Terraform Secret Management in Azure using Azure Key Vault

Deploying Terraform to Azure is a great way to manage your infrastructure as code. In this blog post, I will show you how to use Azure Key Vault to store your Terraform secrets.

I was asked this query recently and thought I would create a quick blog post to show how to do this.

Why Azure Key Vault?

Azure Key Vault is a great way to store secrets in Azure. It is a secure place to store and access secrets. You can generate, store, and control access to tokens, passwords, certificates, API keys, and other secrets.

Create an Azure Key Vault using Terraform

Let's create a Key Vault using Terraform. The vault references the identity running Terraform through the azurerm_client_config data source, so that data source is declared first.

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = "uksouth"
}

# The identity Terraform is running as (tenant and object ID) is looked up here
# and used both for the vault's tenant and for the first access policy.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "kv" {
  name                = "tamopskv"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Grants the deploying identity the secret permissions needed below
  # (Set to create secrets, Get/List to read them back, Delete to destroy).
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    secret_permissions = [
      "Get",
      "List",
      "Set",
      "Delete"
    ]
  }
}
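The vault above works, but it is open to every network, lets a single identity both write and delete secrets, keeps no audit trail, and can be purged outright. The following is an added example (not code from the original post) of a hardened replacement for the azurerm_key_vault.kv block, plus the resources a defender would want alongside it. It assumes azurerm_resource_group.rg and data.azurerm_client_config.current from the post; var.allowed_ip_ranges, var.app_object_id and the workspace name "tamops-law" are placeholders.

```hcl
# Added example (not from the original post). Hardened replacement for the
# azurerm_key_vault.kv resource above; assumes azurerm_resource_group.rg and
# data.azurerm_client_config.current already exist in the configuration.

variable "allowed_ip_ranges" {
  description = "CIDR ranges allowed to reach the vault data plane (placeholder)"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed example value (TEST-NET-3)
}

variable "app_object_id" {
  description = "Object ID of the workload identity that only needs to read secrets (placeholder)"
  type        = string
}

resource "azurerm_key_vault" "kv" {
  name                = "tamopskv"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Deleted secrets stay recoverable for 90 days, and with purge protection
  # on nobody can shorten that window or purge them early.
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  # Default-deny at the network edge: only the listed ranges and trusted
  # Azure services (for example ARM deployments) can reach the data plane.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = var.allowed_ip_ranges
  }
}

# Access policies are kept as separate resources rather than inline, because
# the provider documents that mixing the inline access_policy block with
# azurerm_key_vault_access_policy resources causes conflicts. Each principal
# then shows up in its own plan diff.

# The identity running Terraform needs to write secrets, but never Purge.
resource "azurerm_key_vault_access_policy" "deployer" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  secret_permissions = ["Get", "List", "Set", "Delete", "Recover"]
}

# Consumers of the secrets get read access only.
resource "azurerm_key_vault_access_policy" "app_reader" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.app_object_id

  secret_permissions = ["Get"]
}

# Audit logging: every data-plane operation (secret get/set/list and failed
# authorization attempts) is shipped to Log Analytics for alerting and
# investigation.
resource "azurerm_log_analytics_workspace" "law" {
  name                = "tamops-law" # placeholder name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_monitor_diagnostic_setting" "kv_audit" {
  name                       = "kv-audit"
  target_resource_id         = azurerm_key_vault.kv.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.law.id

  enabled_log {
    category = "AuditEvent"
  }

  metric {
    category = "AllMetrics"
  }
}
```

Because the deployer's permissions now live in a separate resource, any azurerm_key_vault_secret resources that follow should declare `depends_on = [azurerm_key_vault_access_policy.deployer]`, otherwise the first apply can race the policy and fail with a 403 from the vault. Purge protection is one-way: once enabled it cannot be turned off, so expect `terraform destroy` to leave the vault in a soft-deleted state until the retention period ends.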

Creating secrets using both Terraform and Azure CLI

Once the Key Vault is created, we can create a secret. I will create two, one by Terraform and one by the Azure CLI to show how you can reference an already created secret in Terraform.

Terraform

resource "azurerm_key_vault_secret" "sa" {
  name         = "saname1"
  value        = "tamopsstorage1"
  key_vault_id = azurerm_key_vault.kv.id
}

Creating a second Key Vault secret using Azure CLI

az keyvault secret set --vault-name tamopskv --name saname2 --value tamopsstorage2

The two secrets are shown below:

Referencing the two secrets in Terraform

In this example, I have added two secrets above. I will now show how to reference them in Terraform.

The first will create a storage account based on the secret created by Terraform. The second will create a storage account based on the secret created by the Azure CLI.

resource "azurerm_storage_account" "sa" {
  name                     = azurerm_key_vault_secret.sa.value
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  depends_on = [
    azurerm_resource_group.rg
  ]
}

For the second example, I will use the data source to reference the secret created by the Azure CLI.

data "azurerm_key_vault_secret" "saname2" {
  name         = "saname2"
  key_vault_id = azurerm_key_vault.kv.id
}

resource "azurerm_storage_account" "sa2" {
  name                     = data.azurerm_key_vault_secret.saname2.value
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  depends_on = [
    azurerm_resource_group.rg
  ]
}
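The secret above is written as a literal in the .tf file, which means it lives in source control as well as in the vault. The following is an added example (not code from the original post) showing the same two secrets handled so that the value comes from a sensitive variable, out-of-band rotation is not reverted by the next apply, and the values are kept out of plan output and an unprotected state file. It assumes azurerm_key_vault.kv from the post; the expiry date, the backend storage account name "tamopstfstate" and the resource group "tfstate-rg" are placeholders.

```hcl
# Added example (not from the original post). Assumes azurerm_key_vault.kv
# from the post exists in the same configuration.

# The secret value never appears in the .tf file: it is supplied through
# TF_VAR_sa_secret_value or a -var-file that is kept out of version control.
variable "sa_secret_value" {
  description = "Value for the Terraform-managed secret (supplied at apply time)"
  type        = string
  sensitive   = true
}

resource "azurerm_key_vault_secret" "sa" {
  name         = "saname1"
  value        = var.sa_secret_value
  key_vault_id = azurerm_key_vault.kv.id
  content_type = "text/plain"

  # An expiry lets the vault and audit tooling flag stale secrets.
  expiration_date = "2030-01-01T00:00:00Z" # placeholder date

  lifecycle {
    # If the value is rotated outside Terraform (portal, CLI, automation),
    # the next apply must not put the old value back.
    ignore_changes = [value, expiration_date]
  }
}

# The CLI-created secret is read, not managed, so its rotation is unaffected.
data "azurerm_key_vault_secret" "saname2" {
  name         = "saname2"
  key_vault_id = azurerm_key_vault.kv.id
}

# Both values end up in terraform.tfstate in plaintext regardless of the
# sensitive flag, so the state backend itself must be locked down: an Azure
# Storage backend authenticated with Azure AD rather than a storage key.
terraform {
  backend "azurerm" {
    resource_group_name  = "tfstate-rg"    # placeholder
    storage_account_name = "tamopstfstate" # placeholder
    container_name       = "tfstate"
    key                  = "keyvault.tfstate"
    use_azuread_auth     = true
  }
}

# The versioned secret URI is safe to expose; the value itself is not.
output "sa_secret_id" {
  value = azurerm_key_vault_secret.sa.id
}

# Marking the output sensitive redacts it from plan and apply output and from
# CI logs; the value is still retrievable with `terraform output -raw`.
output "saname2_value" {
  value     = data.azurerm_key_vault_secret.saname2.value
  sensitive = true
}
```

The `sensitive = true` flag on the variable is what stops the value from appearing in the plan diff of azurerm_key_vault_secret.sa; without it the diff prints the old and new secret values in full. The ignore_changes list is a deliberate trade-off: it means a value changed in the vault will not show up as drift, so rotation should be recorded in the vault's audit log rather than expected in a Terraform plan.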

We can now see two new storage accounts have been created with the Key Vault secrets created by Terraform and Azure CLI:

In this blog post, I have shown you how to use Azure Key Vault to store your Terraform secrets. I hope you found this useful.

Both the Terraform and Azure CLI examples can be found in my GitHub repo here.

Additional Terraform references I recommend you check out:
