Manjunath Rao

Reputation: 1511

Update firewall rule of Azure KeyVault using Terraform

I have created an Azure KeyVault with default Firewall rules. Now I want to update the Firewall rule to add a few IP addresses using Terraform. I know how to fetch the current KeyVault and resource group, but I am finding it difficult to update the KeyVault with the new IP addresses (firewall).

provider "azurerm" {
  version = "=1.36.0"
  subscription_id = "7e7f55d3-f30a-4bfd-a6be-1c59594b8592"
}

data "azurerm_resource_group" "rg_name" {
  name = "ITQIG-eu-rsv-sangamn-dev"
}

data "azurerm_key_vault" "kv_name" {
  name                = "manjugtestkv"
  resource_group_name = "${data.azurerm_resource_group.rg_name.name}"
}

Upvotes: 2

Views: 10509

Answers (2)

pijemcolu

Reputation: 2605

You'll need to use the resource you've created the keyvault with:

Let's assume your keyvault is defined as in the Terraform docs. I've removed attributes which are irrelevant.

In order to allow a list of ip addresses you'll need to define them in the network_acls block:

resource "azurerm_key_vault" "example" {
  name                        = "testvault"
  ...

  access_policy {
    ...
  }

  network_acls {
    # The Default Action to use when no rules match from ip_rules / 
    # virtual_network_subnet_ids. Possible values are Allow and Deny
    default_action = "Deny"

    # Allows all azure services to access your keyvault. Can be set to 'None'
    bypass         = "AzureServices"

    # The list of allowed ip addresses.
    ip_rules       = ["1.1.1.1","2.2.2.2"]

  }
}

Upvotes: 3

boopzz

Reputation: 63

If you've manually created the keyvault then the network ACLs are under that resource. To manage under TF you will need to import it into your state and then update it using the code.

So add your keyvault into your code, for example, what was set previously:

resource "azurerm_key_vault" "example" {
  name                        = "testvault"
  ...

}

Now you need to import into that part of the state file which would be similar to the following:

terraform import azurerm_key_vault.example /subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourceGroups/ITQIG-eu-rsv-sangamn-dev/providers/Microsoft.KeyVault/vaults/manjugtestkv

After the import when you run the plan it might show some discrepancies so you need to add them to code to match your state. Once it matches you can add your network_acls block.

Upvotes: 0
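Putting the two answers together, here is an added example (not code from either answer) of a complete configuration that adopts the existing vault into state and then manages its firewall: a validated IP allow-list variable, a fail-closed network_acls block, and the import expressed as a Terraform 1.5+ import block (older versions use the terraform import command shown above). It assumes azurerm 3.x provider syntax and the resource names from the question; the IP addresses are constructed placeholders.

```hcl
provider "azurerm" {
  features {}
  subscription_id = "7e7f55d3-f30a-4bfd-a6be-1c59594b8592"
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "rg_name" {
  name = "ITQIG-eu-rsv-sangamn-dev"
}

# Adopt the manually created vault into state instead of recreating it
# (Terraform 1.5+ import block; equivalent to the `terraform import` command).
import {
  to = azurerm_key_vault.example
  id = "/subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourceGroups/ITQIG-eu-rsv-sangamn-dev/providers/Microsoft.KeyVault/vaults/manjugtestkv"
}

variable "allowed_ips" {
  description = "Public IPv4 addresses or CIDR ranges allowed through the vault firewall."
  type        = list(string)
  default     = ["203.0.113.10", "198.51.100.0/24"] # constructed sample values (RFC 5737 test ranges)
  validation {
    # Accept a bare IPv4 address or an IPv4 CIDR; Key Vault rejects RFC 1918 private ranges here.
    condition     = alltrue([for ip in var.allowed_ips : can(regex("^\\d{1,3}(\\.\\d{1,3}){3}(/\\d{1,2})?$", ip))])
    error_message = "Each entry must be an IPv4 address or CIDR range."
  }
}

resource "azurerm_key_vault" "example" {
  name                = "manjugtestkv"
  location            = data.azurerm_resource_group.rg_name.location
  resource_group_name = data.azurerm_resource_group.rg_name.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Fail closed: anything not matched by ip_rules / subnet ids is denied.
  # With default_action = "Allow" the ip_rules list would restrict nothing.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    ip_rules                   = var.allowed_ips
    virtual_network_subnet_ids = []
  }
}
```

Run terraform plan after the import and copy any attributes it reports as differing (SKU, access policies, soft-delete settings) into the resource before applying, so the only change left is the firewall.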
