Quickstart: Create an Azure key vault and key using Terraform
Article
Azure Key Vault is a cloud service that provides a secure store for secrets, such as keys, passwords, and certificate. This article focuses on the process of deploying a Terraform file to create a key vault and a key.
Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.
In this article, you learn how to:
Create a random value for the Azure resource group name using random_pet
Create a file named variables.tf and insert the following code:
Terraform
variable"resource_group_location" {
type = string
description = "Location for all resources."
default = "eastus"
}
variable"resource_group_name_prefix" {
type = string
description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
default = "rg"
}
variable"vault_name" {
type = string
description = "The name of the key vault to be created. The value will be randomly generated if blank."
default = ""
}
variable"key_name" {
type = string
description = "The name of the key to be created. The value will be randomly generated if blank."
default = ""
}
variable"sku_name" {
type = string
description = "The SKU of the vault to be created."
default = "standard"
validation {
condition = contains(["standard", "premium"], var.sku_name)
error_message = "The sku_name must be one of the following: standard, premium."
}
}
variable"key_permissions" {
type = list(string)
description = "List of key permissions."
default = ["List", "Create", "Delete", "Get", "Purge", "Recover", "Update", "GetRotationPolicy", "SetRotationPolicy"]
}
variable"secret_permissions" {
type = list(string)
description = "List of secret permissions."
default = ["Set"]
}
variable"key_type" {
description = "The JsonWebKeyType of the key to be created."
default = "RSA"
type = string
validation {
condition = contains(["EC", "EC-HSM", "RSA", "RSA-HSM"], var.key_type)
error_message = "The key_type must be one of the following: EC, EC-HSM, RSA, RSA-HSM."
}
}
variable"key_ops" {
type = list(string)
description = "The permitted JSON web key operations of the key to be created."
default = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
}
variable"key_size" {
type = number
description = "The size in bits of the key to be created."
default = 2048
}
variable"msi_id" {
type = string
description = "The Managed Service Identity ID. If this value isn't null (the default), 'data.azurerm_client_config.current.object_id' will be set to this value."
default = null
}
Create a file named outputs.tf and insert the following code:
Terraform
output"resource_group_name" {
value = azurerm_resource_group.rg.name
}
output"azurerm_key_vault_name" {
value = azurerm_key_vault.vault.name
}
output"azurerm_key_vault_id" {
value = azurerm_key_vault.vault.id
}
Initialize Terraform
Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.
Console
terraform init -upgrade
Key points:
The -upgrade parameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.
The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.
Apply a Terraform execution plan
Run terraform apply to apply the execution plan to your cloud infrastructure.
Console
terraform apply main.tfplan
Key points:
The example terraform apply command assumes you previously ran terraform plan -out main.tfplan.
If you specified a different filename for the -out parameter, use that same filename in the call to terraform apply.
If you didn't use the -out parameter, call terraform apply without any parameters.
The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.