Terraform – Using Azure KeyVault Secrets During Deployments

Terraform has become one of the most prominent tools in the DevOps world. It is an open-source Infrastructure as Code (IaC) tool that lets users define and provision data centre infrastructure using a declarative configuration language. This blog post focuses on how to use Azure KeyVault secrets during Terraform deployments.

Azure KeyVault is a cloud-based service for managing cryptographic keys and other secrets securely. It eliminates the need to store sensitive data in configuration files or code, thereby improving the security posture of your applications.

By integrating Azure KeyVault with Terraform, you can securely manage secrets needed for your infrastructure deployments. This practice ensures that sensitive data, such as database connection strings, admin credentials, or API keys, isn’t committed to your Terraform configuration files or your source repository. Keep in mind that "not in the configuration" is not "not anywhere": any value Terraform reads from the vault still ends up in plaintext in the Terraform state file, so the state backend must be protected (encrypted storage, restricted access, never committed to version control).

Let’s break down the process into steps:

Before using Azure KeyVault with Terraform, you must create a vault in Azure. After creating the vault, you can generate or import a secret into the vault. For this tutorial, let’s assume you’ve created a secret named MySecret.

Here’s an example of how to create a KeyVault and a secret using Azure CLI:

# Create the vault in an existing resource group
az keyvault create --name MyKeyVault --resource-group MyResourceGroup --location westus
# Store the secret; the value is passed on the command line here for brevity,
# so be aware it will land in your shell history
az keyvault secret set --vault-name MyKeyVault --name MySecret --value "This is a secret"

To allow Terraform to manage resources on Azure, you need to configure the azurerm provider and authenticate it, typically as a service principal. The example below spells out the subscription ID, tenant ID, client ID, and client secret in the provider block for clarity, but the client secret should not live in a .tf file any more than MySecret should: supply these values through the ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, and ARM_CLIENT_SECRET environment variables (which the provider reads automatically), or authenticate with the Azure CLI, a managed identity, or OIDC federation from your CI system. Whatever identity you use must also be granted read access to the vault’s secrets: the Key Vault Secrets User role if the vault uses Azure RBAC, or an access policy with the Get permission on secrets.

provider "azurerm" {
  # The features block is required even when empty
  features {}

  # Hard-coded here only for illustration; prefer the ARM_* environment
  # variables or a non-secret auth method (CLI, managed identity, OIDC)
  subscription_id = "your-subscription-id"
  tenant_id       = "your-tenant-id"
  client_id       = "your-client-id"
  client_secret   = "your-client-secret"
}

Now, you can retrieve the secret you stored in Azure KeyVault using the azurerm_key_vault_secret data source. Replace MyKeyVault and MySecret with the name of your KeyVault and secret, respectively.

# Look up the existing vault by name and resource group
data "azurerm_key_vault" "existing" {
  name                = "MyKeyVault"
  resource_group_name = "MyResourceGroup"
}

# Read the latest version of the secret from the vault's data plane;
# the deploying identity needs the Get permission on secrets
data "azurerm_key_vault_secret" "existing" {
  name         = "MySecret"
  key_vault_id = data.azurerm_key_vault.existing.id
}

# The provider marks "value" as sensitive, so an output that exposes it
# must be marked sensitive as well; otherwise terraform plan/apply fails
# with "Output refers to sensitive values"
output "secret_value" {
  value     = data.azurerm_key_vault_secret.existing.value
  sensitive = true
}

With this setup, terraform apply reads MySecret from the vault and records it as an output. Because the output is marked sensitive, the console shows secret_value = <sensitive> rather than the text; run terraform output -raw secret_value to see the actual value. Both the output and the data source result are written in plaintext to the state file, so treat the state with the same care as the vault itself.
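The following is an added example, not code from the original post, that pulls the three steps above together into one configuration a practitioner would actually deploy: no credentials in the provider block, the vault and secret names taken from variables, and the secret consumed directly by the resource that needs it (here the administrator password of an Azure SQL server) instead of merely printed. The resource group "MyResourceGroup", vault "MyKeyVault", and secret "MySecret" come from the post; the server name "example-sql-demo" and login "sqladmin" are assumptions for the example.

```hcl
# Added example (not from the original post): read MySecret from MyKeyVault
# and use it as the admin password of an Azure SQL server, with no credential
# anywhere in the .tf file.
# Assumed names: server "example-sql-demo" and login "sqladmin".

terraform {
  required_version = ">= 1.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

# No subscription_id/tenant_id/client_id/client_secret here: the provider
# picks them up from the ARM_* environment variables, the Azure CLI login,
# a managed identity, or OIDC, so nothing secret is committed with the code.
provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  type    = string
  default = "MyResourceGroup"
}

variable "key_vault_name" {
  type    = string
  default = "MyKeyVault"
}

variable "secret_name" {
  type    = string
  default = "MySecret"
}

data "azurerm_key_vault" "existing" {
  name                = var.key_vault_name
  resource_group_name = var.resource_group_name
}

# Reads the latest version of the secret. The deploying identity needs the
# "Key Vault Secrets User" role (RBAC vaults) or a Get access policy on secrets.
data "azurerm_key_vault_secret" "db_admin_password" {
  name         = var.secret_name
  key_vault_id = data.azurerm_key_vault.existing.id
}

# The secret goes straight into the resource that needs it; it never appears
# as a literal in this file.
resource "azurerm_mssql_server" "example" {
  name                         = "example-sql-demo" # assumed name
  resource_group_name          = var.resource_group_name
  location                     = "westus"
  version                      = "12.0"
  minimum_tls_version          = "1.2"
  administrator_login          = "sqladmin" # assumed login
  administrator_login_password = data.azurerm_key_vault_secret.db_admin_password.value
}

# Safe to print: the secret version tells you which rotation is deployed
# without revealing the value.
output "db_admin_password_version" {
  value = data.azurerm_key_vault_secret.db_admin_password.version
}

# Only export the value itself if something downstream truly needs it, and
# always mark it sensitive so plan/apply output redacts it.
output "db_admin_password" {
  value     = data.azurerm_key_vault_secret.db_admin_password.value
  sensitive = true
}
```

Run it with the ARM_* variables exported (or after az login) and terraform init && terraform apply. Two behaviours are worth knowing: because the data source reads the latest secret version at plan time, rotating MySecret in the vault shows up as an in-place password change on the SQL server at the next apply, which is how rotation propagates; and the password still lands in terraform.tfstate in plaintext, so use a remote backend with encryption at rest and tightly scoped access. Terraform 1.10 and later add ephemeral values that are not persisted to state; check the azurerm provider documentation for your version to see whether Key Vault secrets can be read that way.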

Using Azure KeyVault secrets during Terraform deployments is a secure and effective way to manage sensitive data. It keeps your secrets out of your Terraform configurations and your source repository, and puts access to them under the vault’s own access control and audit logging.

Remember to replace the example values in the commands and configurations with your Azure details. And always handle the secrets with the same care once Terraform has read them: grant the deploying identity only the permissions it needs on the vault (secret Get, not Key Vault Administrator), protect the state backend, mark any output that carries a secret as sensitive, and rotate credentials regularly, remembering that a rotated secret only reaches the deployed resources when you run terraform apply again.