Skip to content

Commit

Permalink
fix: tf destroy issue fixed
Browse files Browse the repository at this point in the history
  • Loading branch information
cloudlovely committed Jan 18, 2024
1 parent a2dce2c commit 3c52c42
Show file tree
Hide file tree
Showing 6 changed files with 87 additions and 80 deletions.
67 changes: 31 additions & 36 deletions README.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -40,48 +40,40 @@ include:
usage: |-
### Simple Example
Here is an example of how you can use this module in your inventory structure:
#### default storage
#### storage account without cmk encryption
```hcl
module "storage" {
depends_on = [module.resource_group]
source = "clouddrove/storage/azure"
name = "app"
environment = "test"
label_order = ["name", "environment"]
default_enabled = true
resource_group_name = module.resource_group.resource_group_name
location = module.resource_group.resource_group_location
storage_account_name = "stordtyre236"
source = "../.."
name = local.name
environment = local.environment
label_order = local.label_order
resource_group_name = "test-rg"
location = "Central India"
storage_account_name = "storage7386"
public_network_access_enabled = true
account_kind = "StorageV2"
account_tier = "Standard"
account_replication_type = "GRS"
## Encryption is not enabled for this Storage account
cmk_encryption_enabled = false
## Storage Container
containers_list = [
{ name = "app-test", access_type = "private" },
{ name = "app2", access_type = "private" },
]
## Storage File Share
file_shares = [
{ name = "fileshare1", quota = 5 },
]
## Storage Tables
tables = ["table1"]
## Storage Queues
queues = ["queue1"]
file_shares = [
{ name = "fileshare", quota = "10" },
]
management_policy_enable = true
#enable private endpoint
virtual_network_id = module.vnet.vnet_id[0]
subnet_id = module.subnet.default_subnet_id[0]
log_analytics_workspace_id = module.log-analytics.workspace_id
virtual_network_id = "/subscriptions/--------------<vnet_id>---------------"
subnet_id = "/subscriptions/--------------<subnet_id>---------------"
log_analytics_workspace_id = "/subscriptions/--------------<log_analytics_workspace_id>---------------"
}
```
#### storage with cmk encryption
#### storage account with cmk encryption
```hcl
module "storage" {
source = "../.."
Expand All @@ -90,27 +82,30 @@ usage: |-
label_order = local.label_order
resource_group_name = module.resource_group.resource_group_name
location = module.resource_group.resource_group_location
storage_account_name = "storage877656"
storage_account_name = "storage874682"
public_network_access_enabled = true
account_kind = "StorageV2"
account_tier = "Standard"
identity_type = "UserAssigned"
object_id = [data.azurerm_client_config.current_client_config.object_id]
account_replication_type = "ZRS"
cmk_enabled = true
cmk_encryption_enabled = true
admin_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
key_vault_id = module.vault.id
## Storage Container
containers_list = [
{ name = "app-test", access_type = "private" },
]
tables = ["table1"]
queues = ["queue1"]
file_shares = [
{ name = "fileshare", quota = "10" },
]
virtual_network_id = module.vnet.vnet_id[0]
subnet_id = module.subnet.default_subnet_id[0]
virtual_network_id = module.vnet.vnet_id[0]
subnet_id = module.subnet.default_subnet_id[0]
log_analytics_workspace_id = module.log-analytics.workspace_id
}
```
26 changes: 14 additions & 12 deletions _example/basic/example.tf
Original file line number Diff line number Diff line change
Expand Up @@ -16,26 +16,28 @@ module "storage" {
source = "../.."
name = local.name
environment = local.environment
resource_group_name = "app-test-rg"
label_order = local.label_order
resource_group_name = "test-rg"
location = "Central India"
storage_account_name = "stordtyrey36"
public_network_access_enabled = false
storage_account_name = "storage7386"
public_network_access_enabled = true
account_kind = "StorageV2"
account_tier = "Standard"
account_replication_type = "GRS"

## Encryption is not enabled for this Storage account
cmk_encryption_enabled = false

## Storage Container
containers_list = [
{ name = "app-test", access_type = "private" },
{ name = "app2", access_type = "private" },
]
## Storage File Share
file_shares = [
{ name = "fileshare1", quota = 5 },
]
## Storage Tables
tables = ["table1"]
## Storage Queues
queues = ["queue1"]
file_shares = [
{ name = "fileshare", quota = "10" },
]

management_policy_enable = true
#enable private endpoint
virtual_network_id = "/subscriptions/--------------<vnet_id>---------------"
subnet_id = "/subscriptions/--------------<subnet_id>---------------"
log_analytics_workspace_id = "/subscriptions/--------------<log_analytics_workspace_id>---------------"
Expand Down
4 changes: 2 additions & 2 deletions _example/basic/outputs.tf
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
output "storage_account_id" {
value = module.storage.default_storage_account_id
value = module.storage.storage_account_id
description = "The ID of the storage account."
}

output "storage_account_name" {
value = module.storage.default_storage_account_name
value = module.storage.storage_account_name
description = "The name of the storage account."
}

