Updates prior to release

mbrancato · Dec 28, 2020 · 6755551 · 6755551
1 parent 0db7513
commit 6755551
Show file tree

Hide file tree

Showing 4 changed files with 232 additions and 96 deletions.
diff --git a/README.md b/README.md
@@ -1,17 +1,40 @@
 # Vault Azure App Service Module
 
 This is a Terraform module to deploy a [Vault](https://www.vaultproject.io/)
-instance on
-[Azure Web App for Containers](https://azure.microsoft.com/en-us/services/app-service/containers/)
+instance on [Azure Web App for Containers](https://azure.microsoft.com/en-us/services/app-service/containers/)
 service. Vault is an open-source secrets management tool that generally is run
 in a high-availability (HA) cluster. This implementation is a single instance
-with auto-unseal and no HA support. Azure Web App for Containers is a way easily run a container on Azure without an orchestrator. This module makes use of the
-following Azure resources:
+with auto-unseal and no HA support. Azure Web App for Containers is a way 
+easily run a container on Azure without an orchestrator. This module makes use 
+of the following Azure resources:
 
 * Azure App Service
 * Azure Storage
 * Azure Key Vault
 
+---
+## Table of Contents
+
+- [Getting Started](#getting-started)
+- [Variables](#variables)
+  - [`name`](#name)
+  - [`location`](#location)
+  - [`resource_group_name`](#project)
+  - [`vault_image`](#vault_image-optional)
+  - [`vault_ui`](#vault_ui-optional)
+  - [`vault_api_addr`](#vault_api_addr-optional)
+  - [`vault_key_vault_tier`](#vault_key_vault_tier-optional)
+  - [`vault_key_name`](#vault_key_name-optional)
+  - [`vault_key_type`](#vault_key_type-optional)
+  - [`vault_key_size`](#vault_key_size-optional)
+  - [`vault_service_plan_tier`](#vault_service_plan_tier-optional)
+  - [`vault_service_plan_size`](#vault_service_plan_size-optional)
+  - [`vault_continuous_deployment`](#vault_continuous_deployment-optional)
+  - [`vault_storage_account_kind`](#vault_storage_account_kind-optional)
+  - [`vault_storage_account_tier`](#vault_storage_account_tier-optional)
+  - [`vault_storage_account_replication`](#vault_storage_account_replication-optional)
+- [Security Concerns](#security-concerns)
+
 ## Getting Started
 
 To get started, you'll need a resource group to deploy the resources. Due to
@@ -28,9 +51,9 @@ resource "azurerm_resource_group" "vault" {
 }
 
 module "vault" {
-  source              = "github.com/mbrancato/terraform-azure-vault"
+  source              = "mbrancato/vault/azure"
   name                = "vault"
-  resource_group_name = "${azurerm_resource_group.vault.name}"
+  resource_group_name = azurerm_resource_group.vault.name
   location            = "eastus"
 }
 
@@ -91,11 +114,75 @@ unseal itself automatically using the Azure Key Vault. For more information on
 deploying Vault, read
 [Deploy Vault](https://learn.hashicorp.com/vault/getting-started/deploy).
 
+## Variables
+
+### `name`
+- Application name.
+
+### `location`
+- Azure location where resources are to be created.
+
+### `resource_group_name`
+- Azure resource group where resources are to be created.
+
+### `vault_image` (optional)
+- Vault container image.
+  - See the [official docker image](https://hub.docker.com/_/vault).
+  - default - `"vault:1.6.1""`
+
+### `vault_ui` (optional)
+- Enable Vault UI.
+  - default - `false`
+
+### `vault_api_addr` (optional)
+- Full HTTP endpoint of Vault Server if using a custom domain name. Leave blank otherwise.
+  - default - `""`
+
+### `vault_key_vault_tier` (optional)
+- Azure KeyVault service tier (Standard or Premium).
+  - default - `"Standard"`
+
+### `vault_key_name` (optional)
+- Azure KeyVault key name.
+  - default - `"vault-key"`
+
+### `vault_key_type` (optional)
+- Azure KeyVault cryptographic key type.
+  - Specify the [key type](https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys#key-types-and-protection-methods).
+  - default - `"RSA"`
+
+### `vault_key_size` (optional)
+- Azure KeyVault cryptographic key size.
+  - default - `2048`
+
+### `vault_service_plan_tier` (optional)
+- Azure App Service Plan tier.
+  -default - `"Free"`
+
+### `vault_service_plan_size` (optional)
+- Azure App Service Plan size.
+  -default - `"F1"`
+
+### `vault_continuous_deployment` (optional)
+- Enable continuous deployment of new container tags (e.g. latest).
+  - default - `false`
+
+### `vault_storage_account_kind` (optional)
+- Azure Service Account kind.
+  - default - `"Storage"`
+
+### `vault_storage_account_tier` (optional)
+- Azure Service Account tier.
+  -default - `"Free"`
+
+### `vault_storage_account_replication` (optional)
+- Azure Service Account replication type.
+  -default - `"LRS"`
+
 ## Security Concerns
 
