By default, if you want to deploy a VM on Azure with Terraform, you must give the username and password in clear in the variable file (see my previous article). But a solution exists, to secure all this 🙂 Just use an Azure Keyvault, and store your password in:
Then, you have to add these lines, at the beginning of your code:
// Get Keyvault Data
data "azurerm_resource_group" "rg_keyvault" {
name = "${var.rg_keyvault}"
}
data "azurerm_key_vault" "keyvault" {
name = "${var.keyvault_name}"
resource_group_name = "${data.azurerm_resource_group.rg_keyvault.name}"
}
data "azurerm_key_vault_secret" "secret_Default-Admin-Windows-Linux-VM" {
name = "Default-Admin-Windows-Linux-VM"
vault_uri = "${data.azurerm_key_vault.keyvault.vault_uri}"
}
|
Here we will get the RG, the Keyvault, and the secret that has the Default-Admin-Windows-Linux-VM name in my keyvault and that contains my default password for my VMs. We must then adapt the code so that our admin_password variable takes the value that is in the keyvault:
admin_password = "${data.azurerm_key_vault_secret.secret_Default-Admin-Windows-Linux-VM.value}"
|
You can now do a terraform init and terraform plan. You should have the following error:
This is normal. In fact, you must give the Get and List secrets privileges to the application that is used to deploy the resources in Azure via Terraform in the keyvault:
You can do again a terraform plan and terraform apply to deploy your resources in a secure way. Note this error message, which will disappear when updating to version 2 of the provider, but where you have to adapt the code:
This code is available on my Github:
https://github.com/Flodu31/Terraform/tree/master/Deploy_New_Environment_Keyvault
