Create an Azure Key Vault with RBAC role assignments using Terraform
Azure Key Vault is a Microsoft Azure resource that securely stores and manages sensitive data, including secrets, encryption keys, and certificates, it features soft deletion of secrets, renovation of certificates, and security features including Role-Based Access Control (RBAC) and private network access.
In this post, I will show you how to use Terraform to create an Azure Key Vault and populate it adding some secrets. Additionally, I will show you how to use Terraform to assign a user a role so that they can create secrets in Azure Key Vault.
Create an Azure Key Vault using Terraform
What do you need
Your
subscription_id, this is a GUID and you can get it using one of the following ways:Using Azure CLI:
az account subscription listUsing the Azure Portal.
Your
tenant_id, this is a GUID and you can get it using one of the following ways:Using Azure CLI:
az account tenant listUsing the Azure Portal in the column
Directory ID.
Terraform files
main.tf
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "4.11.0"
}
}
}
provider "azurerm" {
# Configuration options
features {
key_vault {
purge_soft_delete_on_destroy = true
recover_soft_deleted_key_vaults = true
}
}
subscription_id = "a838fdd3-56b8-4508-93db-9611367b3aee" # Put your 'subscription_id' here
tenant_id = "c4421ca3-5bd8-472b-99c4-6b231540eac1" # Put your 'tenant_id' here
}
data "azurerm_client_config" "current" {}
In this file you declare the Terraform provider.
keyvault.tf
resource "azurerm_resource_group" "secrets_rg" {
name = "secrets"
location = "westus3"
}
resource "azurerm_key_vault" "secrets_keyvault" {
tenant_id = data.azurerm_client_config.current.tenant_id
resource_group_name = azurerm_resource_group.secrets_rg.name
name = "secrets"
location = azurerm_resource_group.secrets_rg.location
enable_rbac_authorization = true
enabled_for_deployment = false
enabled_for_disk_encryption = false
enabled_for_template_deployment = true
public_network_access_enabled = false
purge_protection_enabled = true
soft_delete_retention_days = 90
sku_name = "standard"
}
You can customize the Azure Key Vault in this file.
secrets.tf
resource "azurerm_key_vault_secret" "db_development" {
name = "DbConnectionStringDevelopment"
value = "mysql://root:password123@db.example.com:3306/mydatabase"
key_vault_id = azurerm_key_vault.secrets_keyvault.id
}
This file will store non-sensitive secrets, such as secrets for development or integration environments.
Role assignment using Terraform
Now we are assigning a user a role to access and manage secrets in the Azure Key Vault previously created.
Azure RBAC has some built-in roles that can be assigned to a user or group, allowing granular control over access to Azure Key Vault.
What do you need
The
principal_idof the user or group (also known asObject ID), this is a GUID and you can get it using one of the following ways:Using Azure CLI:
az ad user list --query "[].{Id:id, Name: displayName, Email: mail}" --output tableUsing the Azure Portal.
The
role_definition_idof the role that you want to assign, this is a GUID and you can get it using one of the following ways:Using Azure CLI:
az role definition list --query "[?contains(roleName, 'Key Vault')].{Name:name, Description: description}" --output tableUsing the Microsoft Docs in the column
ID.
Terraform files
rbac.tf
resource "azurerm_role_assignment" "keyvault_secrets_officer_john" {
scope = azurerm_key_vault.secrets_keyvault.id
principal_id = "8c4ab003-5dcd-49e2-86df-8f96b1f46a0d" # Put your 'principal_id' here
role_definition_id = "b86a8fe4-44ce-4948-aee5-eccb2c155cd7" # Put your 'role_definition_id' here
}
References
Categories
Automation scripting Development tools Front end web development Infrastructure Kubernetes Programming guide Security Software architectureTags
Recent Posts