How to Create Azure Key Vault and Assign Key Vault Administrator Role Using Terraform

naveen0142 — Wed, 22 Jan 2025 13:18:57 GMT

Hi all,

I’m currently working with Terraform to set up Azure resources, including OpenAI services, and I’d like to extend my configuration to create an Azure Key Vault. Specifically, I want to:

Create an Azure Key Vault to store secrets/keys.

Assign the Key Vault Administrator role to a specific user or service principal to manage the vault.

Here's the existing Terraform configuration I have for the OpenAI service:

terraform {
  required_version = ">= 1.0.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.0.0"
    }
  }
}

provider "azurerm" {
  features {}
   # Authentication with Service Principal
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}

# Define the resource group
resource "azurerm_resource_group" "example" {
  name     = var.resource_group_name
  location = var.location  # Update to a supported region
}

# Define the Cognitive Services account
resource "azurerm_cognitive_account" "openai" {
  name                = var.cognitive_account_name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  kind                = "OpenAI"
  sku_name            = "S0"  # Ensure this attribute is specified

  identity {
    type = "SystemAssigned"
  }
}

# Define the Cognitive Services model deployment
resource "azurerm_cognitive_deployment" "model" {
  name                  = var.model_name
  cognitive_account_id  = azurerm_cognitive_account.openai.id

  model {
    name   = var.model_name
    format = "OpenAI"
  }

  sku {
    name = "Standard"  # Ensure this is a supported SKU for the chosen region
  }
}

# Define the output blocks
output "api_base" {
  value     = azurerm_cognitive_account.openai.endpoint
  sensitive = true
}

output "api_key" {
  value     = azurerm_cognitive_account.openai.primary_access_key
  sensitive = true
}

output "api_type" {
  value = "azure"
}

output "api_version" {
  value = "2024-08-01-preview"  # Use the latest version
}

output "engine" {
  value = azurerm_cognitive_deployment.model.name
}

What I want to add:

Create a Key Vault.
Add a Key Vault Administrator role assignment for a service principal or a user (please specify how to do this).
Store keys/secrets in the Key Vault.
Can someone provide an example or guide me on how to extend my Terraform configuration to include these steps?
Thank you in advance for your help!

Re: How to Create Azure Key Vault and Assign Key Vault Administrator Role Using Terraform

parthSundarka — Wed, 22 Jan 2025 20:03:31 GMT

Hi @naveen0142 ,

1. Create the Key Vault

resource "azurerm_key_vault" "example"

{
  name                = var.key_vault_name

  location            = azurerm_resource_group.example.location

  resource_group_name = azurerm_resource_group.example.name

  sku_name            = "standard"

  tenant_id          = var.tenant_id

  # Enable soft delete and purge protection (recommended)
  soft_delete_retention_days = 7

  purge_protection_enabled    = true

}

2. Assign Role to a User or Service Principal

# Assign Key Vault Administrator role

data "azurerm_client_config" "example" {
}
resource "azurerm_role_assignment" "key_vault_admin" {
principal_id = data.azurerm_client_config.example.object_id
role_definition_name = "Key Vault Administrator"
scope = azurerm_key_vault.example.id
}

Ref - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment

3. Create Secrets in the Key Vault

ephemeral "azurerm_key_vault_secret" "example_secret" {
name = "example-secret"
value = "your-secret-value" # Replace with your actual secret value
key_vault_id = azurerm_key_vault.example.id
}

Ref - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/ephemeral-resources/key_vault_secret

This is example code blocks and might need to be updated based on requirement.

For other Azure resources, here is the reference - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/

topic Re: How to Create Azure Key Vault and Assign Key Vault Administrator Role Using Terraform in Get Started Discussions

How to Create Azure Key Vault and Assign Key Vault Administrator Role Using Terraform

Re: How to Create Azure Key Vault and Assign Key Vault Administrator Role Using Terraform