Update documentation

Author: Terje Torkelsen

README.md

@@ -1,8 +1,8 @@
 # Remote backend
 
-Terraform module to deploy a remote backend storage with Key Vault to manage SAS Token and key rotation. To access the remote state the retrieve the SAS Token from Key Vault, do not use the access keys on storage account. SAS Token retrieved from Key Vault grants 1 day access, after that it will have to be refreshed. The access keys on storage account will automatically rotate on a 30 day schedule, this can be adjusted with the input variable `key_rotation_days`.
+Terraform module to deploy a remote backend storage with Key Vault to manage SAS Token and key rotation. To access the remote state retrieve the SAS Token from Key Vault, do not use the access keys on storage account. SAS Token retrieved from Key Vault grants 1 day access, after that it will have to be refreshed. The access keys on storage account will automatically rotate on a 30 day schedule, this can be adjusted with the input variable `key_rotation_days`.
 
-Each backend creates a new storage account and Key Vault. The Key Vault can also be used for storing other secrets related to terraform.
+Each backend creates a new storage account and Key Vault. The Key Vault can also be used for storing other secrets related to terraform. Use the `access_policies` variable to define users that should have access. It is recommended to read [Secure access to a key vault](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault) documentation for which policies to apply.
 
 **Terraform has to run with Owner priviledge in Azure.**
 
@@ -37,15 +37,15 @@ inputs {
 }
 ```
 
-2. Run tau init, plan and apply, but do not create any overrides (skips backend)
+2. Run tau init, plan and apply, but do not create any overrides (skips backend configuration)
 
 ```bash
 tau init --no-overrides
 tau plan
 tau apply
 ```
 
-3. State should now be stored locally. Reconfigure to backend
+3. State should now be stored locally. Reconfigure to move to defined backend
 
 ```bash
 tau init --reconfigure
@@ -81,7 +81,7 @@ access_policies = [
 
 ## SAS Token
 
-The SAS Token is stored in Key Vault as a secret with name `{storageaccount_name}-terraformsastoken`. So to access for example below run following command to get in clear text:
+The SAS Token is stored in Key Vault as a secret with name `{storageaccount_name}-terraformsastoken`. So to access for example above run following command to get in clear text:
 
 ```bash
 az keyvault secret show --vault-name tfstatedevkv --name tfstatedevsa-terraformsastoken --query value -o tsv

examples/access_policy/README.md

@@ -1,3 +1,3 @@
 # Example: Access policy example
 
-This example shows how to assign access policies on Key Vault.
+This example shows how to assign access policies on Key Vault. In example it defines a standard user access and admin access following [Microsoft documentation]((https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault)) on how to secure access.

examples/access_policy/main.tf

@@ -1,19 +1,25 @@
 module "simple" {
-    source = "../../"
+    source = "avinor/remote-backend/azurerm"
+    version = "1.0.1"
 
     name = "simple"
     resource_group_name = "simple-rg"
     location = "westeurope"
 
-    backends = ["dev"]
-
     access_policies = [
         {
-            object_id = "guid",
-            backends = ["dev"],
-            certificate_permissions = [],
-            key_permissions = [],
-            secret_permissions = ["get"],
+            // Security team, "admin" access
+            object_id = "guid"
+            certificate_permissions = []
+            key_permissions = ["backup", "create", "delete", "get", "import", "list", "restore"]
+            secret_permissions  = ["backup", "delete", "get", "list", "purge", "recover", "restore", "set"]
+        },
+        {
+            // Read only access
+            object_id = "guid"
+            certificate_permissions = []
+            key_permissions = ["sign"]
+            secret_permissions = ["get"]
         }
     ]
 }

examples/network-rules/README.md

@@ -1,3 +1,3 @@
 # Example: Network-rules
 
-Creates a remote backend with network rules defined on storage account.
+Creates a remote backend with network rules defined on storage account. Network rules will restrict access to the storage account from certain IP ranges. Since remote state has to be accessed from output of Azure it does not restrict on subnet level, only on IP.

examples/network-rules/main.tf

@@ -1,12 +1,11 @@
 module "simple" {
-    source = "../../"
+    source = "avinor/remote-backend/azurerm"
+    version = "1.0.1"
 
     name = "simple"
     resource_group_name = "simple-rg"
     location = "westeurope"
 
-    backends = ["dev"]
-    
     network_rules = {
         bypass = ["None"],
         ip_rules = ["127.0.0.1"],

examples/simple/README.md

@@ -1,3 +1,3 @@
 # Example: Simple
 
-A simple example that only assigns the required variables.
+A simple example that only assigns the required variables. It creates a storage account and key vault, but with no additional access policies to key vault.

examples/simple/main.tf

@@ -1,9 +1,8 @@
 module "simple" {
-    source = "../../"
+    source = "avinor/remote-backend/azurerm"
+    version = "1.0.1"
 
-    name = "simple"
+    name = "simplestate"
     resource_group_name = "simple-rg"
     location = "westeurope"
-
-    backends = ["dev"]
 }