 The following things may be of concern from a security perspective:
 
-* This is a publicly accessible Vault instance. Anyone with the DNS name can connect to it.
-* The Terraform state will contain secrets. You may consider deleting it.
-* App Service environment variables will contain secrets including credentials to read the unseal key.
+* This is a publicly accessible Vault instance. Anyone with the DNS name can connect to it. If you are interested in private endpoint support, open an issue.
+* App Service environment variables will contain secrets including credentials to read the unseal key. Once managed service identities are supported fully by Vault on App Service, this should go away.
 * By default, Vault is running on a shared compute instance for the App Service plan.
diff --git a/main.tf b/main.tf
@@ -1,52 +1,48 @@
-provider "azurerm" {
-  version = "~> 1.35"
-}
-
-provider "azuread" {}
-
 data "azurerm_client_config" "current" {}
 
 locals {
   vault_config = jsonencode(
     {
-      "storage" : {
-        "azure" : {
-          "accountName" : "${azurerm_storage_account.vault.name}"
-          "accountKey" : "${azurerm_storage_account.vault.primary_access_key}"
-          "container" : "vault"
-          "environment" : "AzurePublicCloud"
+      storage = {
+        azure = {
+          accountName = azurerm_storage_account.vault.name
+          accountKey  = azurerm_storage_account.vault.primary_access_key
+          container   = azurerm_storage_container.vault.name
+          environment = "AzurePublicCloud"
         }
-      },
-      "seal" : {
-        "azurekeyvault" : {
-          "client_id" : "${azuread_service_principal.vault.application_id}",
-          "client_secret" : "${random_string.vault_sp_password.result}",
-          "tenant_id" : "${data.azurerm_client_config.current.tenant_id}",
-          "vault_name" : "${azurerm_key_vault.vault.name}",
-          "key_name" : "${var.key_name}"
+      }
+      seal = {
+        azurekeyvault = {
+          client_id     = azuread_service_principal.vault.application_id
+          client_secret = random_string.vault_sp_password.result
+          tenant_id     = data.azurerm_client_config.current.tenant_id
+          vault_name    = azurerm_key_vault.vault.name
+          key_name      = var.vault_key_name
         }
-      },
-      "default_lease_ttl" : "168h",
-      "max_lease_ttl" : "720h",
-      "disable_mlock" : "true",
-      "listener" : {
-        "tcp" : {
-          "address" : "0.0.0.0:8200",
-          "tls_disable" : "1"
+      }
+      default_lease_ttl = "168h"
+      max_lease_ttl     = "720h"
+      disable_mlock     = "true"
+      listener = {
+        tcp = {
+          address     = "0.0.0.0:8200"
+          tls_disable = "1"
         }
       }
+      ui = var.vault_ui
     }
   )
 }
 
 # Create a Service Principal for Vault
+# TODO: When some MSI things are fixed, remove SP usage.
 resource "azuread_application" "vault" {
   name                       = "${var.name}-sp"
   available_to_other_tenants = false
 }
 
 resource "azuread_service_principal" "vault" {
-  application_id = "${azuread_application.vault.application_id}"
+  application_id = azuread_application.vault.application_id
 }
 
 resource "random_string" "vault_sp_password" {
@@ -55,8 +51,8 @@ resource "random_string" "vault_sp_password" {
 }
 
 resource "azuread_service_principal_password" "vault" {
-  service_principal_id = "${azuread_service_principal.vault.id}"
-  value                = "${random_string.vault_sp_password.result}"
+  service_principal_id = azuread_service_principal.vault.id
+  value                = random_string.vault_sp_password.result
   end_date             = "2099-01-01T00:00:00Z"
 }
 
@@ -67,18 +63,18 @@ resource "random_id" "vault" {
 # Create an Azure Key Vault for Vault
 resource "azurerm_key_vault" "vault" {
   name                        = "${var.name}-${lower(random_id.vault.hex)}-kv"
-  location                    = "${var.location}"
-  resource_group_name         = "${var.resource_group_name}"
+  location                    = var.location
+  resource_group_name         = var.resource_group_name
   enabled_for_deployment      = true
   enabled_for_disk_encryption = true
-  tenant_id                   = "${data.azurerm_client_config.current.tenant_id}"
-  sku_name                    = "${lower(var.key_vault_tier)}"
+  tenant_id                   = data.azurerm_client_config.current.tenant_id
+  sku_name                    = lower(var.vault_key_vault_tier)
 }
 
