Zilu/keyvault legacy (#12)

* add a switch to use legacy key vault model * change the way to set secrets location add more variables * change back the implementation due to the validation error * remove security settings local var * use flatten magic to bypass validation error * fix plan error
Azure · Sep 25, 2024 · 4fb0368 · 4fb0368
1 parent 634f292
commit 4fb0368
Show file tree

Hide file tree

Showing 5 changed files with 258 additions and 82 deletions.
diff --git a/README.md b/README.md
@@ -249,6 +249,22 @@ Type: `map(string)`
 
 Default: `null`
 
+### <a name="input_bitlocker_boot_volume"></a> [bitlocker\_boot\_volume](#input\_bitlocker\_boot\_volume)
+
+Description: When set to true, BitLocker XTS\_AES 256-bit encryption is enabled for all data-at-rest on the OS volume of your Azure Stack HCI cluster. This setting is TPM-hardware dependent.
+
+Type: `bool`
+
+Default: `true`
+
+### <a name="input_bitlocker_data_volumes"></a> [bitlocker\_data\_volumes](#input\_bitlocker\_data\_volumes)
+
+Description: When set to true, BitLocker XTS-AES 256-bit encryption is enabled for all data-at-rest on your Azure Stack HCI cluster shared volumes.
+
+Type: `bool`
+
+Default: `true`
+
 ### <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name)
 
 Description: The name of the HCI cluster.
@@ -328,6 +344,14 @@ Default:
 ]
 ```
 
+### <a name="input_configuration_mode"></a> [configuration\_mode](#input\_configuration\_mode)
+
+Description: The configuration mode for the storage.
+
+Type: `string`
+
+Default: `"Express"`
+
 ### <a name="input_create_key_vault"></a> [create\_key\_vault](#input\_create\_key\_vault)
 
 Description: Set to true to create the key vault, or false to skip it
@@ -344,6 +368,14 @@ Type: `bool`
 
 Default: `true`
 
+### <a name="input_credential_guard_enforced"></a> [credential\_guard\_enforced](#input\_credential\_guard\_enforced)
+
+Description: When set to true, Credential Guard is enabled on your Azure HCI cluster.
+
+Type: `bool`
+
+Default: `false`
+
 ### <a name="input_cross_tenant_replication_enabled"></a> [cross\_tenant\_replication\_enabled](#input\_cross\_tenant\_replication\_enabled)
 
 Description: Indicates whether cross-tenant replication is enabled.
@@ -368,6 +400,22 @@ Type: `map(string)`
 
 Default: `null`
 
+### <a name="input_drift_control_enforced"></a> [drift\_control\_enforced](#input\_drift\_control\_enforced)
+
+Description: When set to true, the security baseline is re-applied regularly.
+
+Type: `bool`
+
+Default: `true`
+
+### <a name="input_drtm_protection"></a> [drtm\_protection](#input\_drtm\_protection)
+
+Description: By default, Secure Boot is enabled on your Azure HCI cluster. This setting is hardware dependent.
+
+Type: `bool`
+
+Default: `true`
+
 ### <a name="input_enable_telemetry"></a> [enable\_telemetry](#input\_enable\_telemetry)
 
 Description: This variable controls whether or not telemetry is enabled for the module.  
@@ -386,6 +434,14 @@ Type: `bool`
 
 Default: `false`
 
+### <a name="input_hvci_protection"></a> [hvci\_protection](#input\_hvci\_protection)
+
+Description: By default, Hypervisor-protected Code Integrity is enabled on your Azure HCI cluster.
+
+Type: `bool`
+
+Default: `true`
+
 ### <a name="input_intent_name"></a> [intent\_name](#input\_intent\_name)
 
 Description: The name of intent.
@@ -586,6 +642,30 @@ Type: `string`
 
 Default: `""`
 
+### <a name="input_side_channel_mitigation_enforced"></a> [side\_channel\_mitigation\_enforced](#input\_side\_channel\_mitigation\_enforced)
+
+Description: When set to true, all the side channel mitigations are enabled.
+
+Type: `bool`
+
+Default: `true`
+
+### <a name="input_smb_cluster_encryption"></a> [smb\_cluster\_encryption](#input\_smb\_cluster\_encryption)
+
+Description: When set to true, cluster east-west traffic is encrypted.
+
+Type: `bool`
+
+Default: `false`
+
+### <a name="input_smb_signing_enforced"></a> [smb\_signing\_enforced](#input\_smb\_signing\_enforced)
+
+Description: When set to true, the SMB default instance requires sign in for the client and server services.
+
+Type: `bool`
+
+Default: `true`
+
 ### <a name="input_storage_adapter_ip_info"></a> [storage\_adapter\_ip\_info](#input\_storage\_adapter\_ip\_info)
 
 Description: The IP information for the storage networks. Key is the storage network name.
@@ -696,6 +776,22 @@ Default:
 ]
 ```
 
