How to Create Azure Key Vault and Assign Key Vault Administrator Role Using Terraform

naveen0142
New Contributor

Hi all,

I'm currently working with Terraform to set up Azure resources, including OpenAI services, and I'd like to extend my configuration to create an Azure Key Vault. Specifically, I want to:

  1. Create an Azure Key Vault to store secrets/keys.
  2. Assign the Key Vault Administrator role to a specific user or service principal to manage the vault.

    Here's the existing Terraform configuration I have for the OpenAI service:

    terraform {
      required_version = ">= 1.0.0"
    
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = ">= 2.0.0"
        }
      }
    }
    
    provider "azurerm" {
      features {}
      # Authentication with Service Principal (var.client_secret should be declared with sensitive = true)
      client_id       = var.client_id
      client_secret   = var.client_secret
      tenant_id       = var.tenant_id
      subscription_id = var.subscription_id
    }
    
    # Define the resource group
    resource "azurerm_resource_group" "example" {
      name     = var.resource_group_name
      location = var.location  # Update to a supported region
    }
    
    # Define the Cognitive Services account
    resource "azurerm_cognitive_account" "openai" {
      name                = var.cognitive_account_name
      resource_group_name = azurerm_resource_group.example.name
      location            = azurerm_resource_group.example.location
      kind                = "OpenAI"
      sku_name            = "S0"  # Ensure this attribute is specified
    
      identity {
        type = "SystemAssigned"
      }
    }
    
    # Define the Cognitive Services model deployment
    resource "azurerm_cognitive_deployment" "model" {
      name                  = var.model_name
      cognitive_account_id  = azurerm_cognitive_account.openai.id
    
      model {
        name   = var.model_name
        format = "OpenAI"
      }
    
      sku {
        name = "Standard"  # Ensure this is a supported SKU for the chosen region
      }
    }
    
    # Define the output blocks
    output "api_base" {
      value     = azurerm_cognitive_account.openai.endpoint
      sensitive = true
    }
    
    output "api_key" {
      value     = azurerm_cognitive_account.openai.primary_access_key
      sensitive = true
    }
    
    output "api_type" {
      value = "azure"
    }
    
    output "api_version" {
      value = "2024-08-01-preview"  # Use the latest version
    }
    
    output "engine" {
      value = azurerm_cognitive_deployment.model.name
    }
     

What I want to add:

  1. Create a Key Vault.
  2. Add a Key Vault Administrator role assignment for a service principal or a user (please specify how to do this).
  3. Store keys/secrets in the Key Vault.

Can someone provide an example or guide me on how to extend my Terraform configuration to include these steps?

Thank you in advance for your help!


parthSundarka
Databricks Employee

Hi @naveen0142 ,

1. Create the Key Vault

    resource "azurerm_key_vault" "example" {
      name                = var.key_vault_name
      location            = azurerm_resource_group.example.location
      resource_group_name = azurerm_resource_group.example.name
      sku_name            = "standard"
      tenant_id           = var.tenant_id

      # Use Azure RBAC for data-plane authorization instead of access policies.
      # Without this, the role assignment in step 2 grants no access to keys/secrets.
      # (azurerm v4 renamed this attribute to rbac_authorization_enabled.)
      enable_rbac_authorization = true

      # Enable soft delete and purge protection (recommended).
      # Purge protection cannot be turned off again once enabled.
      soft_delete_retention_days = 7
      purge_protection_enabled   = true
    }

2. Assign Role to a User or Service Principal

    # The identity Terraform runs as (the service principal from the provider block)
    data "azurerm_client_config" "example" {}

    # Assign Key Vault Administrator role, scoped to this vault only
    resource "azurerm_role_assignment" "key_vault_admin" {
      principal_id         = data.azurerm_client_config.example.object_id
      role_definition_name = "Key Vault Administrator"
      scope                = azurerm_key_vault.example.id
    }

3. Create Secrets in the Key Vault

    # A regular resource: ephemeral "azurerm_key_vault_secret" blocks only read
    # an existing secret, they cannot create one.
    resource "azurerm_key_vault_secret" "example_secret" {
      name         = "example-secret"
      value        = "your-secret-value"  # Replace with your actual secret value
      key_vault_id = azurerm_key_vault.example.id

      # The data-plane write needs the role assignment to exist first,
      # otherwise apply fails with 403 Forbidden.
      depends_on = [azurerm_role_assignment.key_vault_admin]
    }
 
These are example code blocks and may need to be updated based on your requirements.
For other Azure resources, here is the reference - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/
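Putting the three steps together with the OpenAI configuration from the question, as an added example that is not code from the original post or from Databricks. It assumes the `azurerm_resource_group.example` and `azurerm_cognitive_account.openai` resources and the `var.key_vault_name` variable from the thread, a hypothetical variable `key_vault_admin_object_id` holding the Entra object ID of the user or service principal that should administer the vault, and azurerm provider 3.x attribute names (v4 renames `enable_rbac_authorization` to `rbac_authorization_enabled`). It also stores the OpenAI key and endpoint in the vault so they no longer need to be Terraform outputs.

```hcl
# Added example; assumes the resource group, cognitive account and
# var.key_vault_name from the original post. Key Vault names must be
# globally unique, 3-24 characters, alphanumerics and hyphens only.

# Hypothetical input: object ID of the user or service principal to grant
# Key Vault Administrator. Obtain it with, for example,
#   az ad sp show --id <appId> --query id -o tsv   (service principal)
#   az ad user show --id <upn> --query id -o tsv   (user)
variable "key_vault_admin_object_id" {
  type        = string
  description = "Entra object ID of the user or service principal that administers the vault"
}

# The identity Terraform itself runs as (the provider's service principal)
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "openai" {
  name                = var.key_vault_name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # RBAC mode: access comes only from role assignments, never from access policies
  enable_rbac_authorization = true

  soft_delete_retention_days = 90
  purge_protection_enabled   = true # irreversible once set
}

# Terraform's own identity needs data-plane rights to write the secrets below.
# Key Vault Secrets Officer is sufficient; it does not need Administrator.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.openai.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# The requested user or service principal gets Key Vault Administrator,
# scoped to this single vault rather than the resource group or subscription.
resource "azurerm_role_assignment" "kv_admin" {
  scope                = azurerm_key_vault.openai.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = var.key_vault_admin_object_id
}

# Store the OpenAI key from the question's cognitive account in the vault
resource "azurerm_key_vault_secret" "openai_api_key" {
  name         = "openai-api-key"
  value        = azurerm_cognitive_account.openai.primary_access_key
  key_vault_id = azurerm_key_vault.openai.id
  content_type = "text/plain"

  # The role assignment must exist before the data-plane write, or apply fails with 403
  depends_on = [azurerm_role_assignment.deployer_secrets_officer]
}

resource "azurerm_key_vault_secret" "openai_endpoint" {
  name         = "openai-endpoint"
  value        = azurerm_cognitive_account.openai.endpoint
  key_vault_id = azurerm_key_vault.openai.id
  depends_on   = [azurerm_role_assignment.deployer_secrets_officer]
}

# Expose only the vault URI and a versionless secret reference; consumers read the
# key from the vault instead of from Terraform outputs.
output "key_vault_uri" {
  value = azurerm_key_vault.openai.vault_uri
}

output "openai_api_key_secret_id" {
  value = azurerm_key_vault_secret.openai_api_key.versionless_id
}
```

Two caveats when applying this. Azure RBAC assignments can take a few minutes to propagate, so the first `terraform apply` may still hit a 403 on the secret write and succeed on a re-run. And the secret value is still recorded in Terraform state, so the state backend needs the same protection as the vault; recent azurerm 4.x releases add a write-only `value_wo` attribute on `azurerm_key_vault_secret` (Terraform 1.11+) that keeps the value out of state. If the vault should not be reachable from the public internet, add a `network_acls` block with `default_action = "Deny"` and allow only the deployer's and consumers' address ranges.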
