
Add primary access key to KV from storage by Terraform


I have a Terraform file called 'main.tf' that creates an RG (resource group), a storage account, an event hub namespace, and a key vault. Is it possible to configure the key vault to write the primary secret from the storage account that was created? All of this should be done within the context of a single file, of course.

I tried adding code like this:

# Storage account whose primary access key is later written into Key Vault.
# azurerm_resource_group.rg is declared elsewhere in main.tf (not shown here).
resource "azurerm_storage_account" "storage" {
  name                     = "mystorageaccount"   # must be globally unique: 3-24 lowercase letters/digits
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  # NOTE(review): no min_tls_version / network rules are set, so the provider
  # version's defaults apply — confirm they match your baseline.
}

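# Exposes the storage account's primary access key as a root-module output.
# The key grants full control of the storage account, so the output is marked
# sensitive: Terraform then redacts it in plan/apply console output (and newer
# Terraform versions refuse to emit a sensitive-derived output without this flag).
# The value is still recorded in plaintext in the Terraform state file.
output "storage_account_key" {
  value     = azurerm_storage_account.storage.primary_access_key
  sensitive = true
}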
# Stores the storage account's primary access key in the vault as a secret.
# The reference in `value` gives Terraform an implicit dependency on the storage
# account, so no depends_on is needed. azurerm_key_vault.kv is declared elsewhere
# in main.tf and must grant the deploying identity Set/Get (and Delete/Purge/
# Recover for destroy) on secrets. The key is also kept in plaintext in the
# Terraform state, so the state backend needs the same protection as the vault.
resource "azurerm_key_vault_secret" "storage_account_key" {
  name         = "storageAccountKey"
  value        = azurerm_storage_account.storage.primary_access_key
  key_vault_id = azurerm_key_vault.kv.id
}

But when I run `terraform plan`, it prompts me to type in storage_account_key in the terminal.


Solution

  • Add primary access key to KV from storage by Terraform

    I have created an RG, a storage account, an Event Hub namespace, and a Key Vault, and stored the storage account access key in the Key Vault using the Terraform code below.

    # azurerm provider; the `features {}` block is required even when empty.
    # No version constraint is visible (no required_providers block shown), so the
    # provider version — and the security defaults that come with it — is unpinned.
    provider  "azurerm"  {
    features  {}
    }
    # Identity Terraform is running as; supplies tenant_id/object_id for the vault's access policy.
    data  "azurerm_client_config"  "current"  {}
    # Resource group that holds every resource in this configuration.
    resource  "azurerm_resource_group"  "sample-rg"  {
    name = "sample-resources"
    location = "West Europe"
    }
    # Storage account whose primary access key is copied into Key Vault below.
    # The name must be globally unique (3-24 lowercase letters/digits); change it before reuse.
    # NOTE(review): min_tls_version and network rules are left at the provider's
    # defaults, which differ between provider versions — confirm against your baseline.
    resource  "azurerm_storage_account"  "storage"  {
    name = "vijaystorageaccounttest"
    resource_group_name = azurerm_resource_group.sample-rg.name
    location = azurerm_resource_group.sample-rg.location
    account_tier = "Standard"
    account_replication_type = "LRS"
    }
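    # Key Vault that receives the storage account key. The deploying identity
    # (data.azurerm_client_config.current) is granted only the secret permissions
    # this configuration actually uses; the original also granted every key and
    # storage permission, none of which anything in this file needs.
    resource "azurerm_key_vault" "example" {
      name                        = "venkatdemosamplevault" # globally unique DNS label; change before reuse
      location                    = azurerm_resource_group.sample-rg.location
      resource_group_name         = azurerm_resource_group.sample-rg.name
      tenant_id                   = data.azurerm_client_config.current.tenant_id
      sku_name                    = "standard"
      # Kept from the original; not needed merely to store a secret.
      enabled_for_disk_encryption = true
      soft_delete_retention_days  = 7
      # Left false so this demo vault can be purged on destroy. A vault holding
      # long-lived credentials would normally enable purge protection (note it
      # cannot be disabled again once turned on).
      purge_protection_enabled    = false

      access_policy {
        tenant_id = data.azurerm_client_config.current.tenant_id
        object_id = data.azurerm_client_config.current.object_id
        # Set/Get/List cover create and read of the secret; Delete, Purge and
        # Recover let `terraform destroy` and re-creation after soft delete succeed.
        secret_permissions = ["Delete", "Get", "List", "Purge", "Recover", "Set"]
      }
    }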
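    # Copies the storage account's primary access key into the vault. Referencing
    # primary_access_key in `value` already gives Terraform an implicit dependency
    # on the storage account, so the explicit depends_on in the original was redundant.
    # The key is also persisted in plaintext in the Terraform state file, so the
    # state backend needs the same access controls as the vault itself.
    resource "azurerm_key_vault_secret" "storage_account_key" {
      name         = "storageAccountKey"
      value        = azurerm_storage_account.storage.primary_access_key
      key_vault_id = azurerm_key_vault.example.id
    }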
    # Event Hub namespace requested by the question; it is independent of the
    # storage account and vault (nothing here references it).
    resource  "azurerm_eventhub_namespace"  "example"  {
    name = "venkat-namespace"
    location = azurerm_resource_group.sample-rg.location
    resource_group_name = azurerm_resource_group.sample-rg.name
    sku = "Standard"
    capacity = 2
    tags = {
    environment = "Production"
    }
    }
    

    Terraform Apply:


    Once the above Terraform code ran, the resources were created successfully in the portal.


    The storage account access key was stored successfully in a Key Vault secret.
