Reputation: 193
Just as a disclaimer, I'm quite new to Terraform, and I'm trying to figure out how to store my Azure Storage Account Access Key in my Azure Key Vault. (Referenced here).
The specific command that is referenced is:
export ARM_ACCESS_KEY=$(az keyvault secret show --name terraform-backend-key --vault-name myKeyVault --query value -o tsv)
I get that the --vault value should be replaced with the name of my Key Vault, but what am I supposed to replace the --name value with?
And as importantly, in what file/config am I supposed to put the whole export ARM_ACCESS_KEY string?
Thanks so much, everyone!
Upvotes: 0
Views: 3834
Reputation: 8161
--name is for the Key Vault secret's name.
Which file/config to put?
In Terraform, the names of individual files are not significant; instead, Terraform works with whole directories. The idea is to first execute this (state mechanism). I usually put it in terraform.tf: these are the contents, and the backend section gets the key from the env variable (as mentioned here)
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.46.0"
    }
  }
  backend "azurerm" {
    resource_group_name  = "tfstate"
    storage_account_name = "<storage_account_name>"
    container_name       = "tfstate"
    key                  = "terraform.tfstate"
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "state-demo-secure" {
  name     = "state-demo"
  location = "eastus"
}
Another option is to use tfmake. When using tfmake as a wrapper around terraform, setting the ARM_ACCESS_KEY can be automated using its configuration as follows:
$PROJECT/.tfmake/config
provider: azure
environment:
- ARM_ACCESS_KEY = $(az keyvault secret show --name storage-account-key1 --vault-name kv-terraform-storage --query value -o tsv)
Using this configuration, the ARM_ACCESS_KEY will become an environment variable just before actually executing any terraform command.
Upvotes: 0
Reputation: 31454
To store the Terraform state in an Azure Storage Account, the necessary resource is the Storage Account, but in your case, you want to store your storage access key in Azure Key Vault. So you need to create a new Key Vault or use an existing one.
You can use the CLI command to store your storage access key in your key vault like this:
az keyvault secret set --name secret_name --vault-name yourKeyvault_name --value yourStorageAccessKey
Then use the command you provided to export the environment variable ARM_ACCESS_KEY:
export ARM_ACCESS_KEY=$(az keyvault secret show --name secret_name --vault-name yourKeyvault_name --query value -o tsv)
Then you just need to follow the steps in the document that you referred to in your question.
Update
If you want to set the environment variables when you are on Windows, you can do it like this:
$env:VAR_NAME='value'
In your issue, you could export the storage access key like this:
$env:ARM_ACCESS_KEY=(az keyvault secret show --name secret_name --vault-name yourKeyvault_name --query value -o tsv)
Change secret_name and yourKeyvault_name to match your resources. The result on my side:
Upvotes: 1
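The lookup-then-export steps from the answers above can live in a small wrapper instead of a .tf file or shell profile. This is an added example, not code from the question or either answer: the function names are hypothetical, the vault and secret names are the placeholders from the question, and it assumes `az` is already logged in. It sets ARM_ACCESS_KEY only for the terraform process and refuses to run if the Key Vault lookup fails or returns an empty value.

```sh
#!/bin/sh
# Added example. Source this file, then call for instance:
#   tf_with_backend_key myKeyVault terraform-backend-key init
# myKeyVault / terraform-backend-key are the placeholder names from the question.

# Print the storage access key stored in Key Vault.
# Exits non-zero if the az call fails or the secret value is empty,
# so terraform is never started with a blank ARM_ACCESS_KEY.
fetch_backend_key() (
    vault=$1
    secret=$2
    key=$(az keyvault secret show --name "$secret" --vault-name "$vault" \
            --query value -o tsv) || {
        echo "Key Vault lookup failed for '$secret' in '$vault'" >&2
        exit 1
    }
    [ -n "$key" ] || {
        echo "secret '$secret' in '$vault' is empty" >&2
        exit 1
    }
    printf '%s' "$key"
)

# Run terraform with ARM_ACCESS_KEY exported only inside this subshell.
# The key is never written to disk and does not remain in the calling
# shell's environment after terraform exits.
tf_with_backend_key() (
    vault=$1
    secret=$2
    shift 2
    key=$(fetch_backend_key "$vault" "$secret") || exit 1
    ARM_ACCESS_KEY=$key
    export ARM_ACCESS_KEY
    terraform "$@"
)
```

The azurerm backend block stays free of any key material; the identity running the wrapper only needs read access to that one secret.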