locals.auth.tf (84 lines of code) (raw):

locals { admin_password_input = (var.account_credentials.admin_credentials.password != null ? var.account_credentials.admin_credentials.password : (var.admin_password != null ? var.admin_password : null)) #set the admin password to either a generated value or the entered value admin_password_linux = (lower(var.os_type) == "linux") ? ( local.password_authentication_disabled == false ? ( #if os is linux and password authentication is enabled local.admin_password_input == null ? random_password.admin_password[0].result : local.admin_password_input #use generated password if input is null, otherwise use input password ) : null #null value if password authentication is disabled ) : null #null value if os is not linux admin_password_windows = (lower(var.os_type) == "windows") ? ( local.admin_password_input == null ? random_password.admin_password[0].result : local.admin_password_input #use generated password if input is null, otherwise use input password ) : null #null value if os is not windows # set the ssh key for the admin user in linux admin_ssh_key = ((local.password_authentication_disabled == true) && (lower(var.os_type) == "linux")) ? ( length(local.admin_ssh_key_input) == 0 ? [{ public_key = tls_private_key.this[0].public_key_openssh username = local.admin_username }] : [ for key in local.admin_ssh_key_input : { public_key = key username = local.admin_username } ] ) : [] #if ssh key set in multiple places, prefer the var.account_credentials value admin_ssh_key_input = (length(var.account_credentials.admin_credentials.ssh_keys) > 0 ? var.account_credentials.admin_credentials.ssh_keys : (length(local.deprecated_keys) > 0 ? local.deprecated_keys : [])) #set the ssh key secret value to the generated key if password authentication is disabled and no ssh key is provided. Otherwise, set it to "no_key" to indicate that no key was provided. admin_ssh_key_secret_value = ((local.password_authentication_disabled == true) && (lower(var.os_type) == "linux") && length(local.admin_ssh_key_input) == 0) ? tls_private_key.this[0].private_key_pem : "no_key" #concat the ssh key values list admin_ssh_keys = concat(var.admin_ssh_keys, local.admin_ssh_key) #set this to the local after deprecation #set the admin user to use the following order: # 1. account_credentials.username # 2. admin_username # 3. azureuser (default value if not provided)) admin_username = var.account_credentials.admin_credentials.username != "azureuser" ? var.account_credentials.admin_credentials.username : (var.admin_username != "azureuser" ? var.admin_username : "azureuser") #both default to azureuser without input so no need for special handling. After deprecation, set admin_username to var.account_credentials.username #set the name for the password secret in the key vault if the key vault secret configuration is not null and there is a password input. credential_secret_name_password = ( local.credentials_key_vault_config != null ? ( local.credentials_key_vault_config.secret_configuration != null ? ( local.credentials_key_vault_config.secret_configuration.name != null ? local.credentials_key_vault_config.secret_configuration.name : "${var.name}-${local.admin_username}-password" ) : "${var.name}-${local.admin_username}-password") : "${var.name}-${local.admin_username}-password") #set the name for the ssh secret in the key vault if the key vault secret configuration is not null and there is a password input. credential_secret_name_ssh_key = ( local.credentials_key_vault_config != null ? ( local.credentials_key_vault_config.secret_configuration != null ? ( local.credentials_key_vault_config.secret_configuration.name != null ? local.credentials_key_vault_config.secret_configuration.name : "${var.name}-${local.admin_username}-ssh-private-key" ) : "${var.name}-${local.admin_username}-ssh-private-key") : "${var.name}-${local.admin_username}-ssh-private-key") #use locals to define whether a secret should be created in the key vault credential_secret_vault_count = ( #if the key vault config is set, then create a credential secret local.credentials_key_vault_config != null ? 