A quick blog post on how to store your secrets in Azure Key Vault and reference them within your Terraform configurations.
The Azure Key Vault and secrets
Azure Key Vault is certainly the recommended approach for storing secrets in Azure!
Benefits include:
- Azure's recommended service for secret and even certificate management
- Secret rotation support
- Secure access permissions can be set on the Key Vault and secrets
- Managed Identities can be configured for access
Now the Terraform
I am assuming you have used Terraform previously. Rather than attempting to create and store secrets in variables, I will show how you can reference secret values held in Azure Key Vault. This will be done using data resources.
A data resource in Terraform, in short, allows you to reference specific values of an Azure resource without modifying or applying a change to that resource. They are great to use within your Terraform configurations!
I have previously created a Key Vault (thomasthorntoncloudkv) and a secret (secret1).

Firstly, I will reference the Azure Key Vault in a data block:
data "azurerm_key_vault" "thomasthorntoncloudkv" {
  name                = "thomasthorntoncloudkv"
  resource_group_name = "thomasthorntoncloud"
}
Next, the Key Vault secret. Notice the reference to the Key Vault ID, which comes from the data block above:
data "azurerm_key_vault_secret" "secret1" {
  name         = "secret1"
  # Reference the Key Vault data block above by its label
  key_vault_id = data.azurerm_key_vault.thomasthorntoncloudkv.id
}
Now to use this secret1 value: I will arbitrarily reference it as a resource group name, just to show how to reference Azure Key Vault secrets within your Terraform configuration. (Ensure your user, service principal or managed identity has the correct access permissions to the secret, or you will be faced with a permissions error.)
resource "azurerm_resource_group" "main" {
  name     = data.azurerm_key_vault_secret.secret1.value
  location = "West Europe"
}
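As an added, end-to-end example (not the post's own code), the same pattern wired together in one configuration: the two data blocks, a least-privilege role assignment for a managed identity that will read the secret, the resource consuming the value, and a sensitive output. The Key Vault, resource group and secret names are the post's; the provider block, the user-assigned identity named "app-identity" and the use of the Azure RBAC permission model on the vault are assumptions.

```hcl
provider "azurerm" {
  features {}
}

# Existing Key Vault and secret from the post, looked up rather than managed
data "azurerm_key_vault" "thomasthorntoncloudkv" {
  name                = "thomasthorntoncloudkv"
  resource_group_name = "thomasthorntoncloud"
}

data "azurerm_key_vault_secret" "secret1" {
  name         = "secret1"
  # Must reference the data block above by its label, not some other name
  key_vault_id = data.azurerm_key_vault.thomasthorntoncloudkv.id
}

# Assumed: a user-assigned managed identity that will read the secret at
# runtime. Grant it read-only access to secrets, scoped to this one vault
# (requires the vault to use the Azure RBAC permission model).
data "azurerm_user_assigned_identity" "app" {
  name                = "app-identity" # assumed name
  resource_group_name = "thomasthorntoncloud"
}

resource "azurerm_role_assignment" "app_secrets_reader" {
  scope                = data.azurerm_key_vault.thomasthorntoncloudkv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azurerm_user_assigned_identity.app.principal_id
}

# Consume the secret value, as in the post (a resource group name is only a demo)
resource "azurerm_resource_group" "main" {
  name     = data.azurerm_key_vault_secret.secret1.value
  location = "West Europe"
}

# If the value must be surfaced, mark the output sensitive so it is redacted
# in plan/apply output. The data source still writes the plaintext value into
# the Terraform state file, so the state backend needs the same protection
# as the vault itself.
output "secret1_value" {
  value     = data.azurerm_key_vault_secret.secret1.value
  sensitive = true
}
```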
Simple, but effective – I like it 🙂
Awesome post!
Easy to understand and straight to the point! Thanks mate!
Thank you for the feedback – glad you enjoyed the blog post 🙂
Question: How did you authenticate to the AzureRM provider in the first place? What about that SP provider secret? Any thoughts?
Hi Adam,
Could you elaborate slightly more on each question?
Thanks
Thomas