Skip to content

Key Vault

Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. The Key Vault module allows you to create and configure Azure Key Vaults with various security settings including network access controls, RBAC authorization, and access policies.

Basic Configuration

Below is the most basic example of creating a Key Vault with default settings:

1
2
3
4
5
key_vaults = {
    EpicKV = {
        resource_group = "keyvault"
    }
}

This creates a Key Vault with the following defaults: - SKU: standard - RBAC Authorization: Enabled - Public Network Access: Disabled - Network ACLs: Default action set to Deny, bypass set to AzureServices -> these settings maintain the ability to continue to maintain the keyvault using terraform even though public access is disabled - Tenant ID: Uses the deployment subscription's tenant ID - Location: Uses the location defined in the main configuration

Advanced Configuration

The following example demonstrates a more advanced Key Vault configuration with premium SKU, network access controls, and additional security settings:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
key_vaults = {
    EpicKV = {
        resource_group = "keyvault"

        location = "centralus" # If null, defaults to global location set in tfvars
        # tenant_id = "" # Specify a tenant ID if different from the deployment subscription

        sku_name = "premium"

        network_acls = { 
            bypass = "AzureServices"
            default_action = "Deny"
            ip_rules = [] # One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault.
            virtual_network_subnet_ids = [] # One or more Subnet Resource IDs which should be able to access the Key Vault.
        }

        public_network_access_enabled = true
        enabled_for_disk_encryption = true #Enable Azure Disk Encryption to retrieve secrets from the vault
        enabled_for_deployment = true #Enable Azure Virtual Machines to retrieve certificates stored as secrets
        enabled_for_template_deployment = true #Enable Azure Resource Manager to retrieve secrets from the vault during deployments

        tags = {
            environment = "nonprod"
        }
    }
}

Configuration Parameters

Parameter Type Required Default Description
resource_group string Yes - The name of the resource group key where the Key Vault will be created
name string No Auto-generated Custom name for the Key Vault. If not specified, uses naming convention: {name_prefix}keyvault{key}{name_suffix}keyvault
location string No Global location set in tfvars The Azure region where the Key Vault will be created
tenant_id string No Current tenant The Azure AD tenant ID. Defaults to the deployment subscription's tenant
sku_name string No standard The SKU name. Possible values: standard, premium
rbac_authorization_enabled bool No true Enable Azure RBAC for authorization. If disabled, access policies must be defined
enabled_for_disk_encryption bool No false Enable Azure Disk Encryption to retrieve secrets from the vault
enabled_for_deployment bool No false Enable Azure Virtual Machines to retrieve certificates stored as secrets
enabled_for_template_deployment bool No false Enable Azure Resource Manager to retrieve secrets from the vault during deployments
public_network_access_enabled bool No false Whether public network access is allowed for this Key Vault
network_acls object No See below Network access control settings
access_policies list(object) No null List of access policies (required if rbac_authorization_enabled is false)
tags map(string) No {} Tags to assign to the Key Vault (merged with default tags)

Network ACLs

When network_acls is specified, you can control network access to the Key Vault:

network_acls = {
    bypass = "AzureServices"           # Default: "AzureServices". Allows Azure services to bypass network rules
    default_action = "Deny"             # Default: "Deny". Default action when no rule matches
    ip_rules = ["0.0.0.0/0"]      # List of IP addresses or CIDR blocks allowed to access
    virtual_network_subnet_ids = []     # List of subnet resource IDs allowed to access
}

To disable network ACLs entirely, set network_acls = null.

Access Policies

If RBAC authorization is disabled (rbac_authorization_enabled = false), you must define access policies:

key_vaults = {
    MyKV = {
        resource_group = "keyvault"
        rbac_authorization_enabled = false
        access_policies = [
            {
                tenant_id = "00000000-0000-0000-0000-000000000000"
                object_id = "00000000-0000-0000-0000-000000000000" # User, service principal, or security group ID
                permissions = {
                    keys         = ["Get", "List", "Create"]
                    secrets      = ["Get", "List", "Set"]
                    certificates = ["Get", "List"]
                }
            }
        ]
    }
}

Naming Convention

Key Vault names are automatically generated using the following pattern:

{name_prefix}keyvault{key_vault_key}{name_suffix}keyvault

For example, with the following prefixes and suffixes: 

name_prefixes = {
    keyvault = "prod-"
}

name_suffixes = {
    keyvault = "-eastus2-kv"
}

key_vaults = {
    EpicKV = {
        resource_group = "keyvault"
    }
}

The resulting Key Vault name would be: prod-EpicKV-eastus2-kv

To override the automatic naming, specify a custom name: 

key_vaults = {
    EpicKV = {
        name = "my-custom-keyvault-name"
        resource_group = "keyvault"
    }
}

Premium vs Standard SKU

The Key Vault SKU determines the features available:

  • Standard: Secrets encrypted with software keys
  • Premium: Adds support for HSM-backed keys (Hardware Security Module)

Multiple Key Vaults

You can create multiple Key Vaults in a single configuration:

key_vaults = {
    ProductionKV = {
        resource_group = "keyvault"
        sku_name = "premium"
        tags = {
            environment = "production"
        }
    }
    DevelopmentKV = {
        resource_group = "keyvault"
        sku_name = "standard"
        tags = {
            environment = "development"
        }
    }
}

Best Practices

  1. Use RBAC Authorization: Keep rbac_authorization_enabled = true (default) for more granular and manageable access control
  2. Network Security: Configure network ACLs to restrict access to trusted networks and IP addresses
  3. Premium SKU for Production: Use premium SKU for production workloads requiring HSM-backed key protection
  4. Disable Public Access: Keep public_network_access_enabled = false (default) and use private endpoints for enhanced security