Azure Key Vault Secrets
The azure_secret helper fetches secrets from Azure Key Vault Service.
Example
config/stacks/demo/tfvars/dev.tfvars
user = "<%= azure_secret("demo-:ENV-user") %>"
pass = "<%= azure_secret("demo-:ENV-pass") %>"
For example if you have these secret values:
$ VAULT=REPLACE_WITH_YOUR_VAULT_NAME
$ az keyvault secret show --vault-name $VAULT --name "demo-dev-user" | jq '.value'
bob
$ az keyvault secret show --vault-name $VAULT --name "demo-dev-pass" | jq '.value'
test
.terraspace-cache/eastus/dev/stacks/demo/1-dev.auto.tfvars
user = "bob"
pass = "test"
Setup
To set up the Azure Key Vault to use:
config/plugins/azurerm.rb
TerraspacePluginAzurerm.configure do |config|
config.secrets.vault = "REPLACE_WITH_YOUR_VAULT_NAME"
end
Key Vault Access Policy
When you create the Azure Key Vault, only the user used to create the vault has permission to access secrets from it. The Azure AD application also needs Azure Key Vault permissions to retrieve the secret. Else you’ll get an error like this:
The user, group or application ‘appid=EXAMPLE-bb76-432a-b5e4-73a53e0a27f7;oid=1a99ba5c-1b7c-4970-85e9-EXAMPLE;iss=https://sts.windows.net/EXAMPLE-8ad0-4651-8b4c-EXAMPLE/’ does not have secrets get permission on key vault ‘vault-name-EXAMPLE;location=eastus’. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287”
Note: You may have set up the ARM_* env vars in the Learn Azure Configure Guide docs.
Refer to the Docs to set up: Assign a Key Vault access policy using the Azure portal
Automatic Expansion
Notice how :ENV is expanded in the example above. Support for this was automatically added in terraspace_plugin_azurerm 0.3.3.
To selectively disable expansion you can provide the expand: false option.
config/stacks/demo/tfvars/dev.tfvars
user = "<%= azure_secret("demo-:ENV-user", expand: false) %>"
pass = "<%= azure_secret("demo-:ENV-pass", expand: false) %>"
