Referencing Azure Key Vault Certificates in Terraform

Another quick blog post on how you can reference certificates in your Azure Key Vault within your Terraform configurations. This subject follows a previous blog post in which I demonstrated how to reference Azure Key Vault secrets in Terraform. After receiving an inquiry in the comments about the possibility of doing the same for certificates, the answer is yes! In this blog post, I’ll illustrate this with a practical example.

Why use an Azure Key Vault to store your certificates?

  • Ability to centrally manage all certificates: Key Vault is a great place to centrally manage and store all your certificates in one place that you may want to use with your Azure environment(s)
  • Seamless integration with other Azure Services: Need a certificate as part of an Azure service? It will have seamless integration with Azure Key Vault certificates
  • Secure and traceable: Provides a highly secure and tamper-evident storage solution for certificates, ensuring the confidentiality and integrity of your sensitive data.

Referencing Azure Key Vault Certificates in Terraform

Assuming you have some prior experience with Terraform, let’s explore how to reference certificate values stored in Azure Key Vault. We’ll accomplish this using data sources (data blocks), a Terraform feature that lets you read information about existing Azure resources without altering or affecting the resources themselves. Data sources prove to be exceptionally useful within your Terraform configurations.

I have previously created a Key Vault, tamopskv, and a certificate, thomasthorntoncertificate.

Firstly, let’s reference the Key Vault in which the certificate is stored, using a data block:

# Reference Azure Key Vault
data "azurerm_key_vault" "tamopskv" {
  name                = "tamopskv"
  resource_group_name = "tamopsrg"
}

Let’s create another data block, this time to reference the certificate stored in the above Key Vault. Notice the key_vault_id argument: it is taken from the Key Vault data block above.

# Reference Key Vault certificate
data "azurerm_key_vault_certificate" "certificate" {
  name         = "thomasthorntoncertificate"
  key_vault_id = data.azurerm_key_vault.tamopskv.id
}

Now that we have the required Key Vault certificate within our Terraform configuration, we can reference it and use its various attributes; these are listed in the current provider documentation. In my example, I will just output the certificate’s thumbprint:

# Example to show output of certificate thumbprint
output "certificate_thumbprint" {
  value = data.azurerm_key_vault_certificate.certificate.thumbprint
}

Running a Terraform plan, we can see the certificate_thumbprint value of the above certificate:

data.azurerm_key_vault.tamopskv: Reading...
data.azurerm_key_vault.tamopskv: Read complete after 0s [id=/subscriptions/04109105-f3ca-44ac-a3a7-66b4936112c3/resourceGroups/tamopsrg/providers/Microsoft.KeyVault/vaults/tamopskv]
data.azurerm_key_vault_certificate.certificate: Reading...
data.azurerm_key_vault_certificate.certificate: Read complete after 1s [id=https://tamopskv.vault.azure.net/certificates/thomasthorntoncertificate/7d04f2bb149245ffaf7e44a854391c63]

Changes to Outputs:
  + certificate_thumbprint = "E1CCE8AB8D3450D7F93611A6A9EC6E0124F50B29"

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.
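Reading the thumbprint is a harmless read, but it is worth knowing what the data source hands you before wiring it into other resources. Everything a data source reads is written to the Terraform state file in plaintext, so attributes such as certificate_data are best left unused, and the private key (which Key Vault exposes through the secret backing the certificate) should never be pulled through Terraform at all. The pattern below is an added example that is not part of the original post or its GitHub repository: it reuses the two data blocks above, hands the certificate to an App Service by its Key Vault secret ID (so App Service fetches the PFX directly from the vault and the key never passes through state), and adds a Terraform 1.5 check block that warns at plan time when the certificate is within 30 days of expiry. The resource group, vault and certificate names are the ones from the post; the App Service certificate resource name is hypothetical, and the secret_id, versionless_secret_id and expires attributes are the ones exported by the azurerm provider’s azurerm_key_vault_certificate data source.

```hcl
# Added example (not the post's own code): consume a Key Vault certificate
# by reference and guard against an expiring certificate at plan time.
terraform {
  required_version = ">= 1.5" # check blocks need 1.5 or later
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Reference Azure Key Vault (same data block as in the post)
data "azurerm_key_vault" "tamopskv" {
  name                = "tamopskv"
  resource_group_name = "tamopsrg"
}

# Reference Key Vault certificate (same data block as in the post)
data "azurerm_key_vault_certificate" "certificate" {
  name         = "thomasthorntoncertificate"
  key_vault_id = data.azurerm_key_vault.tamopskv.id
}

# Hand the certificate to App Service by its Key Vault secret ID.
# App Service pulls the PFX from the vault itself, so the private key is
# never read by Terraform and never lands in the state file.
# Swap secret_id for versionless_secret_id if you want App Service to pick
# up a renewed certificate without a configuration change (assumption:
# App Service accepts a versionless secret ID, as its docs describe).
resource "azurerm_app_service_certificate" "example" { # hypothetical name
  name                = "thomasthorntoncertificate"
  resource_group_name = "tamopsrg"
  location            = data.azurerm_key_vault.tamopskv.location
  key_vault_secret_id = data.azurerm_key_vault_certificate.certificate.secret_id
}

# Plan-time guard: warn when the certificate expires within 30 days (720h).
# `expires` is the RFC 3339 expiry timestamp exported by the data source;
# timecmp returns 1 when the first timestamp is later than the second.
check "certificate_not_expiring_soon" {
  assert {
    condition = timecmp(
      data.azurerm_key_vault_certificate.certificate.expires,
      timeadd(timestamp(), "720h")
    ) > 0
    error_message = "Certificate ${data.azurerm_key_vault_certificate.certificate.name} expires within 30 days; renew it in Key Vault."
  }
}

# Thumbprint output as in the post; it identifies the certificate but is
# not secret, so it can safely be printed.
output "certificate_thumbprint" {
  value = data.azurerm_key_vault_certificate.certificate.thumbprint
}
```

Two things to check before applying this. First, App Service retrieves the certificate with its own service principal, so that principal (not the identity running Terraform) needs get permission on the vault’s secrets, or the import fails. Second, a failing check block does not stop the plan; it surfaces as a warning, which is what you want for an expiry heads-up but means you still need to act on it.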

Concluding..

Referencing Azure Key Vault certificates in Terraform is a crucial aspect of securing your infrastructure in Azure. By following the steps outlined in this quick guide, you can begin to effectively manage and use certificates in your Terraform deployments which are stored within an Azure Key Vault. This approach not only enhances security but also streamlines certificate management, ensuring a smooth and reliable infrastructure.

As always, thank you for reading! GitHub repository storing the example code
