keyvault sample

Author: brown9804

4_identity-security/README.md

@@ -15,6 +15,7 @@ Last updated: 2026-02-03
 ## Templates available
 
 - [Microsoft Entra ID (Entra ID)](./entra_id)
+- [Azure Key Vault](./key-vault)
 
 <!-- START BADGE -->
 <div align="center">

4_identity-security/key-vault/README.md

@@ -0,0 +1,97 @@
+````markdown
+# Terraform Template - Azure Key Vault
+
+Costa Rica
+
+[![GitHub](https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff)](https://github.com/)
+[brown9804](https://github.com/brown9804)
+
+Last updated: 2026-02-06
+
+------------------------------------------
+
+> This template contains Terraform configurations to create and manage an Azure Key Vault with dependencies on a Resource Group.
+
+> [!NOTE]
+> Key Vault data-plane access (secrets/keys/certificates) depends on your authorization mode:
+> - If `enable_rbac_authorization = true`, grant Azure RBAC roles (for example: Key Vault Secrets Officer) at the vault scope.
+> - If `enable_rbac_authorization = false`, you must manage Key Vault access policies (not included in this minimal template).
+
+## File Descriptions
+
+- **main.tf**: Contains the main configuration for creating the Azure Key Vault and the Resource Group it depends on.
+- **variables.tf**: Defines the input variables used in the Terraform configuration.
+- **provider.tf**: Configures the Azure provider to interact with Azure resources.
+- **terraform.tfvars**: Provides example values for the variables defined in `variables.tf`.
+- **outputs.tf**: Defines the outputs of the Terraform configuration, such as the Key Vault URI and Resource Group.
+
+## Variables
+
+Below is a list of variables used in this template, their expected values, types, and examples:
+
+| Variable Name | Description | Type | Example Value |
+| --- | --- | --- | --- |
+| `resource_group_name` | The name of the Azure Resource Group to associate the Key Vault with. | string | `"rg-identity-security-dev"` |
+| `location` | The Azure region where the Resource Group will be created. | string | `"East US"` |
+| `key_vault_name` | The name of the Azure Key Vault to create. | string | `"kvidentitydev001"` |
+| `key_vault_name_use_random_suffix` | Append a short random suffix to avoid global name collisions. | bool | `true` |
+| `sku_name` | The SKU name for Key Vault (`standard` or `premium`). | string | `"standard"` |
+| `enable_rbac_authorization` | Use Azure RBAC for data-plane permissions. | bool | `true` |
+| `public_network_access_enabled` | Enable or disable public network access. | bool | `true` |
+| `soft_delete_retention_days` | Soft delete retention days (7-90). | number | `90` |
+| `purge_protection_enabled` | Enable purge protection (affects destroy). | bool | `false` |
+| `network_default_action` | Network ACL default action (`Allow` or `Deny`). | string | `"Allow"` |
+| `network_bypass` | Firewall bypass (`AzureServices` or `None`). | string | `"AzureServices"` |
+| `ip_rules` | List of public IPs/CIDRs allowed. | list(string) | `[]` |
+| `virtual_network_subnet_ids` | List of subnet IDs allowed. | list(string) | `[]` |
+| `tags` | A map of tags to assign to the resources. | map(string) | `{ "env": "dev" }` |
+
+## Usage
+
+1. Authenticate:
+
+   ```sh
+   az login
+   ```
+
+2. Ensure Azure CLI has the correct active subscription:
+
+   ```sh
+   az account show
+   # If needed:
+   az account set --subscription "<subscription-id-or-name>"
+   ```
+
+3. Initialize:
+
+   ```sh
+   terraform init -upgrade
+   ```
+
+4. Validate and plan:
+
+   ```sh
+   terraform validate
+   terraform plan
+   ```
+
+5. Apply:
+
+   ```sh
+   terraform apply -auto-approve
+   ```
+
+## Notes
+
+- This template creates the Resource Group for you.
+- Key Vault names are globally unique. If you see `VaultAlreadyExists`, either change the base name or keep `key_vault_name_use_random_suffix = true`.
+- If you enable `purge_protection_enabled`, Key Vault deletion becomes more restrictive and `terraform destroy` may fail until purge protection rules allow cleanup.
+
+<!-- START BADGE -->
+<div align="center">
+  <img src="https://img.shields.io/badge/Total%20views-0-limegreen" alt="Total views">
+  <p>Refresh Date: 2026-02-06</p>
+</div>
+<!-- END BADGE -->
+
+````

