aztfmod · arnaudlh · Nov 8, 2023 · Oct 25, 2023
diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json
@@ -30,6 +30,7 @@
     "networking/virtual_wan/104-vwan-hub-gw-spp",
     "networking/virtual_wan/105-vwan-hub-route-table",
     "networking/virtual_wan/109-vwan-vpn-gateway-connection",
+    "networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert",
     "redis_cache/100-redis-standard",
     "redis_cache/101-redis-diagnostics",
     "redis_cache/102-redis-private",

diff --git a/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars b/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars
@@ -0,0 +1,98 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+provider_azurerm_features_keyvault = {
+  // set to true to cleanup the CI
+  purge_soft_delete_on_destroy = true
+}
+
+resource_groups = {
+  hub_re1 = {
+    name   = "vnet-hub-re1"
+    region = "region1"
+  }
+}
+
+keyvaults = {
+  vwan-kv = {
+    name               = "vwan-kv"
+    resource_group_key = "hub_re1"
+    sku_name           = "standard"
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+      }
+    }
+    secrets = {
+      ca_cert = {
+        name  = "ca-cert"
+        value = <<EOF
+          -----BEGIN CERTIFICATE-----
+          MIIDuzCCAqOgAwIBAgIQCHTZWCM+IlfFIRXIvyKSrjANBgkqhkiG9w0BAQsFADBn
+          MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+          d3cuZGlnaWNlcnQuY29tMSYwJAYDVQQDEx1EaWdpQ2VydCBGZWRlcmF0ZWQgSUQg
+          Um9vdCBDQTAeFw0xMzAxMTUxMjAwMDBaFw0zMzAxMTUxMjAwMDBaMGcxCzAJBgNV
+          BAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp
+          Y2VydC5jb20xJjAkBgNVBAMTHURpZ2lDZXJ0IEZlZGVyYXRlZCBJRCBSb290IENB
+          MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvAEB4pcCqnNNOWE6Ur5j
+          QPUH+1y1F9KdHTRSza6k5iDlXq1kGS1qAkuKtw9JsiNRrjltmFnzMZRBbX8Tlfl8
+          zAhBmb6dDduDGED01kBsTkgywYPxXVTKec0WxYEEF0oMn4wSYNl0lt2eJAKHXjNf
+          GTwiibdP8CUR2ghSM2sUTI8Nt1Omfc4SMHhGhYD64uJMbX98THQ/4LMGuYegou+d
+          GTiahfHtjn7AboSEknwAMJHCh5RlYZZ6B1O4QbKJ+34Q0eKgnI3X6Vc9u0zf6DH8
+          Dk+4zQDYRRTqTnVO3VT8jzqDlCRuNtq6YvryOWN74/dq8LQhUnXHvFyrsdMaE1X2
+          DwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV
+          HQ4EFgQUGRdkFnbGt1EWjKwbUne+5OaZvRYwHwYDVR0jBBgwFoAUGRdkFnbGt1EW
+          jKwbUne+5OaZvRYwDQYJKoZIhvcNAQELBQADggEBAHcqsHkrjpESqfuVTRiptJfP
+          9JbdtWqRTmOf6uJi2c8YVqI6XlKXsD8C1dUUaaHKLUJzvKiazibVuBwMIT84AyqR
+          QELn3e0BtgEymEygMU569b01ZPxoFSnNXc7qDZBDef8WfqAV/sxkTi8L9BkmFYfL
+          uGLOhRJOFprPdoDIUBB+tmCl3oDcBy3vnUeOEioz8zAkprcb3GHwHAK+vHmmfgcn
+          WsfMLH4JCLa/tRYL+Rw/N3ybCkDp00s0WUZ+AoDywSl0Q/ZEnNY0MsFiw6LyIdbq
+          M/s/1JRtO3bDSzD9TazRVzn2oBqzSa8VgIo5C1nOnoAKJTlsClJKvIhnRlaLQqk=
+          -----END CERTIFICATE-----
+          EOF
+      }
+    }
+  }
+}
+
+virtual_wans = {
+  vwan_re1 = {
+    resource_group_key = "hub_re1"
+    name               = "contosovWAN-re1"
+    region             = "region1"
+
+    hubs = {
+      hub_re1 = {
+        hub_name           = "hub-re1"
+        region             = "region1"
+        hub_address_prefix = "10.0.3.0/24"
+        deploy_p2s         = true
+        p2s_config = {
+          name       = "caf-sea-vpn-p2s"
+          scale_unit = 2
+          connection_configuration = {
+            name = "client-connections"
+            vpn_client_address_pool = {
+              address_prefixes = ["192.168.0.0/24"]
+            }
+          }
+          server_config = {
+            vpn_authentication_types = ["Certificate"]
+            client_root_certificate = {
+              name = "root-ca"
+              keyvault_secret = {
+                keyvault_key = "vwan-kv"
+                secret_name  = "ca-cert"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
diff --git a/modules/networking/virtual_wan/variables.tf b/modules/networking/virtual_wan/variables.tf
@@ -23,6 +23,9 @@ variable "virtual_networks" {
 variable "public_ip_addresses" {
   description = "Combined object for public ip addresses"
 }
+variable "keyvaults" {
+  description = "Combined object for keyvaults"
+}
 variable "client_config" {
 
