Added Dynamic Access Policy

main.tf

@@ -66,6 +66,18 @@ resource "azurerm_key_vault" "key_vault" {
       phone = contact.value.phone
     }
   }
+  dynamic "access_policy" {
+    for_each = var.use_dynamic_access_policy ? var.access_policies : []
+    content {
+      tenant_id               = data.azurerm_client_config.current_client_config.tenant_id
+      object_id               = access_policy.value.object_id
+      certificate_permissions = access_policy.value.certificate_permissions
+      key_permissions         = access_policy.value.key_permissions
+      secret_permissions      = access_policy.value.secret_permissions
+      storage_permissions     = access_policy.value.storage_permissions
+    }
+  }
+
 
   lifecycle {
     ignore_changes = [
@@ -90,7 +102,7 @@ resource "azurerm_key_vault_secret" "key_vault_secret" {
 ##-----------------------------------------------------------------------------
 resource "azurerm_key_vault_access_policy" "readers_policy" {
   provider = azurerm.main_sub
-  for_each = toset(var.enable_rbac_authorization && var.enabled && !var.managed_hardware_security_module_enabled ? [] : var.reader_objects_ids)
+  for_each = toset(var.use_dynamic_access_policy || var.enable_rbac_authorization && var.enabled && !var.managed_hardware_security_module_enabled ? [] : var.reader_objects_ids)
 
   object_id    = each.value
   tenant_id    = data.azurerm_client_config.current_client_config.tenant_id
@@ -114,7 +126,7 @@ resource "azurerm_key_vault_access_policy" "readers_policy" {
 
 resource "azurerm_key_vault_access_policy" "admin_policy" {
   provider = azurerm.main_sub
-  for_each = toset(var.enable_rbac_authorization && var.enabled && !var.managed_hardware_security_module_enabled ? [] : var.admin_objects_ids)
+  for_each = toset(var.use_dynamic_access_policy || var.enable_rbac_authorization && var.enabled && !var.managed_hardware_security_module_enabled ? [] : var.reader_objects_ids)
 
   object_id    = each.value
   tenant_id    = data.azurerm_client_config.current_client_config.tenant_id
@@ -180,7 +192,7 @@ resource "azurerm_key_vault_access_policy" "admin_policy" {
 ##-----------------------------------------------------------------------------
 resource "azurerm_role_assignment" "rbac_keyvault_administrator" {
   provider = azurerm.main_sub
-  for_each = toset(var.enable_rbac_authorization && var.enabled && !var.managed_hardware_security_module_enabled ? var.admin_objects_ids : [])
+  for_each = toset(var.enable_rbac_authorization && var.enabled && var.keyvault_admin_enabled && !var.managed_hardware_security_module_enabled ? var.admin_objects_ids : [])
 
   scope                = azurerm_key_vault.key_vault[0].id
   role_definition_name = "Key Vault Administrator"
@@ -205,6 +217,15 @@ resource "azurerm_role_assignment" "rbac_keyvault_reader" {
   principal_id         = each.value
 }
 
+resource "azurerm_role_assignment" "rbac_keyvault_contributor" {
+  provider = azurerm.main_sub
+  for_each = toset(var.enable_rbac_authorization && var.enabled && !var.managed_hardware_security_module_enabled ? var.contributor_objects_ids : [])
+
+  scope                = azurerm_key_vault.key_vault[0].id
+  role_definition_name = "Key Vault Contributor"
+  principal_id         = each.value
+}
+
 ##-----------------------------------------------------------------------------
 ##Below resource will deploy private endpoint for key vault.
 ##-----------------------------------------------------------------------------

variables.tf

@@ -29,6 +29,11 @@ variable "secrets" {
   default     = {}
 }
 
+variable "use_dynamic_access_policy" {
+  description = "If true, use dynamic access policy block within azurerm_key_vault. If false, use separate azurerm_key_vault_access_policy resource."
+  type        = bool
+  default     = false
+}
 
 variable "managedby" {
   type        = string
@@ -265,3 +270,27 @@ variable "network_acls" {
   })
   default = {}
 }
+
+variable "access_policies" {
+  type = list(object({
+    object_id               = string,
+    certificate_permissions = list(string),
+    key_permissions         = list(string),
+    secret_permissions      = list(string),
+    storage_permissions     = list(string),
+  }))
+  default     = []
+  description = "Map of access policies for an object_id (user, service principal, security group) to backend."
+}
+
+variable "keyvault_admin_enabled" {
+  type        = bool
+  default     = false
+  description = "Controls whether to assign Key Vault Administrator (true) or Key Vault Contributor (false) roles to the specified principals."
+}
+
+variable "contributor_objects_ids" {
+  type        = list(string)
+  default     = []
+  description = "List of principal IDs (Object IDs) that will be assigned the Key Vault Contributor role when keyvault_admin_enabled is set to false. These can be User, Group, or Service Principal Object IDs from Azure Active Directory."
+}