Create Key Vault resource instead of referencing existing

Replaces the data source for an existing Key Vault with a resource block to create a new Key Vault. Updates the role assignment to reference the newly created Key Vault resource. This change allows the infrastructure to provision and manage the Key Vault directly.

Author: potatoqualitee

gh-runners/vmss.tf

@@ -6,10 +6,24 @@ data "azurerm_resource_group" "rg" {
   name = var.resource_group_name
 }
 
-# Reference existing Key Vault
-data "azurerm_key_vault" "vmss" {
-  name                = var.keyvault_name
-  resource_group_name = data.azurerm_resource_group.rg.name
+# Create Key Vault
+resource "azurerm_key_vault" "vmss" {
+  name                       = var.keyvault_name
+  resource_group_name        = data.azurerm_resource_group.rg.name
+  location                   = data.azurerm_resource_group.rg.location
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  sku_name                   = "standard"
+  soft_delete_retention_days = 7
+  purge_protection_enabled   = false
+  enable_rbac_authorization  = true
+
+  lifecycle {
+    ignore_changes = [
+      contact,
+      network_acls,
+      tags
+    ]
+  }
 }
 
 # Reference existing custom image
@@ -109,7 +123,7 @@ resource "azurerm_virtual_machine_scale_set_extension" "vmss" {
 
 # Grant VMSS managed identity access to Key Vault secrets
 resource "azurerm_role_assignment" "vmss_kv_secrets_user" {
-  scope                = data.azurerm_key_vault.vmss.id
+  scope                = azurerm_key_vault.vmss.id
   role_definition_name = "Key Vault Secrets User"
   principal_id         = azurerm_windows_virtual_machine_scale_set.vmss.identity[0].principal_id