Terraform Module: Azure Key Vault
This Terraform module provisions an Azure Key Vault along with necessary role assignments.
Features
- Creates an Azure Key Vault with soft delete and purge protection enabled.
- Assigns the "Key Vault Administrator" role to a specified Azure AD group.
- Outputs essential details like Key Vault ID, name, and resource group.
Requirements
- Terraform >= 1.0
- AzureRM Provider >= 4.18.0
Providers
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "4.18.0"
    }
  }
}

provider "azurerm" {
  features {}
}
```
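The Features list and the provider block above describe what the module sets up. The following root configuration is an added illustration, not the module's own source (which lives in the repository linked under Source code & Installation), of what a purge-protected, RBAC-only Key Vault with a "Key Vault Administrator" assignment looks like in azurerm 4.x terms. The variable names, resource labels, the `azuread_group` lookup by display name and the `key_vault` feature settings in the provider block are assumptions made for this example; the real module takes a `users` list rather than a group name, and the `postcondition` check requires Terraform 1.2 or newer.

```hcl
terraform {
  required_version = ">= 1.2" # lifecycle postconditions need 1.2+ (assumption for this example)
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 4.18.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 3.1.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      # Do not try to purge on destroy: the vault is purge-protected, so it has to
      # age out of the soft-delete retention window instead of being force-removed.
      purge_soft_delete_on_destroy = false
      # Re-adopt a soft-deleted vault with the same name instead of failing on create.
      recover_soft_deleted_key_vaults = true
    }
  }
}

# Example inputs (assumed names, mirroring the module's documented inputs).
variable "key_vault_name" { type = string }
variable "key_vault_resource_group_name" { type = string }
variable "location" { type = string }
variable "key_vault_admin_group_name" { type = string } # hypothetical input for this example

data "azurerm_client_config" "current" {}

# Resolve the admin group; the lookup fails at plan time if the group does not exist.
data "azuread_group" "kv_admins" {
  display_name     = var.key_vault_admin_group_name
  security_enabled = true
}

resource "azurerm_key_vault" "example" {
  name                = var.key_vault_name
  location            = var.location
  resource_group_name = var.key_vault_resource_group_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Soft delete is always on for current Key Vault API versions; retention (7-90 days) is what you control.
  soft_delete_retention_days = 90
  # Irreversible once set: nobody, including a subscription Owner, can purge the vault early.
  purge_protection_enabled = true

  # Azure RBAC instead of vault access policies: the role assignment below is the only data-plane ACL.
  rbac_authorization_enabled = true

  # No public endpoint; only trusted Azure services may bypass the deny rule.
  public_network_access_enabled = false
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }

  lifecycle {
    postcondition {
      condition     = self.purge_protection_enabled && self.soft_delete_retention_days >= 7
      error_message = "Key Vault must keep purge protection enabled and a soft-delete retention of at least 7 days."
    }
  }
}

# Data-plane admin rights for the group, scoped to this vault only.
resource "azurerm_role_assignment" "kv_admins" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azuread_group.kv_admins.object_id
  principal_type       = "Group"
}
```

Two design points worth keeping in your own module: `rbac_authorization_enabled = true` makes the role assignment the single source of truth for who can read secrets, so a stray `access_policy` block cannot silently widen access; and scoping the assignment to the vault ID rather than the resource group keeps "Key Vault Administrator" from leaking onto other vaults created later in the same group.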
Inputs
| Name | Type | Description | Required |
|---|---|---|---|
| key_vault_name | string | The name of the Key Vault. | Yes |
| key_vault_resource_group_name | string | The name of the resource group for the Key Vault. | Yes |
| location | string | The Azure region where the Key Vault is created. | Yes |
| subscription_id | string | The Azure subscription the Key Vault is deployed into. | Yes |
| users | list(object) | Users and their roles as provided by meshStack; the users must already exist in the Entra ID (Azure AD) tenant, since the module resolves them with the `azuread_user` data source. | Yes |
| public_network_access_enabled | bool | Whether the Key Vault is reachable from public networks. Defaults to `false`. | No |
Outputs
| Name | Description |
|---|---|
| key_vault_id | The ID of the created Key Vault. |
| key_vault_name | The name of the created Key Vault. |
| key_vault_resource_group | The resource group containing the Key Vault. |
Usage Example
```hcl
module "key_vault" {
  source                        = "./modules/key_vault"
  key_vault_name                = "my-keyvault"
  key_vault_resource_group_name = "my-resource-group"
  location                      = "West Europe"
  subscription_id               = "00000000-0000-0000-0000-000000000000" # placeholder; required by the module
  users                         = var.users # required; the meshStack user list, see the Inputs table
}

output "vault_id" {
  value = module.key_vault.key_vault_id
}
```
`subscription_id` and `users` are required inputs of the module (see the generated Inputs table below); a plan that omits them fails with "Missing required argument".
Notes
- Make sure the Azure AD group exists before assigning the role; the lookup fails at plan time otherwise.
- Ensure that your Terraform identity has the permissions needed to create and manage Key Vaults, including the right to create role assignments at the vault scope (for example Owner or User Access Administrator), which `Contributor` alone does not grant.
- Purge protection cannot be disabled once enabled. After a `terraform destroy` the vault stays in the soft-deleted state for its retention period (7 to 90 days), and its name cannot be reused until it is recovered or that period expires.
License
MIT
Requirements
| Name | Version |
|---|---|
| azuread | 3.1.0 |
| azurerm | 4.18.0 |
| random | 3.6.3 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| azurerm_key_vault.key_vault | resource |
| azurerm_resource_group.key_vault | resource |
| azurerm_role_assignment.cloudfoundation_tfdeploy | resource |
| random_string.resource_code | resource |
| azuread_user.users | data source |
| azurerm_client_config.current | data source |
| azurerm_role_definition.keyvault | data source |
| azurerm_subscription.current | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| key_vault_name | The name of the key vault. | string | n/a | yes |
| key_vault_resource_group_name | The name of the resource group containing the key vault. | string | n/a | yes |
| location | The location/region where the key vault is created. | string | n/a | yes |
| public_network_access_enabled | n/a | bool | false | no |
| subscription_id | n/a | string | n/a | yes |
| users | Users and their roles provided by meshStack (the users must already exist in the Entra ID / Azure AD tenant; the module resolves them with the `azuread_user` data source) | list(object( | n/a | yes |
Outputs
| Name | Description |
|---|---|
| key_vault_id | n/a |
| key_vault_name | n/a |
| key_vault_resource_group | n/a |
Source code & Installation
The source code of this kit module can be found here
Run the following command to install the kit module:
```sh
collie kit import azure/buildingblocks/key-vault/buildingblock
```