chore: refactor keyvault to a dict

Tietokilta · Jun 29, 2024 · 3047e35 · 3047e35
1 parent 74ded11
commit 3047e35
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 235 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/main.tf b/main.tf
@@ -74,7 +74,7 @@ module "dns_github" {
   resource_group_name = module.dns_prod.resource_group_name
   zone_name           = module.dns_prod.root_zone_name
   challenge_name      = "_github-challenge-Tietokilta-org"
-  challenge_value     = module.keyvault.github_challenge_value
+  challenge_value     = module.keyvault.secrets["github-challenge-value"]
 
 }
 module "mailman" {
@@ -133,8 +133,8 @@ resource "azurerm_key_vault_secret" "postgres_admin_password" {
 
 module "mongodb" {
   source                    = "./modules/mongodb"
-  mongodb_atlas_public_key  = module.keyvault.mongodb_atlas_public_key
-  mongodb_atlas_private_key = module.keyvault.mongodb_atlas_private_key
+  mongodb_atlas_public_key  = module.keyvault.secrets["mongodb-atlas-public-key"]
+  mongodb_atlas_private_key = module.keyvault.secrets["mongodb-atlas-private-key"]
   serverless_instance_name  = "tikweb-serverless-instance"
   project_name              = "tikweb-${terraform.workspace}"
   atlas_region              = "EUROPE_WEST"
@@ -156,11 +156,11 @@ module "web" {
   dns_resource_group_name      = module.dns_prod.resource_group_name
   subdomain                    = "@"
   mongo_connection_string      = module.mongodb.db_connection_string
-  google_oauth_client_id       = module.keyvault.google_oauth_client_id
-  google_oauth_client_secret   = module.keyvault.google_oauth_client_secret
+  google_oauth_client_id       = module.keyvault.secrets["google-oauth-client-id"]
+  google_oauth_client_secret   = module.keyvault.secrets["google-oauth-client-secret"]
   public_ilmo_url              = "https://${module.ilmo.fqdn}"
   public_legacy_url            = "https://tietokilta.fi"
-  digitransit_subscription_key = module.keyvault.digitransit_subscription_key
+  digitransit_subscription_key = module.keyvault.secrets["digitransit-subscription-key"]
 }
 resource "azurerm_key_vault_secret" "cms_password" {
   name         = "cms-password"
@@ -175,10 +175,10 @@ module "ilmo" {
   postgres_server_fqdn    = module.common.postgres_server_fqdn
   postgres_admin_password = module.common.postgres_admin_password
   postgres_server_id      = module.common.postgres_server_id
-  edit_token_secret       = module.keyvault.ilmo_edit_token_secret
-  auth_jwt_secret         = module.keyvault.ilmo_auth_jwt_secret
-  mailgun_api_key         = module.keyvault.ilmo_mailgun_api_key
-  mailgun_domain          = module.keyvault.ilmo_mailgun_domain
+  edit_token_secret       = module.keyvault.secrets["ilmo-edit-token-secret"]
+  auth_jwt_secret         = module.keyvault.secrets["ilmo-auth-jwt-secret"]
+  mailgun_api_key         = module.keyvault.secrets["ilmo-mailgun-api-key"]
+  mailgun_domain          = module.keyvault.secrets["ilmo-mailgun-domain"]
   website_events_url      = "https://ilmo.tietokilta.fi"
   tikweb_app_plan_id      = module.common.tikweb_app_plan_id
   tikweb_rg_location      = module.common.resource_group_location
@@ -213,7 +213,7 @@ module "tenttiarkisto" {
   tikweb_app_plan_id           = module.common.tikweb_app_plan_id
   tikweb_app_plan_rg_location  = module.common.resource_group_location
   tikweb_app_plan_rg_name      = module.common.resource_group_name
-  django_secret_key            = module.keyvault.tenttiarkisto_django_secret_key
+  django_secret_key            = module.keyvault.secrets["tenttiarkisto-django-secret-key"]
 }
 
