Az external secrets permissions (#409)

ManagedKube · Feb 27, 2023 · d713f57 · d713f57
1 parent 6b02602
commit d713f57
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 7 deletions.
diff --git a/terraform-modules/azure/kubernetes/external-secrets/secret_store/main.tf b/terraform-modules/azure/kubernetes/external-secrets/secret_store/main.tf
@@ -44,13 +44,10 @@ resource "azurerm_key_vault_access_policy" "this" {
   tenant_id    = var.azure_tenant_id
   object_id    = azuread_service_principal.app.object_id
 
-  key_permissions = [
-    "Get",
-  ]
-
-  secret_permissions = [
-    "Get",
-  ]
+  certificate_permissions = var.certificate_permissions
+  key_permissions         = var.key_permissions
+  secret_permissions      = var.secret_permissions
+  storage_permissions     = var.storage_permissions
 }
 
 ################################################

diff --git a/terraform-modules/azure/kubernetes/external-secrets/secret_store/variables.tf b/terraform-modules/azure/kubernetes/external-secrets/secret_store/variables.tf
@@ -39,3 +39,35 @@ variable "azurerm_key_vault_id" {
   default     = ""
   description = "(Required) Specifies the id of the Key Vault resource. Changing this forces a new resource to be created."
 }
+
+variable "certificate_permissions" {
+  type        = list(string)
+  default     = [
+    "Get",
+  ]
+  description = "(Optional) List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update"
+}
+
+variable "key_permissions" {
+  type        = list(string)
+  default     = [
+    "Get",
+  ]
+  description = "(Optional) List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy, and SetRotationPolicy."
+}
+
+variable "secret_permissions" {
+  type        = list(string)
+  default     = [
+    "Get",
+  ]
+  description = "(Optional) List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set."
+}
+
+variable "storage_permissions" {
+  type        = list(string)
+  default     = [
+    "Get",
+  ]
+  description = "(Optional) List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update."
+}