1 : 0 #the resource_id value is a required field in both cases, so we can use that to determine if the key vault config is set. ) #set the credentials key vault configuration. Prefer the var.account_credentials value if set, otherwise use the var.generated_secrets_key_vault_secret_config value. If both are set, prefer the var.account_credentials value. credentials_key_vault_config = var.account_credentials.key_vault_configuration != null ? var.account_credentials.key_vault_configuration : ( #if key vault config set in multiple places, prefer the var.account_credentials value local.deprecated_key_vault_config != null ? local.deprecated_key_vault_config : null) #create a version of the old key vault config with the new schema so the ternary can be used to set the key vault config deprecated_key_vault_config = var.generated_secrets_key_vault_secret_config != null ? { resource_id = var.generated_secrets_key_vault_secret_config.key_vault_resource_id secret_configuration = { name = var.generated_secrets_key_vault_secret_config.name expiration_date_length_in_days = var.generated_secrets_key_vault_secret_config.expiration_date_length_in_days content_type = var.generated_secrets_key_vault_secret_config.content_type not_before_date = var.generated_secrets_key_vault_secret_config.not_before_date tags = var.generated_secrets_key_vault_secret_config.tags } } : null deprecated_keys = length(var.admin_ssh_keys) > 0 ? local.flattened_ssh_keys : [] #ssh key for handling deprecated ssh key input (the schema's are different,so we need to handle this) flattened_ssh_keys = flatten([for key in var.admin_ssh_keys : key.public_key]) generate_admin_ssh_key_count = ( (lower(var.os_type) == "linux") && ( (var.generate_admin_password_or_ssh_key == true) && (var.account_credentials.admin_credentials.generate_admin_password_or_ssh_key == true) ) && (local.password_authentication_disabled == true) ? 1 : 0 ) generate_random_password_count = ( ( (lower(var.os_type) == "windows") && ( (var.generate_admin_password_or_ssh_key == true) && (var.account_credentials.admin_credentials.generate_admin_password_or_ssh_key == true) ) ) ? 1 : ( (lower(var.os_type) == "linux") && ( (var.generate_admin_password_or_ssh_key == true && var.account_credentials.admin_credentials.generate_admin_password_or_ssh_key == true) && (local.password_authentication_disabled == false) ) ) ? 1 : 0 ) generated_secret_expiration_date_utc = local.generated_secret_expiration_date_utc_new == null ? local.generated_secret_expiration_date_utc_depr : local.generated_secret_expiration_date_utc_new #calculate the expiration date for the key vault secret. If the key vault config is set, then use that value. Otherwise, use the default value of 45 days. generated_secret_expiration_date_utc_depr = local.deprecated_key_vault_config != null ? formatdate("YYYY-MM-DD'T'hh:mm:ssZ", (timeadd(timestamp(), "${local.deprecated_key_vault_config.secret_configuration.expiration_date_length_in_days * 24}h"))) : null generated_secret_expiration_date_utc_new = var.account_credentials.key_vault_configuration != null ? formatdate("YYYY-MM-DD'T'hh:mm:ssZ", (timeadd(timestamp(), "${var.account_credentials.key_vault_configuration.secret_configuration.expiration_date_length_in_days * 24}h"))) : null #validate this works when expire is undefined password_authentication_disabled = var.account_credentials.password_authentication_disabled == false ? var.account_credentials.password_authentication_disabled : ( var.disable_password_authentication == false ? var.disable_password_authentication : true) #defaults to true for both vars. Prefer var.account_credentials value if set, otherwise use var.disable_password_authentication. If both are set, prefer var.account_credentials value. After deprecation, set password_authentication_disabled to var.account_credentials.password_authentication_disabled #set the count to 1 if a password value is provided and a secret configuration is provided or generated. This will be used to create the key vault secret. password_secret_count = ( (local.credential_secret_vault_count == 1 && lower(var.os_type) == "windows") || (local.credential_secret_vault_count == 1 && lower(var.os_type) == "linux" && local.password_authentication_disabled == false) ? 1 : 0 ) #set the count to 1 if a ssh value is provided and a secret configuration is provided or generated. This will be used to create the key vault secret. ssh_secret_count = (local.credential_secret_vault_count == 1 && local.generate_admin_ssh_key_count == 1) ? 1 : 0 }