 resource "azurerm_key_vault_access_policy" "vault_sp" {
-  key_vault_id = "${azurerm_key_vault.vault.id}"
-  tenant_id    = "${data.azurerm_client_config.current.tenant_id}"
-  object_id    = "${azuread_service_principal.vault.object_id}"
+  key_vault_id = azurerm_key_vault.vault.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = azuread_service_principal.vault.object_id
 
   key_permissions = [
     "get",
@@ -92,9 +88,9 @@ resource "azurerm_key_vault_access_policy" "vault_sp" {
 }
 
 resource "azurerm_key_vault_access_policy" "azure_account" {
-  key_vault_id = "${azurerm_key_vault.vault.id}"
-  tenant_id    = "${data.azurerm_client_config.current.tenant_id}"
-  object_id    = "${data.azurerm_client_config.current.object_id}"
+  key_vault_id = azurerm_key_vault.vault.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
 
   key_permissions = [
     "get",
@@ -104,10 +100,10 @@ resource "azurerm_key_vault_access_policy" "azure_account" {
 }
 
 resource "azurerm_key_vault_key" "vault" {
-  name         = "${var.key_name}"
-  key_vault_id = "${azurerm_key_vault.vault.id}"
-  key_type     = "RSA"
-  key_size     = 2048
+  name         = var.vault_key_name
+  key_vault_id = azurerm_key_vault.vault.id
+  key_type     = var.vault_key_type
+  key_size     = var.vault_key_size
 
   key_opts = [
     "decrypt",
@@ -124,43 +120,44 @@ resource "azurerm_key_vault_key" "vault" {
 # Create an Azure Storage Account for Vault
 resource "azurerm_storage_account" "vault" {
   name                     = "${replace(replace(var.name, "_", ""), "-", "")}${lower(random_id.vault.hex)}"
-  location                 = "${var.location}"
-  resource_group_name      = "${var.resource_group_name}"
-  account_tier             = "Standard"
-  account_replication_type = "LRS"
+  location                 = var.location
+  resource_group_name      = var.resource_group_name
+  account_kind             = var.vault_storage_account_kind
+  account_tier             = var.vault_storage_account_tier
+  account_replication_type = var.vault_storage_account_replication
 }
 
 resource "azurerm_storage_container" "vault" {
   name                  = "vault"
-  storage_account_name  = "${azurerm_storage_account.vault.name}"
+  storage_account_name  = azurerm_storage_account.vault.name
   container_access_type = "private"
 }
 
 # Deploy Vault on Azure App Service
 resource "azurerm_app_service_plan" "vault" {
   name                = "${var.name}-plan"
-  location            = "${var.location}"
-  resource_group_name = "${var.resource_group_name}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
   kind                = "Linux"
   reserved            = true
 
   sku {
-    tier = "${var.service_plan_tier}"
-    size = "${var.service_plan_size}"
+    tier     = var.vault_service_plan_tier
+    size     = var.vault_service_plan_size
+    capacity = 1
   }
-
 }
 
 resource "azurerm_app_service" "vault" {
   name                = "${var.name}-${lower(random_id.vault.hex)}-as"
-  location            = "${var.location}"
-  resource_group_name = "${var.resource_group_name}"
-  app_service_plan_id = "${azurerm_app_service_plan.vault.id}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  app_service_plan_id = azurerm_app_service_plan.vault.id
   https_only          = true
 
   site_config {
     app_command_line          = "server"
-    linux_fx_version          = "DOCKER|vault:${var.vault_version}"
+    linux_fx_version          = "DOCKER|${var.vault_image}"
     use_32_bit_worker_process = true
     ftps_state                = "Disabled"
   }
@@ -170,19 +167,12 @@ resource "azurerm_app_service" "vault" {
     "WEBSITES_PORT"                       = "8200"
     "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
     "DOCKER_REGISTRY_SERVER_URL"          = "https://index.docker.io"
-    "DOCKER_ENABLE_CI"                    = "${var.enable_continuous_deployment}"
-    "VAULT_LOCAL_CONFIG"                  = "${local.vault_config}"
+    "DOCKER_ENABLE_CI"                    = var.vault_continuous_deployment
+    "VAULT_LOCAL_CONFIG"                  = local.vault_config
+    "VAULT_API_ADDR"                      = var.vault_api_addr
   }
 }
 
 output "vault_addr" {
-  value = <<VAULT
-
-    Connect to Vault by setting the VAULT_ADDR
-
-    $ export VAULT_ADDR=https://${azurerm_app_service.vault.default_site_hostname}
-
-
-VAULT
-
+  value = azurerm_app_service.vault.default_site_hostname
 }