Creating Key Vault in Azure using Terraform

What is Azure Key Vault: Azure Key Vault helps teams securely store and manage sensitive information such as keys, passwords and certificates in a centralized store that is safeguarded by industry-standard algorithms and key lengths and, optionally, by hardware security modules.

Benefits of using Key Vault with an IaC tool like Terraform

Today there are three common ways to get values into a Terraform run:

  1. In Terraform we add the values to variables.tf in the default parameter, or

  2. we pass a variables.tfvars file on the command line with the -var-file option, or

  3. we pass variable values on the command line with the -var option.

All of the options listed above work fine when you have only a few variables to pass and you are not working in a distributed environment.

So the next question is: why not use an SCM tool like GitHub, Bitbucket or GitLab to check in our secrets? The answer is no. We cannot push our secrets to an SCM tool; that would be a security breach.

So how do we make use of these secrets in IaC tools like Terraform, CloudFormation or Ansible when deploying infrastructure?

There are a couple of tools on the market that help us store secrets, such as Azure Key Vault, AWS Secrets Manager or HashiCorp Vault. Let's discuss Azure Key Vault below.

main.tf

# Identity (tenant and object id) of the principal Terraform is running as.
data "azurerm_client_config" "current" {}

# Key Vault for the project. The name must be globally unique and consist of
# 3-24 letters, digits and hyphens.
resource "azurerm_key_vault" "vault" {
  name                        = "${var.project_name}-vault-${var.env_name}"
  location                    = var.location
  resource_group_name         = var.rg
  enabled_for_disk_encryption = true
  # Take the tenant from the current credentials instead of hard-coding it.
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  # false suits dev vaults that get torn down; enable it for production so a
  # deleted vault or secret cannot be purged during the retention period.
  purge_protection_enabled    = false
  sku_name                    = "standard"

  # Grants the identity running Terraform full rights on the vault. Identities
  # that only need to read secrets should get a narrower policy (e.g. Get/List).
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions = [
      "Get", "List", "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Import", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey",
    ]
    secret_permissions = [
      "Get", "List", "Backup", "Delete", "Purge", "Recover", "Restore", "Set",
    ]
    storage_permissions = [
      "Get", "List", "Backup", "Delete", "DeleteSAS", "GetSAS", "ListSAS", "Purge", "Recover", "RegenerateKey", "Restore", "Set", "SetSAS", "Update",
    ]
    certificate_permissions = [
      "Get", "List", "Backup", "Create", "Delete", "DeleteIssuers", "GetIssuers", "Import", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update",
    ]
  }
}

output.tf

output "vault_id" {
  description = "Key Vault id"
  value       = azurerm_key_vault.vault.id
}

variables.tf

variable "location" {
  type        = string
  default     = "northeurope"
  description = "The location where the resource group should be created. For a list of all Azure location"
}

variable "env_name" {
  type        = string
  default     = "dev"
  description = "Type of environment, e.g. dev, stage or prod"
}

variable "project_name" {
  type        = string
  default     = "azure-test"
  description = "Project name"
}

variable "rg" {
  type        = string
  default     = "azure-test-rg"
  description = "Resource group name"
}
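The post stops at creating the vault, so here is an added example (not from the original post) of the next step: getting a secret through Terraform without it ever landing in variables.tf, a tfvars file or SCM. The value arrives as a sensitive variable set at run time, is written into the vault created in main.tf above, and is read back the way a consuming configuration would. It assumes the azurerm_key_vault.vault resource from main.tf; the variable name db_password and the secret name db-password are my own choices.

```hcl
# Added example (e.g. secrets.tf next to the files above): store a secret in the
# vault and read it back. Assumes azurerm_key_vault.vault from main.tf.

variable "db_password" {
  type        = string
  sensitive   = true  # redacted in plan/apply output
  description = "Supplied at run time, e.g. export TF_VAR_db_password=..., never committed"
}

# Write the secret into Key Vault; no literal value appears in the configuration.
resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = var.db_password
  key_vault_id = azurerm_key_vault.vault.id
  content_type = "password"
}

# Read path: this is what a consuming module or a later pipeline stage does.
# It needs only the Get permission on secrets, not the full policy in main.tf.
data "azurerm_key_vault_secret" "db_password" {
  name         = azurerm_key_vault_secret.db_password.name
  key_vault_id = azurerm_key_vault.vault.id
}

# The versioned id carries no secret material and is safe to output in clear.
output "db_password_secret_id" {
  description = "Versioned Key Vault id of the stored secret"
  value       = azurerm_key_vault_secret.db_password.id
}

# Outputs that carry the value itself must be marked sensitive, otherwise
# `terraform output` prints them in clear text.
output "db_password_value" {
  description = "Secret value; shown only with `terraform output -raw db_password_value`"
  value       = data.azurerm_key_vault_secret.db_password.value
  sensitive   = true
}
```

Note that Terraform still records the secret value in its state file, so the state backend needs the same access restrictions as the vault itself.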

Run the commands below:

terraform init

terraform plan

terraform apply