Terraform with Azure DevOps: Key Vault Secrets
- Terraform on Azure
- Deployments with Terraform and ARM Templates
- Modularisation of Terraform and ARM Templates
- Dependencies in Terraform and ARM Templates
- Terraform Calling ARM Templates
- Terraform with Azure DevOps: Setup
- Terraform with Azure DevOps: Key Vault Secrets
- Terraform Modules and Code Structure
- Terraform and Azure DevOps Tips and Tricks
Key Vault Secrets, Terraform and DevOps
This article discusses the incorporation of Key Vault Secret values in Terraform modules and how they can be used as part of a release pipeline definition on Azure DevOps.
Azure Key Vault
Secret management done right in Azure basically involves Key Vault. If you’re not familiar with this Azure offering, you can get the low-down at the following link:
https://docs.microsoft.com/en-us/azure/key-vault/
This article assumes you have followed best practice regarding securing your state file, as described in Terraform with Azure DevOps: Setup. Outputs relating to Secret values will be stored within the state file, so this is essential for maintaining confidentiality.
There are two key approaches to using Key Vault secrets within your Terraform deployments.
Data Sources for Key Vault and Secrets Data References.
This involves using Terraform to retrieve the required Key Vault. One of the advantages of this method is that it avoids the need to create variables within Azure DevOps for use within the Terraform modules. This can save a lot of ‘to-ing and fro-ing’ between Terraform modules and the DevOps portal, leaving you to work solely with Terraform for the duration. It also has the advantage of being self-contained within Terraform, allowing for easier testing and portability.
Azure Key Vault Data Source
We’ll assume you have created a Key Vault using the azurerm_key_vault resource type, added some secrets using the azurerm_key_vault_secret and set an azurerm_key_vault_access_policy for the required Users, Service Principals, Security Groups and/or Azure AD Applications.
If you don’t have the Key Vault and related Secrets available in the current Terraform modules that you are using, you will need to add a data source for these resources in order to reference these. This is typically the case if you have a previously deployed (perhaps centrally controlled) Key Vault and Secrets.
Setting up the Key Vault data source in the same Azure AD tenant is simply a matter of supplying the Key Vault name and Resource Group. Once this is done you can access various outputs such as Vault URI although in practice you’ll only really need the id attribute to refer to in Secret data sources.
data "azurerm_key_vault" "otherworld-visitors" {
name = "ET-and-friends"
resource_group_name = "central-rg-01"
}
output "vault_uri" {
value = data.azurerm_key_vault.central.vault_uri
}
I’ll leave you to browse the official definition for the azurerm_key_vault data source for further information on outputs.
Azure Key Vault Secrets Data Source
Create Key Vault Secret data sources for each of the secrets you require.
data "azurerm_key_vault_secret" "ufo-admin-login-password" {
name = "area-51-admin-password"
key_vault_id = data.azurerm_key_vault.otherworld-visitors.id
}
output "secret_value" {
value = data.azurerm_key_vault_secret.ufo-admin-login-password.value
}
There are again a number of outputs for the data source, including the Secret value, version and id attributes.
You can then reference the Secret’s value by using the respective Key Vault Secret data source value attribute wherever your module attributes require it.
resource "azurerm_sql_database" "area-51-db" {
name = "LittleGreenPeople"
administrator_login_password = "${data.azurerm_key_vault_secret.ufo-admin-login-password.value}"
....
}
If you are using a centralised variables file within each module, which aligns with recommended best practice, this means only having to change the one file when introducing new secrets. Our variables file simply references the required Key Vault Secret data sources as below,
ufo_admin_login_password = "${data.azurerm_key_vault_secret.ufo-admin-login-password.value}"
and our module resource includes the variable reference.
resource "azurerm_sql_database" "area-51-db" {
name = "LittleGreenPeople"
administrator_login_password = "${var.ufo_admin_login_password}"
....
}
As previously mentioned this has not involved any Azure DevOps elements and the Terraform won’t require additional input variables in order to work with the Key Vault Secrets.
Retrieval of Key Vault Secret Values into DevOps Variables
The second approach uses a combination of DevOps variable groups and Terraform functionality to achieve the same end result.
DevOps Key Vault Variable Group
The first step is to grab our secrets into DevOps variables for use within the pipeline. Variable groups can be linked to a Key Vault as below.
This then allows the mapping of Secrets to DevOps variables for use within the various tasks of our pipelines.
I’ll demonstrate two ways to work with these variables within our Terraform modules. I’m sure there are others of course, but these are ones that I’ve found simplest for DevOps – Terraform integration.
Replacement of Tokenised Placeholders
The Replace Tokens task can be used to to replace delimited placeholders with secret values stored in variables. This does of course require that you adopt a standard for your placeholders that can be used across your modules. This approach can result in code that is disjointed to read, but is a common practice with artifacts such as app.config files in the DotNet world. The advantage of this is that you can take a single approach to Secret substitution. We can use Token replacement for both of these areas your code, be it Terraform IaC or DotNet.
Use of ‘TF_VAR_’ Variables
The other technique I mention here is the use of the inbuilt support for variables with names that are prefixed ‘TF_VAR_’. Any environment variables with this naming convention will be mapped by design to Terraform variables within your modules. More information from Terraform docs is available at https://www.terraform.io/docs/commands/environment-variables.html.
We can pass DevOps variables that have been populated with Secrets values into the Terraform task as Environment Variables. You can then use standard variable substitution within your modules. So, ‘TF_VAR_my_secret’ will substitute for the ‘my_secret’ Terraform variable. Please note that all DevOps variables containing secret values should be marked as sensitive. This then obfuscates the variable values within the DevOps log.
Summing Up
Terraform and Azure DevOps allow more than one method for building pipelines that require secrets stored within Key Vault. For me, the Terraform ‘native’ approach of using Key Vault and Key Vault secrets data sources via the Azure RM Terraform provider is the simplest approach. There is no overhead of managing DevOps variables involved which keeps things nicely contained. You may of course prefer alternatives such as those others shown above or have another method, which I’d love to hear about.
I hope this post has provided some insight into using Terraform within Azure DevOps. These two technologies are a winning combination in address real-world Infrastructure as Code adoption within your organisation.
In the final post of this series I’ll be looking at best practices for managing your code using Terraform Modules.
Nigel Meakins administrator
Having worked for many years in the world of data and analytics, I enjoy following new innovations and understanding how best to apply them within business. I have a broad technical skill set and an acute awareness of how to make Agile work on data projects. Working at all levels and in a variety of roles on projects, I help our clients understand how the latest technology can be applied to realise greater value from their data.
About the author