# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Azure AD (Entra ID) provider. No tenant or credentials are configured here,
# so they presumably come from the environment (env vars / CLI login) — confirm
# this matches how the tests are run in CI.
provider "azuread" {}
# Azure Resource Manager provider. The empty features block is required by the
# azurerm provider; no provider feature flags are customised here.
provider "azurerm" {
  features {}
}
# Identity of the caller running Terraform: supplies subscription_id and
# tenant_id to the environment file and the outputs below.
data "azurerm_client_config" "current" {}
# Current subscription; its id is the scope of the RBAC role assignment below.
data "azurerm_subscription" "current" {}
# Well-known Microsoft first-party application ids; only result.MicrosoftGraph
# is used here (as the resource app id and to look up the Graph service principal).
data "azuread_application_published_app_ids" "well_known" {}
# Azure AD identity of the caller; its object_id becomes the owner of the test group.
data "azuread_client_config" "current" {}
locals {
  # App-role (application permission) ids resolved from the Microsoft Graph
  # service principal. Both are tenant-wide permissions, not scoped to objects
  # the test application owns.
  # NOTE: despite the local's name, this is Application.ReadWrite.All (manage
  # every application registration in the tenant), not the narrower
  # Application.ReadWrite.OwnedBy.
  app_rw_owned_by_id = azuread_service_principal.ms_graph.app_role_ids["Application.ReadWrite.All"]
  # GroupMember.ReadWrite.All: add and remove members of any group in the tenant.
  group_rw_all_id = azuread_service_principal.ms_graph.app_role_ids["GroupMember.ReadWrite.All"]
}
# Four random bytes (8 hex characters) appended to resource names so that
# repeated test runs do not collide on the resource group or group name.
resource "random_id" "random" {
  byte_length = 4
}
# Resource group the tests operate in; its name is exported as
# AZURE_TEST_RESOURCE_GROUP and as the resource_group_name output.
resource "azurerm_resource_group" "vault_azure_rg" {
  name     = "vault_azure_tests_${random_id.random.hex}"
  location = var.region
}
# Application registration used by the Vault Azure secrets engine under test.
# It requests two Microsoft Graph application permissions (the app-role ids in
# locals); consent for them is granted by the azuread_app_role_assignment
# resources further down.
resource "azuread_application" "vault_azure_app" {
  display_name = "vault_azure_tests"

  # Details at https://learn.microsoft.com/en-us/graph/permissions-reference
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # One resource_access entry per requested app role; both are application
    # ("Role") permissions rather than delegated ("Scope") ones.
    dynamic "resource_access" {
      for_each = [local.app_rw_owned_by_id, local.group_rw_all_id]
      content {
        id   = resource_access.value
        type = "Role" # Application type
      }
    }
  }
}
# Service principal of Microsoft Graph in this tenant. use_existing adopts the
# already-present Graph principal instead of creating a new one; it is only
# needed to resolve app_role_ids (see locals) and as the resource for the
# app-role assignments.
resource "azuread_service_principal" "ms_graph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}
# Service principal for the test application; this is the identity that
# receives the Graph app roles and the subscription RBAC role below.
resource "azuread_service_principal" "vault_azure_sp" {
  application_id = azuread_application.vault_azure_app.application_id
}
# Client secret for the test service principal; exported as AZURE_CLIENT_SECRET
# and the client_secret output. The plaintext value is stored in Terraform state.
# NOTE(review): no end_date / end_date_relative is set, so the provider default
# expiry applies — confirm that is acceptable for a test credential that holds
# tenant-wide Graph permissions.
resource "azuread_service_principal_password" "vault_azure_sp_pwd" {
  service_principal_id = azuread_service_principal.vault_azure_sp.id
}
# Grants the Application.ReadWrite.All app role (local.app_rw_owned_by_id) on
# the Microsoft Graph principal to the test service principal, i.e. tenant-wide
# admin consent for that permission.
resource "azuread_app_role_assignment" "app_admin_consent" {
  app_role_id         = local.app_rw_owned_by_id
  principal_object_id = azuread_service_principal.vault_azure_sp.object_id
  resource_object_id  = azuread_service_principal.ms_graph.object_id
}
# Grants the GroupMember.ReadWrite.All app role (local.group_rw_all_id) on the
# Microsoft Graph principal to the test service principal (admin consent).
resource "azuread_app_role_assignment" "group_admin_consent" {
  app_role_id         = local.group_rw_all_id
  principal_object_id = azuread_service_principal.vault_azure_sp.object_id
  resource_object_id  = azuread_service_principal.ms_graph.object_id
}
# Subscription-wide RBAC role for the test service principal.
# NOTE(review): despite the "read" in the resource name this is not a read-only
# role — User Access Administrator at subscription scope lets the principal
# manage role assignments across the entire subscription. Presumably needed so
# the secrets engine can assign roles to the dynamic principals it creates;
# confirm whether resource-group scope would suffice for least privilege.
resource "azurerm_role_assignment" "vault_sp_read_assignment" {
  role_definition_name = "User Access Administrator"
  scope                = data.azurerm_subscription.current.id
  principal_id         = azuread_service_principal.vault_azure_sp.object_id
}
# Security group the tests add members to; owned by the Terraform caller and
# exported as AZURE_GROUP_NAME / the group_name output.
resource "azuread_group" "test_group" {
  display_name     = "azure-secrets-engine-test-group-${random_id.random.hex}"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}
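# Writes a shell snippet exporting the test environment, including the service
# principal's client secret. The file is therefore a credential on disk: it is
# created owner-readable only, and every value is quoted so a secret containing
# shell-special characters (e.g. a leading "~", which the shell would otherwise
# tilde-expand in an assignment) is exported verbatim. The content is also
# recorded in Terraform state.
resource "local_file" "setup_environment_file" {
  filename = "local_environment_setup.sh"

  # local_file defaults to mode 0777; restrict the secret to the owner.
  file_permission = "0600"

  content = <<-EOF
    export AZURE_TEST_RESOURCE_GROUP="${azurerm_resource_group.vault_azure_rg.name}"
    export AZURE_SUBSCRIPTION_ID="${data.azurerm_client_config.current.subscription_id}"
    export AZURE_TENANT_ID="${data.azurerm_client_config.current.tenant_id}"
    export AZURE_GROUP_NAME="${azuread_group.test_group.display_name}"
    export AZURE_APPLICATION_OBJECT_ID="${azuread_application.vault_azure_app.object_id}"
    export AZURE_CLIENT_ID="${azuread_application.vault_azure_app.application_id}"
    export AZURE_CLIENT_SECRET="${azuread_service_principal_password.vault_azure_sp_pwd.value}"
  EOF
}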
# Name of the per-run resource group (same value as AZURE_TEST_RESOURCE_GROUP).
output "resource_group_name" {
  value = azurerm_resource_group.vault_azure_rg.name
}
# Subscription the tests run in (same value as AZURE_SUBSCRIPTION_ID).
output "subscription_id" {
  value = data.azurerm_client_config.current.subscription_id
}
# Tenant of the caller (same value as AZURE_TENANT_ID).
output "tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}
# Display name of the test security group (same value as AZURE_GROUP_NAME).
output "group_name" {
  value = azuread_group.test_group.display_name
}
# Application Object ID for an existing service principal that can be used
# instead of creating dynamic service principals
# https://developer.hashicorp.com/vault/api-docs/secret/azure#application_object_id
# (same value as AZURE_APPLICATION_OBJECT_ID in the environment file)
output "application_object_id" {
  value = azuread_application.vault_azure_app.object_id
}
# Client (application) id of the test application (same value as AZURE_CLIENT_ID).
output "client_id" {
  value = azuread_application.vault_azure_app.application_id
}
# Client secret of the test service principal. sensitive = true redacts it from
# plan/apply and `terraform output` listings, but the plaintext value is still
# present in state and in the local environment file written above.
output "client_secret" {
  value     = azuread_service_principal_password.vault_azure_sp_pwd.value
  sensitive = true
}