Expand Down
9 changes: 5 additions & 4 deletions _example/complete/example.tf
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ module "vault" {
source = "clouddrove/key-vault/azure"
version = "1.1.0"

name = "vault8767768"
name = "vault65960589"
environment = "test"
label_order = ["name", "environment", ]
resource_group_name = module.resource_group.resource_group_name
Expand All @@ -107,7 +107,7 @@ module "vault" {
# existing_private_dns_zone_resource_group_name = ""

#### enable diagnostic setting
diagnostic_setting_enable = true
diagnostic_setting_enable = false
log_analytics_workspace_id = module.log-analytics.workspace_id ## when diagnostic_setting_enable enable, add log analytics workspace id
}

Expand All @@ -122,14 +122,15 @@ module "storage" {
label_order = local.label_order
resource_group_name = module.resource_group.resource_group_name
location = module.resource_group.resource_group_location
storage_account_name = "storage877656"
storage_account_name = "storage874682"
public_network_access_enabled = true
account_kind = "StorageV2"
account_tier = "Standard"
identity_type = "UserAssigned"
object_id = [data.azurerm_client_config.current_client_config.object_id]
account_replication_type = "ZRS"
cmk_enabled = true
cmk_encryption_enabled = true
admin_objects_ids = [data.azurerm_client_config.current_client_config.object_id]

###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
key_vault_id = module.vault.id
Expand Down
43 changes: 23 additions & 20 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ module "labels" {
##-----------------------------------------------------------------------------
resource "azurerm_storage_account" "storage" {
count = var.enabled ? 1 : 0
depends_on = [azurerm_role_assignment.identity_assigned]
# depends_on = [azurerm_role_assignment.identity_assigned]
name = var.storage_account_name
resource_group_name = var.resource_group_name
location = var.location
Expand Down Expand Up @@ -191,14 +191,14 @@ resource "azurerm_storage_account" "storage" {
}
}
dynamic "identity" {
for_each = var.identity_type != null ? [1] : []
for_each = var.cmk_encryption_enabled && var.identity_type != null ? [1] : []
content {
type = var.identity_type
identity_ids = var.identity_type == "UserAssigned" ? [join("", azurerm_user_assigned_identity.identity.*.id)] : null

Check warning on line 197 in main.tf

View workflow job for this annotation

GitHub Actions / tf-lint / tflint

List items should be accessed using square brackets

Check warning on line 197 in main.tf

View workflow job for this annotation

GitHub Actions / tf-lint / tflint

List items should be accessed using square brackets
}
}
dynamic "customer_managed_key" {
for_each = var.cmk_enabled ? [1] : []
for_each = var.cmk_encryption_enabled ? [1] : []
content {
key_vault_key_id = var.key_vault_id != null ? azurerm_key_vault_key.kvkey[0].id : null
user_assigned_identity_id = var.key_vault_id != null ? azurerm_user_assigned_identity.identity[0].id : null
Expand All @@ -211,7 +211,7 @@ resource "azurerm_storage_account" "storage" {
## This user assigned identity will be created when storage account with cmk is created.
##-----------------------------------------------------------------------------
resource "azurerm_user_assigned_identity" "identity" {
count = var.enabled && var.cmk_enabled ? 1 : 0
count = var.enabled && var.cmk_encryption_enabled ? 1 : 0
location = var.location
name = format("%s-storage-mid", module.labels.id)
resource_group_name = var.resource_group_name
Expand All @@ -222,18 +222,30 @@ resource "azurerm_user_assigned_identity" "identity" {
##-----------------------------------------------------------------------------
resource "azurerm_role_assignment" "identity_assigned" {
depends_on = [azurerm_user_assigned_identity.identity]
count = var.enabled && var.key_vault_rbac_auth_enabled ? 1 : 0
count = var.enabled && var.cmk_encryption_enabled && var.key_vault_rbac_auth_enabled ? 1 : 0
principal_id = azurerm_user_assigned_identity.identity[0].principal_id
scope = var.key_vault_id
role_definition_name = "Key Vault Crypto Service Encryption User"
}

##-----------------------------------------------------------------------------
## Below resource will provide user access on key vault based on role base access in azure environment.
## if rbac is enabled then below resource will create.
##-----------------------------------------------------------------------------
resource "azurerm_role_assignment" "rbac_keyvault_crypto_officer" {
for_each = toset(var.key_vault_rbac_auth_enabled && var.enabled && var.cmk_encryption_enabled ? var.admin_objects_ids : [])

scope = var.key_vault_id
role_definition_name = "Key Vault Crypto Officer"
principal_id = each.value
}