+### <a name="input_use_legacy_key_vault_model"></a> [use\_legacy\_key\_vault\_model](#input\_use\_legacy\_key\_vault\_model)
+
+Description: Indicates whether to use the legacy key vault model.
+
+Type: `bool`
+
+Default: `false`
+
+### <a name="input_wdac_enforced"></a> [wdac\_enforced](#input\_wdac\_enforced)
+
+Description: WDAC is enabled by default and limits the applications and the code that you can run on your Azure Stack HCI cluster.
+
+Type: `bool`
+
+Default: `true`
+
 ### <a name="input_witness_path"></a> [witness\_path](#input\_witness\_path)
 
 Description: The path to the witness.

diff --git a/keyvault.tf b/keyvault.tf
@@ -28,7 +28,7 @@ data "azurerm_key_vault" "key_vault" {
 
 resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {
   key_vault_id = local.key_vault.id
-  name         = "${var.name}-AzureStackLCMUserCredential"
+  name         = var.use_legacy_key_vault_model ? "AzureStackLCMUserCredential" : "${var.name}-AzureStackLCMUserCredential"
   value        = base64encode("${var.deployment_user}:${var.deployment_user_password}")
   content_type = one(flatten([var.azure_stack_lcm_user_credential_content_type]))
   tags         = var.azure_stack_lcm_user_credential_tags
@@ -41,7 +41,7 @@ resource "azurerm_key_vault_secret" "azure_stack_lcm_user_credential" {
 
 resource "azurerm_key_vault_secret" "local_admin_credential" {
   key_vault_id = local.key_vault.id
-  name         = "${var.name}-LocalAdminCredential"
+  name         = var.use_legacy_key_vault_model ? "LocalAdminCredential" : "${var.name}-LocalAdminCredential"
   value        = base64encode("${var.local_admin_user}:${var.local_admin_password}")
   content_type = one(flatten([var.local_admin_credential_content_type]))
   tags         = var.local_admin_credential_tags
@@ -54,7 +54,7 @@ resource "azurerm_key_vault_secret" "local_admin_credential" {
 
 resource "azurerm_key_vault_secret" "default_arb_application" {
   key_vault_id = local.key_vault.id
-  name         = "${var.name}-DefaultARBApplication"
+  name         = var.use_legacy_key_vault_model ? "DefaultARBApplication" : "${var.name}-DefaultARBApplication"
   value        = base64encode("${var.service_principal_id}:${var.service_principal_secret}")
   content_type = one(flatten([var.default_arb_application_content_type]))
   tags         = var.default_arb_application_tags
@@ -67,7 +67,7 @@ resource "azurerm_key_vault_secret" "default_arb_application" {
 
 resource "azurerm_key_vault_secret" "witness_storage_key" {
   key_vault_id = local.key_vault.id
-  name         = "${var.name}-WitnessStorageKey"
+  name         = var.use_legacy_key_vault_model ? "WitnessStorageKey" : "${var.name}-WitnessStorageKey"
   value        = base64encode(var.create_witness_storage_account ? azurerm_storage_account.witness[0].primary_access_key : data.azurerm_storage_account.witness[0].primary_access_key)
   content_type = one(flatten([var.witness_storage_key_content_type]))
   tags         = var.witness_storage_key_tags

