Azure Key Vault Key Vault

This page shows how to write Terraform and Azure Resource Manager configuration for an Azure Key Vault vault, and how to write it securely.

azurerm_key_vault (Terraform)

An Azure Key Vault vault is configured in Terraform with the resource type azurerm_key_vault. The following sections show 10 examples of how the resource and its parameters are used.

Example Usage from GitHub

Each excerpt below is the opening lines of a resource block as it appears in the linked file (file name and starting line); attributes past the end of the excerpt are not reproduced here, so the excerpts are not complete configurations on their own.

keyvault-purge-enabled.tf#L1
resource "azurerm_key_vault" "good_example" {
    name                        = "examplekeyvault"
    location                    = azurerm_resource_group.good_example.location
    enabled_for_disk_encryption = true
    soft_delete_retention_days  = 7
    purge_protection_enabled    = true
keyvault-specify-network-acl.tf#L1
resource "azurerm_key_vault" "good_example" {
    name                        = "examplekeyvault"
    location                    = azurerm_resource_group.good_example.location
    enabled_for_disk_encryption = true
    soft_delete_retention_days  = 7
    purge_protection_enabled    = false
keyvault.tf#L1
resource "azurerm_key_vault" "keyvault" {
  name                = local.key_vault_name
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  tenant_id           = data.azurerm_client_config.current.tenant_id

positive.tf#L1
resource "azurerm_key_vault" "example1" {
  name                        = "example1-vault"
  location                    = "West US"
  resource_group_name         = "example-resources"
}
resource "azurerm_key_vault" "example2" {
02_resources.tf#L98
resource "azurerm_key_vault" "dev" {
  name                = var.kv_dev
  location            = var.location
  resource_group_name = azurerm_resource_group.mgmt.name
  tenant_id           = var.tenant_id
  purge_protection_enabled = false
02_resources.tf#L98
resource "azurerm_key_vault" "dev" {
  name                = var.kv_dev
  location            = var.location
  resource_group_name = var.resource_group_mgmt
  tenant_id           = var.tenant_id
  purge_protection_enabled = false
main.tf#L63
resource "azurerm_key_vault" "keyvault" {
  name                              = var.kv_name
  location                          = var.location
  resource_group_name               = var.resource_group
  tenant_id                         = var.tenant_id
  sku_name                          = try(var.settings.sku_name, "standard")
main.tf#L21
resource "azurerm_key_vault" "rg" {
  name                = "kvault-primera-01"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
key_vault_certificate_test.tf#L11
resource "azurerm_key_vault" "premium" {
  name                       = "examplekeyvault"
  location                   = "eastus"
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = "00000000-0000-0000-0000-000000000000"
  sku_name                   = "premium"
key_vault.tf#L7
resource "azurerm_key_vault" "kv_prvt" {
  count                      = local.prvt_kv_exist ? 0 : 1
  name                       = local.prvt_kv_name
  location                   = local.region
  resource_group_name        = local.rg_exists ? data.azurerm_resource_group.library[0].name : azurerm_resource_group.library[0].name
  tenant_id                  = local.service_principal.tenant_id

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker that verifies your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_key_vault

There are 2 settings in azurerm_key_vault that should be taken care of for security reasons. The following sections give an overview and example code for each.

Ensure a network ACL is specified for the key vault

Specify a network_acls block for the key vault. Without one the vault accepts requests from any network. Set default_action to "Deny" so that only the listed IP ranges (ip_rules) and subnets (virtual_network_subnet_ids) can reach the vault, and keep bypass set to "AzureServices" so that trusted Azure services (for example disk encryption and template deployment) are still accepted.

Ensure purge protection is enabled for key vaults

Enable purge protection, which is off by default (purge_protection_enabled = false). It requires soft delete, which is on by default for new vaults with a retention period chosen through soft_delete_retention_days (7 to 90 days). With both enabled, a deleted vault or object cannot be permanently purged until the retention period has passed, so neither an attacker with delete rights nor a mistaken operator can irrecoverably destroy keys and secrets. Enabling purge protection is irreversible: once set to true it cannot be set back to false.
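The two checks above, shown as a weak vault beside a hardened one. This is an added example and not one of the GitHub excerpts on this page; the resource group, virtual network, subnet, IP range and resource names are assumptions for illustration. Attribute names follow the azurerm v3 provider (in v4 enable_rbac_authorization is spelled rbac_authorization_enabled).

```hcl
# Added example (not from the page's GitHub excerpts). Resource group, VNet,
# subnet, IP range and names are assumptions for illustration.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "rg-keyvault-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "app" {
  name                = "vnet-app"
  location            = azurerm_resource_group.kv.location
  resource_group_name = azurerm_resource_group.kv.name
  address_space       = ["10.10.0.0/16"]
}

# The subnet needs the Key Vault service endpoint; without it the vault's
# virtual_network_subnet_ids rule cannot be applied to the subnet.
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.kv.name
  virtual_network_name = azurerm_virtual_network.app.name
  address_prefixes     = ["10.10.1.0/24"]
  service_endpoints    = ["Microsoft.KeyVault"]
}

# Weak: fails both checks. No network_acls block, so the vault answers
# requests from any network, and purge_protection_enabled defaults to
# false, so a soft-deleted vault can still be purged before its retention
# period expires.
resource "azurerm_key_vault" "weak" {
  name                = "kv-weak-example"
  location            = azurerm_resource_group.kv.location
  resource_group_name = azurerm_resource_group.kv.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# Hardened: default-deny network rules with an explicit allow list while
# trusted Azure services still bypass them, maximum soft-delete retention,
# purge protection on (irreversible once applied), and RBAC instead of
# vault access policies for data-plane authorization.
resource "azurerm_key_vault" "hardened" {
  name                = "kv-hardened-example"
  location            = azurerm_resource_group.kv.location
  resource_group_name = azurerm_resource_group.kv.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  soft_delete_retention_days = 90
  purge_protection_enabled   = true
  enable_rbac_authorization  = true

  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices"
    ip_rules                   = ["203.0.113.0/24"] # assumed admin egress range (RFC 5737 documentation prefix)
    virtual_network_subnet_ids = [azurerm_subnet.app.id]
  }
}

# With RBAC authorization enabled, access_policy blocks are ignored; grant
# data-plane rights through role assignments scoped to this vault only.
# Here the identity running Terraform gets secrets management on it.
resource "azurerm_role_assignment" "deployer_secrets" {
  scope                = azurerm_key_vault.hardened.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Two consequences of the hardened settings are worth knowing before you apply them. After the first apply, a later plan that sets purge_protection_enabled back to false is rejected by Azure, and a terraform destroy leaves the vault in the soft-deleted state for the full 90 days, during which its name cannot be reused unless the vault is recovered. If the machine running Terraform is not inside the allowed subnet or IP range, the default-deny ACL also blocks Terraform's own data-plane calls (for example creating keys or secrets in the vault), so add its egress address to ip_rules or run it from the allowed subnet.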

Review your Azure Key Vault settings

You can check whether the azurerm_key_vault settings in your .tf file are correct in 3 minutes with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages a Key Vault.

Tips: Best Practices for the Other Azure Key Vault Resources

In addition to azurerm_key_vault, Azure Key Vault has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take with them.

azurerm_key_vault_key

Ensure an expiration date is configured on all keys

Set expiration_date on every key. No expiration is set by default, so a key without one stays usable indefinitely and nothing ever forces it to be rotated.

azurerm_key_vault_secret

Ensure a content type is set

Set content_type on each secret to describe what the value is (for example a connection string, a PEM-encoded certificate or a PKCS#12 bundle) so that consumers can interpret it correctly on retrieval. It is descriptive metadata only and grants or restricts no access.
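Both precautions above in one configuration: a key whose expiration is rolled forward on a schedule, and a secret with a content type. This is an added example, not code from this page or from the repositories it cites; the vault reference azurerm_key_vault.hardened and the variable var.db_connection_string are assumptions, and the time_rotating resource comes from the hashicorp/time provider.

```hcl
# Added example (not from the page's excerpts). azurerm_key_vault.hardened
# and var.db_connection_string are assumptions; time_rotating is from the
# hashicorp/time provider.

variable "db_connection_string" {
  type      = string
  sensitive = true # keeps the value out of plan and apply output
}

# Moves the expiry forward every 365 days. When the rotation time passes,
# rotation_rfc3339 changes and the next apply updates expiration_date, so
# the key and secret never end up without an expiry.
resource "time_rotating" "expiry" {
  rotation_days = 365
}

resource "azurerm_key_vault_key" "signing" {
  name         = "app-signing-key"
  key_vault_id = azurerm_key_vault.hardened.id
  key_type     = "RSA"
  key_size     = 2048

  # Only the operations this key exists for; a signing key gets no
  # encrypt/decrypt or wrap/unwrap rights.
  key_opts = ["sign", "verify"]

  # RFC 3339 UTC timestamp, as the provider requires.
  expiration_date = time_rotating.expiry.rotation_rfc3339
}

resource "azurerm_key_vault_secret" "db_conn" {
  name         = "db-connection-string"
  value        = var.db_connection_string
  key_vault_id = azurerm_key_vault.hardened.id

  # Tells a consumer how to interpret the bytes it reads back. This is
  # metadata only; it does not control who may read the secret.
  content_type = "text/plain"

  # Secrets also accept an expiration date; the same rotation drives it.
  expiration_date = time_rotating.expiry.rotation_rfc3339
}
```

Using a time_rotating resource instead of timestamp() matters in practice: timestamp() is re-evaluated on every plan and would produce a perpetual diff on expiration_date, while time_rotating only changes once per rotation period. An expired key is rejected by Key Vault for sign and verify operations, so the rotation period should match how often the application can pick up a replacement key.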

Review your Azure Key Vault settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud checks your .tf files for them.

Microsoft.KeyVault/vaults (Azure Resource Manager)

A vault in the Microsoft.KeyVault namespace is configured in Azure Resource Manager with the resource type Microsoft.KeyVault/vaults. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

honeytokenSolution.json#L2004
                            "type": "Microsoft.KeyVault/vaults",
                            "apiVersion": "2021-04-01-preview",
                            "name": "[parameters('KeyVaultNameStoringAppSecret')]",
                            "location": "[parameters('LocationNameOfKeyVaultStoringAppSecret')]",
                            "properties": {
                                "tenantId": "[subscription().tenantId]",
mainTemplate.json#L2037
                            "type": "Microsoft.KeyVault/vaults",
                            "apiVersion": "2021-04-01-preview",
                            "name": "[parameters('KeyVaultNameStoringAppSecret')]",
                            "location": "[parameters('LocationNameOfKeyVaultStoringAppSecret')]",
                            "properties": {
                                "tenantId": "[subscription().tenantId]",
template.json
{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

Parameters

  • apiVersion required - string
  • location required - string

    The supported Azure location where the key vault should be created.

  • name required - string

    Name of the vault

  • properties required
      • accessPolicies optional array
          • applicationId optional - string

            Application ID of the client making request on behalf of a principal

          • objectId required - string

            The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

          • permissions required
              • certificates optional - array

                Permissions to certificates

              • keys optional - array

                Permissions to keys

              • secrets optional - array

                Permissions to secrets

              • storage optional - array

                Permissions to storage accounts

          • tenantId required - string

            The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

      • createMode optional - string

        The vault's create mode to indicate whether the vault need to be recovered or not.

      • enabledForDeployment optional - boolean

        Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.

      • enabledForDiskEncryption optional - boolean

        Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.

      • enabledForTemplateDeployment optional - boolean

        Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.

      • enablePurgeProtection optional - boolean

        Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value.

      • enableRbacAuthorization optional - boolean

        Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC.

      • enableSoftDelete optional - boolean

        Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false.

      • networkAcls optional
          • bypass optional - string

            Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.

          • defaultAction optional - string

            The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated.

          • ipRules optional array
              • value required - string

                An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78).

          • virtualNetworkRules optional array
              • id required - string

                Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.

              • ignoreMissingVnetServiceEndpoint optional - boolean

Property to specify whether the Network Resource Provider (NRP) will skip the check that the parent subnet has the Microsoft.KeyVault service endpoint configured.

      • provisioningState optional - string

        Provisioning state of the vault.

      • sku required
          • family required - string

            SKU family name

          • name required - string

            SKU name to specify whether the key vault is a standard vault or a premium vault.

      • softDeleteRetentionInDays optional - integer

Soft-delete data retention period in days. Accepts values from 7 to 90 inclusive.

      • tenantId required - string

        The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

      • vaultUri optional - string

The URI of the vault for performing operations on keys and secrets. This property is read-only.

  • tags optional - object (string keys and string values)

    The tags that will be assigned to the key vault.

  • type required - string

Frequently asked questions

What is Azure Key Vault Key Vault?

Azure Key Vault Key Vault is a resource of the Key Vault service of Microsoft Azure. Its settings can be written in Terraform.

Where can I find the example code for the Azure Key Vault Key Vault?

For Terraform, the returntocorp/semgrep-rules and fortunkam/aks-public-cluster source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the OTRF/Microsoft-Sentinel2Go, seanstark/Sentinel and VJchand-star/Azure source code examples are useful. See the Azure Resource Manager Example section for further details.