Automating Azure Key Vault Key Creation with Terraform
Welcome back!
In our last post, we deployed an Azure Key Vault using Terraform and secured it with Role-Based Access Control (RBAC). Now, we’re taking the next step: creating and managing encryption keys inside our Key Vault using Terraform.
If you're new to the series, be sure to check out our previous post on setting up Terraform for Azure Key Vault deployment.
Why Manage Keys with Terraform?
Azure Key Vault is a secure way to store and manage cryptographic keys. Instead of manually creating keys in the Azure portal, Terraform allows us to:
Automate key creation and lifecycle management
Enforce security policies like key rotation
Ensure repeatability for infrastructure deployments
Integrate seamlessly into CI/CD pipelines
Using Terraform for Key Vault key management ensures that your security infrastructure is codified, version-controlled, and easily reproducible.
Step 1: Defining the Key Vault Key in Terraform
To create a cryptographic key in Azure Key Vault, we define the following Terraform resource. The key material is generated inside the vault and never leaves it; Terraform only ever sees the key's identifiers and public component.

```hcl
resource "azurerm_key_vault_key" "ci_cd_key_vault_key" {
  name         = "ci-cd-key-vault-key"
  # The vault we deployed in the previous post
  key_vault_id = azurerm_key_vault.ci_cd_key_vault.id
  key_type     = "RSA"
  key_size     = 2048
  # Operations the vault will perform with this key; anything not listed is refused
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify"]

  rotation_policy {
    automatic {
      time_before_expiry = "P30D"   # create a new key version 30 days before expiry
    }
    expire_after         = "P90D"   # each key version lives 90 days
    notify_before_expiry = "P31D"   # near-expiry event published 31 days before expiry
  }
}
```
Breaking It Down
name → Unique name for the key within the vault
key_vault_id → Links the key to the existing Key Vault
key_type → The key algorithm (RSA; Key Vault also supports EC, and HSM-protected variants on the Premium SKU)
key_size → The key size in bits (2048 is the smallest RSA size Key Vault accepts; 3072 and 4096 are available for longer-lived keys)
key_opts → The operations Key Vault will perform with this key (encrypt, decrypt, sign, verify, wrapKey, unwrapKey). Note that the list above allows unwrapKey but not wrapKey, so this key can unwrap a data-encryption key but cannot wrap one; add "wrapKey" if you plan envelope encryption, or trim the list to the operations your application actually uses. Least privilege applies to key operations just as it does to roles.
Key Rotation Policy
Automatic rotation → Key Vault creates a new key version 30 days before the current version expires
Expire after → Each key version expires 90 days after it is created
Notify before expiry → A near-expiry event is published 31 days before expiry, i.e. the day before the automatic rotation is due, so you hear about it before the rotation runs
Rotation creates a new key version rather than replacing the key: the previous versions stay available until they expire, so data encrypted under them can still be decrypted. Clients should therefore reference the key by its versionless identifier so they pick up the newest version automatically. With this policy in place keys are rotated without manual intervention.
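Because the vault from the previous post uses the RBAC permission model, the identity running Terraform needs a data-plane role on the vault before it can create the key; Contributor or Owner on the subscription does not grant that. The following is an added example, not code from the original post: it grants the deploying identity the built-in Key Vault Crypto Officer role, ties the key resource to that grant with `depends_on`, narrows `key_opts` to the operations an encrypt/decrypt workload needs (an assumption about the application the next post will build), and exposes the identifiers you will want when verifying the deployment. It is a fuller version of the Step 1 resource and replaces it rather than sitting beside it.

```hcl
# Added example (not from the original post). Assumes the azurerm provider is
# configured and that azurerm_key_vault.ci_cd_key_vault exists from the
# previous post.

# Identity that is running `terraform apply` (user, service principal or
# managed identity), as seen by the provider.
data "azurerm_client_config" "current" {}

# Key Vault Crypto Officer: create, rotate and set policy on keys, without
# any access to secrets or certificates in the same vault.
resource "azurerm_role_assignment" "deployer_crypto_officer" {
  scope                = azurerm_key_vault.ci_cd_key_vault.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "ci_cd_key_vault_key" {
  name         = "ci-cd-key-vault-key"
  key_vault_id = azurerm_key_vault.ci_cd_key_vault.id
  key_type     = "RSA"
  key_size     = 2048

  # Least privilege: only the operations the application will use.
  # encrypt/decrypt for direct RSA encryption of small payloads,
  # wrapKey/unwrapKey for envelope encryption of a data key. (Assumption:
  # the application does not sign or verify with this key.)
  key_opts = ["encrypt", "decrypt", "wrapKey", "unwrapKey"]

  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }
    expire_after         = "P90D"
    notify_before_expiry = "P31D"
  }

  # The role assignment is a control-plane write; creating the key is a
  # data-plane call that will be rejected with 403 until the grant exists.
  depends_on = [azurerm_role_assignment.deployer_crypto_officer]
}

# Applications should bind to the versionless ID so that a rotation
# (which creates a new version) is picked up without a redeploy.
output "ci_cd_key_versionless_id" {
  value = azurerm_key_vault_key.ci_cd_key_vault_key.versionless_id
}

# Current version, useful when checking that a rotation actually happened.
output "ci_cd_key_current_version" {
  value = azurerm_key_vault_key.ci_cd_key_vault_key.version
}
```

After `terraform apply`, `terraform output` prints both identifiers, and `terraform state show azurerm_key_vault_key.ci_cd_key_vault_key` shows the stored rotation policy alongside the public key components. Azure RBAC assignments propagate asynchronously, so if the very first apply still fails with a 403 on the key creation, re-running apply once the grant has taken effect is the usual remedy.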
Step 2: Deploying the Key with Terraform
Now, let’s deploy our key using Terraform. Before you start, make sure the identity you are running Terraform as holds Key Vault Crypto Officer (or Key Vault Administrator) on the vault: because the vault uses the RBAC permission model, Contributor or Owner alone cannot create keys.
1️⃣ Initialize Terraform
Run the following command to set up Terraform and download required providers:
terraform init
2️⃣ Plan the Deployment
Before applying changes, preview them using:
terraform plan
This will show a preview of what Terraform will create in Azure.
3️⃣ Apply the Configuration
Once you’re satisfied with the changes, apply them:
terraform apply
Confirm with yes when prompted.
Step 3: Verifying the Key in Azure
After deployment, verify that the key has been created:
Go to Azure Portal → Navigate to your Key Vault
Click on "Keys" → You should see ci-cd-key-vault-key
Open the key → Check the Rotation Policy → Ensure the expiry, rotation and notification settings match the Terraform configuration
At this point, we’ve successfully created and configured a cryptographic key inside Azure Key Vault using Terraform.
Best Practices for Managing Terraform State
When working with Terraform and Azure, it's critical to manage Terraform state securely. For this resource the state holds the key's IDs, current version and public components (the RSA modulus and exponent, and the public key in PEM form), never the private key, which cannot be exported from Key Vault. State for other resources in the same configuration routinely does contain secrets in plaintext, though, so treat the whole file as sensitive.
Do not push Terraform state files to Git repositories.
Use a .gitignore file to exclude Terraform state files (`*.tfstate` and `*.tfstate.*`, plus the `.terraform/` directory), like this one here.
Prefer a remote backend with locking over local state files: the state is then encrypted at rest, access to it is governed by Azure RBAC, and concurrent applies cannot corrupt it.
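As an added example (not from the original post), this is the remote backend configuration that keeps state out of the repository entirely. It stores state in an Azure Storage container, authenticates with the same Entra ID identity that runs Terraform rather than a storage account key, and relies on blob leases, which the azurerm backend uses for state locking. The resource group, storage account and container names are placeholders you would create beforehand.

```hcl
# Added example (not from the original post). Names below are assumed; create
# the storage account and container before running `terraform init`.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-terraform-state"   # assumed
    storage_account_name = "sttfstate0001"        # assumed, must be globally unique
    container_name       = "tfstate"              # assumed
    # One state file per configuration; this one is for the Key Vault stack.
    key                  = "key-vault/terraform.tfstate"
    # Use the Entra ID identity running Terraform for blob access instead of a
    # storage account key. The identity needs Storage Blob Data Contributor
    # (or Owner) on the container.
    use_azuread_auth     = true
  }
}
```

If you already applied with local state, `terraform init -migrate-state` moves the existing state into the container; delete the local `terraform.tfstate` and its backup afterwards so no copy lingers on disk or in a commit.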
What’s Next?
Now that we’ve created our Key Vault key, the next step is to use it in an application. In the upcoming post, we’ll:
Run the dev container in the CI/CD pipelines
Automate deployment with CI/CD pipelines
Build a .NET application that interacts with Azure Key Vault
Use the created key to encrypt and decrypt files
Stay tuned for an end-to-end Terraform + Key Vault + Application integration.
Wrapping Up
We used Terraform to create and manage a cryptographic key in Azure Key Vault
We defined key rotation policies to ensure security
We deployed and verified the key using Terraform
If you found this useful, consider subscribing to follow along with the series. More infrastructure as code and cloud automation topics coming soon!