diff --git a/locals.tf b/locals.tf
@@ -21,8 +21,86 @@ locals {
     adapterPropertyOverrides = var.rdma_enabled ? local.rdma_adapter_properties : local.adapter_properties
   }]
   decoded_user_storages = jsondecode(data.azapi_resource_list.user_storages.output).value
-  key_vault             = var.create_key_vault ? azurerm_key_vault.deployment_keyvault[0] : data.azurerm_key_vault.key_vault[0]
-  owned_user_storages   = [for storage in local.decoded_user_storages : storage if lower(storage.extendedLocation.name) == lower(data.azapi_resource.customlocation.id)]
+  deployment_data = {
+    securitySettings = {
+      hvciProtection                = var.hvci_protection
+      drtmProtection                = var.drtm_protection
+      driftControlEnforced          = var.drift_control_enforced
+      credentialGuardEnforced       = var.credential_guard_enforced
+      smbSigningEnforced            = var.smb_signing_enforced
+      smbClusterEncryption          = var.smb_cluster_encryption
+      sideChannelMitigationEnforced = var.side_channel_mitigation_enforced
+      bitlockerBootVolume           = var.bitlocker_boot_volume
+      bitlockerDataVolumes          = var.bitlocker_data_volumes
+      wdacEnforced                  = var.wdac_enforced
+    }
+    observability = {
+      streamingDataClient = true
+      euLocation          = var.eu_location
+      episodicDataUpload  = true
+    }
+    cluster = {
+      name                 = var.cluster_name == "" ? azapi_resource.cluster.name : var.cluster_name
+      witnessType          = var.witness_type
+      witnessPath          = var.witness_path
+      cloudAccountName     = var.create_witness_storage_account ? azurerm_storage_account.witness[0].name : var.witness_storage_account_name
+      azureServiceEndpoint = var.azure_service_endpoint
+    }
+    storage = {
+      configurationMode = var.configuration_mode
+    }
+    namingPrefix = var.site_id
+    domainFqdn   = var.domain_fqdn
+    infrastructureNetwork = [{
+      useDhcp    = false
+      subnetMask = var.subnet_mask
+      gateway    = var.default_gateway
+      ipPools = [
+        {
+          startingAddress = var.starting_address
+          endingAddress   = var.ending_address
+        }
+      ]
+      dnsServers = flatten(var.dns_servers)
+    }]
+    physicalNodes = flatten(var.servers)
+    hostNetwork = {
+      enableStorageAutoIp           = true
+      intents                       = local.converged ? local.converged_intents : local.seperate_intents
+      storageNetworks               = local.storage_networks
+      storageConnectivitySwitchless = false
+    }
+    adouPath        = var.adou_path
+    secretsLocation = var.use_legacy_key_vault_model ? local.secrets_location : null
+    secrets = var.use_legacy_key_vault_model ? null : [
+      {
+        secretName     = "${var.name}-AzureStackLCMUserCredential"
+        eceSecretName  = "AzureStackLCMUserCredential"
+        secretLocation = "${local.secrets_location}secrets/${var.name}-AzureStackLCMUserCredential"
+      },
+      {
+        secretName     = "${var.name}-LocalAdminCredential"
+        eceSecretName  = "LocalAdminCredential"
+        secretLocation = "${local.secrets_location}secrets/${var.name}-LocalAdminCredential"
+      },
+      {
+        secretName     = "${var.name}-DefaultARBApplication"
+        eceSecretName  = "DefaultARBApplication"
+        secretLocation = "${local.secrets_location}secrets/${var.name}-DefaultARBApplication"
+      },
+      {
+        secretName     = "${var.name}-WitnessStorageKey"
+        eceSecretName  = "WitnessStorageKey"
+        secretLocation = "${local.secrets_location}secrets/${var.name}-WitnessStorageKey"
+      }
+    ]
+    optionalServices = {
+      customLocation = var.custom_location_name
+    }
+  }
+  deployment_data_omit_null = { for k, v in local.deployment_data : k => v if v != null }
+  key_vault                 = var.create_key_vault ? azurerm_key_vault.deployment_keyvault[0] : data.azurerm_key_vault.key_vault[0]
+  owned_user_storages       = [for storage in local.decoded_user_storages : storage if lower(storage.extendedLocation.name) == lower(data.azapi_resource.customlocation.id)]
   rdma_adapter_properties = {
     jumboPacket             = "9014"
     networkDirect           = "Enabled"

