Terraform Azure Key Vault Secrets: Secure Access & Management

• Introduction
• Step-by-Step Guide
• Code Example
• Additional Notes
• Summary
• Conclusion
• References

This guide demonstrates how to securely manage sensitive information in your Terraform projects using Azure Key Vault. We'll cover setting up Key Vault, storing secrets, granting Terraform access, and retrieving secrets for use in your infrastructure deployments. By following these practices, you can enhance the security of your deployments and protect your sensitive data.

1. Set up Azure Key Vault and store your secret:

   • Create an Azure Key Vault instance.
   • Store your sensitive information (e.g., database password) as a secret within the Key Vault.

   resource "azurerm_key_vault" "example" {
     # ... Key Vault configuration ...
   }
   
   resource "azurerm_key_vault_secret" "example" {
     # ... Secret configuration ...
     value = "your-secret-value" 
   }

2. Grant Terraform access to read secrets:

   • Ensure your Terraform execution environment has appropriate permissions to access the Key Vault. This usually involves assigning a Managed Identity or Service Principal to your Terraform deployment process and granting it reader permissions on the Key Vault.

3. Use azurerm_key_vault_secret data source:

   • Utilize the azurerm_key_vault_secret data source in your Terraform code to fetch the secret value from Azure Key Vault.

   data "azurerm_key_vault_secret" "example" {
     name     = "your-secret-name"
     vault_uri = azurerm_key_vault.example.vault_uri
   }

4. Access the secret value:

   • Access the retrieved secret value using data.azurerm_key_vault_secret.example.value.

   output "secret_value" {
     value = data.azurerm_key_vault_secret.example.value
   }

Important Considerations:

• Never hardcode secrets directly in your Terraform code.
• Use environment variables or secure input methods during development and local testing.
• Implement appropriate security measures to protect your Key Vault and its access policies.

This Terraform code demonstrates how to securely store and access a database password using Azure Key Vault. It first defines resources for an Azure resource group and a Key Vault. Then, it stores the password as a secret within the Key Vault. The code utilizes a data source to retrieve the secret from the Key Vault, emphasizing the importance of not hardcoding sensitive information. While not explicitly shown, the code assumes that a Managed Identity with appropriate permissions is configured to allow Terraform to access the Key Vault. Finally, the retrieved secret value is outputted, marked as sensitive to ensure its protection. The example stresses the significance of robust security measures, including least privilege access and regular permission reviews, for safeguarding the Key Vault and its contents.

This example demonstrates how to store a database password in Azure Key Vault and access it securely within your Terraform code.

1. Set up Azure Key Vault and store your secret:

# Configure the Azure Provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# Create a resource group
resource "azurerm_resource_group" "example" {
  name     = "key-vault-rg"
  location = "westus2"
}

# Create an Azure Key Vault
resource "azurerm_key_vault" "example" {
  name                = "my-key-vault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id

  sku_name = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    secret_permissions = [
      "get",
      "list",
    ]
  }
}

# Store the database password as a secret in Key Vault
resource "azurerm_key_vault_secret" "example" {
  name         = "db-password"
  value        = "your-secret-password" # Replace with your actual password
  key_vault_id = azurerm_key_vault.example.id
}

2. Grant Terraform access to read secrets (using Managed Identity):

• Note: This step is not explicitly shown in the code. You need to configure a Managed Identity for your deployment environment (e.g., Azure DevOps pipeline) and grant it "Reader" permissions on the Key Vault.

3. Use azurerm_key_vault_secret data source:

# Retrieve the database password from Key Vault
data "azurerm_key_vault_secret" "example" {
  name         = azurerm_key_vault_secret.example.name
  key_vault_id = azurerm_key_vault.example.id
}

4. Access the secret value:

# Output the retrieved secret value
output "secret_value" {
  value     = data.azurerm_key_vault_secret.example.value
  sensitive = true # Mark the output as sensitive
}

Important Considerations:

• Never hardcode secrets directly in your Terraform code. Use environment variables, secure input methods, or a dedicated secrets management solution during development and local testing.
• Implement appropriate security measures to protect your Key Vault and its access policies. Use the principle of least privilege and regularly review access permissions.
• This example uses a basic access policy for demonstration purposes. In a production environment, you should tailor the access policy to your specific needs and security requirements.

