How To Create & Manage Azure Key Vault with Terraform Scripting?

Protecting keys and client secrets is essential to protect the cloud user’s data and identity. Azure Key Vault offers an end-to-end security solution to safeguard cryptographic keys, client secrets, digital tokens, and certificates.

But how to create and manage a Key Vault? Microsoft offers various solutions such as Azure Portal, Azure CLI (command line interface), Azure ARM Templates, etc. However, these solutions are limited to Azure and don’t work for other cloud platforms such as AWS, GCP, etc.

“HashiCorp Terraform is the latest IaC (infrastructure as code) tool that eliminates such limitations!”

Terraform allows developers to provision and manage cloud and on-prem infrastructure resources, like the Azure Key Vault, across different cloud platforms!

Why Use Terraform?

The Terraform IaC tool uses configuration files that can be shared across platforms for building, deploying, and versioning cloud and on-premise resources. These are some of the benefits of using Terraform:

  • It supports cross-platform resource deployment in Azure, AWS, GCP, etc.
  • The modules and configuration files are reusable across different projects.
  • It helps enterprises automate various infrastructure deployment processes.
  • It is declarative: the configuration specifies the desired resource properties and settings.

With Terraform, cloud developers can create and manage any cloud service, resource, or application. The core workflow is always the same:

  • Write (Define the resource configuration across the cloud providers)
  • Plan (Describe the infrastructure configuration with an execution plan)
  • Apply (Deploy the configuration changes within the selected environment)

Requirements To Deploy Azure Key Vault Using Terraform

Here are the initial requirements to create and manage Azure resources like the Key Vault at the Azure tenant level:

  • An Azure DevOps project
  • An active Azure subscription
  • An existing or new resource group
  • A dedicated storage account with one or more containers
  • PAT (Personal Access Token) from Azure DevOps
  • A unique client ID with client secrets

“Enterprises with cloud infrastructure use the Key Vault to streamline and control their key management processes.”

Install & Configure Terraform Executable Module

First, Azure developers must install and configure the Terraform executable, which performs authentication and authorization at the Azure tenant level.

Step 1: Launch PowerShell and run “az login” to initiate the Azure tenant authentication process; it returns the active subscription details.

Step 2: Create a service principal that you will use to create the Azure Key Vault and perform other actions.

Step 3: Keep the returned values safe for later use in the variables.tf file (the Terraform variables file).

Step 4: Create a dedicated folder as the “root module” that contains all configuration files related to the Key Vault.

Step 5: Create the file that creates the child modules, and use the file to add the Terraform variables.

Step 6: Define the terraform { } section to specify the Azure provider and version details using local variables.

Step 7: Add the existing or newly created resource group that contains the various deployment components of the Azure Key Vault.

Step 8: Run terraform init, terraform fmt, terraform validate, and terraform apply to initialize, format, validate, and apply the configuration files with Terraform.
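The root module that steps 4 to 8 describe, as an added example that is not from the original post: the terraform { } section with the Azure provider and version, the remote-state backend in the dedicated storage account from the requirements list, the resource group, and the vault itself with soft delete, purge protection and RBAC enabled. The state resource group, storage account, container and default location names are assumptions; credentials are expected in the ARM_* environment variables rather than in any .tf file.

```hcl
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.80" }
  }
  # Remote state in the dedicated storage account/container from the requirements list.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"    # assumed name
    storage_account_name = "sttfstate0001" # assumed name
    container_name       = "tfstate"       # assumed name
    key                  = "keyvault.tfstate"
  }
}

provider "azurerm" {
  # Credentials come from ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID /
  # ARM_SUBSCRIPTION_ID in the environment, never from the .tf files.
  features {
    key_vault {
      purge_soft_delete_on_destroy = false # leave soft-deleted vaults recoverable
    }
  }
}

variable "key_vault_name"      { type = string }
variable "resource_group_name" { type = string }
variable "location"            { default = "westeurope" } # assumed default

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_key_vault" "this" {
  name                          = var.key_vault_name
  location                      = azurerm_resource_group.kv.location
  resource_group_name           = azurerm_resource_group.kv.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  soft_delete_retention_days    = 90
  purge_protection_enabled      = true  # blocks permanent deletion of keys and secrets
  enable_rbac_authorization     = true  # Azure RBAC instead of per-vault access policies
  public_network_access_enabled = false
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
```

With purge protection on, terraform destroy can soft-delete the vault but cannot purge it, so the name stays reserved until the retention period ends.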

Required Terraform Scripts To Manage Key Vaults

Creating and managing the Key Vaults per project involves quite a few Terraform scripts, such as:

File

This is the main Terraform file. It contains the required provider details for Azure DevOps, Azure RM, and Azure AD, and uses different modules, locals, and data sources to create the Key Vaults.

File

This file contains all providers’ information and configuration definitions for the Key Vault deployment. The objects in this file are the Azure DevOps provider and the Azure RM provider. Objects in other files can also use the objects of this file.

File

This file defines the variables of all Azure Key Vault objects individually in an Azure project. It specifies the variable types and sets default values; the developer can replace the variable values according to the project requirements.

File

This file initiates the integration validation between Key Vaults and DevOps projects. Developers use this file to create separate service principals for the Key Vaults, which later help define service connections.

File

This file assigns the RBAC role “Contributor” to the Azure resources and resource groups that access and manage the Key Vaults.

File

This Terraform file automates the Key Vault creation process. You can use the same file to create multiple Key Vaults in Azure DevOps projects, and to create the Azure Key Vault in different environments such as dev, test, and prod.

File

This script creates service connections between various Azure resources in Azure DevOps projects.

File

This file grants the permissions on the Key Vaults to create, access, get, rotate, and delete secrets.
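An added example, not from the original post, covering the service-principal, Contributor-role and secrets-permission files described above as a second file in the same root module. It assumes the vault and resource group are declared elsewhere in that module as azurerm_key_vault.this and azurerm_resource_group.kv; the application display name is an assumption.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.47" }
  }
}

data "azurerm_client_config" "caller" {}

# One dedicated service principal per project pipeline, as the post describes.
resource "azuread_application" "pipeline" {
  display_name = "sp-kv-pipeline-dev" # assumed name
}

resource "azuread_service_principal" "pipeline" {
  client_id = azuread_application.pipeline.client_id
}

# Control-plane role on the resource group: manage the vault resource itself.
resource "azurerm_role_assignment" "rg_contributor" {
  scope                = azurerm_resource_group.kv.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.pipeline.object_id
}

# Contributor cannot read secret values. Data-plane access is a separate
# assignment, scoped to the single vault rather than the resource group.
resource "azurerm_role_assignment" "kv_secrets_officer" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = azuread_service_principal.pipeline.object_id
}

# Equivalent for a vault that still uses access policies
# (enable_rbac_authorization = false): list only the operations the pipeline needs.
resource "azurerm_key_vault_access_policy" "pipeline" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.caller.tenant_id
  object_id    = azuread_service_principal.pipeline.object_id

  secret_permissions = ["Get", "List", "Set", "Delete", "Recover"]
  key_permissions    = ["Get", "List", "Create", "Rotate", "GetRotationPolicy", "SetRotationPolicy"]
}
```

Only one of the two data-plane mechanisms is honoured by a given vault: when RBAC authorization is enabled, Azure ignores access policies, so keep the access policy block only for vaults that have it disabled.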

Variables.tfvars File

With this .tfvars file, the Azure developer declares variables such as the PAT, Azure subscription ID, tenant ID, client ID, client secret, storage account, resource group, container names, organization URL, service URL, and the file name used to store keys.

Conducting Terraform Script Execution

Run the “terraform init” command to initialize the Terraform script, then complete the execution following the predefined script workflow. Terraform is a powerful tool that can help Azure administrators maintain Azure Key Vault and secure keys in the cloud infrastructure. However, how the Terraform scripts are formed depends on the project’s underlying infrastructure settings, so developers can custom-build separate Terraform scripts to create Key Vaults, manage customer-managed keys, enable Key Vault secrets, configure key rotation, and more.

Do you want to secure your Azure keys and secrets? Consult with Azure DevOps experts today!

Co-Founder & Director, Business Management
BDCC Global is a leading DevOps research company. We believe in sharing knowledge and increasing awareness, and to contribute to this cause, we try to include all the latest changes, news, and fresh content from the DevOps world into our blogs.