4_identity-security/key-vault/main.tf

@@ -0,0 +1,51 @@
+# main.tf
+# This file contains the main configuration for creating Azure Key Vault.
+# It defines the resource blocks for the Azure Resource Group and Key Vault.
+
+data "azurerm_client_config" "current" {}
+
+resource "random_id" "kv_suffix" {
+  byte_length = 2
+}
+
+locals {
+  effective_tenant_id = data.azurerm_client_config.current.tenant_id
+  effective_key_vault_name = lower(
+    var.key_vault_name_use_random_suffix
+    ? "${var.key_vault_name}${random_id.kv_suffix.hex}"
+    : var.key_vault_name
+  )
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = var.resource_group_name
+  location = var.location
+
+  tags = var.tags
+}
+
+resource "azurerm_key_vault" "example" {
+  name                          = local.effective_key_vault_name
+  location                      = azurerm_resource_group.example.location
+  resource_group_name           = azurerm_resource_group.example.name
+  tenant_id                     = local.effective_tenant_id
+  sku_name                      = lower(var.sku_name)
+  enable_rbac_authorization     = var.enable_rbac_authorization
+  public_network_access_enabled = var.public_network_access_enabled
+
+  soft_delete_retention_days = var.soft_delete_retention_days
+  purge_protection_enabled   = var.purge_protection_enabled
+
+  network_acls {
+    default_action             = var.network_default_action
+    bypass                     = var.network_bypass
+    ip_rules                   = var.ip_rules
+    virtual_network_subnet_ids = var.virtual_network_subnet_ids
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    azurerm_resource_group.example
+  ]
+}

4_identity-security/key-vault/outputs.tf

@@ -0,0 +1,27 @@
+# outputs.tf
+# This file defines the outputs of the Terraform configuration.
+
+output "key_vault_id" {
+  description = "The resource ID of the Key Vault."
+  value       = azurerm_key_vault.example.id
+}
+
+output "key_vault_name" {
+  description = "The name of the Key Vault."
+  value       = azurerm_key_vault.example.name
+}
+
+output "key_vault_uri" {
+  description = "The DNS name (vault URI) of the Key Vault."
+  value       = azurerm_key_vault.example.vault_uri
+}
+
+output "resource_group_name" {
+  description = "The name of the Resource Group created for this template."
+  value       = azurerm_resource_group.example.name
+}
+
+output "tenant_id" {
+  description = "The tenant ID used for the Key Vault."
+  value       = local.effective_tenant_id
+}

4_identity-security/key-vault/provider.tf

@@ -0,0 +1,32 @@
+# provider.tf
+# This file configures the Azure provider to interact with Azure resources.
+# It specifies the required provider and its version, along with provider-specific configurations.
+
+terraform {
+  required_version = ">= 1.8, < 2.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm" # Source of the AzureRM provider
+      version = "~> 3.116"          # Version of the AzureRM provider
+    }
+
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.5"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+
+  # Uses the current Azure CLI context (az login + az account set)
+  skip_provider_registration = false
+}
+
+provider "random" {}

