 
 # So we can give current user access to resources too

variables.tf

@@ -1,3 +1,12 @@
+# Superadmins
+# -----------
+
+variable "superadmins_aad_object_id" {
+  type        = string
+  description = "Object ID of the AAD group for super admins, used to apply key vault access policies, so both humans and super privileged automation service principal can manage Key Vault resources (from outside Terraform)."
+}
+
+
 # Suffix
 # ------
 # Some Azure resources, e.g. storage accounts must have globally