From fc735b9ab16d03d66f1a4454168217cc3bd2c446 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Tue, 3 Mar 2026 11:58:08 +0000
Subject: [PATCH 01/17] feat: create private endpoint for key vault apps service
---
 app/components/networking/data.tf | 7 ++++
 app/components/networking/network.tf | 12 +++++++
 app/stacks/uk-west/common/key-vault.tf | 46 ++++++++++++++++++--------
 3 files changed, 52 insertions(+), 13 deletions(-)
diff --git a/app/components/networking/data.tf b/app/components/networking/data.tf
index 81cdb36c4..42083fdae 100644
--- a/app/components/networking/data.tf
+++ b/app/components/networking/data.tf
@@ -4,3 +4,10 @@ data "azurerm_virtual_network" "tooling" {
 
 provider = azurerm.tooling
 }
+
+data "azurerm_private_dns_zone" "keyvault" {
+ name = "privatelink.vaultcore.azure.net"
+ resource_group_name = var.tooling_network_rg
+
+ provider = azurerm.tooling
+}
diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf
index 8610b87e2..2b687df31 100644
--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -192,6 +192,18 @@ resource "azurerm_private_dns_zone_virtual_network_link" "sql_synapse_vnet_link"
 provider = azurerm.tooling
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
+ name = "pins-vnetlink-${var.service_name}-keyvault-${var.resource_suffix}"
+ resource_group_name = var.tooling_network_rg
+ private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name
+ virtual_network_id = azurerm_virtual_network.main.id
+
+ tags = var.tags
+
+ provider = azurerm.tooling
+}
+
+
 resource "azurerm_virtual_network_peering" "env_to_tooling" {
 name = "pins-peer-env-to-tooling-${var.service_name}-${var.resource_suffix}"
 remote_virtual_network_id = data.azurerm_virtual_network.tooling.id
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index f6bf30bd0..43c5f6c21 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -1,17 +1,18 @@
 resource "azurerm_key_vault" "environment_key_vault" {
- #checkov:skip=CKV_AZURE_42: Soft delete protection enabled by default in latest Azure provider
- #checkov:skip=CKV_AZURE_109: TODO: Network ACL, currently not implemented as it blocks pipeline
- #checkov:skip=CKV_AZURE_189: TODO: Ensure that Azure Key Vault disables public network access
- #checkov:skip=CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
- name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "")
- location = azurerm_resource_group.common_infrastructure.location
- resource_group_name = azurerm_resource_group.common_infrastructure.name
- enabled_for_disk_encryption = true
- purge_protection_enabled = true
- soft_delete_retention_days = 7
- tenant_id = data.azurerm_client_config.current.tenant_id
-
- sku_name = "standard"
+ name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "")
+ location = azurerm_resource_group.common_infrastructure.location
+ resource_group_name = azurerm_resource_group.common_infrastructure.name
+ enabled_for_disk_encryption = true
+ purge_protection_enabled = true
+ soft_delete_retention_days = 7
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "standard"
+ public_network_access_enabled = false
+
+ network_acls {
+ bypass = "AzureServices"
+ default_action = "Deny"
+ }
 
 tags = local.tags
 }
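Review bot: With `public_network_access_enabled = false` and `network_acls { default_action = "Deny" }` carrying no `ip_rules` or `virtual_network_subnet_ids`, the only data-plane path left is the private endpoint, which is exactly the pipeline-blocking situation the removed `CKV_AZURE_109` skip described. The `azurerm_key_vault_secret` resources later in this file are written over the data plane, so whichever agent runs the apply must resolve `privatelink.vaultcore.azure.net` and route to the endpoint subnet, or the first apply after this lockdown fails at the secret step. Record that constraint on the resource, e.g. `# Data plane is reachable only via azurerm_private_endpoint.keyvault; the deploy agent must be in, or peered to, the common VNet.`, so the next failure is diagnosed from the config rather than rediscovered. If a hosted agent is in use, an explicit `ip_rules` entry for it (or a self-hosted agent inside the VNet) is the deliberate choice to make here rather than re-adding the skip.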
@@ -109,3 +110,22 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
 ]
 }
 }
+
+resource "azurerm_private_endpoint" "keyvault" {
+ name = "pins-pe-keyvault-${local.resource_suffix}"
+ location = module.primary_region.location
+ resource_group_name = azurerm_resource_group.primary.name
+ subnet_id = azurerm_subnet.main.id
+
+ private_dns_zone_group {
+ name = "pins-pdns-${local.service_name}-keyvault-${var.environment}"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.keyvault.id]
+ }
+
+ private_service_connection {
+ name = "pins-psc-keyvault-${local.resource_suffix}"
+ private_connection_resource_id = azurerm_key_vault.main.id
+ subresource_names = ["vault"]
+ is_manual_connection = false
+ }
+}
From cb6314d54fe150da3aa86612e7835e4b786a40e5 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Fri, 6 Mar 2026 11:45:50 +0000
Subject: [PATCH 02/17] feat: creating private endpoint terraform and depends on
---
 app/stacks/uk-west/common/key-vault.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index 43c5f6c21..ef8bbd17f 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -128,4 +128,6 @@ resource "azurerm_private_endpoint" "keyvault" {
 subresource_names = ["vault"]
 is_manual_connection = false
 }
+
+ tags = local.tags
 }
From cd35e10e8154382f507306043e7bb7a4eba9400c Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Thu, 19 Mar 2026 09:33:36 +0000
Subject: [PATCH 03/17] feat: creating private endpoint terraform and depends on
---
 app/components/networking/network.tf | 10 ++++++++++
 app/stacks/uk-west/common/data.tf | 7 +++++++
 app/stacks/uk-west/common/key-vault.tf | 21 +++++++++++++++++----
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf
index 2b687df31..7153ccf67 100644
--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -203,6 +203,16 @@ resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
 provider = azurerm.tooling
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "keyvault_common" {
+ name = "pins-vnetlink-${var.service_name}-keyvault-common-${var.resource_suffix}"
+ resource_group_name = var.tooling_network_rg
+ private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name
+ virtual_network_id = azurerm_virtual_network.common_infrastructure.id
+
+ tags = var.tags
+
+ provider = azurerm.tooling
+}
 
 resource "azurerm_virtual_network_peering" "env_to_tooling" {
 name = "pins-peer-env-to-tooling-${var.service_name}-${var.resource_suffix}"
diff --git a/app/stacks/uk-west/common/data.tf b/app/stacks/uk-west/common/data.tf
index ebb138ecb..734a089f5 100644
--- a/app/stacks/uk-west/common/data.tf
+++ b/app/stacks/uk-west/common/data.tf
@@ -4,3 +4,10 @@ data "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key" {
 name = azurerm_key_vault_secret.applications_service_vpn_gateway_shared_key.name
 key_vault_id = azurerm_key_vault.environment_key_vault.id
 }
+
+data "azurerm_private_dns_zone" "keyvault" {
+ name = "privatelink.vaultcore.azure.net"
+ resource_group_name = var.tooling_config.network_rg
+
+ provider = azurerm.tooling
+}
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index ef8bbd17f..061ae1ced 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -1,4 +1,5 @@
 resource "azurerm_key_vault" "environment_key_vault" {
+ #checkov:skip=CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
 name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "")
 location = azurerm_resource_group.common_infrastructure.location
 resource_group_name = azurerm_resource_group.common_infrastructure.name
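Review bot: The re-added `#checkov:skip=CKV2_AZURE_32` suppresses the "private endpoint configured" check in the same series that attaches `azurerm_private_endpoint.keyvault` to this vault, so the skip now masks the control it exists to verify. If the scanner still raises the finding it is presumably because the endpoint is a separate resource it does not correlate with the vault; the skip reason should say that instead of repeating the check title, e.g. `#checkov:skip=CKV2_AZURE_32: endpoint is azurerm_private_endpoint.keyvault in this file; scanner does not link the two`, and be removed once the scanner does. The `keyvault_common` link added to network.tf on this line references `azurerm_virtual_network.common_infrastructure`, which no hunk shows defined inside the networking component, so that reference should be checked against the module's own resources before relying on the link.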
@@ -102,6 +103,11 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
 name = "applications-service-vpn-gateway-shared-key"
 value = ""
 
+ depends_on = [
+ azurerm_private_endpoint.keyvault,
+ azurerm_private_dns_zone_virtual_network_link.keyvault
+ ]
+
 tags = local.tags
 
 lifecycle {
@@ -113,9 +119,9 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
 
 resource "azurerm_private_endpoint" "keyvault" {
 name = "pins-pe-keyvault-${local.resource_suffix}"
- location = module.primary_region.location
- resource_group_name = azurerm_resource_group.primary.name
- subnet_id = azurerm_subnet.main.id
+ location = azurerm_resource_group.common_infrastructure.location
+ resource_group_name = azurerm_resource_group.common_infrastructure.name
+ subnet_id = azurerm_subnet.main.id # Not sure on which subnet it lives
 
 private_dns_zone_group {
 name = "pins-pdns-${local.service_name}-keyvault-${var.environment}"
@@ -124,10 +130,17 @@ resource "azurerm_private_endpoint" "keyvault" {
 
 private_service_connection {
 name = "pins-psc-keyvault-${local.resource_suffix}"
- private_connection_resource_id = azurerm_key_vault.main.id
+ private_connection_resource_id = azurerm_key_vault.environment_key_vault.id
 subresource_names = ["vault"]
 is_manual_connection = false
 }
 
 tags = local.tags
 }
+
+resource "azurerm_subnet" "endpoints" {
+ name = "snet-private-endpoints"
+ resource_group_name = azurerm_resource_group.common_infrastructure.name
+ virtual_network_name = azurerm_virtual_network.common_infrastructure.name
+ address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
+}
From edafbd259bad16816bdd7baa0424b8a6dc6d55bd Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 10:23:30 +0000
Subject: [PATCH 04/17] feat: adding in private endpoint for common key vault
---
 app/stacks/uk-west/common/key-vault.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
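Review bot: The new `azurerm_subnet` "endpoints" fixes `address_prefixes = ["10.0.1.0/24"]` with only a comment guarding against overlap, while the private endpoint above it still attaches to `azurerm_subnet.main`, so the subnet is created but nothing in this hunk uses it. Derive the prefix from the VNet's address space rather than hard-coding it, e.g. `address_prefixes = [cidrsubnet(<common VNet address space>, 8, <unused index>)]`, which fails at plan time on a bad index instead of at apply time on an address conflict. A subnet dedicated to private endpoints is also where NSG enforcement on endpoint NICs is decided; which `azurerm_subnet` argument controls that depends on the provider version in use, so set it explicitly rather than inheriting the default. The `# Not sure on which subnet it lives` comment should become a statement once that decision is made.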
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index 061ae1ced..8e17f4afd 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -119,7 +119,7 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
 
 resource "azurerm_private_endpoint" "keyvault" {
 name = "pins-pe-keyvault-${local.resource_suffix}"
- location = azurerm_resource_group.common_infrastructure.location
+ location = azurerm_resource_group.common_infrastructure.location # This is throwing up errors?
 resource_group_name = azurerm_resource_group.common_infrastructure.name
 subnet_id = azurerm_subnet.main.id # Not sure on which subnet it lives
From eb8cfe633f16d8064dfd70927ca675ec3f633e62 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 10:43:56 +0000
Subject: [PATCH 05/17] feat: adding in private endpoint for common key vault
---
 app/stacks/uk-west/common/data.tf | 2 +-
 app/stacks/uk-west/common/key-vault.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/stacks/uk-west/common/data.tf b/app/stacks/uk-west/common/data.tf
index 734a089f5..ebdba1f8e 100644
--- a/app/stacks/uk-west/common/data.tf
+++ b/app/stacks/uk-west/common/data.tf
@@ -7,7 +7,7 @@ data "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key" {
 
 data "azurerm_private_dns_zone" "keyvault" {
 name = "privatelink.vaultcore.azure.net"
- resource_group_name = var.tooling_config.network_rg
+ resource_group_name = var.tooling_network_rg
 
 provider = azurerm.tooling
 }
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index 8e17f4afd..696bd8d4f 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
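Review bot: `# This is throwing up errors?` on the `location` line is a debugging question rather than documentation, and nothing in this or the later patches resolves it while the line itself stays unchanged. Either remove the comment once the apply succeeds, or replace it with an actionable note that names the error and the hypothesis, e.g. `# TODO(<ticket>): apply reports <error summary> for location; confirm the endpoint region matches the subnet's VNet`. Unanswered questions left in committed IaC make the next reader unsure whether the resource definition can be trusted.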
@@ -141,6 +141,6 @@ resource "azurerm_private_endpoint" "keyvault" {
 resource "azurerm_subnet" "endpoints" {
 name = "snet-private-endpoints"
 resource_group_name = azurerm_resource_group.common_infrastructure.name
- virtual_network_name = azurerm_virtual_network.common_infrastructure.name
+ virtual_network_name = azurerm_virtual_network.common_infrastructure.name # Link this with the app/components and the VNet name
 address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
 }
From 41dede79f4f421b2e755627e6193d0b2fbc6a392 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 10:51:44 +0000
Subject: [PATCH 06/17] feat: adding in private endpoint for common key vault
---
 app/stacks/uk-west/common/key-vault.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index 696bd8d4f..853f3b2e8 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -141,6 +141,6 @@ resource "azurerm_private_endpoint" "keyvault" {
 resource "azurerm_subnet" "endpoints" {
 name = "snet-private-endpoints"
 resource_group_name = azurerm_resource_group.common_infrastructure.name
- virtual_network_name = azurerm_virtual_network.common_infrastructure.name # Link this with the app/components and the VNet name
+ virtual_network_name = azurerm_virtual_network.common_infrastructure.id
 address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
 }
From 26030b5cce5afe6ecb36122f96d6eec37ffd9fd6 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 11:06:56 +0000
Subject: [PATCH 07/17] feat: adding in private endpoint for common key vault
---
 app/components/networking/network.tf | 2 +-
 app/stacks/uk-west/common/key-vault.tf | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf
index 7153ccf67..973370aa4 100644
--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -196,7 +196,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
 name = "pins-vnetlink-${var.service_name}-keyvault-${var.resource_suffix}"
 resource_group_name = var.tooling_network_rg
 private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name
- virtual_network_id = azurerm_virtual_network.main.id
+ virtual_network_id = azurerm_virtual_network.common_infrastructure.id
 
 tags = var.tags
 
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index 853f3b2e8..d748b6b2b 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -1,3 +1,8 @@
+data "azurerm_virtual_network" "common_infrastructure" {
+ name = "vnet-common-services-uk-west"
+ resource_group_name = azurerm_resource_group.common_infrastructure.name
+}
+
 resource "azurerm_key_vault" "environment_key_vault" {
 #checkov:skip=CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
 name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "")
@@ -121,7 +126,7 @@ resource "azurerm_private_endpoint" "keyvault" {
 name = "pins-pe-keyvault-${local.resource_suffix}"
 location = azurerm_resource_group.common_infrastructure.location # This is throwing up errors?
 resource_group_name = azurerm_resource_group.common_infrastructure.name
- subnet_id = azurerm_subnet.main.id # Not sure on which subnet it lives
+ subnet_id = azurerm_subnet.private_endpoints.id # Not sure on which subnet it lives
 
 private_dns_zone_group {
 name = "pins-pdns-${local.service_name}-keyvault-${var.environment}"
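Review bot: The `keyvault` zone link now uses `azurerm_virtual_network.common_infrastructure.id`, but this file is the networking component, which previously linked `azurerm_virtual_network.main`, and no hunk in the series shows a `common_infrastructure` VNet resource defined inside the component; the `data "azurerm_virtual_network" "common_infrastructure"` added further down in this patch lives in the stack's key-vault.tf, which the module cannot see. If the common VNet is owned outside the module, pass its id in as a module variable and link that; if `main` already is the common VNet, the original reference was the correct one. The vault name resolves privately only from VNets that carry this link, so linking the wrong VNet presumably shows up as the runner receiving the vault's public address and being refused.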
@@ -138,7 +143,7 @@ resource "azurerm_private_endpoint" "keyvault" {
 tags = local.tags
 }
 
-resource "azurerm_subnet" "endpoints" {
+resource "azurerm_subnet" "private_endpoints" {
 name = "snet-private-endpoints"
 resource_group_name = azurerm_resource_group.common_infrastructure.name
 virtual_network_name = azurerm_virtual_network.common_infrastructure.id
From 39fc020bb02d6c2c5ca79841f07c4bf67fe4dcd9 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 11:36:00 +0000
Subject: [PATCH 08/17] feat: adding in private endpoint for common key vault
---
 app/stacks/uk-west/common/key-vault.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index d748b6b2b..f6d9f7c1c 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -146,6 +146,6 @@ resource "azurerm_private_endpoint" "keyvault" {
 resource "azurerm_subnet" "private_endpoints" {
 name = "snet-private-endpoints"
 resource_group_name = azurerm_resource_group.common_infrastructure.name
- virtual_network_name = azurerm_virtual_network.common_infrastructure.id
+ virtual_network_name = data.azurerm_virtual_network.common_infrastructure.name
 address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
 }
From 6bd6aa54d83c8fd53697459ffdcc1d224e1ea253 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 13:19:39 +0000
Subject: [PATCH 09/17] feat: adding in private endpoint for common key vault
---
 app/components/networking/network.tf | 16 ++++++++--------
 app/stacks/uk-west/common/key-vault.tf | 7 +------
 2 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf
index 973370aa4..a2f406597 100644
--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -203,16 +203,16 @@ resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
 provider = azurerm.tooling
 }
 
-resource "azurerm_private_dns_zone_virtual_network_link" "keyvault_common" {
- name = "pins-vnetlink-${var.service_name}-keyvault-common-${var.resource_suffix}"
- resource_group_name = var.tooling_network_rg
- private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name
- virtual_network_id = azurerm_virtual_network.common_infrastructure.id
+# resource "azurerm_private_dns_zone_virtual_network_link" "keyvault_common" {
+# name = "pins-vnetlink-${var.service_name}-keyvault-common-${var.resource_suffix}"
+# resource_group_name = var.tooling_network_rg
+# private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name
+# virtual_network_id = azurerm_virtual_network.common_infrastructure.id
 
- tags = var.tags
+# tags = var.tags
 
- provider = azurerm.tooling
-}
+# provider = azurerm.tooling
+# }
 
 resource "azurerm_virtual_network_peering" "env_to_tooling" {
 name = "pins-peer-env-to-tooling-${var.service_name}-${var.resource_suffix}"
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index f6d9f7c1c..1b2c801c9 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -1,8 +1,3 @@
-data "azurerm_virtual_network" "common_infrastructure" {
- name = "vnet-common-services-uk-west"
- resource_group_name = azurerm_resource_group.common_infrastructure.name
-}
-
 resource "azurerm_key_vault" "environment_key_vault" {
 #checkov:skip=CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
 name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "")
@@ -146,6 +141,6 @@ resource "azurerm_private_endpoint" "keyvault" {
 resource "azurerm_subnet" "private_endpoints" {
 name = "snet-private-endpoints"
 resource_group_name = azurerm_resource_group.common_infrastructure.name
- virtual_network_name = data.azurerm_virtual_network.common_infrastructure.name
+ virtual_network_name = module.networking.vnet_name
 address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
 }
From 4b55b644e8d222828a72b557f239020717a3e0d0 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 13:26:36 +0000
Subject: [PATCH 10/17] feat: adding in private endpoint for common key vault
---
 app/stacks/uk-west/common/key-vault.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index 1b2c801c9..89e929116 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -105,7 +105,7 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
 
 depends_on = [
 azurerm_private_endpoint.keyvault,
- azurerm_private_dns_zone_virtual_network_link.keyvault
+ module.networking
 ]
 
 tags = local.tags
From aa53974407fbbb4a747377c7bbaece0cbac55058 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 13:31:13 +0000
Subject: [PATCH 11/17] feat: adding in private endpoint for common key vault
---
 app/stacks/uk-west/common/key-vault.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/app/stacks/uk-west/common/key-vault.tf b/app/stacks/uk-west/common/key-vault.tf
index 89e929116..4e7d9a18f 100644
--- a/app/stacks/uk-west/common/key-vault.tf
+++ b/app/stacks/uk-west/common/key-vault.tf
@@ -105,7 +105,6 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
 
 depends_on = [
 azurerm_private_endpoint.keyvault,
- module.networking
 ]
 
 tags = local.tags
From 792ec124f25077131867f264909e4602697e908c Mon Sep 17 00:00:00 2001
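Review bot: After the two key-vault.tf hunks on this line the secret's `depends_on` lists only `azurerm_private_endpoint.keyvault`, so nothing orders the secret write after the zone-to-VNet link that lives in the networking module; the subnet's reference to `module.networking.vnet_name` orders only after the resources behind that one output, not after the whole module. With public network access disabled on the vault, a runner that resolves the vault name before the link exists receives the public address and the secret write is refused, which is presumably the failure that prompted the `module.networking` experiment in patch 10. If `depends_on = [module.networking]` produced a cycle, expose the link (or its id) as a module output and reference it from the endpoint's `private_dns_zone_group`, and leave a comment recording why the direct dependency was dropped. The trailing comma left in `depends_on = [ azurerm_private_endpoint.keyvault, ]` is valid HCL but reads as an unfinished edit.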
From: Michael Juckes
Date: Mon, 23 Mar 2026 13:32:42 +0000
Subject: [PATCH 12/17] feat: adding in private endpoint for common key vault
---
 app/components/networking/network.tf | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf
index a2f406597..f1c8f0c35 100644
--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -203,17 +203,6 @@ resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
 provider = azurerm.tooling
 }
 
-# resource "azurerm_private_dns_zone_virtual_network_link" "keyvault_common" {
-# name = "pins-vnetlink-${var.service_name}-keyvault-common-${var.resource_suffix}"
-# resource_group_name = var.tooling_network_rg
-# private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name
-# virtual_network_id = azurerm_virtual_network.common_infrastructure.id
-
-# tags = var.tags
-
-# provider = azurerm.tooling
-# }
-
 resource "azurerm_virtual_network_peering" "env_to_tooling" {
 name = "pins-peer-env-to-tooling-${var.service_name}-${var.resource_suffix}"
 remote_virtual_network_id = data.azurerm_virtual_network.tooling.id
From 33d8d631106bce5b9c48f97f4bf32453668cd0f7 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 13:42:46 +0000
Subject: [PATCH 13/17] feat: adding in private endpoint for common key vault
---
 app/stacks/uk-west/common/data.tf | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/app/stacks/uk-west/common/data.tf b/app/stacks/uk-west/common/data.tf
index ebdba1f8e..ebb138ecb 100644
--- a/app/stacks/uk-west/common/data.tf
+++ b/app/stacks/uk-west/common/data.tf
@@ -4,10 +4,3 @@ data "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key" {
 name = azurerm_key_vault_secret.applications_service_vpn_gateway_shared_key.name
 key_vault_id = azurerm_key_vault.environment_key_vault.id
 }
-
-data "azurerm_private_dns_zone" "keyvault" {
- name = "privatelink.vaultcore.azure.net"
- resource_group_name = var.tooling_network_rg
-
- provider = azurerm.tooling
-}
From 27443c0a29313f554b55402a353b0e6dc5a7b1c7 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 13:45:14 +0000
Subject: [PATCH 14/17] feat: adding in private endpoint for common key vault
---
 app/components/networking/data.tf | 7 -------
 app/stacks/uk-west/common/data.tf | 7 +++++++
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/app/components/networking/data.tf b/app/components/networking/data.tf
index 42083fdae..81cdb36c4 100644
--- a/app/components/networking/data.tf
+++ b/app/components/networking/data.tf
@@ -4,10 +4,3 @@ data "azurerm_virtual_network" "tooling" {
 
 provider = azurerm.tooling
 }
-
-data "azurerm_private_dns_zone" "keyvault" {
- name = "privatelink.vaultcore.azure.net"
- resource_group_name = var.tooling_network_rg
-
- provider = azurerm.tooling
-}
diff --git a/app/stacks/uk-west/common/data.tf b/app/stacks/uk-west/common/data.tf
index ebb138ecb..ebdba1f8e 100644
--- a/app/stacks/uk-west/common/data.tf
+++ b/app/stacks/uk-west/common/data.tf
@@ -4,3 +4,10 @@ data "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key" {
 name = azurerm_key_vault_secret.applications_service_vpn_gateway_shared_key.name
 key_vault_id = azurerm_key_vault.environment_key_vault.id
 }
+
+data "azurerm_private_dns_zone" "keyvault" {
+ name = "privatelink.vaultcore.azure.net"
+ resource_group_name = var.tooling_network_rg
+
+ provider = azurerm.tooling
+}
From df156e827135defb109092607562c37375f86fba Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 13:48:41 +0000
Subject: [PATCH 15/17] feat: adding in private endpoint for common key vault
---
 app/components/networking/data.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/app/components/networking/data.tf b/app/components/networking/data.tf
index 81cdb36c4..42083fdae 100644
--- a/app/components/networking/data.tf
+++ b/app/components/networking/data.tf
@@ -4,3 +4,10 @@ data "azurerm_virtual_network" "tooling" {
 
 provider = azurerm.tooling
 }
+
+data "azurerm_private_dns_zone" "keyvault" {
+ name = "privatelink.vaultcore.azure.net"
+ resource_group_name = var.tooling_network_rg
+
+ provider = azurerm.tooling
+}
From 783f3bfbe4cf1e60cafb10e09ecdfa088c28c33e Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 14:26:35 +0000
Subject: [PATCH 16/17] feat: adding in private endpoint for common key vault
---
 app/components/networking/network.tf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf
index f1c8f0c35..447b4ebce 100644
--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -77,6 +77,13 @@ resource "azurerm_subnet" "back_office_integration_subnet" {
 }
 }
 
+resource "azurerm_subnet" "private_endpoints" {
+ name = "snet-private-endpoints"
+ resource_group_name = azurerm_resource_group.common_infrastructure.name
+ virtual_network_name = module.networking.vnet_name
+ address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
+}
+
 resource "azurerm_subnet" "common_integration_functions_subnet" {
 name = "pins-common-integration-functions-${var.resource_suffix}"
 resource_group_name = var.resource_group_name
From 2c7fedc92d10d331c965c38b0cb9c868574cec65 Mon Sep 17 00:00:00 2001
From: Michael Juckes
Date: Mon, 23 Mar 2026 15:05:04 +0000
Subject: [PATCH 17/17] feat: adding in private endpoint for common key vault
---
 app/components/networking/network.tf | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/app/components/networking/network.tf b/app/components/networking/network.tf
index 447b4ebce..f1c8f0c35 100644
--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -77,13 +77,6 @@ resource "azurerm_subnet" "back_office_integration_subnet" {
 }
 }
 
-resource "azurerm_subnet" "private_endpoints" {
- name = "snet-private-endpoints"
- resource_group_name = azurerm_resource_group.common_infrastructure.name
- virtual_network_name = module.networking.vnet_name
- address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
-}
-
 resource "azurerm_subnet" "common_integration_functions_subnet" {
 name = "pins-common-integration-functions-${var.resource_suffix}"
 resource_group_name = var.resource_group_name