4_identity-security/key-vault/terraform.tfvars

@@ -0,0 +1,29 @@
+# Example values for the Key Vault template
+
+resource_group_name = "rg-identity-security-dev"
+location            = "East US"
+key_vault_name      = "kvidentitydev001"
+
+# Key Vault names are globally unique; keep this true to avoid collisions.
+key_vault_name_use_random_suffix = true
+
+
+
+# Optional
+sku_name                      = "standard"
+enable_rbac_authorization     = true
+public_network_access_enabled = true
+soft_delete_retention_days    = 90
+purge_protection_enabled      = false
+
+tags = {
+  env   = "dev"
+  app   = "identity-security"
+  owner = "terraform"
+}
+
+# Network ACLs (optional)
+network_default_action     = "Allow"
+network_bypass             = "AzureServices"
+ip_rules                   = []
+virtual_network_subnet_ids = []

4_identity-security/key-vault/variables.tf

@@ -0,0 +1,108 @@
+# variables.tf
+# This file defines the input variables used in the Terraform configuration.
+
+variable "resource_group_name" {
+  description = "The name of the Azure Resource Group to associate the Key Vault with."
+  type        = string
+}
+
+variable "location" {
+  description = "The Azure region where the Resource Group will be created."
+  type        = string
+}
+
+variable "key_vault_name" {
+  description = "The base name of the Azure Key Vault to create (3-24 characters, alphanumeric only)."
+  type        = string
+
+  validation {
+    condition     = can(regex("^[0-9A-Za-z]{3,24}$", var.key_vault_name))
+    error_message = "key_vault_name must be 3-24 characters and alphanumeric only (A-Z, a-z, 0-9)."
+  }
+}
+
+variable "key_vault_name_use_random_suffix" {
+  description = "When true, appends a short random suffix to the Key Vault name to avoid global name collisions."
+  type        = bool
+  default     = true
+}
+
+variable "sku_name" {
+  description = "The SKU name for Key Vault. Valid values: standard, premium."
+  type        = string
+  default     = "standard"
+
+  validation {
+    condition     = contains(["standard", "premium"], lower(var.sku_name))
+    error_message = "sku_name must be either 'standard' or 'premium'."
+  }
+}
+
+variable "enable_rbac_authorization" {
+  description = "When true, Key Vault data-plane access is controlled via Azure RBAC instead of access policies."
+  type        = bool
+  default     = true
+}
+
+variable "public_network_access_enabled" {
+  description = "When true, allows public network access to the Key Vault (subject to firewall rules)."
+  type        = bool
+  default     = true
+}
+
+variable "soft_delete_retention_days" {
+  description = "Number of days to retain soft-deleted vaults, keys, secrets, and certificates."
+  type        = number
+  default     = 90
+
+  validation {
+    condition     = var.soft_delete_retention_days >= 7 && var.soft_delete_retention_days <= 90
+    error_message = "soft_delete_retention_days must be between 7 and 90."
+  }
+}
+
+variable "purge_protection_enabled" {
+  description = "Enable purge protection (recommended for production; can affect destroy workflows)."
+  type        = bool
+  default     = false
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the resources."
+  type        = map(string)
+  default     = {}
+}
+
+variable "network_default_action" {
+  description = "Default action for Key Vault network ACLs. Valid values: Allow, Deny."
+  type        = string
+  default     = "Allow"
+
+  validation {
+    condition     = contains(["Allow", "Deny"], var.network_default_action)
+    error_message = "network_default_action must be either 'Allow' or 'Deny'."
+  }
+}
+
+variable "network_bypass" {
+  description = "Specifies which traffic can bypass the firewall. Valid values: AzureServices, None."
+  type        = string
+  default     = "AzureServices"
+
+  validation {
+    condition     = contains(["AzureServices", "None"], var.network_bypass)
+    error_message = "network_bypass must be either 'AzureServices' or 'None'."
+  }
+}
+
+variable "ip_rules" {
+  description = "List of public IPs/CIDRs permitted to access the Key Vault when network ACLs are enabled."
+  type        = list(string)
+  default     = []
+}
+
+variable "virtual_network_subnet_ids" {
+  description = "List of subnet resource IDs permitted to access the Key Vault when network ACLs are enabled."
+  type        = list(string)
+  default     = []
+}