add roles to kvs

src/core/_modules/key_vaults/kv.tf

@@ -23,7 +23,7 @@ resource "azurerm_key_vault_access_policy" "kv_adgroup_admin" {
   key_vault_id = azurerm_key_vault.kv.id
 
   tenant_id = var.tenant_id
-  object_id = var.azure_ad_group_admin_object_id
+  object_id = var.azure_adgroup_admin_object_id
 
   key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
   secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
@@ -57,7 +57,7 @@ resource "azurerm_key_vault_access_policy" "kv_adgroup_developers" {
   key_vault_id = azurerm_key_vault.kv.id
 
   tenant_id = var.tenant_id
-  object_id = var.azure_ad_group_developers_object_id
+  object_id = var.azure_adgroup_developers_object_id
 
   key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
   secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
@@ -86,3 +86,123 @@ resource "azurerm_key_vault_access_policy" "kv_azdevops_platform_iac" {
   storage_permissions     = []
   certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", ]
 }
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_wallet_admins" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_wallet_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_wallet_devs" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_wallet_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_com_admins" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_com_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_com_devs" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_com_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_svc_admins" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_svc_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_svc_devs" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_svc_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_auth_admins" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_auth_devs_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_auth_devs" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_auth_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_bonus_admins" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_bonus_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_adgroup_bonus_devs" {
+  key_vault_id = azurerm_key_vault.kv.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_bonus_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}

src/core/_modules/key_vaults/kv_common.tf

@@ -23,7 +23,7 @@ resource "azurerm_key_vault_access_policy" "kv_common_adgroup_admin" {
   key_vault_id = azurerm_key_vault.common.id
 
   tenant_id = var.tenant_id
-  object_id = var.azure_ad_group_admin_object_id
+  object_id = var.azure_adgroup_admin_object_id
 
   key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
   secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
@@ -57,7 +57,7 @@ resource "azurerm_key_vault_access_policy" "kv_common_adgroup_developers" {
   key_vault_id = azurerm_key_vault.common.id
 
   tenant_id = var.tenant_id
-  object_id = var.azure_ad_group_developers_object_id
+  object_id = var.azure_adgroup_developers_object_id
 
   key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
   secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
@@ -100,3 +100,123 @@ resource "azurerm_key_vault_access_policy" "kv_common_azdevops_platform_iac" {
   storage_permissions     = []
   certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", ]
 }
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_wallet_admins" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_wallet_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_wallet_devs" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_wallet_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_com_admins" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_com_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_com_devs" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_com_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_svc_admins" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_svc_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_svc_devs" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_svc_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_auth_admins" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_auth_devs_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_auth_devs" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_auth_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_bonus_admins" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_bonus_admins_object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+resource "azurerm_key_vault_access_policy" "kv_common_adgroup_bonus_devs" {
+  key_vault_id = azurerm_key_vault.common.id
+
+  tenant_id = var.tenant_id
+  object_id = var.azure_adgroup_bonus_devs_object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List", "Set", "Delete"]
+  storage_permissions     = []
+  certificate_permissions = []
+}

src/core/_modules/key_vaults/variables.tf

@@ -34,12 +34,62 @@ variable "tenant_id" {
   description = "Azure tenant id"
 }
 
-variable "azure_ad_group_admin_object_id" {
+variable "azure_adgroup_wallet_admins_object_id" {
   type        = string
   description = "Object Id of the Entra group for subscription admins"
 }
 
-variable "azure_ad_group_developers_object_id" {
+variable "azure_adgroup_wallet_devs_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_com_admins_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_com_devs_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_svc_admins_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_svc_devs_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_auth_admins_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_auth_devs_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_bonus_admins_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_bonus_devs_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_admin_object_id" {
+  type        = string
+  description = "Object Id of the Entra group for subscription admins"
+}
+
+variable "azure_adgroup_developers_object_id" {
   type        = string
   description = "Object Id of the Entra group for subscription developers"
 }

src/core/prod/README.md

@@ -43,8 +43,18 @@
 | [azurerm_resource_group.linux_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.role_assignment_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.sec_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.auth_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.auth_devs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.bonus_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.bonus_devs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.com_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.com_devs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.svc_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.svc_devs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.wallet_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.wallet_devs](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_service_principal.platform_iac_sp](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |