Merge pull request #1572 from aztfmod/cert-issuer

Enhancement: add support for remote dynamic secret reference for cert issuer
aztfmod · May 25, 2023 · 4af384f · 4af384f
2 parents dbd8369 + cacb4ab
commit 4af384f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/examples/keyvault/102-keyvault-cert-issuer/configuration.tfvars b/examples/keyvault/102-keyvault-cert-issuer/configuration.tfvars
@@ -49,9 +49,11 @@ keyvault_certificate_issuers = {
     organization_id    = "ExampleOrg"
     account_id         = "0000"
     resource_group_key = "kv_region1"
+    # lz_key           = "" # for remote lz
     keyvault_key       = "cert_secrets"
     cert_password_key  = "cert-password"
     # cert_issuer_password = "password in clear text. not recommended"
+    # cert_secret_name = "cert-password" # replace the cert_password_key for remote lz reference
 
     admin_settings = {
       admin1 = {

diff --git a/keyvault_certificate_issuers.tf b/keyvault_certificate_issuers.tf
@@ -10,20 +10,33 @@ module "keyvault_certificate_issuers" {
   global_settings = local.global_settings
   settings        = each.value
   keyvault_id     = can(each.value.keyvault_id) ? each.value.keyvault_id : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].id
-  password        = try(data.azurerm_key_vault_secret.certificate_issuer_password[each.key].value, each.value.cert_issuer_password)
+  password        = can(each.value.cert_secret_name) || can(each.value.cert_issuer_password) ? try(jsondecode(data.azapi_resource.certificate_issuer_password[each.key].output).properties.value, each.value.cert_issuer_password) : data.azurerm_key_vault_secret.certificate_issuer_password[each.key].value
 }
 
 data "azurerm_key_vault_secret" "certificate_issuer_password" {
   depends_on = [module.dynamic_keyvault_secrets]
   for_each = {
     for key, value in local.security.keyvault_certificate_issuers : key => value
-    if try(value.cert_password_key, null) != null
+    if can(value.cert_password_key)
   }
 
   name         = var.security.dynamic_keyvault_secrets[each.value.keyvault_key][each.value.cert_password_key].secret_name
   key_vault_id = can(each.value.key_vault_id) ? each.value.key_vault_id : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].id
 }
 
+data "azapi_resource" "certificate_issuer_password" {
+  depends_on = [module.dynamic_keyvault_secrets]
+  for_each = {
+    for key, value in local.security.keyvault_certificate_issuers : key => value
+    if can(value.cert_secret_name)
+  }
+
+  type      = "Microsoft.KeyVault/vaults/secrets@2022-07-01"
+  parent_id = can(each.value.key_vault_id) ? each.value.key_vault_id : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].id
+  name      = each.value.cert_secret_name
+
+}
+
 output "keyvault_certificate_issuers" {
   value = module.keyvault_certificate_issuers