##-----------------------------------------------------------------------------
## Below resource will create key vault key that will be used for encryption.
##-----------------------------------------------------------------------------
resource "azurerm_key_vault_key" "kvkey" {
depends_on = [azurerm_role_assignment.identity_assigned, azurerm_user_assigned_identity.identity]
count = var.enabled && var.cmk_enabled ? 1 : 0
depends_on = [azurerm_role_assignment.identity_assigned, azurerm_role_assignment.rbac_keyvault_crypto_officer]
count = var.enabled && var.cmk_encryption_enabled ? 1 : 0
name = format("%s-storage-key-vault-key", module.labels.id)
expiration_date = var.expiration_date
key_vault_id = var.key_vault_id
Expand All @@ -248,7 +260,7 @@ resource "azurerm_key_vault_key" "kvkey" {
"wrapKey",
]
dynamic "rotation_policy" {
for_each = var.enable_rotation_policy ? var.rotation_policy : {}
for_each = var.rotation_policy_enabled ? var.rotation_policy : {}
content {
automatic {
time_before_expiry = rotation_policy.value.time_before_expiry
Expand All @@ -264,7 +276,7 @@ resource "azurerm_key_vault_key" "kvkey" {
## Below resource will create network rules for storage account.
##-----------------------------------------------------------------------------
resource "azurerm_storage_account_network_rules" "network-rules" {
for_each = var.enabled == false ? { for rule in var.network_rules : rule.default_action => rule } : {}
for_each = var.enabled ? { for rule in var.network_rules : rule.default_action => rule } : {}
storage_account_id = join("", azurerm_storage_account.storage.*.id)
default_action = lookup(each.value, "default_action", "Deny")
ip_rules = lookup(each.value, "ip_rules", null)
Expand Down Expand Up @@ -292,7 +304,7 @@ resource "azurerm_advanced_threat_protection" "atp" {
## Below resource will create access policy for user whose object id will be mentioned.
## This resource is not required when key vault has role based authorization(rbac) enabled.
##-----------------------------------------------------------------------------
resource "azurerm_key_vault_access_policy" "example" {
resource "azurerm_key_vault_access_policy" "keyvault-access-policy" {
count = var.enabled && var.key_vault_rbac_auth_enabled == false ? length(var.object_id) : 0
key_vault_id = var.key_vault_id
tenant_id = data.azurerm_client_config.current.tenant_id
Expand Down Expand Up @@ -562,7 +574,7 @@ resource "azurerm_private_dns_a_record" "arecord1" {
resource "azurerm_monitor_diagnostic_setting" "storage" {
count = var.enabled && var.enable_diagnostic ? 1 : 0
name = format("storage-diagnostic-log")
target_resource_id = join("", azurerm_storage_account.storage.*.id) # "${azurerm_storage_account.default_storage[0].id}/blobServices/default/" : "${azurerm_storage_account.storage[0].id}/blobServices/default/" # "${azurerm_storage_account.core.id}/blobServices/default/"
target_resource_id = join("", azurerm_storage_account.storage.*.id)
storage_account_id = var.storage_account_id
eventhub_name = var.eventhub_name
eventhub_authorization_rule_id = var.eventhub_authorization_rule_id
Expand Down Expand Up @@ -623,12 +635,3 @@ resource "azurerm_monitor_diagnostic_setting" "storage-nic" {
ignore_changes = [log_analytics_destination_type]
}
}

# resource "azurerm_storage_account_customer_managed_key" "example" {
# depends_on = [ azurerm_storage_account.storage ]
# count = var.enabled && var.cmk_enabled ? 1 : 0
# storage_account_id = join("", azurerm_storage_account.storage.*.id)
# key_vault_id = var.key_vault_id
# key_name = join("", azurerm_key_vault_key.kvkey.*.name)
# user_assigned_identity_id = join("", azurerm_user_assigned_identity.identity.*.id)
# }
18 changes: 12 additions & 6 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -298,7 +298,7 @@ variable "identity_type" {

variable "key_vault_id" {
type = string
default = null
default = ""
}

variable "expiration_date" {
Expand Down Expand Up @@ -349,6 +349,12 @@ variable "allowed_copy_scope" {
description = "Restrict copy to and from Storage Accounts within an AAD tenant or with Private Links to the same VNet. Possible values are AAD and PrivateLink."
}

variable "admin_objects_ids" {
description = "IDs of the objects that can do all operations on all keys, secrets and certificates."
type = list(string)
default = []
}

## Private endpoint
variable "virtual_network_id" {
type = string
Expand Down Expand Up @@ -376,7 +382,7 @@ variable "existing_private_dns_zone" {

variable "existing_private_dns_zone_resource_group_name" {
type = string
default = ""
default = null
description = "The name of the existing resource group"
}

Expand All @@ -389,13 +395,13 @@ variable "addon_vent_link" {

variable "addon_resource_group_name" {
type = string
default = ""
default = null
description = "The name of the addon vnet resource group"
}

variable "addon_virtual_network_id" {
type = string
default = ""
default = null
description = "The name of the addon vnet link vnet id"
}

Expand Down Expand Up @@ -659,13 +665,13 @@ variable "key_vault_rbac_auth_enabled" {
description = "Is key vault has role base access enable or not."
}

variable "cmk_enabled" {
variable "cmk_encryption_enabled" {
type = bool
default = false
description = "Whether to create CMK or not"
}

variable "enable_rotation_policy" {
variable "rotation_policy_enabled" {
type = bool
default = false
description = "Whether or not to enable rotation policy"
Expand Down

0 comments on commit 3c52c42

Please sign in to comment.