Merge pull request #871 from DFE-Digital/feature/er-716-azure-prod-wo…

…rkflows ER: GitHub Access Policy to KeyVault
DFE-Digital · Sep 29, 2023 · 3f7cc1f · 3f7cc1f
2 parents c62fc97 + 72c54c1
commit 3f7cc1f
Showing 1 changed file with 27 additions and 8 deletions.
diff --git a/terraform-azure/terraform-azure-network/cert.tf b/terraform-azure/terraform-azure-network/cert.tf
@@ -62,6 +62,33 @@ resource "azurerm_key_vault_access_policy" "kv_ap" {
   }
 }
 
+# Access Policy for GitHub Actions
+resource "azurerm_key_vault_access_policy" "kv_gh_ap" {
+  # Key Vault only deployed to the Test and Production subscription
+  count = var.environment != "development" ? 1 : 0
+
+  key_vault_id = azurerm_key_vault.kv[0].id
+  tenant_id    = data.azurerm_client_config.az_config.tenant_id
+  object_id    = data.azurerm_client_config.az_config.object_id
+
+  secret_permissions = [
+    "Get"
+  ]
+
+  certificate_permissions = [
+    "Create",
+    "Get",
+    "GetIssuers",
+    "Import",
+    "List",
+    "ListIssuers",
+    "ManageContacts",
+    "ManageIssuers",
+    "SetIssuers",
+    "Update"
+  ]
+}
+
 resource "azurerm_key_vault_access_policy" "kv_mi_ap" {
   # Key Vault only deployed to the Test and Production subscription
   count = var.environment != "development" ? 1 : 0
@@ -95,10 +122,6 @@ resource "azurerm_key_vault_certificate_issuer" "kv_ca" {
     last_name     = var.kv_certificate_authority_admin_last_name
     phone         = var.kv_certificate_authority_admin_phone_no
   }
-
-  lifecycle {
-    ignore_changes = all
-  }
 }
 
 resource "azurerm_key_vault_certificate" "kv_cert" {
@@ -141,8 +164,4 @@ resource "azurerm_key_vault_certificate" "kv_cert" {
       validity_in_months = 12
     }
   }
-
-  lifecycle {
-    ignore_changes = all
-  }
 }