SCEPman is a slim and resource-friendly solution to issue and validate certificates using SCEP. It is an Azure Web App providing the SCEP protocol and works directly with the Microsoft Graph and Intune API. SCEPman uses an Azure Key Vault based Root CA and certificate creation. No other component is involved, neither a database nor any other stateful storage except the Azure Key Vault itself. That said, SCEPman will not need any backup procedures or other operation level tasks. Only an Azure subscription is necessary to deploy it.
- Access to an Azure subscription (or Resource Group) with
OwnerRBAC Role assigned to Principal used for deployment - Terraform environemnt - local, GitHub Codespaces or Dev Containers
- Setup your environment using the following guide Getting Started
- Repository contains GitHub Codespaces dev container definitions
Visit containers.dev for more information
- You can use local Terraform state for demo purposes
- We recommend to Store Terraform state in Azure Storage for your Production environment
For more informations how to deploy the following example, see the Advanced Example Documentation.
# Version requirements
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">= 3.102.0"
}
}
backend "local" {}
required_version = ">= 1.3"
}
# Provider configuration
provider "azurerm" {
features {}
partner_id = "a262352f-52a9-4ed9-a9ba-6a2b2478d19b"
}
# Resources
resource "azurerm_resource_group" "rg" {
name = var.resource_group_name
location = var.location
tags = var.tags
}
module "scepman" {
# Option 1: Local module, use from local development
# source = "../.." # This is the local path to the module
# Option 2: Use the terraform registry version
source = "glueckkanja-gab/scepman/azurerm"
# version = "0.1.0"
resource_group_name = azurerm_resource_group.rg.name
location = var.location
storage_account_name = var.storage_account_name
key_vault_name = var.key_vault_name
law_name = var.law_name
service_plan_name = var.service_plan_name
app_service_name_primary = var.app_service_name_primary
app_service_name_certificate_master = var.app_service_name_certificate_master
app_settings_primary = var.app_settings_primary
app_settings_certificate_master = var.app_settings_certificate_master
tags = var.tags
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| app_service_name_certificate_master | Name of the certificate master app service | string |
n/a | yes |
| app_service_name_primary | Name of the primary app service | string |
n/a | yes |
| app_settings_certificate_master | A mapping of app settings to assign to the certificate master app service | map(string) |
{} |
no |
| app_settings_primary | A mapping of app settings to assign to the primary app service | map(string) |
{} |
no |
| artifacts_url_primary | URL to the artifacts of the primary SCEPman Service | string |
"https://raw.githubusercontent.com/scepman/install/master/dist/Artifacts.zip" |
no |
| artifacts_url_certificate_master | URL to the artifacts of the SCEPman certificate master | string |
"https://raw.githubusercontent.com/scepman/install/master/dist-certmaster/CertMaster-Artifacts.zip" |
no |
| law_name | Name of the Log Analytics Workspace | string |
n/a | yes |
| law_resource_group | Resource Group of existing Log Analytics Workspace | string |
null |
no |
| key_vault_name | Name of the key vault | string |
n/a | yes |
| vnet_name | Name of VNET created for internal communication | string |
vnet-scepman | no |
| vnet_address_space | Address-Space of the VNET (needs to be /27 or larger) | list(any) |
["10.158.200.0/24"] | no |
| subnet_appservices_name | Name of the subnet created for integrating the App Services | string |
snet-scepman-appservices | no |
| subnet_endpoints_name | Name of the subnet created for the other endpoints | string |
snet-scepman-endpoints | no |
| location | Azure Region where the resources should be created | string |
n/a | yes |
| resource_group_name | Name of the resource group | string |
n/a | yes |
| service_plan_name | Name of the service plan | string |
n/a | yes |
| service_plan_sku | SKU of the service plan | string |
S1 |
no |
| service_plan_resource_id | Resource ID of the service plan | string |
null |
no |
| storage_account_name | Name of the storage account | string |
n/a | yes |
| organization_name | Your organization name presented in the O= field of the root certificate | string |
my-org |
no |
| tags | A mapping of tags to assign to the resource | map(string) |
{} |
no |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| enable_application_insights | Create and connect Application Insights for the App services. NOTE: This will prevent Terraform from beeing able to destroy the ressource group! | bool |
false |
no |
| app_service_retention_in_days | Retention of http_logs in days | number |
180 |
no |
| app_service_retention_in_mb | Retention of http_logs in mb | number |
35 |
no |
| app_service_logs_detailed_error_messages | Detailed Error messages of the app service | bool |
true |
no |
| app_service_logs_failed_request_tracing | Trace failed requests | bool |
false |
no |
| app_service_application_logs_file_system_level | Application Log level for file_system | string |
"Error" |
no |
| Name | Description |
|---|---|
| scepman_certificate_master_url | SCEPman Certificate Master Url |
| scepman_url | SCEPman Url |