From 08a6279e7863667f8f528c2da0b04a33f866ff5c Mon Sep 17 00:00:00 2001
From: Paul Yu
Date: Fri, 16 Feb 2024 15:10:24 -0800
Subject: [PATCH] feat: adding var to optionally set kv access mode to azure rbac
---
 infra/terraform/keyvault.tf | 81 +++++++++++++++++++++++++++++++++++-
 infra/terraform/variables.tf | 6 +++
 2 files changed, 86 insertions(+), 1 deletion(-)
diff --git a/infra/terraform/keyvault.tf b/infra/terraform/keyvault.tf
index b85bb66c..0592b59c 100644
--- a/infra/terraform/keyvault.tf
+++ b/infra/terraform/keyvault.tf
@@ -5,10 +5,89 @@ resource "azurerm_key_vault" "example" {
 enabled_for_disk_encryption = true
 tenant_id = data.azurerm_client_config.current.tenant_id
 sku_name = "standard"
- enable_rbac_authorization = true
+ enable_rbac_authorization = var.kv_rbac_enabled
+
+ dynamic "access_policy" {
+ for_each = var.kv_rbac_enabled ? [] : [1]
+ content {
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+
+ certificate_permissions = [
+ "Backup",
+ "Create",
+ "Delete",
+ "DeleteIssuers",
+ "Get",
+ "GetIssuers",
+ "Import",
+ "List",
+ "ListIssuers",
+ "ManageContacts",
+ "ManageIssuers",
+ "Purge",
+ "Recover",
+ "Restore",
+ "SetIssuers",
+ "Update"
+ ]
+
+ key_permissions = [
+ "Backup",
+ "Create",
+ "Decrypt",
+ "Delete",
+ "Encrypt",
+ "Get",
+ "Import",
+ "List",
+ "Purge",
+ "Recover",
+ "Restore",
+ "Sign",
+ "UnwrapKey",
+ "Update",
+ "Verify",
+ "WrapKey",
+ "Release",
+ "Rotate",
+ "GetRotationPolicy",
+ "SetRotationPolicy"
+ ]
+
+ secret_permissions = [
+ "Backup",
+ "Delete",
+ "Get",
+ "List",
+ "Purge",
+ "Recover",
+ "Restore",
+ "Set"
+ ]
+
+ storage_permissions = [
+ "Backup",
+ "Delete",
+ "DeleteSAS",
+ "Get",
+ "GetSAS",
+ "List",
+ "ListSAS",
+ "Purge",
+ "Recover",
+ "RegenerateKey",
+ "Restore",
+ "Set",
+ "SetSAS",
+ "Update"
+ ]
+ }
+ }
 }
 
 resource "azurerm_role_assignment" "example_akv_rbac" {
+ count = var.kv_rbac_enabled ? 1 : 0
 principal_id = data.azurerm_client_config.current.object_id
 role_definition_name = "Key Vault Administrator"
 scope = azurerm_key_vault.example.id
diff --git a/infra/terraform/variables.tf b/infra/terraform/variables.tf
index c015770d..e81cbd22 100644
--- a/infra/terraform/variables.tf
+++ b/infra/terraform/variables.tf
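Review bot: Adding `count` to `azurerm_role_assignment.example_akv_rbac` changes its state address to `azurerm_role_assignment.example_akv_rbac[0]`, so a deployment that keeps RBAC enabled will plan a destroy-and-recreate of the Key Vault Administrator assignment instead of a no-op, and a `moved` block (Terraform 1.1+) placed after the resource keeps that migration in code rather than requiring a manual `terraform state mv`. Separately, the access-policy branch grants the deploying principal every permission in all four categories, including `Purge` on keys, secrets, certificates and storage, which allows permanent deletion of soft-deleted objects unless purge protection is enabled on the vault (not visible in this hunk); a comment above `dynamic "access_policy"` should state that this is deliberately the deployer's full-access equivalent of the RBAC administrator role and that production callers are expected to narrow it. The closing brace of the `azurerm_role_assignment` block lies outside the hunk.
```hcl
# Preserve the existing role assignment in state now that the resource is indexed by count.
moved {
  from = azurerm_role_assignment.example_akv_rbac
  to   = azurerm_role_assignment.example_akv_rbac[0]
}
```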
@@ -2,6 +2,12 @@ variable "location" {
 type = string
 }
 
+variable "kv_rbac_enabled" {
+ description = "value of keyvault rbac enabled. when set to true, key vault will use azure role-based access control"
+ type = bool
+ default = false
+}
+
 variable "ai_location" {
 description = "value of azure region for deploying azure ai service"
 type = string
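Review bot: `default = false` silently changes the access model of every existing deployment: the previous configuration hard-coded `enable_rbac_authorization = true`, so any user who does not set `kv_rbac_enabled` will see the vault switch from RBAC to legacy access policies on their next plan, and RBAC is the model Azure recommends for Key Vault. Keeping the prior behaviour as the default, `default = true`, makes access policies an explicit opt-out and avoids the unintended flip. The description should also say what the false branch does, for example `description = "When true, the key vault uses Azure RBAC for data-plane authorization; when false, a vault access policy granting the deploying principal full permissions is created instead."`.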