Merge pull request #40 from meshcloud/feature/remove-perm-keyvault

florianow · web-flow · commit adadee1d6341 · 2025-05-30T16:59:31.000+02:00
chore: remove user permissions from key-vault
diff --git a/modules/azure/key-vault/buildingblock/README.md b/modules/azure/key-vault/buildingblock/README.md
@@ -38,11 +38,8 @@ provider "azurerm" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 3.1.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | 3.1.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.18.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | 4.18.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | 3.6.3 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | 3.6.3 |
 
 ## Modules
 
@@ -54,11 +51,8 @@ No modules.
 |------|------|
 | [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/resources/key_vault) | resource |
 | [azurerm_resource_group.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/resources/resource_group) | resource |
-| [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/resources/role_assignment) | resource |
 | [random_string.resource_code](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource |
-| [azuread_user.users](https://registry.terraform.io/providers/hashicorp/azuread/3.1.0/docs/data-sources/user) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/data-sources/client_config) | data source |
-| [azurerm_role_definition.keyvault](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/data-sources/role_definition) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/4.18.0/docs/data-sources/subscription) | data source |
 
 ## Inputs
@@ -69,8 +63,6 @@ No modules.
 | <a name="input_key_vault_resource_group_name"></a> [key\_vault\_resource\_group\_name](#input\_key\_vault\_resource\_group\_name) | The name of the resource group containing the key vault. | `string` | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | The location/region where the key vault is created. | `string` | n/a | yes |
 | <a name="input_public_network_access_enabled"></a> [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | n/a | `bool` | `false` | no |
-| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | n/a | `string` | n/a | yes |
-| <a name="input_users"></a> [users](#input\_users) | Users and their roles provided by meshStack (Note that users must exist in stackit) | <pre>list(object(<br>    {<br>      meshIdentifier = string<br>      username       = string<br>      firstName      = string<br>      lastName       = string<br>      email          = string<br>      euid           = string<br>      roles          = list(string)<br>    }<br>  ))</pre> | n/a | yes |
 
 ## Outputs
 
diff --git a/modules/azure/key-vault/buildingblock/main.tf b/modules/azure/key-vault/buildingblock/main.tf
@@ -1,9 +1,3 @@
-locals {
-  admins  = { for user in var.users : user.username => user if contains(user["roles"], "admin") }
-  editors = { for user in var.users : user.username => user if contains(user["roles"], "user") }
-  readers = { for user in var.users : user.username => user if contains(user["roles"], "reader") }
-}
-
 data "azurerm_subscription" "current" {}
 
 data "azurerm_client_config" "current" {}
@@ -14,11 +8,6 @@ resource "random_string" "resource_code" {
   upper   = false
 }
 
-data "azuread_user" "users" {
-  for_each = merge(local.admins, local.readers)
-  mail     = each.value.username
-}
-
 resource "azurerm_resource_group" "key_vault" {
   name     = var.key_vault_resource_group_name
   location = var.location
@@ -35,14 +24,3 @@ resource "azurerm_key_vault" "key_vault" {
   enable_rbac_authorization     = true
   public_network_access_enabled = var.public_network_access_enabled
 }
-
-data "azurerm_role_definition" "keyvault" {
-  name = "Key Vault Administrator"
-}
-
-resource "azurerm_role_assignment" "cloudfoundation_tfdeploy" {
-  for_each             = data.azuread_user.users
-  principal_id         = each.value.object_id
-  scope                = azurerm_key_vault.key_vault.id
-  role_definition_name = data.azurerm_role_definition.keyvault.name
-}
diff --git a/modules/azure/key-vault/buildingblock/variables.tf b/modules/azure/key-vault/buildingblock/variables.tf
@@ -15,25 +15,6 @@ variable "location" {
   description = "The location/region where the key vault is created."
 }
 
-variable "subscription_id" {
-  type = string
-}
-
-variable "users" {
-  type = list(object(
-    {
-      meshIdentifier = string
-      username       = string
-      firstName      = string
-      lastName       = string
-      email          = string
-      euid           = string
-      roles          = list(string)
-    }
-  ))
-  description = "Users and their roles provided by meshStack (Note that users must exist in stackit)"
-}
-
 variable "public_network_access_enabled" {
   type    = bool
   default = false
