support os_profile_secrets (#150)

* support os_profile_secrets

* os secrets test with keyvault

* terraform fmt

* fixed keyvault test

* fixed keyvault test

* vault test corrections

* vault test location correction

* updated README

* test os_profile_secrets for linux, terraform fmt

* Updated README

* updated os_profile_secrets variable description

Co-authored-by: Yuping Wei <56525716+yupwei68@users.noreply.github.com>

README.md

@@ -150,6 +150,16 @@ More specifically this provisions:
   - set one key by setting a path in ssh_key variable. e.g "joey_id_rsa.pub"
   - set shh_key and add zero or more files paths in extra_ssh_keys variable e.g. ["ross_id_rsa.pub", "rachel_id_rsa.pub"] (since v3.8.0)
 
+4 - You can install custom certificates / secrets on the virtual machine from Key Vault by using the variable `os_profile_secrets`.
+
+The variable accepts a list of maps with the following keys:
+
+* source_vault_id : The ID of the Key Vault Secret which contains the encrypted Certificate.
+* certificate_url : The certificate  URL in Key Vault
+* certificate_store : The certificate store on the Virtual Machine where the certificate should be added to (Windows Only).
+
+In the below example we use the data sources `azurerm_key_vault` and `azurerm_key_vault_certificate` to fetch the certificate information from Key Vault and add it to `windowsservers` via `os_profile_secrets` parameter.
+
 ```hcl
 provider "azurerm" {
   features {}
@@ -160,6 +170,16 @@ resource "azurerm_resource_group" "example" {
   location = "West Europe"
 }
 
+data "azurerm_key_vault" "example" {
+  name                = "examplekeyvault"
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+data "azurerm_key_vault_certificate" "example" {
+  name         = "example-kv-cert"
+  key_vault_id = data.azurerm_key_vault.example.id
+}
+
 module "linuxservers" {
   source                        = "Azure/compute/azurerm"
   resource_group_name           = azurerm_resource_group.example.name
@@ -207,6 +227,11 @@ module "windowsservers" {
   enable_accelerated_networking = true
   license_type                  = "Windows_Client"
   identity_type                 = "SystemAssigned" // can be empty, SystemAssigned or UserAssigned
+  os_profile_secrets            = [{
+    source_vault_id   = data.azurerm_key_vault.example.id
+    certificate_url   = data.azurerm_key_vault_certificate.example.secret_id
+    certificate_store = "My"
+  }]
 }
 
 module "network" {

main.tf

@@ -99,6 +99,17 @@ resource "azurerm_virtual_machine" "vm-linux" {
     }
   }
 
+  dynamic "os_profile_secrets" {
+    for_each = var.os_profile_secrets
+    content {
+      source_vault_id = os_profile_secrets.value["source_vault_id"]
+
+      vault_certificates {
+        certificate_url = os_profile_secrets.value["certificate_url"]
+      }
+    }
+  }
+
   tags = var.tags
 
   boot_diagnostics {
@@ -171,6 +182,18 @@ resource "azurerm_virtual_machine" "vm-windows" {
     provision_vm_agent = true
   }
 
+  dynamic "os_profile_secrets" {
+    for_each = var.os_profile_secrets
+    content {
+      source_vault_id = os_profile_secrets.value["source_vault_id"]
+
+      vault_certificates {
+        certificate_url   = os_profile_secrets.value["certificate_url"]
+        certificate_store = os_profile_secrets.value["certificate_store"]
+      }
+    }
+  }
+
   boot_diagnostics {
     enabled     = var.boot_diagnostics
     storage_uri = var.boot_diagnostics ? join(",", azurerm_storage_account.vm-sa.*.primary_blob_endpoint) : ""

test/fixture/keyvault.tf

@@ -0,0 +1,147 @@
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_key_vault" "test" {
+  name                        = "test${random_id.ip_dns.hex}kv"
+  location                    = var.location_alt
+  resource_group_name         = azurerm_resource_group.test.name
+  enabled_for_disk_encryption = true
+  enabled_for_deployment      = true
+  tenant_id                   = data.azurerm_client_config.current.tenant_id
+  soft_delete_enabled         = false
+
+  sku_name = "standard"
