From d713f57ec314b4f2e22e7b893fd5dc2f0926829c Mon Sep 17 00:00:00 2001
From: garland-kan-sage <92883807+garland-kan-sage@users.noreply.github.com>
Date: Mon, 27 Feb 2023 14:59:55 -0800
Subject: [PATCH] Az external secrets permissions (#409)

---
 .../external-secrets/secret_store/main.tf | 11 +++----
 .../secret_store/variables.tf | 32 +++++++++++++++++++
 2 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/terraform-modules/azure/kubernetes/external-secrets/secret_store/main.tf b/terraform-modules/azure/kubernetes/external-secrets/secret_store/main.tf
index f22b2d117..d8a9481ca 100644
--- a/terraform-modules/azure/kubernetes/external-secrets/secret_store/main.tf
+++ b/terraform-modules/azure/kubernetes/external-secrets/secret_store/main.tf
@@ -44,13 +44,10 @@ resource "azurerm_key_vault_access_policy" "this" {
 tenant_id = var.azure_tenant_id
 object_id = azuread_service_principal.app.object_id
 
- key_permissions = [
- "Get",
- ]
-
- secret_permissions = [
- "Get",
- ]
+ certificate_permissions = var.certificate_permissions
+ key_permissions = var.key_permissions
+ secret_permissions = var.secret_permissions
+ storage_permissions = var.storage_permissions
 }
 
 ################################################
diff --git a/terraform-modules/azure/kubernetes/external-secrets/secret_store/variables.tf b/terraform-modules/azure/kubernetes/external-secrets/secret_store/variables.tf
index 1290ac798..7d9083260 100644
--- a/terraform-modules/azure/kubernetes/external-secrets/secret_store/variables.tf
+++ b/terraform-modules/azure/kubernetes/external-secrets/secret_store/variables.tf
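Review bot: The defaults wired in here widen the access policy: before this hunk the service principal held only key `Get` and secret `Get`, while `var.certificate_permissions` and `var.storage_permissions` both default to `["Get"]` in the variables.tf hunk, so every existing caller of the module silently gains certificate and storage read access on the vault. An External Secrets store that only reads secrets needs neither, so the least-privilege default for those two variables is `default = []`, leaving callers to opt in explicitly when they actually sync certificates or storage keys. I believe the provider requires at least one of the four permission lists to be non-empty, which is still satisfied because key and secret permissions keep their `Get` default; worth confirming before changing the defaults. The `azurerm_key_vault_access_policy` resource block starts outside the hunk.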
@@ -39,3 +39,35 @@ variable "azurerm_key_vault_id" {
 default = ""
 description = "(Required) Specifies the id of the Key Vault resource. Changing this forces a new resource to be created."
 }
+
+variable "certificate_permissions" {
+ type = list(string)
+ default = [
+ "Get",
+ ]
+ description = "(Optional) List of certificate permissions, must be one or more from the following: Backup, Create, Delete, DeleteIssuers, Get, GetIssuers, Import, List, ListIssuers, ManageContacts, ManageIssuers, Purge, Recover, Restore, SetIssuers and Update"
+}
+
+variable "key_permissions" {
+ type = list(string)
+ default = [
+ "Get",
+ ]
+ description = "(Optional) List of key permissions, must be one or more from the following: Backup, Create, Decrypt, Delete, Encrypt, Get, Import, List, Purge, Recover, Restore, Sign, UnwrapKey, Update, Verify, WrapKey, Release, Rotate, GetRotationPolicy, and SetRotationPolicy."
+}
+
+variable "secret_permissions" {
+ type = list(string)
+ default = [
+ "Get",
+ ]
+ description = "(Optional) List of secret permissions, must be one or more from the following: Backup, Delete, Get, List, Purge, Recover, Restore and Set."
+}
+
+variable "storage_permissions" {
+ type = list(string)
+ default = [
+ "Get",
+ ]
+ description = "(Optional) List of storage permissions, must be one or more from the following: Backup, Delete, DeleteSAS, Get, GetSAS, List, ListSAS, Purge, Recover, RegenerateKey, Restore, Set, SetSAS and Update."
+}
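Review bot: Each of the four new descriptions says the value "must be one or more from the following" fixed set, but nothing in the variable enforces it, so a misspelled or wrong-case entry only surfaces at apply time when the provider rejects the access policy, after the plan has already been approved. A `validation` block per variable (needs Terraform 0.13+, and `alltrue` 0.14+ — check the module's `required_version`) turns that into a plan-time error; the block below is for `secret_permissions`, and the same shape with each description's own allowed list applies to `certificate_permissions`, `key_permissions` and `storage_permissions`. Minor style point: the `certificate_permissions` description is the only one without a closing period.

```hcl
variable "secret_permissions" {
  # … unchanged: type, default, description …
  validation {
    condition     = alltrue([for p in var.secret_permissions : contains(["Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set"], p)])
    error_message = "secret_permissions may only contain Backup, Delete, Get, List, Purge, Recover, Restore or Set."
  }
}
```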