Adding customer managed keys

CDCgov · Aug 30, 2024 · 558ccb2 · 558ccb2
1 parent 89764ab
commit 558ccb2
Show file tree

Hide file tree

Showing 8 changed files with 82 additions and 2 deletions.
diff --git a/operations/environments/dev/main.tf b/operations/environments/dev/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/internal/main.tf b/operations/environments/internal/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/pr/main.tf b/operations/environments/pr/main.tf
@@ -19,6 +19,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/prd/main.tf b/operations/environments/prd/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/environments/stg/main.tf b/operations/environments/stg/main.tf
@@ -20,6 +20,7 @@ provider "azurerm" {
   features {
     key_vault {
       purge_soft_deleted_secrets_on_destroy = false
+      purge_soft_deleted_keys_on_destroy    = false
     }
   }
 }

diff --git a/operations/template/app.tf b/operations/template/app.tf
@@ -3,7 +3,16 @@ resource "azurerm_container_registry" "registry" {
   name                = "cdcrssftp${var.environment}containerregistry"
   resource_group_name = data.azurerm_resource_group.group.name
   location            = data.azurerm_resource_group.group.location
-  sku                 = "Standard"
+  sku                 = "Premium"
+
+  identity {
+    type = "UserAssigned"
+    identity_ids = [
+      azurerm_user_assigned_identity.key_vault_identity.id
+    ]
+  }
+
+
 
   lifecycle {
     ignore_changes = [
@@ -19,6 +28,13 @@ resource "azurerm_role_assignment" "allow_app_to_pull_from_registry" {
   scope                = azurerm_container_registry.registry.id
 }
 
+resource "azurerm_user_assigned_identity" "key_vault_identity" {
+  resource_group_name = data.azurerm_resource_group.group.name
+  location            = data.azurerm_resource_group.group.location
+
+  name = "sftp-key-vault-identity-${var.environment}"
+}
+
 # Create the staging service plan
 resource "azurerm_service_plan" "plan" {
   name                   = "cdc-rs-sftp-${var.environment}-service-plan"

diff --git a/operations/template/key.tf b/operations/template/key.tf
@@ -7,7 +7,7 @@ resource "azurerm_key_vault" "key_storage" {
   sku_name  = "standard"
   tenant_id = data.azurerm_client_config.current.tenant_id
 
-  purge_protection_enabled = false
+  purge_protection_enabled = true
 
   lifecycle {
     ignore_changes = [
@@ -28,6 +28,17 @@ resource "azurerm_key_vault_access_policy" "allow_github_deployer" {
     "Delete",
     "Purge",
   ]
+
+  key_permissions = [
+    "Create",
+    "Delete",
+    "Get",
+    "Purge",
+    "Recover",
+    "Update",
+    "GetRotationPolicy",
+    "SetRotationPolicy",
+  ]
 }
 
 resource "azurerm_key_vault_access_policy" "allow_app_read" {
@@ -41,6 +52,18 @@ resource "azurerm_key_vault_access_policy" "allow_app_read" {
   ]
 }
 
+resource "azurerm_key_vault_access_policy" "allow_sftp_storage_account_wrapping" {
+  key_vault_id = azurerm_key_vault.key_storage.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = azurerm_storage_account.storage.identity.0.principal_id
+
+  key_permissions = [
+    "Get",
+    "UnwrapKey",
+    "WrapKey",
+  ]
+}
+
 resource "azurerm_key_vault_secret" "mock_public_health_lab_private_key" {
   name  = "mock-public-health-lab-private-key-${var.environment}"
   value = "dogcow"
@@ -136,3 +159,22 @@ resource "azurerm_key_vault_secret" "sftp_server_public_key" {
   }
   depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
 }
+
+resource "azurerm_key_vault_key" "customer_managed_key" {
+  name         = "customer-managed-key-${var.environment}"
+  key_vault_id = azurerm_key_vault.key_storage.id
+
+  key_type = "RSA"
+  key_size = 4096
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey"
+  ]
+
+  depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
+}
diff --git a/operations/template/storage.tf b/operations/template/storage.tf
@@ -17,8 +17,25 @@ resource "azurerm_storage_account" "storage" {
       tags,
     ]
   }
+
+  identity {
+    type = "SystemAssigned"
+  }
 }
 
+
+resource "azurerm_storage_account_customer_managed_key" "storage_storage_account_customer_key" {
+storage_account_id = azurerm_storage_account.storage.id
+key_vault_id       = azurerm_key_vault.key_storage.id
+key_name           = azurerm_key_vault_key.customer_managed_key.name
+
+depends_on = [
+azurerm_key_vault_access_policy.allow_github_deployer,
+azurerm_key_vault_access_policy.allow_sftp_storage_account_wrapping
+] //wait for the permission that allows our deployer to write the secret
+}
+
+
 resource "azurerm_storage_container" "sftp_container" {
   name                  = "sftp"
   storage_account_name  = azurerm_storage_account.storage.name