Deploying an Azure Key Vault with Terraform and RBAC
Welcome Back!
In our last post, we introduced Terraform and deployed a basic Azure resource group. Now, we’ll take the next step by provisioning an Azure Key Vault and securing it with Role-Based Access Control (RBAC).
If you're new to the series, be sure to check out our previous post on setting up Terraform with Azure.
Why Use Terraform for Key Vault Deployment?
Azure Key Vault is essential for securely storing secrets, keys, and certificates. Instead of manually configuring it through the Azure portal as we did here, Terraform automates this process, ensuring consistent, repeatable, and scalable deployments.
Using Terraform to manage Key Vault:
Automates the creation and configuration process
Enforces RBAC for controlled access
Ensures security by restricting access at the network level
Enables repeatable and scalable deployments
In contrast to manually creating a Key Vault through the Azure portal, Terraform is a way of writing infrastructure as code, ensuring that deployments are automated and predictable.
A Brief Recap on Terraform State
As mentioned previously, Terraform maintains a state file that records all deployed resources. This ensures that:
Terraform applies only necessary updates instead of recreating resources
Deployments remain consistent across environments
Changes are tracked, reducing the risk of accidental resource deletion
By default, Terraform manages state locally, but for larger teams, remote state storage (such as an Azure Storage Account) allows multiple users to work collaboratively.
If you would like a tutorial on how to manage state remotely, let me know; for this series we will be using local state.
Step 1: Writing the Key Vault Configuration
Firstly, we’ll create a new Terraform file called keyvault.tf and define our Key Vault resource:
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "ci_cd_key_vault" {
  name                        = "cicdkvsample"
  location                    = azurerm_resource_group.ci_cd_key_vault.location
  resource_group_name         = azurerm_resource_group.ci_cd_key_vault.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90
  purge_protection_enabled    = false
  enable_rbac_authorization   = true
  sku_name                    = "standard"

  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["<YOUR-IP-ADDRESS>"]
  }
}
Explanation of the Configuration
enable_rbac_authorization = true → Uses RBAC-based access instead of traditional access policies
network_acls → Restricts Key Vault access to a specific IP address
soft_delete_retention_days = 90 → Retains deleted secrets for 90 days
tenant_id → Fetches the current tenant ID dynamically
This ensures that the Key Vault is securely configured and centrally managed using RBAC.
Step 2: Assigning RBAC Permissions to Manage the Key Vault
To manage access, we need to assign ourselves the Key Vault Administrator role (or search the role you want your current user to have here):
resource "azurerm_role_assignment" "ci_cd_key_vault" {
  scope                = azurerm_key_vault.ci_cd_key_vault.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}
Why RBAC Instead of Access Policies?
Azure is moving towards RBAC-based access control, which provides:
More scalable permissions across multiple Key Vaults
Integration with Azure Active Directory roles
Easier management through IAM policies
It is the recommended authorisation model for Azure Key Vault because using RBAC provides centralised and consistent access control across Azure services.
Step 3: Deploying the Key Vault with Terraform
Once the configuration is ready, we deploy it using Terraform:
Initialize Terraform - This downloads the required providers and prepares the Terraform environment.
terraform init
Plan the deployment - Terraform will generate an execution plan showing what resources will be created or modified.
terraform plan
Apply the configuration - Confirm the deployment by typing yes when prompted.
terraform apply
Step 4: Verifying the Deployment
After the deployment is complete, we can check the Azure portal to verify the resources:
Navigate to Resource Groups → Select CI/CD Key Vault RG
Under Key Vaults, find cicdkvsample
Go to Networking and confirm that IP restrictions are applied
Check Access Control (IAM) to ensure that the Key Vault Administrator role is assigned
At this point, our Key Vault should be successfully deployed and configured with the correct permissions.
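As an added example (not code from the original post), the following Python check reads the JSON that terraform show -json produces after terraform apply and confirms the settings explained in Step 1 without opening the portal. The state document embedded in it is constructed for the example, and the expectations it enforces (RBAC authorization on, default_action Deny, 90-day retention, no placeholder IP rule) are this post's own values.

```python
import json

# Constructed sample of `terraform show -json` output (state format), reduced to the
# azurerm_key_vault attributes the post configures; the placeholder IP rule is kept.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [{
        "address": "azurerm_key_vault.ci_cd_key_vault",
        "type": "azurerm_key_vault",
        "values": {
            "name": "cicdkvsample",
            "enable_rbac_authorization": True,
            "soft_delete_retention_days": 90,
            "purge_protection_enabled": False,
            "network_acls": [{"bypass": "AzureServices", "default_action": "Deny",
                              "ip_rules": ["<YOUR-IP-ADDRESS>"]}],
        },
    }]}},
})

def key_vault_findings(state_json: str) -> dict[str, list[str]]:
    """Map each azurerm_key_vault in `terraform show -json` output to its findings.

    An empty list means the vault matches the posture Step 1 describes. Purge
    protection being off is reported too, as a caveat rather than an error.
    """
    state = json.loads(state_json)
    findings: dict[str, list[str]] = {}
    for res in state["values"]["root_module"].get("resources", []):
        if res["type"] != "azurerm_key_vault":
            continue
        v = res["values"]
        acl = (v.get("network_acls") or [{}])[0]  # Terraform emits the block as a list
        issues = []
        if not v.get("enable_rbac_authorization"):
            issues.append("enable_rbac_authorization is false (access policies in use)")
        if acl.get("default_action") != "Deny":
            issues.append("network_acls default_action is not Deny")
        if any(ip.startswith("<") for ip in acl.get("ip_rules") or []):
            issues.append("ip_rules still contains a <placeholder> value")
        if v.get("soft_delete_retention_days", 0) < 90:
            issues.append("soft_delete_retention_days is below 90")
        if not v.get("purge_protection_enabled"):
            issues.append("purge_protection_enabled is false")
        findings[res["address"]] = issues
    return findings

if __name__ == "__main__":
    print(key_vault_findings(SAMPLE_STATE))
```

Against a real deployment, pipe the output of terraform show -json into key_vault_findings in place of SAMPLE_STATE.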
Common Issues and How to Fix Them
Terraform tries to recreate an existing resource
If Terraform detects a change in a resource name, it may try to delete and recreate it. Be cautious when renaming resources, as this can cause unintended deletions.
If you are okay with tearing down the environment (for example if you’re using a personal dev environment) before you re-deploy, then you can run:
terraform destroy
This clears up any previously created resources that you no longer need.
RBAC role assignment fails
Ensure that the Azure account that is logged into Terraform has Owner or User Access Administrator permissions. Without these, Terraform cannot assign RBAC roles.
Wrap-Up
With Terraform, we’ve automated the deployment of an Azure Key Vault and secured it using RBAC-based access control. This ensures a repeatable and secure infrastructure setup.
Thanks for checking out this blog! If you found it useful, like and subscribe to follow our series for more insights on infrastructure as code and cloud management. In the next post, we’ll explore managing keys in Azure Key Vault using Terraform.