This reference architecture module provisions a Key Vault in its own Resource Group. Based on the inputs provided, it can also provision a Private Key Vault with private endpoints in a provided subnet.
.pre-commit-config.yaml file defines certain pre-commit hooks that are relevant to terraform, golang and common linting tasks. There are no custom hooks added.
commitlint hook enforces commit message in certain format. The commit contains the following structural elements, to communicate intent to the consumers of your commit messages:
- fix: a commit of the type
fixpatches a bug in your codebase (this correlates with PATCH in Semantic Versioning). - feat: a commit of the type
featintroduces a new feature to the codebase (this correlates with MINOR in Semantic Versioning). - BREAKING CHANGE: a commit that has a footer
BREAKING CHANGE:, or appends a!after the type/scope, introduces a breaking API change (correlating with MAJOR in Semantic Versioning). A BREAKING CHANGE can be part of commits of any type. footers other than BREAKING CHANGE: may be provided and follow a convention similar to git trailer format. - build: a commit of the type
buildadds changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm) - chore: a commit of the type
choreadds changes that don't modify src or test files - ci: a commit of the type
ciadds changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs) - docs: a commit of the type
docsadds documentation only changes - perf: a commit of the type
perfadds code change that improves performance - refactor: a commit of the type
refactoradds code change that neither fixes a bug nor adds a feature - revert: a commit of the type
revertreverts a previous commit - style: a commit of the type
styleadds code changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc) - test: a commit of the type
testadds missing tests or correcting existing tests
Base configuration used for this project is commitlint-config-conventional (based on the Angular convention)
If you are a developer using vscode, this plugin may be helpful.
detect-secrets-hook prevents new secrets from being introduced into the baseline. TODO: INSERT DOC LINK ABOUT HOOKS
In order for pre-commit hooks to work properly
- You need to have the pre-commit package manager installed. Here are the installation instructions.
pre-commitwould install all the hooks when commit message is added by default except forcommitlinthook.commitlinthook would need to be installed manually using the command below
pre-commit install --hook-type commit-msg
- For development/enhancements to this module locally, you'll need to install all of its components. This is controlled by the
configuretarget in the project'sMakefile. Before you can runconfigure, familiarize yourself with the variables in theMakefileand ensure they're pointing to the right places.
make configure
This adds in several files and directories that are ignored by git. They expose many new Make targets.
- THIS STEP APPLIES ONLY TO MICROSOFT AZURE. IF YOU ARE USING A DIFFERENT PLATFORM PLEASE SKIP THIS STEP. The first target you care about is
env. This is the common interface for setting up environment variables. The values of the environment variables will be used to authenticate with cloud provider from local development workstation.
make configure command will bring down azure_env.sh file on local workstation. Devloper would need to modify this file, replace the environment variable values with relevant values.
These environment variables are used by terratest integration suit.
Service principle used for authentication(value of ARM_CLIENT_ID) should have below privileges on resource group within the subscription.
"Microsoft.Resources/subscriptions/resourceGroups/write"
"Microsoft.Resources/subscriptions/resourceGroups/read"
"Microsoft.Resources/subscriptions/resourceGroups/delete"
Then run this make target to set the environment variables on developer workstation.
make env
- The first target you care about is
check.
Pre-requisites
Before running this target it is important to ensure that, developer has created files mentioned below on local workstation under root directory of git repository that contains code for primitives/segments. Note that these files are azure specific. If primitive/segment under development uses any other cloud provider than azure, this section may not be relevant.
- A file named
provider.tfwith contents below
provider "azurerm" {
features {}
}
- A file named
terraform.tfvarswhich contains key value pair of variables used.
Note that since these files are added in gitignore they would not be checked in into primitive/segment's git repo.
After creating these files, for running tests associated with the primitive/segment, run
make check
If make check target is successful, developer is good to commit the code to primitive/segment's git repo.
make check target
- runs
terraform commandstolint,validateandplanterraform code. - runs
conftests.conftestsmake surepolicychecks are successful. - runs
terratest. This is integration test suit. - runs
opatests
| Name | Version |
|---|---|
| terraform | ~> 1.0 |
| azurerm | ~> 3.77 |
No providers.
