diff --git a/app/components/networking/data.tf b/app/components/networking/data.tf index 81cdb36c4..42083fdae 100644 --- a/app/components/networking/data.tf +++ b/app/components/networking/data.tf @@ -4,3 +4,10 @@ data "azurerm_virtual_network" "tooling" { provider = azurerm.tooling } + +data "azurerm_private_dns_zone" "keyvault" { + name = "privatelink.vaultcore.azure.net" + resource_group_name = var.tooling_network_rg + + provider = azurerm.tooling +} diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf index 8610b87e2..f1c8f0c35 100644 --- a/app/components/networking/network.tf +++ b/app/components/networking/network.tf @@ -192,6 +192,17 @@ resource "azurerm_private_dns_zone_virtual_network_link" "sql_synapse_vnet_link" provider = azurerm.tooling } +resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" { + name = "pins-vnetlink-${var.service_name}-keyvault-${var.resource_suffix}" + resource_group_name = var.tooling_network_rg + private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name + virtual_network_id = azurerm_virtual_network.common_infrastructure.id + + tags = var.tags + + provider = azurerm.tooling +} + resource "azurerm_virtual_network_peering" "env_to_tooling" { name = "pins-peer-env-to-tooling-${var.service_name}-${var.resource_suffix}" remote_virtual_network_id = data.azurerm_virtual_network.tooling.id diff --git a/app/stacks/uk-west/common/data.tf b/app/stacks/uk-west/common/data.tf index ebb138ecb..ebdba1f8e 100644 --- a/app/stacks/uk-west/common/data.tf +++ b/app/stacks/uk-west/common/data.tf 
@@ -4,3 +4,10 @@ data "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key" {
  name = azurerm_key_vault_secret.applications_service_vpn_gateway_shared_key.name
  key_vault_id = azurerm_key_vault.environment_key_vault.id
 }
+
+data "azurerm_private_dns_zone" "keyvault" {
+ name = "privatelink.vaultcore.azure.net"
+ resource_group_name = var.tooling_network_rg
+
+ provider = azurerm.tooling
+}
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index f6bf30bd0..4e7d9a18f 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
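Review bot: This `data "azurerm_private_dns_zone" "keyvault"` block is a verbatim copy of the one added to app/components/networking/data.tf in the same commit; key-vault.tf in this stack already consumes `module.networking.vnet_name`, so if that module is the networking component, exposing the zone id as a module output would avoid two independent lookups of the same zone. Either way this is the first visible use of `var.tooling_network_rg` and the `azurerm.tooling` provider alias in the common stack; neither declaration appears in the diff, so confirm both exist here or the plan fails before the private endpoint is ever evaluated.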
@@ -1,17 +1,19 @@ resource "azurerm_key_vault" "environment_key_vault" { - #checkov:skip=CKV_AZURE_42: Soft delete protection enabled by default in latest Azure provider - #checkov:skip=CKV_AZURE_109: TODO: Network ACL, currently not implemented as it blocks pipeline - #checkov:skip=CKV_AZURE_189: TODO: Ensure that Azure Key Vault disables public network access #checkov:skip=CKV2_AZURE_32: "Ensure private endpoint is configured to key vault" - name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "") - location = azurerm_resource_group.common_infrastructure.location - resource_group_name = azurerm_resource_group.common_infrastructure.name - enabled_for_disk_encryption = true - purge_protection_enabled = true - soft_delete_retention_days = 7 - tenant_id = data.azurerm_client_config.current.tenant_id - - sku_name = "standard" + name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "") + location = azurerm_resource_group.common_infrastructure.location + resource_group_name = azurerm_resource_group.common_infrastructure.name + enabled_for_disk_encryption = true + purge_protection_enabled = true + soft_delete_retention_days = 7 + tenant_id = data.azurerm_client_config.current.tenant_id + sku_name = "standard" + public_network_access_enabled = false + + network_acls { + bypass = "AzureServices" + default_action = "Deny" + } tags = local.tags } @@ -101,6 +103,10 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key name = "applications-service-vpn-gateway-shared-key" value = "" + depends_on = [ + azurerm_private_endpoint.keyvault, + ] + tags = local.tags lifecycle { 
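Review bot: The `#checkov:skip=CKV2_AZURE_32` line kept as context at the top of `azurerm_key_vault.environment_key_vault` is now stale, because this same commit adds `azurerm_private_endpoint.keyvault` for the vault in the `-109,3` hunk; delete that skip so the control is actually evaluated. With `public_network_access_enabled = false`, `default_action = "Deny"` and no `ip_rules` or `virtual_network_subnet_ids`, every plan or apply that reads or writes secrets — the `azurerm_key_vault_secret` resources in this file and the `data "azurerm_key_vault_secret"` in data.tf — must run from a network that resolves and reaches the private endpoint; the removed CKV_AZURE_109 comment records that network ACLs previously blocked the pipeline, and the `depends_on` added in the `-101,6` hunk only orders creation, it does not give the runner a path. If the pipeline runs on hosted agents, either move it to a self-hosted agent in the linked VNet or add the agents' egress ranges to `ip_rules`, and record which was chosen in a comment on `network_acls`, e.g. `# Deny by default: the deploy agent reaches the vault via azurerm_private_endpoint.keyvault`.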
@@ -109,3 +115,31 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
  ]
  }
 }
+
+resource "azurerm_private_endpoint" "keyvault" {
+ name = "pins-pe-keyvault-${local.resource_suffix}"
+ location = azurerm_resource_group.common_infrastructure.location # This is throwing up errors?
+ resource_group_name = azurerm_resource_group.common_infrastructure.name
+ subnet_id = azurerm_subnet.private_endpoints.id # Not sure on which subnet it lives
+
+ private_dns_zone_group {
+ name = "pins-pdns-${local.service_name}-keyvault-${var.environment}"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.keyvault.id]
+ }
+
+ private_service_connection {
+ name = "pins-psc-keyvault-${local.resource_suffix}"
+ private_connection_resource_id = azurerm_key_vault.environment_key_vault.id
+ subresource_names = ["vault"]
+ is_manual_connection = false
+ }
+
+ tags = local.tags
+}
+
+resource "azurerm_subnet" "private_endpoints" {
+ name = "snet-private-endpoints"
+ resource_group_name = azurerm_resource_group.common_infrastructure.name
+ virtual_network_name = module.networking.vnet_name
+ address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
+}
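Review bot: `azurerm_subnet.private_endpoints` hard-codes `address_prefixes = ["10.0.1.0/24"]` into a VNet whose address space is owned by `module.networking`, and the three inline comments ("Ensure this doesn't overlap!", "This is throwing up errors?", "Not sure on which subnet it lives") record open questions rather than decisions; a subnet prefix that collides with the VNet's existing ranges fails at apply, so derive it from the module or a stack variable, e.g. `address_prefixes = [var.private_endpoint_subnet_cidr] # constructed name, declare alongside the VNet address space`, and either resolve or delete those comments before merging. Defining the subnet in key-vault.tf rather than next to the other network resources is also easy to miss; if the networking module exposes an output for the VNet address space, creating the subnet there and passing `subnet_id` in keeps one owner for the address plan. Separately, `private_dns_zone_group` references a zone that lives in the tooling subscription via `provider = azurerm.tooling`, while the endpoint itself is created with the default provider; confirm the deploying identity can write DNS zone groups against that zone, since if it cannot the apply fails after the endpoint exists and the vault is unreachable by name.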