diff --git a/modules/azure-kv/.terraform-docs.yml b/modules/azure-kv/.terraform-docs.yml new file mode 100644 index 000000000..bce3ca3a9 --- /dev/null +++ b/modules/azure-kv/.terraform-docs.yml @@ -0,0 +1,48 @@ +formatter: "markdown" # this is required + +version: "" + +header-from: docs/header.md +footer-from: docs/footer.md + +recursive: + enabled: false + path: modules + include-main: true + +sections: + hide: [] + show: [] + +content: "" + +output: + file: "README.md" + mode: inject + template: |- + + {{ .Content }} + + +output-values: + enabled: false + from: "" + +sort: + enabled: true + by: name + +settings: + anchor: true + color: true + default: true + description: false + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: true + read-comments: true + required: true + sensitive: true + type: true \ No newline at end of file diff --git a/modules/azure-kv/README.md b/modules/azure-kv/README.md index 2df9594a8..b1563f42f 100644 --- a/modules/azure-kv/README.md +++ b/modules/azure-kv/README.md 
@@ -1,17 +1,97 @@ + +# Azure Key Vault Terraform Module + +## Overview + +This Terraform module allows you to create and manage an Azure Key Vault with support for: +- Custom access policies and/or RBAC authorization. +- Integration with Resource Group and tag inheritance. +- Soft delete protection and retention configuration. +- Detailed permissions for keys, secrets, certificates, and storage. + +## Main features +- Create Key Vault with advanced security options. +- Support for access policies and RBAC. +- Integration with Azure AD groups, users, and service principals. +- Realistic configuration example. + +## Complete usage example + +```yaml +# kv.yaml +values: + name: "keyvault_name" + tags_from_rg: true + tags: + extra_tags: "example" + enabled_for_disk_encryption: true + resource_group: "resource_group_name" + soft_delete_retention_days: 7 + purge_protection_enabled: true + sku_name: "standard" + enable_rbac_authorization: false # If RBAC is true, access policies will fail if any are defined. 
+ access_policies: + - name: "Name for the Object ID" + type: "" # Leave empty if you provide the object ID directly + object_id: "1a9590f4-27d3-4abf-9e30-5be7f46959bb" + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] + certificate_permissions: ["Get", "List"] + storage_permissions: ["Get", "List"] + - name: "Group display name" + type: "group" + object_id: "" # Leave empty to look up the group ID + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] + certificate_permissions: ["Get", "List"] + storage_permissions: ["Get", "List"] + - name: "Service Principal display name" + type: "service_principal" + object_id: "" # Leave empty to look up the service principal ID + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] + certificate_permissions: ["Get", "List"] + storage_permissions: ["Get", "List"] + - name: "User principal name" + type: "user" + object_id: "" # Leave empty to look up the user ID + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] +``` + +## Notes +- If `enable_rbac_authorization` is true, you must not define access policies. +- You can inherit tags from the resource group with `tags_from_rg`. +- Configure retention and soft delete protection according to your security needs. + +## File structure + +``` +. 
+├── main.tf +├── variables.tf +├── outputs.tf +├── README.md +├── CHANGELOG.md +└── docs/ + ├── header.md + └── footer.md +``` + ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.7.0 | -| [azurerm](#requirement\_azurerm) | ~> 4.21.0 | -| [azurerm](#requirement\_azurerm) | ~> 2.53.0 | +| [azuread](#requirement\_azuread) | ~> 2.53.0 | +| [azurerm](#requirement\_azurerm) | >= 4.21.0 | ## Providers | Name | Version | |------|---------| -| [azurerm](#provider\_azurerm) | ~> 4.21.0 | -| [azuread](#provider\_azuread) | ~> 2.53.0 | +| [azuread](#provider\_azuread) | ~> 2.53.0 | +| [azurerm](#provider\_azurerm) | >= 4.21.0 | ## Modules 
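Review bot: the Requirements and Providers tables in this hunk loosen the azurerm constraint from `~> 4.21.0` to `>= 4.21.0`, which has no upper bound and will let a future azurerm 5.x major (with breaking schema changes to `azurerm_key_vault`) be selected on the next `terraform init` of any consumer. If this mirrors the module's `versions.tf`, pin an upper bound such as `>= 4.21.0, < 5.0.0` (or `~> 4.21`) there and let terraform-docs regenerate the table. Replacing the duplicated `azurerm ~> 2.53.0` row with `azuread ~> 2.53.0` is the right fix, since the Providers table shows the module depends on azuread for the principal lookups.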
@@ -22,33 +102,26 @@ No modules. | Name | Type | |------|------| | [azurerm_key_vault.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource | +| [azuread_group.this](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_service_principal.this](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | +| [azuread_user.this](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/user) | data source | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | | [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | -| [azuread_user.this](https://registry.terraform.io/providers/hashicorp/azuread/2.53.0/docs/data-sources/user) | data source | -| [azuread_group.this](https://registry.terraform.io/providers/hashicorp/azuread/2.53.0/docs/data-sources/group) | data source | -| [azuread_application.this](https://registry.terraform.io/providers/hashicorp/azuread/2.53.0/docs/data-sources/application) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [enabled\_for\_disk\_encryption](#input\_enabled\_for\_disk\_encryption) | Specifies whether the Key Vault is enabled for Azure Disk Encryption | `bool` | n/a | yes | -| [name](#input\_name) | The name of the Key Vault | `string` | n/a | yes | -| [purge\_protection\_enabled](#input\_purge\_protection\_enabled) | Specifies whether purge protection is enabled for the Key Vault | `bool` | n/a | yes | -| [resource\_group](#input\_resource\_group) | The name of the resource group in which the Key Vault is created | `string` | n/a | yes | -| [sku\_name](#input\_sku\_name) | The 
SKU name of the Key Vault (e.g., standard or premium) | `string` | n/a | yes | -| [soft\_delete\_retention\_days](#input\_soft\_delete\_retention\_days) | The number of days that soft-deleted items are retained in the Key Vault | `number` | n/a | yes | -| [enable_rbac_authorization](#input\_enable\_rbac\_authorization) | Set RBAC authorization for the Key Vault. Disable access policies authorization | `bool` | n/a | yes | -| [access_policies](#input\_access\_policies) | Block for access policies definition. Will fail if `enable_rbac_authorization: true` | `list(object)` | n/a | optional | -| [access_policies.name](#input\_access\_policies.name) | Name for the access policy. Display name in groups and SPN, user principal name in users and custom for `object_id` | `string` | n/a | optional | -| [access_policies.name.type](#input\_access\_policies.name.type) | Entity type \[ group \| service_principal \| user \]. If we provide the `object_id` type value must be `""` | `string` | n/a | optional | -| [access_policies.name.object_id](#input\_access\_policies.name.object_id) | Object ID of the entity. 
If we provide an entity type value must be `""` | `string` | n/a | optional | -| [access_policies.name.key_permissions](#input\_access\_policies.name.key_permissions) | [List of key permissions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#key_permissions) | `list(string)` | n/a | optional | -| [access_policies.name.secret_permissions](#input\_access\_policies.name.secret_permissions) | [List of secret permissions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#secret_permissions) | `list(string)` | n/a | optional | -| [access_policies.name.certificate_permissions](#input\_access\_policies.name.certificate_permissions) | [List of certificate permissions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#certificate_permissions) | `list(string)` | n/a | optional | -| [access_policies.name.storage_permissions](#input\_access\_policies.name.storage_permissions) | [List of storage permissions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#storage_permissions) | `list(string)` | n/a | optional | -| [tags\_from\_rg](#input\_tags\_from\_rg) | Enable inherit tags from resource group | `bool` | `false` | no | -| [tags](#input\_tags) | Tags | `map(string)` | `{}` | no | +| [access\_policies](#input\_access\_policies) | n/a |
list(object({
type = optional(string)
name = optional(string)
object_id = optional(string, "")
key_permissions = optional(list(string))
secret_permissions = optional(list(string))
certificate_permissions = optional(list(string))
storage_permissions = optional(list(string))
}))
| `[]` | no | +| [enable\_rbac\_authorization](#input\_enable\_rbac\_authorization) | n/a | `bool` | n/a | yes | +| [enabled\_for\_disk\_encryption](#input\_enabled\_for\_disk\_encryption) | n/a | `bool` | n/a | yes | +| [name](#input\_name) | n/a | `string` | n/a | yes | +| [purge\_protection\_enabled](#input\_purge\_protection\_enabled) | n/a | `bool` | n/a | yes | +| [resource\_group](#input\_resource\_group) | n/a | `string` | n/a | yes | +| [sku\_name](#input\_sku\_name) | n/a | `string` | n/a | yes | +| [soft\_delete\_retention\_days](#input\_soft\_delete\_retention\_days) | n/a | `number` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(string)` | `{}` | no | +| [tags\_from\_rg](#input\_tags\_from\_rg) | n/a | `bool` | `false` | no | ## Outputs 
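Review bot: every Description cell in the regenerated Inputs table (and the `id` output) reads `n/a`, so this hunk drops the documentation the hand-written table carried, including the contract that `type` is one of `group | service_principal | user`, that `object_id` must be `""` when `type` is set (and the reverse), and that `access_policies` fails when `enable_rbac_authorization` is true. terraform-docs reads these from the `description` argument of each variable and output, so add them to `variables.tf` and `outputs.tf` rather than accepting the loss. The allowed `type` values and the type/object_id exclusivity are also good candidates for a `validation` block on `access_policies`, so a mistyped entity type is rejected at plan time instead of silently producing an empty or wrong principal. Switching the Resources list from `azuread_application.this` to `azuread_service_principal.this` is correct, since a Key Vault access policy needs the service principal's object ID, not the application object's; make sure the `service_principal` type in the docs describes that lookup.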
@@ -56,49 +129,19 @@ No modules. |------|-------------| | [id](#output\_id) | n/a | -## Example +## Examples -```yaml -# kv.yaml - values: - name: "keyvault_name" - tags_from_rg: true - tags: - extra_tags: "example" - enabled_for_disk_encryption: true - resource_group: "resource_group_name" - soft_delete_retention_days: 7 - purge_protection_enabled: true - sku_name: "standard" - enable_rbac_authorization: false # If RBAC is set to true access policies will fail if there are any defined. - access_policies: - - name: "Name for the Object ID" - type: "" # Leave empty value if you provide directly the object ID - object_id: "1a9590f4-27d3-4abf-9e30-5be7f46959bb" - key_permissions: ["Get", "List"] - secret_permissions: ["Get", "List"] - certificate_permissions: ["Get", "List"] - storage_permissions: ["Get", "List"] - - name: "Group display name" - type: "group" - object_id: "" # Leave empty value if you want to look up the group ID - key_permissions: ["Get", "List"] - secret_permissions: ["Get", "List"] - certificate_permissions: ["Get", "List"] - storage_permissions: ["Get", "List"] - - name: "Service Principal display name" - type: "service_principal" - object_id: "" # Leave empty value if you want to look up the service principal ID - key_permissions: ["Get", "List"] - secret_permissions: ["Get", "List"] - certificate_permissions: ["Get", "List"] - storage_permissions: ["Get", "List"] - - name: "User principal name" - type: "user" - object_id: "" # Leave empty value if you want to look up the user ID - key_permissions: ["Get", "List"] - secret_permissions: ["Get", "List"] - certificate_permissions: ["Get", "List"] - storage_permissions: ["Get", "List"] +For detailed examples, refer to the [module examples](https://github.com/prefapp/tfm/tree/main/modules/azure-kv/_examples): -``` +- [basic](https://github.com/prefapp/tfm/tree/main/modules/azure-kv/_examples/basic) - Key Vault with basic access policies and optional RBAC. 
+ +## Resources and support + +- [Official Azure Key Vault documentation](https://learn.microsoft.com/en-us/azure/key-vault/) +- [Terraform reference for azurerm\_key\_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) +- [Community support](https://github.com/prefapp/terraform-modules/discussions) + +## Support + +For issues, questions, or contributions related to this module, please visit the repository’s issue tracker: [https://github.com/prefapp/tfm/issues](https://github.com/prefapp/tfm/issues) + \ No newline at end of file diff --git a/modules/azure-kv/_examples/basic/main.tf b/modules/azure-kv/_examples/basic/main.tf new file mode 100644 index 000000000..54b8ee365 --- /dev/null +++ b/modules/azure-kv/_examples/basic/main.tf @@ -0,0 +1,30 @@ +// Basic example: Azure Key Vault with a simple access policy + +module "azure_kv" { + source = "../../" + + name = "example-kv" + resource_group = "example-rg" + sku_name = "standard" + enabled_for_disk_encryption = true + soft_delete_retention_days = 7 + purge_protection_enabled = true + enable_rbac_authorization = false + + access_policies = [ + { + type = "User" + name = "example-user" + object_id = "00000000-0000-0000-0000-000000000000" + key_permissions = ["Get", "List"] + secret_permissions = ["Get", "List", "Set"] + certificate_permissions = [] + storage_permissions = [] + } + ] + + tags = { + environment = "dev" + application = "example" + } +} diff --git a/modules/azure-kv/_examples/basic/values.yaml b/modules/azure-kv/_examples/basic/values.yaml new file mode 100644 index 000000000..5bdb776c6 --- /dev/null +++ b/modules/azure-kv/_examples/basic/values.yaml 
@@ -0,0 +1,27 @@ +# Basic example values for azure-kv module + +name: example-kv +resource_group: example-rg +sku_name: standard +enabled_for_disk_encryption: true +soft_delete_retention_days: 7 +purge_protection_enabled: true +enable_rbac_authorization: false + +access_policies: + - type: User + name: example-user + object_id: 00000000-0000-0000-0000-000000000000 + key_permissions: + - Get + - List + secret_permissions: + - Get + - List + - Set + certificate_permissions: [] + storage_permissions: [] + +tags: + environment: dev + application: example \ No newline at end of file diff --git a/modules/azure-kv/docs/footer.md b/modules/azure-kv/docs/footer.md new file mode 100644 index 000000000..45ed88f0f --- /dev/null +++ b/modules/azure-kv/docs/footer.md @@ -0,0 +1,15 @@ +## Examples + +For detailed examples, refer to the [module examples](https://github.com/prefapp/tfm/tree/main/modules/azure-kv/_examples): + +- [basic](https://github.com/prefapp/tfm/tree/main/modules/azure-kv/_examples/basic) - Key Vault with basic access policies and optional RBAC. + +## Resources and support + +- [Official Azure Key Vault documentation](https://learn.microsoft.com/en-us/azure/key-vault/) +- [Terraform reference for azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) +- [Community support](https://github.com/prefapp/terraform-modules/discussions) + +## Support + +For issues, questions, or contributions related to this module, please visit the repository’s issue tracker: [https://github.com/prefapp/tfm/issues](https://github.com/prefapp/tfm/issues) \ No newline at end of file diff --git a/modules/azure-kv/docs/header.md b/modules/azure-kv/docs/header.md new file mode 100644 index 000000000..b8200bb94 --- /dev/null +++ b/modules/azure-kv/docs/header.md 
@@ -0,0 +1,78 @@ +# Azure Key Vault Terraform Module + +## Overview + +This Terraform module allows you to create and manage an Azure Key Vault with support for: +- Custom access policies and/or RBAC authorization. +- Integration with Resource Group and tag inheritance. +- Soft delete protection and retention configuration. +- Detailed permissions for keys, secrets, certificates, and storage. + +## Main features +- Create Key Vault with advanced security options. +- Support for access policies and RBAC. +- Integration with Azure AD groups, users, and service principals. +- Realistic configuration example. + +## Complete usage example + +```yaml +# kv.yaml +values: + name: "keyvault_name" + tags_from_rg: true + tags: + extra_tags: "example" + enabled_for_disk_encryption: true + resource_group: "resource_group_name" + soft_delete_retention_days: 7 + purge_protection_enabled: true + sku_name: "standard" + enable_rbac_authorization: false # If RBAC is true, access policies will fail if any are defined. 
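Review bot: in `_examples/basic/main.tf` the access policy sets `type = "User"` together with a non-empty `object_id`, which contradicts the contract documented in the README example in this same patch: `type` is lowercase (`type: "user"`) and is left as `""` when the object ID is supplied directly, while a lookup by `type` expects `object_id: ""` and `name` set to the user principal name. Pick one form for the example, either `type = ""` with the `object_id`, or `type = "user"`, `name = "<user principal name>"`, `object_id = ""`, so that copying the example does not exercise an undocumented combination. A comment marking the all-zeros GUID as a placeholder would also help, since the example is otherwise applyable as-is.

Review bot: `_examples/basic/values.yaml` repeats the same `type: User` plus non-empty `object_id` combination as `main.tf`; apply the same fix there and keep the two files identical, since the README (`## Complete usage example`) presents the YAML form as the reference.

Review bot: in `docs/footer.md` the "Community support" link points to `https://github.com/prefapp/terraform-modules/discussions`, while the examples link and the issue tracker in the same file point to `prefapp/tfm`; one of the two repositories is wrong. The bullet for the `basic` example also says "basic access policies and optional RBAC", but the example hard-codes `enable_rbac_authorization = false` and the Notes section states that RBAC and access policies are mutually exclusive; reword to something like "access-policy authorization (RBAC disabled)" so readers do not expect an RBAC variant.

Review bot: the "File structure" block in `docs/header.md` omits `.terraform-docs.yml` and `_examples/basic/`, both added by this patch, and lists `CHANGELOG.md`, which the patch does not touch; update it to the tree actually shipped. Since `.terraform-docs.yml` now injects `README.md` from `docs/header.md` and `docs/footer.md`, the header should also tell contributors to edit the `docs/` files and rerun terraform-docs rather than `README.md` directly, otherwise the next regeneration discards their changes; a CI step such as `terraform-docs markdown . --output-check` in `modules/azure-kv` would catch drift. Finally, the Notes bullet "Configure retention and soft delete protection according to your security needs" is too vague to act on: state that `purge_protection_enabled: true` cannot be switched off once applied (the vault and its objects cannot be purged before the retention period ends) and that `soft_delete_retention_days` accepts 7 to 90, so the example's `7` is the minimum, not a recommended value.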
+ access_policies: + - name: "Name for the Object ID" + type: "" # Leave empty if you provide the object ID directly + object_id: "1a9590f4-27d3-4abf-9e30-5be7f46959bb" + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] + certificate_permissions: ["Get", "List"] + storage_permissions: ["Get", "List"] + - name: "Group display name" + type: "group" + object_id: "" # Leave empty to look up the group ID + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] + certificate_permissions: ["Get", "List"] + storage_permissions: ["Get", "List"] + - name: "Service Principal display name" + type: "service_principal" + object_id: "" # Leave empty to look up the service principal ID + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] + certificate_permissions: ["Get", "List"] + storage_permissions: ["Get", "List"] + - name: "User principal name" + type: "user" + object_id: "" # Leave empty to look up the user ID + key_permissions: ["Get", "List"] + secret_permissions: ["Get", "List"] +``` + +## Notes +- If `enable_rbac_authorization` is true, you must not define access policies. +- You can inherit tags from the resource group with `tags_from_rg`. +- Configure retention and soft delete protection according to your security needs. + +## File structure + +``` +. +├── main.tf +├── variables.tf +├── outputs.tf +├── README.md +├── CHANGELOG.md +└── docs/ + ├── header.md + └── footer.md +``` \ No newline at end of file