# Governance (Regional)

This module applies governance at the regional level and is not tied to any specific resource groups. Together with `governance-global` it replaces the old `governance` module.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| azuread | 2.50.0 |
| azurecaf | 2.0.0-preview3 |
| azurerm | 3.107.0 |
| pal | 0.2.5 |
| random | 3.5.1 |

## Providers

| Name | Version |
|------|---------|
| azuread | 2.50.0 |
| azurecaf | 2.0.0-preview3 |
| azurerm | 3.107.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| names | ../names | n/a |

## Resources

| Name | Type |
|------|------|
| azuread_application_password.delegate_kv_aad | resource |
| azuread_application_password.sub_reader_sp | resource |
| azurerm_key_vault.delegate_kv | resource |
| azurerm_key_vault_access_policy.ap_kvreader_sp | resource |
| azurerm_key_vault_access_policy.ap_owner_spn | resource |
| azurerm_key_vault_access_policy.ap_rg_aad_group | resource |
| azurerm_key_vault_access_policy.ap_rg_sp | resource |
| azurerm_key_vault_access_policy.ap_sub_aad_group_contributor | resource |
| azurerm_key_vault_access_policy.ap_sub_aad_group_owner | resource |
| azurerm_key_vault_secret.aad_sp | resource |
| azurerm_key_vault_secret.delegate_kv_aad | resource |
| azurerm_key_vault_secret.sub_reader_sp | resource |
| azurerm_management_lock.rg | resource |
| azurerm_resource_group.rg | resource |
| azurerm_role_assignment.aad_sp | resource |
| azurerm_role_assignment.rg_contributor | resource |
| azurerm_role_assignment.rg_owner | resource |
| azurerm_role_assignment.rg_reader | resource |
| azuread_service_principal.owner_spn | data source |
| azurecaf_name.azurerm_key_vault_delegate_kv | data source |
| azurecaf_name.azurerm_resource_group_rg | data source |
| azurerm_client_config.current | data source |
| azurerm_subscription.current | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aad_sp_passwords | Application password per resource group. | `map(string)` | n/a | yes |
| azuread_apps | Azure AD applications from global | <pre>object({<br>  delegate_kv = map(object({<br>    display_name                = string<br>    application_object_id       = string<br>    client_id                   = string<br>    service_principal_object_id = string<br>  }))<br>  rg_contributor = map(object({<br>    display_name                = string<br>    application_object_id       = string<br>    client_id                   = string<br>    service_principal_object_id = string<br>  }))<br>  sub_reader = object({<br>    display_name                = string<br>    application_object_id       = string<br>    client_id                   = string<br>    service_principal_object_id = string<br>  })<br>})</pre> | n/a | yes |
| azuread_groups | Azure AD groups from global | <pre>object({<br>  rg_owner = map(object({<br>    id = string<br>  }))<br>  rg_contributor = map(object({<br>    id = string<br>  }))<br>  rg_reader = map(object({<br>    id = string<br>  }))<br>  sub_owner = object({<br>    id = string<br>  })<br>  sub_contributor = object({<br>    id = string<br>  })<br>  sub_reader = object({<br>    id = string<br>  })<br>  service_endpoint_join = object({<br>    id = string<br>  })<br>})</pre> | n/a | yes |
| core_name | The commonName for the core infrastructure | `string` | n/a | yes |
| environment | The environment name to use for the deploy | `string` | n/a | yes |
| location | The location for the subscription | `string` | n/a | yes |
| location_short | The location shortname for the subscription | `string` | n/a | yes |
| owner_service_principal_name | The name of the service principal that will be used to run terraform and is owner of the subscriptions | `string` | n/a | yes |
| resource_group_configs | Resource group configuration | <pre>list(<br>  object({<br>    common_name                        = string<br>    delegate_aks                       = bool # Delegate aks permissions<br>    delegate_key_vault                 = bool # Delegate KeyVault creation<br>    delegate_service_endpoint          = bool # Delegate Service Endpoint permissions<br>    delegate_service_principal         = bool # Delegate Service Principal<br>    lock_resource_group                = bool # Adds management_lock (CanNotDelete) to the resource group<br>    disable_unique_suffix              = bool # Disable unique_suffix on resource names<br>    key_vault_purge_protection_enabled = optional(bool, false)<br>    tags                               = map(string)<br>  })<br>)</pre> | n/a | yes |
| resource_name_overrides | A way to override the resource names | `any` | `null` | no |
| unique_suffix | Unique suffix that is used in globally unique resources names | `string` | `""` | no |

## Outputs

| Name | Description |
|------|-------------|
| key_vault_name | Output each keyvault name |
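The following root-module snippet is an added usage example, not code from this repository: it calls the module with every required input from the tables above and reads the `key_vault_name` output. The module `source` path, the resource group common name, the GUIDs and the group/application values are placeholders; in a real deployment the `azuread_apps` and `azuread_groups` values are described as coming "from global", so they would normally be wired from the `governance-global` module's outputs, whose names are not documented on this page. It is also assumed that the per-resource-group maps (`delegate_kv`, `rg_contributor`, `rg_owner`, `rg_reader`) are keyed by the resource group's `common_name`. Because `aad_sp_passwords` carries application passwords that the module stores as Key Vault secrets, the example takes them from a variable marked `sensitive` rather than writing them into the configuration, and it enables `key_vault_purge_protection_enabled` (the module default is `false`) together with `lock_resource_group` so that neither the delegated vault nor the resource group can be deleted by mistake.

```hcl
# Added example (not part of the module): calling the regional governance
# module from a root module. All IDs and names below are constructed
# placeholders; replace them with real values from your tenant.

variable "aad_sp_passwords" {
  description = "Application password per resource group, keyed by common_name"
  type        = map(string)
  sensitive   = true # keeps the passwords out of plan output and logs
}

locals {
  # Constructed placeholder identities (assumption: same shape as the
  # azuread_apps / azuread_groups object types documented above).
  placeholder_app = {
    display_name                = "sp-placeholder"
    application_object_id       = "00000000-0000-0000-0000-000000000001"
    client_id                   = "00000000-0000-0000-0000-000000000002"
    service_principal_object_id = "00000000-0000-0000-0000-000000000003"
  }
  placeholder_group = { id = "00000000-0000-0000-0000-000000000004" }

  # Assumption: per-resource-group maps are keyed by the resource group's common_name.
  rg_common_name = "app"
}

module "governance_regional" {
  source = "../governance-regional" # placeholder path to this module

  core_name      = "core"
  environment    = "prod"
  location       = "westeurope"
  location_short = "we"
  unique_suffix  = "a1b2" # used in globally unique resource names (e.g. the Key Vault)

  # Service principal that runs terraform and owns the subscription
  owner_service_principal_name = "sp-terraform-owner"

  aad_sp_passwords = var.aad_sp_passwords

  # In the real repository these come "from global" (governance-global outputs).
  azuread_apps = {
    delegate_kv    = { (local.rg_common_name) = local.placeholder_app }
    rg_contributor = { (local.rg_common_name) = local.placeholder_app }
    sub_reader     = local.placeholder_app
  }

  azuread_groups = {
    rg_owner              = { (local.rg_common_name) = local.placeholder_group }
    rg_contributor        = { (local.rg_common_name) = local.placeholder_group }
    rg_reader             = { (local.rg_common_name) = local.placeholder_group }
    sub_owner             = local.placeholder_group
    sub_contributor       = local.placeholder_group
    sub_reader            = local.placeholder_group
    service_endpoint_join = local.placeholder_group
  }

  resource_group_configs = [
    {
      common_name                = local.rg_common_name
      delegate_aks               = false
      delegate_key_vault         = true  # creates the delegated Key Vault for this RG
      delegate_service_endpoint  = false
      delegate_service_principal = true  # stores the RG service principal password in the vault
      lock_resource_group        = true  # CanNotDelete management lock on the resource group
      disable_unique_suffix      = false
      # Default is false; true prevents a deleted vault from being purged
      # before its retention period ends.
      key_vault_purge_protection_enabled = true
      tags = {
        owner       = "platform-team"
        environment = "prod"
      }
    },
  ]
}

# The module exposes each delegated Key Vault name; other modules can use
# this to look up the vault that holds the per-RG service principal secret.
output "governance_key_vault_names" {
  value = module.governance_regional.key_vault_name
}
```

Supply the password map out of band (for example `TF_VAR_aad_sp_passwords` or a `.tfvars` file that is not committed), since `sensitive = true` only redacts plan and apply output; the values still land in the Terraform state, which must itself be stored in an access-controlled backend.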