This example provides a starting point for securely managing secrets with Azure Key Vault and Terraform. Remember to adapt it to your specific use case and security considerations.

General:

• Purpose of Azure Key Vault: Azure Key Vault is a secure, centralized service for storing and managing secrets, keys, and certificates used in your applications and cloud services. It helps you control access to sensitive information and protect it from unauthorized access.
• Alternatives to Managed Identities: While Managed Identities are a recommended approach for granting Terraform access to Key Vault, you can also use Service Principals or access tokens. However, these methods require more manual configuration and may have security implications if not managed properly.
• Secret Rotation: Consider enabling secret rotation in Azure Key Vault to automatically generate new versions of your secrets periodically. This enhances security by reducing the impact of a compromised secret.

Code Example:

• Resource Group: The code creates a dedicated resource group for the Key Vault. This is a good practice for organization and resource management.
• Key Vault SKU: The example uses the "standard" SKU for the Key Vault. You can choose a different SKU based on your performance and feature requirements.
• Access Policy: The access_policy block defines who can access the Key Vault and what permissions they have. In this case, it grants the current user (or service principal) "get" and "list" permissions for secrets.
• Sensitive Output: The output "secret_value" is marked as sensitive = true. This prevents Terraform from displaying the secret value in the console output or logs, enhancing security.

Security Best Practices:

• Principle of Least Privilege: Grant only the necessary permissions to your Terraform code and other entities accessing the Key Vault.
• Regularly Review Access Policies: Periodically review and update the access policies for your Key Vault to ensure that only authorized users and applications have access.
• Network Security: Consider implementing network security measures, such as Azure Private Link, to restrict access to your Key Vault from specific networks or virtual networks.
• Monitoring and Auditing: Enable logging and monitoring for your Key Vault to track access and detect any suspicious activity.

By following these best practices and using Azure Key Vault effectively, you can significantly improve the security of your Terraform deployments and protect your sensitive information.

This guide outlines how to securely manage sensitive information like database passwords in your Terraform projects using Azure Key Vault.

Steps:

1. Create an Azure Key Vault: Establish a secure vault to store your secrets.
2. Store your secret: Save your sensitive information as a secret within the Key Vault.
3. Grant Terraform access: Configure permissions for your Terraform deployment process to read secrets from the Key Vault. This typically involves Managed Identities or Service Principals.
4. Retrieve the secret: Utilize the azurerm_key_vault_secret data source in your Terraform code to fetch the secret value from the Key Vault.
5. Access and use the secret: Access the retrieved secret value within your Terraform code using data.azurerm_key_vault_secret.example.value.

Key Points:

• Never hardcode secrets directly in your Terraform code.
• Utilize environment variables or secure input methods during development and local testing.
• Implement robust security measures to protect your Key Vault and its access policies.

By following these steps, you can enhance the security of your Terraform projects and protect your sensitive information.

By combining Azure Key Vault with Terraform, you can significantly improve the security posture of your infrastructure deployments. Storing sensitive information in Key Vault and accessing it securely through Terraform ensures that secrets are never hardcoded in your code or configuration files. This approach, coupled with robust security practices like Managed Identities, least privilege access, and regular security audits, provides a solid foundation for secure infrastructure management in the cloud.

• azurerm_key_vault_secret | hashicorp/azurerm | Terraform | This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Secret is updated. ... keyvault.vault.azure.net/secrets/ ...
• Using Terraform with Azure Key Vault to Retrieve Secret Values | In this blog post we will explore how to use Terraform, with Azure Key Vault to retrieve secret values.
• azurerm_key_vault_secret | Data Sources | Terraform | versionless_id - The Versionless ID of the Key Vault Secret. This can be used to always get latest secret value, and enable fetching automatically rotating ...
• Secrets in a pipeline : r/Terraform | Posted by u/meatpak - 3 votes and 38 comments
• [azurerm_key_vault_secret] Writing a connection string into a key ... | Community Note Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me too" comments, th...
• Question: How to handle secrets in tfstate? : r/Terraform | Posted by u/syncsow - 16 votes and 14 comments
• Azure Key Vault Secret / Adding new secret to Azure key vault ... | Community Note Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me too" comments, th...
• Terraform - How do you handle secrets? : r/devops | Posted by u/Culpgrant21 - 86 votes and 64 comments
• Unable to read secrets from key vault located in another subscription ... | Community Note Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me too" comments, th...