-}
+}
diff --git a/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf b/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf
@@ -64,7 +64,7 @@ resource "azurerm_vpn_server_configuration" "p2s_configuration" {
     for_each = contains(var.virtual_hub_config.p2s_config.server_config.vpn_authentication_types, "Certificate") ? [1] : []
     content {
       name             = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.name
-      public_cert_data = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.public_cert_data
+      public_cert_data = can(var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret) ? replace(replace(data.azurerm_key_vault_secret.vpn_client_configuration_root_certificate[0].value, "-----BEGIN CERTIFICATE-----", ""), "-----END CERTIFICATE-----", "") : var.virtual_hub_config.p2s_config.server_config.client_root_certificate.public_cert_data
     }
   }
 
@@ -78,3 +78,11 @@ resource "azurerm_vpn_server_configuration" "p2s_configuration" {
   }
 }
 
+data "azurerm_key_vault_secret" "vpn_client_configuration_root_certificate" {
+  count = try(var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret, null) != null ? 1 : 0
+  name  = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.secret_name
+  key_vault_id = try(
+    var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.key_vault_id,
+    var.keyvaults[try(var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.lz_key, var.client_config.landingzone_key)][var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.keyvault_key].id
+  )
+}
diff --git a/modules/networking/virtual_wan/virtual_hub/variables.tf b/modules/networking/virtual_wan/virtual_hub/variables.tf
@@ -45,6 +45,9 @@ variable "virtual_networks" {
 variable "public_ip_addresses" {
   description = "Combined object for public ip addresses"
 }
+variable "keyvaults" {
+  description = "Combined object for keyvaults"
+}
 variable "client_config" {
 
-}
+}
diff --git a/modules/networking/virtual_wan/virtual_wan.tf b/modules/networking/virtual_wan/virtual_wan.tf
@@ -34,5 +34,6 @@ module "hubs" {
   tags                = merge(try(each.value.tags, null), local.tags)
   virtual_hub_config  = each.value
   virtual_networks    = var.virtual_networks
+  keyvaults = var.keyvaults
   vwan_id             = azurerm_virtual_wan.vwan.id
 }
diff --git a/networking_virtual_hubs.tf b/networking_virtual_hubs.tf
@@ -23,6 +23,7 @@ module "virtual_hubs" {
   tags                = try(local.global_settings.inherit_tags, false) ? merge(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].tags, try(each.value.tags, null)) : {}
   virtual_hub_config  = each.value
   virtual_networks    = local.combined_objects_networking
+  keyvaults           = local.combined_objects_keyvaults
   vwan_id             = can(each.value.virtual_wan) ? local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, local.client_config.landingzone_key)][each.value.virtual_wan.key].virtual_wan.id : null
 }
 
diff --git a/networking_virtual_wan.tf b/networking_virtual_wan.tf
@@ -25,5 +25,6 @@ module "virtual_wans" {
   global_settings     = local.global_settings
   virtual_networks    = local.combined_objects_networking
   public_ip_addresses = local.combined_objects_public_ip_addresses
+  keyvaults           = local.combined_objects_keyvaults
 }