| Name | Source | Version |
|---|---|---|
| resource_names | terraform.registry.launch.nttdata.com/module_library/resource_name/launch | ~> 2.0 |
| resource_group | terraform.registry.launch.nttdata.com/module_primitive/resource_group/azurerm | ~> 1.0 |
| key_vault | terraform.registry.launch.nttdata.com/module_primitive/key_vault/azurerm | ~> 2.0 |
| role_assignment | terraform.registry.launch.nttdata.com/module_primitive/role_assignment/azurerm | ~> 1.0 |
| secrets | terraform.registry.launch.nttdata.com/module_primitive/key_vault_secret/azurerm | ~> 1.0 |
| imported_certificates | terraform.registry.launch.nttdata.com/module_primitive/key_vault_certificate/azurerm | ~> 1.0 |
| certificate_issuers | terraform.registry.launch.nttdata.com/module_primitive/key_vault_certificate_issuer/azurerm | ~> 1.0 |
| generated_certificates | terraform.registry.launch.nttdata.com/module_primitive/key_vault_certificate/azurerm | ~> 1.0 |
| private_endpoint | terraform.registry.launch.nttdata.com/module_primitive/private_endpoint/azurerm | ~> 1.0 |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| location | Location of the resource group and other services in this module. | string |
n/a | yes |
| key_vault_name | (Optional) If specified, this module will use this name for key vault else the naming module will create a name. Length must be less than 24 characters |
string |
null |
no |
| enabled_for_deployment | If Azure VM is permitted to retrieve secrets | bool |
false |
no |
| enabled_for_template_deployment | If Azure RM is permitted to retrieve secrets | bool |
false |
no |
| soft_delete_retention_days | Number of retention days for soft delete | number |
7 |
no |
| purge_protection_enabled | If purge_protection is enabled | bool |
false |
no |
| sku_name | SKU for the key vault - standard or premium | string |
"standard" |
no |
| access_policies | Additional Access policies for the vault except the current user which are added by default. Required only when enable_rbac_authorization is set to false. |
map(object({ |
{} |
no |
| enable_rbac_authorization | Enable RBAC authorization for the key vault | bool |
false |
no |
| network_acls | Network ACLs for the key vault | object({ |
{ |
no |
| public_network_access_enabled | (Optional) Whether public network access is allowed for this Key Vault. Defaults to true. If false, then only private endpoints can access the Key Vault. |
bool |
true |
no |
| certificates | List of certificates to be imported. If filepath is specified then the pfx files should be present in the root of the module (path.root). If content is specified then the content of the certificate should be provided in base 64 encoded format. Only one of them should be provided. |
map(object({ |
{} |
no |
| certificate_issuers | List of certificate issuers to be created | map(object({ |
{} |
no |
| generated_certificates | List of certificates to be generated using an issuer. | map(object({ |
{} |
no |
| secrets | List of secrets (name and value) | map(string) |
{} |
no |
| resource_names_map | A map of key to resource_name that will be used by tf-launch-module_library-resource_name to generate resource names | map(object({ |
{ |
no |
| environment | Environment in which the resource should be provisioned like dev, qa, prod etc. | string |
n/a | yes |
| environment_number | The environment count for the respective environment. Defaults to 000. Increments in value of 1 | string |
"000" |
no |
| resource_number | The resource count for the respective resource. Defaults to 000. Increments in value of 1 | string |
"000" |
no |
| logical_product_family | (Required) Name of the product family for which the resource is created. Example: org_name, department_name. |
string |
n/a | yes |
| logical_product_service | (Required) Name of the product service for which the resource is created. For example, backend, frontend, middleware etc. |
string |
n/a | yes |
| use_azure_region_abbr | Use Azure region abbreviation in the resource name | bool |
true |
no |
| role_assignments | A map of role assignments to be created | map(object({ |
{} |
no |
| subnet_id | The ID of the Subnet from which Private IP Addresses will be allocated for this Private Endpoint. Changing this forces a new resource to be created. |
string |
null |
no |
| private_dns_zone_ids | A list of Private DNS Zone IDs to link with the Private Endpoint. | list(string) |
[] |
no |
| private_dns_zone_group_name | Specifies the Name of the Private DNS Zone Group. | string |
"vault" |
no |
| is_manual_connection | Does the Private Endpoint require Manual Approval from the remote resource owner? Changing this forces a new resource to be created. |
bool |
false |
no |
| subresource_names | A list of subresource names which the Private Endpoint is able to connect to. subresource_names corresponds to group_id. Possible values are detailed in the product documentation in the Subresources column. https://docs.microsoft.com/azure/private-link/private-endpoint-overview#private-link-resource |
list(string) |
[ |
no |
| request_message | A message passed to the owner of the remote resource when the private endpoint attempts to establish the connection to the remote resource. The request message can be a maximum of 140 characters in length. Only valid if is_manual_connection=true |
string |
"" |
no |
| tags | A map of tags to be associated with the resources | map(string) |
{} |
no |
| Name | Description |
|---|---|
| resource_group_id | ID of the Resource Group |
| resource_group_name | Name of the Resource Group |
| key_vault_id | ID of the Key Vault |
| vault_uri | URI of the Key Vault |
| access_policies_object_ids | Object IDs of the Key Vault Access Policies |
| key_vault_name | Name of the Key Vault |
| private_endpoint_id | ID of the Private Endpoint |
| certificate_ids | IDs of the certificates from the Key Vault in the reference module |
| secret_ids | IDs of the secrets from the Key Vault in the reference module |
| key_ids | IDs of the keys from the Key Vault in the reference module |