variables-keyvault.tf
#######################
# Key Vault variables #
#######################
# Principal that is granted the FULL access policy on the Key Vault
# (presumably paired with the kv-*-permissions-full lists below; the
# access-policy resource itself is not in this file).
variable "kv-full-object-id" {
  type        = string
  description = "The object ID of a user, service principal or security group in the Azure Active Directory tenant for FULL access to the Azure Key Vault"
  # Empty by default. NOTE(review): confirm in the consuming resource that an
  # empty string skips the policy instead of creating one with a blank object_id.
  default     = ""
}
# Principal that is granted the READ access policy on the Key Vault
# (presumably paired with the kv-*-permissions-read lists below; the
# access-policy resource itself is not in this file).
variable "kv-read-object-id" {
  type        = string
  description = "The object ID of a user, service principal or security group in the Azure Active Directory tenant for READ access to the Azure Key Vault"
  # Empty by default. NOTE(review): confirm in the consuming resource that an
  # empty string skips the policy instead of creating one with a blank object_id.
  default     = ""
}
# Toggle for VM certificate retrieval from the vault. Declared as a string
# holding "true"/"false" rather than a bool, so callers must pass the literal
# string. NOTE(review): a bool type would be clearer — confirm that no consumer
# compares this value against the string "true" before changing the type.
variable "kv-vm-deployment" {
  type        = string
  description = "Allow Azure Virtual Machines to retrieve certificates stored as secrets from the Azure Key Vault"
  # Enabled by default.
  default     = "true"
}
# Toggle for Azure Disk Encryption access to the vault. Declared as a string
# holding "true"/"false" rather than a bool, so callers must pass the literal
# string. NOTE(review): a bool type would be clearer — confirm that no consumer
# compares this value against the string "true" before changing the type.
variable "kv-disk-encryption" {
  type        = string
  description = "Allow Azure Disk Encryption to retrieve secrets from the Azure Key Vault and unwrap keys"
  # Enabled by default.
  default     = "true"
}
# Toggle for Azure Resource Manager (template deployment) access to the vault.
# Declared as a string holding "true"/"false" rather than a bool, so callers
# must pass the literal string. NOTE(review): a bool type would be clearer —
# confirm that no consumer compares this value against the string "true" first.
variable "kv-template-deployment" {
  type        = string
  description = "Allow Azure Resource Manager to retrieve secrets from the Azure Key Vault"
  # Enabled by default.
  default     = "true"
}
# Key permissions for the FULL access policy. The default grants every
# permission named in the description, including the destructive ones
# (delete, purge) and the cryptographic ones (decrypt, sign, unwrapKey);
# narrow this list for principals that do not need all of them.
variable "kv-key-permissions-full" {
  type        = list(string)
  description = "List of full key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey"
  default     = [ "backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list", "purge",
                  "recover", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey" ]
}
# Secret permissions for the FULL access policy. The default is the complete
# set named in the description (all eight), including delete and purge.
variable "kv-secret-permissions-full" {
  type        = list(string)
  description = "List of full secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set"
  default     = [ "backup", "delete", "get", "list", "purge", "recover", "restore", "set" ]
}
# Certificate permissions for the FULL access policy. The default contains the
# same sixteen permissions the description lists, just not in alphabetical
# order (backup and restore come last).
variable "kv-certificate-permissions-full" {
  type        = list(string)
  description = "List of full certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update"
  default     = [ "create", "delete", "deleteissuers", "get", "getissuers", "import", "list", "listissuers",
                  "managecontacts", "manageissuers", "purge", "recover", "setissuers", "update", "backup", "restore" ]
}
# Storage-account permissions for the FULL access policy. The default is the
# complete set named in the description (all fourteen), including
# regeneratekey and the SAS-definition permissions (setsas, deletesas).
variable "kv-storage-permissions-full" {
  type        = list(string)
  description = "List of full storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update"
  default     = [ "backup", "delete", "deletesas", "get", "getsas", "list", "listsas",
                  "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update" ]
}
# Key permissions for the READ access policy. The default is read-only
# (get, list); the description enumerates the full set of valid values so
# that the list can be widened when a consumer needs it.
variable "kv-key-permissions-read" {
  type        = list(string)
  description = "List of read key permissions, must be one or more from the following: backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify and wrapKey"
  default     = [ "get", "list" ]
}
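# Secret permissions for the READ access policy. The default is read-only
# (get, list). Note that "get" on a secret returns the secret value itself,
# so this list should stay as small as the consumer allows.
variable "kv-secret-permissions-read" {
  type        = list(string)
  # Description fixed from "full" to "read": this variable feeds the READ
  # policy, matching kv-key-permissions-read and kv-storage-permissions-read.
  description = "List of read secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set"
  default     = [ "get", "list" ]
}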
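# Certificate permissions for the READ access policy. The default is the
# read-only subset (get, list plus the issuer read permissions
# getissuers, listissuers).
variable "kv-certificate-permissions-read" {
  type        = list(string)
  # Description fixed from "full" to "read": this variable feeds the READ
  # policy, matching kv-key-permissions-read and kv-storage-permissions-read.
  description = "List of read certificate permissions, must be one or more from the following: backup, create, delete, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, purge, recover, restore, setissuers and update"
  default     = [ "get", "getissuers", "list", "listissuers" ]
}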
# Storage-account permissions for the READ access policy. The default is the
# read-only subset (get, list plus the SAS-definition read permissions
# getsas, listsas).
variable "kv-storage-permissions-read" {
  type        = list(string)
  description = "List of read storage permissions, must be one or more from the following: backup, delete, deletesas, get, getsas, list, listsas, purge, recover, regeneratekey, restore, set, setsas and update"
  default     = [ "get", "getsas", "list", "listsas" ]
}
# Secrets to create in the Key Vault, keyed by secret name; each entry carries
# only the secret value. Values supplied here pass through Terraform plan
# output and are stored in plaintext in the state file, so the state backend
# must be protected accordingly.
# NOTE(review): marking this variable `sensitive = true` would redact it from
# plan/apply output, but that argument needs Terraform >= 0.14 — confirm the
# project's required_version before adding it.
variable "kv-secrets" {
  type = map(object({
    value = string
  }))
  description = "Define Azure Key Vault secrets"
  # No secrets are created unless the caller supplies a map.
  default     = {}
}