 module "voo" {
@@ -251,8 +251,8 @@ module "tikjob_app" {
 
   ghost_mail_host     = "smtp.eu.mailgun.org"
   ghost_mail_port     = 465
-  ghost_mail_username = module.keyvault.tikjob_ghost_mail_username
-  ghost_mail_password = module.keyvault.tikjob_ghost_mail_password
+  ghost_mail_username = module.keyvault.secrets["tikjob-ghost-mail-username"]
+  ghost_mail_password = module.keyvault.secrets["tikjob-ghost-mail-password"]
 
   acme_account_key = module.common.acme_account_key
 

diff --git a/modules/keyvault/main.tf b/modules/keyvault/main.tf
@@ -65,108 +65,33 @@ resource "azurerm_key_vault_access_policy" "admin" {
 
 }
 
-data "azurerm_key_vault_secret" "digitransit_subscription_key" {
-  name         = "digitransit-subscription-key"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "ilmo_auth_jwt_secret" {
-  name         = "ilmo-auth-jwt-secret"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "ilmo_edit_token_secret" {
-  name         = "ilmo-edit-token-secret"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "ilmo_mailgun_api_key" {
-  name         = "ilmo-mailgun-api-key"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "ilmo_mailgun_domain" {
-  name         = "ilmo-mailgun-domain"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "tikjob_ghost_mail_username" {
-  name         = "tikjob-ghost-mail-username"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "tikjob_ghost_mail_password" {
-  name         = "tikjob-ghost-mail-password"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "tenttiarkisto_django_secret_key" {
-  name         = "tenttiarkisto-django-secret-key"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "github_app_key" {
-  name         = "github-app-key"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "google_oauth_client_id" {
-  name         = "google-oauth-client-id"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "google_oauth_client_secret" {
-  name         = "google-oauth-client-secret"
-  key_vault_id = azurerm_key_vault.keyvault.id
-  depends_on   = [azurerm_key_vault_access_policy.admin, azurerm_key_vault_access_policy.CI]
-}
-
-data "azurerm_key_vault_secret" "m0_smtp_email" {
-  name         = "muistinnollaus-smtp-email"
-  key_vault_id = azurerm_key_vault.keyvault.id
-}
-
-data "azurerm_key_vault_secret" "m0_smtp_password" {
-  name         = "muistinnollaus-smtp-password"
-  key_vault_id = azurerm_key_vault.keyvault.id
-}
-
-data "azurerm_key_vault_secret" "muistinnollaus_strapi_token" {
-  name         = "muistinnollaus-strapi-token"
-  key_vault_id = azurerm_key_vault.keyvault.id
-}
-
-data "azurerm_key_vault_secret" "muistinnollaus_paytrail_merchant_id" {
-  name         = "muistinnollaus-paytrail-merchant-id"
-  key_vault_id = azurerm_key_vault.keyvault.id
-}
-
-data "azurerm_key_vault_secret" "muistinnollaus_paytrail_secret_key" {
-  name         = "muistinnollaus-paytrail-secret-key"
-  key_vault_id = azurerm_key_vault.keyvault.id
-}
-
-data "azurerm_key_vault_secret" "mongodb_atlas_public_key" {
-  name         = "mongodb-atlas-public-key"
-  key_vault_id = azurerm_key_vault.keyvault.id
+locals {
+  keyvault_secrets = [
+    "digitransit-subscription-key",
+    "ilmo-auth-jwt-secret",
+    "ilmo-edit-token-secret",
+    "ilmo-mailgun-api-key",
+    "ilmo-mailgun-domain",
+    "tikjob-ghost-mail-username",
+    "tikjob-ghost-mail-password",
+    "tenttiarkisto-django-secret-key",
+    "github-app-key",
+    "google-oauth-client-id",
+    "google-oauth-client-secret",
+    "muistinnollaus-smtp-email",
+    "muistinnollaus-smtp-password",
+    "muistinnollaus-strapi-token",
+    "muistinnollaus-paytrail-merchant-id",
+    "muistinnollaus-paytrail-secret-key",
+    "mongodb-atlas-public-key",
+    "mongodb-atlas-private-key",
+    "github-challenge-value"
+  ]
 }
 
