Draft
fc735b9
feat: create private endpoint for key vault apps service
m-juckes-pins Mar 3, 2026
cb6314d
feat: creating private endpoint terraform and depends on
m-juckes-pins Mar 6, 2026
cd35e10
feat: creating private endpoint terraform and depends on
m-juckes-pins Mar 19, 2026
edafbd2
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
eb8cfe6
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
41dede7
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
26030b5
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
39fc020
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
6bd6aa5
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
4b55b64
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
aa53974
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
792ec12
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
33d8d63
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
27443c0
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
df156e8
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
783f3bf
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
2c7fedc
feat: adding in private endpoint for common key vault
m-juckes-pins Mar 23, 2026
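--- a/app/components/networking/data.tf
+++ b/app/components/networking/data.tf
@@ -4,3 +4,10 @@ data "azurerm_virtual_network" "tooling" {
 
 provider = azurerm.tooling
 }
+
+data "azurerm_private_dns_zone" "keyvault" {
+name = "privatelink.vaultcore.azure.net"
+resource_group_name = var.tooling_network_rg
+
+provider = azurerm.tooling
+}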
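--- a/app/components/networking/network.tf
+++ b/app/components/networking/network.tf
@@ -192,6 +192,17 @@ resource "azurerm_private_dns_zone_virtual_network_link" "sql_synapse_vnet_link"
 provider = azurerm.tooling
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "keyvault" {
+name = "pins-vnetlink-${var.service_name}-keyvault-${var.resource_suffix}"
+resource_group_name = var.tooling_network_rg
+private_dns_zone_name = data.azurerm_private_dns_zone.keyvault.name
+virtual_network_id = azurerm_virtual_network.common_infrastructure.id
+
+tags = var.tags
+
+provider = azurerm.tooling
+}
+
 resource "azurerm_virtual_network_peering" "env_to_tooling" {
 name = "pins-peer-env-to-tooling-${var.service_name}-${var.resource_suffix}"
 remote_virtual_network_id = data.azurerm_virtual_network.tooling.id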
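--- a/app/stacks/uk-west/common/data.tf
+++ b/app/stacks/uk-west/common/data.tf
@@ -4,3 +4,10 @@ data "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key" {
 name = azurerm_key_vault_secret.applications_service_vpn_gateway_shared_key.name
 key_vault_id = azurerm_key_vault.environment_key_vault.id
 }
+
+data "azurerm_private_dns_zone" "keyvault" {
+name = "privatelink.vaultcore.azure.net"
+resource_group_name = var.tooling_network_rg
+
+provider = azurerm.tooling
+}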
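Review bot: The `data "azurerm_private_dns_zone" "keyvault"` block is an exact duplicate of the lookup added to `app/components/networking/data.tf` in this same PR, down to the zone name string and the `azurerm.tooling` provider alias. Since the stack appears to consume the networking component as a module (`module.networking.vnet_name` is referenced in `key-vault.tf`), exposing the zone id from that module as an output and feeding it to `private_dns_zone_ids` would keep a single source of truth and drop the second cross-subscription lookup from the stack. If the component is not in fact applied as a module from here, the duplication at least deserves a pointer, e.g. `# same zone as app/components/networking/data.tf; keep the two in sync`.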
58 changes: 46 additions & 12 deletions app/stacks/uk-west/common/key-vault.tf
@@ -1,17 +1,19 @@
resource "azurerm_key_vault" "environment_key_vault" {
#checkov:skip=CKV_AZURE_42: Soft delete protection enabled by default in latest Azure provider
#checkov:skip=CKV_AZURE_109: TODO: Network ACL, currently not implemented as it blocks pipeline
#checkov:skip=CKV_AZURE_189: TODO: Ensure that Azure Key Vault disables public network access
#checkov:skip=CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "")
location = azurerm_resource_group.common_infrastructure.location
resource_group_name = azurerm_resource_group.common_infrastructure.name
enabled_for_disk_encryption = true
purge_protection_enabled = true
soft_delete_retention_days = 7
tenant_id = data.azurerm_client_config.current.tenant_id

sku_name = "standard"
name = replace("pinskv${local.service_name}${local.kv_resource_suffix}", "-", "")
location = azurerm_resource_group.common_infrastructure.location
resource_group_name = azurerm_resource_group.common_infrastructure.name
enabled_for_disk_encryption = true
purge_protection_enabled = true
soft_delete_retention_days = 7
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "standard"
public_network_access_enabled = false

network_acls {
bypass = "AzureServices"
default_action = "Deny"
}

tags = local.tags
}
Expand Down Expand Up @@ -101,6 +103,10 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
name = "applications-service-vpn-gateway-shared-key"
value = "<enter_value>"

depends_on = [
azurerm_private_endpoint.keyvault,
]

tags = local.tags

lifecycle {
Expand All @@ -109,3 +115,31 @@ resource "azurerm_key_vault_secret" "applications_service_vpn_gateway_shared_key
]
}
}

resource "azurerm_private_endpoint" "keyvault" {
name = "pins-pe-keyvault-${local.resource_suffix}"
location = azurerm_resource_group.common_infrastructure.location # This is throwing up errors?
no errors, old code comment

resource_group_name = azurerm_resource_group.common_infrastructure.name
subnet_id = azurerm_subnet.private_endpoints.id # Not sure on which subnet it lives
a new one will be created


private_dns_zone_group {
name = "pins-pdns-${local.service_name}-keyvault-${var.environment}"
private_dns_zone_ids = [data.azurerm_private_dns_zone.keyvault.id]
}

private_service_connection {
name = "pins-psc-keyvault-${local.resource_suffix}"
private_connection_resource_id = azurerm_key_vault.environment_key_vault.id
subresource_names = ["vault"]
is_manual_connection = false
}

tags = local.tags
}

resource "azurerm_subnet" "private_endpoints" {
name = "snet-private-endpoints"
resource_group_name = azurerm_resource_group.common_infrastructure.name
virtual_network_name = module.networking.vnet_name
address_prefixes = ["10.0.1.0/24"] # Ensure this doesn't overlap!
This IP range needs to be double-checked. It may need to be moved into the networking section (this did break my pipeline when I tried, but probably because I wasn't referencing it correctly).

}
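Review bot: The `depends_on = [azurerm_private_endpoint.keyvault]` added to `applications_service_vpn_gateway_shared_key` is necessary because `public_network_access_enabled = false` together with `default_action = "Deny"` means every data-plane write to the vault has to go through the private endpoint, but the same ordering is needed by every other `azurerm_key_vault_secret` in this file and by the `azurerm_key_vault_secret` data source in `data.tf`, none of which are visible in these hunks; any that lack it can fail on the first apply of a fresh environment. That dependency also only guarantees the endpoint resource exists, not that the pipeline agent can resolve `privatelink.vaultcore.azure.net` and route to `snet-private-endpoints`, which is the situation the old `CKV_AZURE_109` skip comment described as blocking the pipeline, and `bypass = "AzureServices"` does not cover a pipeline agent. Separately, `private_dns_zone_group` registers the endpoint's record in a zone owned by the `azurerm.tooling` subscription, so the identity applying this stack presumably needs write access on that zone — worth confirming and noting in a comment on the block. The `private_dns_zone_group` name uses `var.environment` while the sibling names use `local.resource_suffix`; aligning them avoids two suffix conventions in one resource. The secret resource in the second hunk starts outside the hunk.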