
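# Key Vault instance. The security-relevant settings (RBAC vs. legacy access
# policies, public network access, purge protection, soft-delete retention,
# network ACLs) are passed straight through from the module variables; their
# defaults live in variables.tf, not in this file.
resource "azurerm_key_vault" "this" {
  location            = var.location
  name                = var.name
  resource_group_name = var.resource_group_name
  sku_name            = var.sku_name
  tenant_id           = var.tenant_id
  # Azure RBAC data-plane authorization is enabled exactly when the legacy
  # access-policy mode is NOT requested; the two flags can never both be on.
  enable_rbac_authorization       = !var.legacy_access_policies_enabled
  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment
  public_network_access_enabled   = var.public_network_access_enabled
  purge_protection_enabled        = var.purge_protection_enabled
  soft_delete_retention_days      = var.soft_delete_retention_days
  tags                            = var.tags

  # Only one network_acls block is allowed.
  # Create it if the variable is not null. When it is null no block is
  # emitted at all, so the provider/Azure default applies — confirm the
  # variable default in variables.tf if a deny-by-default firewall is expected.
  dynamic "network_acls" {
    for_each = var.network_acls != null ? { this = var.network_acls } : {}

    content {
      bypass                     = network_acls.value.bypass
      default_action             = network_acls.value.default_action
      ip_rules                   = network_acls.value.ip_rules
      virtual_network_subnet_ids = network_acls.value.virtual_network_subnet_ids
    }
  }
}

# Optional resource lock on the vault (e.g. to prevent accidental deletion).
# Created only when var.lock is set; the lock name falls back to "lock-<vault name>".
resource "azurerm_management_lock" "this" {
  count = var.lock != null ? 1 : 0

  lock_level = var.lock.kind
  name       = coalesce(var.lock.name, "lock-${var.name}")
  scope      = azurerm_key_vault.this.id
}

# One role assignment per entry in var.role_assignments, all scoped to the vault.
# The caller may supply either a role definition resource ID or a role name in
# role_definition_id_or_name; the substring test on local.role_definition_resource_substring
# (defined elsewhere in the module) decides which provider attribute receives it,
# and the other is left null so exactly one of the two is ever set.
resource "azurerm_role_assignment" "this" {
  for_each = var.role_assignments

  principal_id                           = each.value.principal_id
  scope                                  = azurerm_key_vault.this.id
  condition                              = each.value.condition
  condition_version                      = each.value.condition_version
  delegated_managed_identity_resource_id = each.value.delegated_managed_identity_resource_id
  principal_type                         = each.value.principal_type
  role_definition_id                     = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? each.value.role_definition_id_or_name : null
  role_definition_name                   = strcontains(lower(each.value.role_definition_id_or_name), lower(local.role_definition_resource_substring)) ? null : each.value.role_definition_id_or_name
  skip_service_principal_aad_check       = each.value.skip_service_principal_aad_check
}

# One diagnostic setting per entry in var.diagnostic_settings, targeting the vault.
# Each entry may route to any combination of Event Hub, Log Analytics, a partner
# solution or a storage account. Log categories and category groups are both
# expressed through enabled_log blocks; metrics through metric blocks.
resource "azurerm_monitor_diagnostic_setting" "this" {
  for_each = var.diagnostic_settings

  # Setting name defaults to "diag-<vault name>" when the entry does not supply one.
  name                           = each.value.name != null ? each.value.name : "diag-${var.name}"
  target_resource_id             = azurerm_key_vault.this.id
  eventhub_authorization_rule_id = each.value.event_hub_authorization_rule_resource_id
  eventhub_name                  = each.value.event_hub_name
  log_analytics_destination_type = each.value.log_analytics_destination_type
  log_analytics_workspace_id     = each.value.workspace_resource_id
  partner_solution_id            = each.value.marketplace_partner_resource_id
  storage_account_id             = each.value.storage_account_resource_id

  # Individual log categories.
  dynamic "enabled_log" {
    for_each = each.value.log_categories

    content {
      category = enabled_log.value
    }
  }
  # Log category groups (e.g. a group that bundles several categories).
  dynamic "enabled_log" {
    for_each = each.value.log_groups

    content {
      category_group = enabled_log.value
    }
  }
  dynamic "metric" {
    for_each = each.value.metric_categories

    content {
      category = metric.value
    }
  }
}

# Certificate contacts for the vault, created only when var.contacts is non-empty.
# Contact operations are a data-plane call, so this waits on the time_sleep below,
# which in turn waits on the role assignments.
resource "azurerm_key_vault_certificate_contacts" "this" {
  count = length(var.contacts) > 0 ? 1 : 0

  key_vault_id = azurerm_key_vault.this.id

  dynamic "contact" {
    for_each = var.contacts

    content {
      email = contact.value.email
      name  = contact.value.name
      phone = contact.value.phone
    }
  }

  depends_on = [time_sleep.wait_for_rbac_before_contact_operations]
}

# Delay between the role assignments being created and the first contact
# operation, so that the data-plane permissions have time to propagate
# (as the resource name states). Durations come from the module variable.
# The trigger re-runs the sleep whenever the contact set changes.
resource "time_sleep" "wait_for_rbac_before_contact_operations" {
  # Same predicate as azurerm_key_vault_certificate_contacts above, so the two
  # resources are always created (or skipped) together and the depends_on
  # edge between them never points at an absent instance.
  count = length(var.contacts) > 0 ? 1 : 0

  create_duration  = var.wait_for_rbac_before_contact_operations.create
  destroy_duration = var.wait_for_rbac_before_contact_operations.destroy
  triggers = {
    contacts = jsonencode(var.contacts)
  }

  depends_on = [azurerm_role_assignment.this]
}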