How to Create Azure Key Vault and Assign Key Vault Administrator Role Using Terraform
2 weeks ago
Hi all,
I'm currently working with Terraform to set up Azure resources, including OpenAI services, and I'd like to extend my configuration to create an Azure Key Vault. Specifically, I want to:
- Create an Azure Key Vault to store secrets/keys.
- Assign the Key Vault Administrator role to a specific user or service principal to manage the vault.
Here's the existing Terraform configuration I have for the OpenAI service:
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.0.0"
    }
  }
}

provider "azurerm" {
  features {}
  # Authentication with Service Principal
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id
}

# Define the resource group
resource "azurerm_resource_group" "example" {
  name     = var.resource_group_name
  location = var.location # Update to a supported region
}

# Define the Cognitive Services account
resource "azurerm_cognitive_account" "openai" {
  name                = var.cognitive_account_name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  kind                = "OpenAI"
  sku_name            = "S0" # Ensure this attribute is specified

  identity {
    type = "SystemAssigned"
  }
}

# Define the Cognitive Services model deployment
resource "azurerm_cognitive_deployment" "model" {
  name                 = var.model_name
  cognitive_account_id = azurerm_cognitive_account.openai.id

  model {
    name   = var.model_name
    format = "OpenAI"
  }

  sku {
    name = "Standard" # Ensure this is a supported SKU for the chosen region
  }
}

# Define the output blocks
output "api_base" {
  value     = azurerm_cognitive_account.openai.endpoint
  sensitive = true
}

output "api_key" {
  value     = azurerm_cognitive_account.openai.primary_access_key
  sensitive = true
}

output "api_type" {
  value = "azure"
}

output "api_version" {
  value = "2024-08-01-preview" # Use the latest version
}

output "engine" {
  value = azurerm_cognitive_deployment.model.name
}
What I want to add:
- Create a Key Vault.
- Add a Key Vault Administrator role assignment for a service principal or a user (please specify how to do this).
- Store keys/secrets in the Key Vault.
Can someone provide an example or guide me on how to extend my Terraform configuration to include these steps?
Thank you in advance for your help!
2 weeks ago
Hi @naveen0142,
1. Create the Key Vault
resource "azurerm_key_vault" "example" {
  name                = var.key_vault_name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "standard"
  tenant_id           = var.tenant_id

  # Use Azure RBAC for data-plane access; without this the vault uses access
  # policies and the role assignment in step 2 grants no access to keys/secrets.
  # (The attribute is named enable_rbac_authorization in azurerm 3.x.)
  rbac_authorization_enabled = true

  # Enable soft delete and purge protection (recommended)
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}
2. Assign Role to a User or Service Principal
# Assign Key Vault Administrator role
# azurerm_client_config exposes the identity Terraform is running as;
# replace object_id with the object ID of another user or service principal if needed.
data "azurerm_client_config" "example" {}

resource "azurerm_role_assignment" "key_vault_admin" {
  principal_id         = data.azurerm_client_config.example.object_id
  role_definition_name = "Key Vault Administrator"
  scope                = azurerm_key_vault.example.id
}
Ref - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
3. Create Secrets in the Key Vault
# A resource block creates the secret (an ephemeral block only reads one).
resource "azurerm_key_vault_secret" "example_secret" {
  name         = "example-secret"
  value        = "your-secret-value" # Replace with your actual secret value
  key_vault_id = azurerm_key_vault.example.id

  # The deploying identity needs its data-plane role before it can write the secret.
  depends_on = [azurerm_role_assignment.key_vault_admin]
}
These are example code blocks and might need to be updated based on requirement.
For other Azure resources, here is the reference - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/
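The following is an added, complete example that ties the three steps above to the OpenAI configuration from the question; it is not code from the answer or from the azurerm provider docs. It assumes the question's `azurerm_resource_group.example` and `azurerm_cognitive_account.openai` resources exist, and introduces two hypothetical variables, `key_vault_admin_object_id` (the object ID of the user or service principal that should administer the vault) and `key_vault_allowed_ip_ranges`. It uses the azurerm 4.x attribute name `rbac_authorization_enabled` (called `enable_rbac_authorization` in 3.x).

```hcl
# Object ID of the user or service principal to make Key Vault Administrator (assumed variable).
variable "key_vault_admin_object_id" {
  description = "Object ID of the vault administrator (user or service principal)"
  type        = string
}

# CIDRs allowed through the vault firewall (assumed variable). Must include the
# address Terraform runs from, or the secret write below fails with 403.
variable "key_vault_allowed_ip_ranges" {
  description = "IP ranges allowed to reach the vault's data plane"
  type        = list(string)
  default     = []
}

# Identity Terraform is running as (tenant and object ID).
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = var.key_vault_name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Azure RBAC for the data plane, so the role assignments below take effect.
  rbac_authorization_enabled = true

  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Deny by default; allow trusted Azure services and the listed ranges only.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = var.key_vault_allowed_ip_ranges
  }
}

# Step 2: Key Vault Administrator for the named user or service principal.
resource "azurerm_role_assignment" "key_vault_admin" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = var.key_vault_admin_object_id
}

# The deploying identity only needs to write secrets, so it gets the narrower
# Secrets Officer role rather than Administrator.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Step 3: store the OpenAI key in the vault instead of surfacing it as an output.
resource "azurerm_key_vault_secret" "openai_api_key" {
  name         = "openai-api-key"
  value        = azurerm_cognitive_account.openai.primary_access_key
  key_vault_id = azurerm_key_vault.example.id
  content_type = "text/plain"

  # Role assignments propagate asynchronously; ordering avoids a 403 on first apply.
  depends_on = [azurerm_role_assignment.deployer_secrets_officer]
}

# Read-only access for the OpenAI account's system-assigned identity.
resource "azurerm_role_assignment" "openai_secrets_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_cognitive_account.openai.identity[0].principal_id
}

# Consumers receive a reference to the secret, not the key itself.
output "openai_api_key_secret_id" {
  value = azurerm_key_vault_secret.openai_api_key.id
}
```

Two design points: the deploying identity is separated from the administrator and given only the role it needs, and the OpenAI key never leaves the vault as plain Terraform output (the `api_key` output from the question can be dropped once this is in place). If the role assignment and secret still race on the first apply, a second `terraform apply` completes it.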