+
+  network_acls {
+    default_action = "Allow"
+    bypass         = "AzureServices"
+  }
+
+}
+
+resource "azurerm_key_vault_access_policy" "test" {
+  key_vault_id = azurerm_key_vault.test.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azurerm_client_config.current.object_id
+
+  certificate_permissions = [
+    "create",
+    "delete",
+    "deleteissuers",
+    "get",
+    "getissuers",
+    "import",
+    "list",
+    "listissuers",
+    "managecontacts",
+    "manageissuers",
+    "setissuers",
+    "update",
+  ]
+
+  key_permissions = [
+    "backup",
+    "create",
+    "decrypt",
+    "delete",
+    "encrypt",
+    "get",
+    "import",
+    "list",
+    "purge",
+    "recover",
+    "restore",
+    "sign",
+    "unwrapKey",
+    "update",
+    "verify",
+    "wrapKey",
+  ]
+
+  secret_permissions = [
+    "backup",
+    "delete",
+    "get",
+    "list",
+    "purge",
+    "recover",
+    "restore",
+    "set",
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "test-vm" {
+  key_vault_id = azurerm_key_vault.test.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = azurerm_user_assigned_identity.test.principal_id
+
+  certificate_permissions = [
+    "get",
+  ]
+
+  key_permissions = [
+    "get",
+  ]
+
+  secret_permissions = [
+    "get",
+  ]
+}
+
+
+resource "azurerm_key_vault_certificate" "test" {
+  name         = "test${random_id.ip_dns.hex}kvcert"
+  key_vault_id = azurerm_key_vault.test.id
+
+  certificate_policy {
+    issuer_parameters {
+      name = "Self"
+    }
+
+    key_properties {
+      exportable = true
+      key_size   = 2048
+      key_type   = "RSA"
+      reuse_key  = true
+    }
+
+    lifetime_action {
+      action {
+        action_type = "AutoRenew"
+      }
+
+      trigger {
+        days_before_expiry = 30
+      }
+    }
+
+    secret_properties {
+      content_type = "application/x-pkcs12"
+    }
+
+    x509_certificate_properties {
+      # Server Authentication = 1.3.6.1.5.5.7.3.1
+      # Client Authentication = 1.3.6.1.5.5.7.3.2
+      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]
+
+      key_usage = [
+        "cRLSign",
+        "dataEncipherment",
+        "digitalSignature",
+        "keyAgreement",
+        "keyCertSign",
+        "keyEncipherment",
+      ]
+
+      subject_alternative_names {
+        dns_names = ["internal.contoso.com", "domain.hello.world"]
+      }
+
+      subject            = "CN=hello-world"
+      validity_in_months = 12
+    }
+  }
+
+  depends_on = [azurerm_key_vault_access_policy.test, azurerm_key_vault_access_policy.test-vm]
+}

test/fixture/main.tf

@@ -64,6 +64,10 @@ module "ubuntuservers" {
   enable_ssh_key                = false
   identity_type                 = "UserAssigned"
   identity_ids                  = [azurerm_user_assigned_identity.test.id]
+  os_profile_secrets = [{
+    source_vault_id = azurerm_key_vault.test.id
+    certificate_url = azurerm_key_vault_certificate.test.secret_id
+  }]
   
   depends_on = [azurerm_resource_group.test]
 }
@@ -98,7 +102,13 @@ module "windowsservers" {
   public_ip_dns       = ["winsimplevmips-${random_id.ip_dns.hex}"] // change to a unique name per datacenter region
   vnet_subnet_id      = azurerm_subnet.subnet3.id
   license_type        = var.license_type
-  identity_type       = var.identity_type
-  
+  identity_type       = "UserAssigned"
+  identity_ids        = [azurerm_user_assigned_identity.test.id]
+  os_profile_secrets = [{
+    source_vault_id   = azurerm_key_vault.test.id
+    certificate_url   = azurerm_key_vault_certificate.test.secret_id
+    certificate_store = "My"
+  }]
+
   depends_on = [azurerm_resource_group.test]
 }

variables.tf

@@ -220,3 +220,9 @@ variable "identity_ids" {
   type        = list(string)
   default     = []
 }
+
+variable "os_profile_secrets" {
+  description = "Specifies a list of certificates to be installed on the VM, each list item is a map with the keys source_vault_id, certificate_url and certificate_store."
+  type        = list(map(string))
+  default     = []
+}