-data "azurerm_key_vault_secret" "mongodb_atlas_private_key" {
-  name         = "mongodb-atlas-private-key"
-  key_vault_id = azurerm_key_vault.keyvault.id
-}
 
-data "azurerm_key_vault_secret" "github_challenge_value" {
-  name         = "github-challenge-value"
+data "azurerm_key_vault_secret" "secret" {
+  for_each     = toset(local.keyvault_secrets)
+  name         = each.value
   key_vault_id = azurerm_key_vault.keyvault.id
 }
diff --git a/modules/keyvault/output.tf b/modules/keyvault/output.tf
@@ -2,97 +2,9 @@ output "keyvault_id" {
   value = azurerm_key_vault.keyvault.id
 }
 
-output "digitransit_subscription_key" {
-  value     = data.azurerm_key_vault_secret.digitransit_subscription_key.value
-  sensitive = true
-}
-
-output "ilmo_auth_jwt_secret" {
-  value     = data.azurerm_key_vault_secret.ilmo_auth_jwt_secret.value
-  sensitive = true
-}
-
-output "ilmo_edit_token_secret" {
-  value     = data.azurerm_key_vault_secret.ilmo_edit_token_secret.value
-  sensitive = true
-}
-
-output "ilmo_mailgun_api_key" {
-  value     = data.azurerm_key_vault_secret.ilmo_mailgun_api_key.value
-  sensitive = true
-}
-
-output "ilmo_mailgun_domain" {
-  value     = data.azurerm_key_vault_secret.ilmo_mailgun_domain.value
-  sensitive = true
-}
-
-output "tikjob_ghost_mail_username" {
-  value     = data.azurerm_key_vault_secret.tikjob_ghost_mail_username.value
-  sensitive = true
-}
-
-output "tikjob_ghost_mail_password" {
-  value     = data.azurerm_key_vault_secret.tikjob_ghost_mail_password.value
-  sensitive = true
-}
-
-output "tenttiarkisto_django_secret_key" {
-  value     = data.azurerm_key_vault_secret.tenttiarkisto_django_secret_key.value
-  sensitive = true
-}
-
-output "github_app_key" {
-  value     = data.azurerm_key_vault_secret.github_app_key.value
-  sensitive = true
-}
-
-output "google_oauth_client_id" {
-  value     = data.azurerm_key_vault_secret.google_oauth_client_id.value
-  sensitive = true
-}
-
-output "google_oauth_client_secret" {
-  value     = data.azurerm_key_vault_secret.google_oauth_client_secret.value
-  sensitive = true
-}
-
-output "m0_smtp_email" {
-  value     = data.azurerm_key_vault_secret.m0_smtp_email.value
-  sensitive = true
-}
-
-output "m0_smtp_password" {
-  value     = data.azurerm_key_vault_secret.m0_smtp_password.value
-  sensitive = true
-}
-
-output "muistinnollaus_strapi_token" {
-  value     = data.azurerm_key_vault_secret.muistinnollaus_strapi_token.value
-  sensitive = true
-}
-
-output "muistinnollaus_paytrail_merchant_id" {
-  value     = data.azurerm_key_vault_secret.muistinnollaus_paytrail_merchant_id.value
-  sensitive = true
-}
-
-output "muistinnollaus_paytrail_secret_key" {
-  value     = data.azurerm_key_vault_secret.muistinnollaus_paytrail_secret_key.value
-  sensitive = true
-}
-
-output "mongodb_atlas_public_key" {
-  value     = data.azurerm_key_vault_secret.mongodb_atlas_public_key.value
-  sensitive = true
-}
-
-output "mongodb_atlas_private_key" {
-  value     = data.azurerm_key_vault_secret.mongodb_atlas_private_key.value
-  sensitive = true
-}
-
-output "github_challenge_value" {
-  value     = data.azurerm_key_vault_secret.github_challenge_value.value
+output "secrets" {
+  value = {
+    for s in local.keyvault_secrets : s => data.azurerm_key_vault_secret.secret[s].value
+  }
   sensitive = true
 }