diff --git a/validate.tf b/validate.tf
@@ -19,82 +19,7 @@ resource "azapi_resource" "validatedeploymentsetting" {
         version = "10.0.0.0"
         scaleUnits = [
           {
-            deploymentData = {
-              securitySettings = {
-                hvciProtection                = true
-                drtmProtection                = true
-                driftControlEnforced          = true
-                credentialGuardEnforced       = true
-                smbSigningEnforced            = true
-                smbClusterEncryption          = false
-                sideChannelMitigationEnforced = true
-                bitlockerBootVolume           = true
-                bitlockerDataVolumes          = true
-                wdacEnforced                  = true
-              }
-              observability = {
-                streamingDataClient = true
-                euLocation          = var.eu_location
-                episodicDataUpload  = true
-              }
-              cluster = {
-                name                 = var.cluster_name == "" ? azapi_resource.cluster.name : var.cluster_name
-                witnessType          = var.witness_type
-                witnessPath          = var.witness_path
-                cloudAccountName     = var.create_witness_storage_account ? azurerm_storage_account.witness[0].name : var.witness_storage_account_name
-                azureServiceEndpoint = var.azure_service_endpoint
-              }
-              storage = {
-                configurationMode = "Express"
-              }
-              namingPrefix = var.site_id
-              domainFqdn   = var.domain_fqdn
-              infrastructureNetwork = [{
-                useDhcp    = false
-                subnetMask = var.subnet_mask
-                gateway    = var.default_gateway
-                ipPools = [
-                  {
-                    startingAddress = var.starting_address
-                    endingAddress   = var.ending_address
-                  }
-                ]
-                dnsServers = flatten(var.dns_servers)
-              }]
-              physicalNodes = flatten(var.servers)
-              hostNetwork = {
-                enableStorageAutoIp           = true
-                intents                       = local.converged ? local.converged_intents : local.seperate_intents
-                storageNetworks               = local.storage_networks
-                storageConnectivitySwitchless = false
-              }
-              adouPath = var.adou_path
-              secrets = [
-                {
-                  secretName     = "${var.name}-AzureStackLCMUserCredential"
-                  eceSecretName  = "AzureStackLCMUserCredential"
-                  secretLocation = "${local.secrets_location}secrets/${var.name}-AzureStackLCMUserCredential"
-                },
-                {
-                  secretName     = "${var.name}-LocalAdminCredential"
-                  eceSecretName  = "LocalAdminCredential"
-                  secretLocation = "${local.secrets_location}secrets/${var.name}-LocalAdminCredential"
-                },
-                {
-                  secretName     = "${var.name}-DefaultARBApplication"
-                  eceSecretName  = "DefaultARBApplication"
-                  secretLocation = "${local.secrets_location}secrets/${var.name}-DefaultARBApplication"
-                },
-                {
-                  secretName     = "${var.name}-WitnessStorageKey"
-                  eceSecretName  = "WitnessStorageKey"
-                  secretLocation = "${local.secrets_location}secrets/${var.name}-WitnessStorageKey"
-                }
-              ]
-              optionalServices = {
-                customLocation = var.custom_location_name
-              }
-            }
+            deploymentData = local.deployment_data_omit_null
           }
         ]
       }