Terraform module to create key-vault resource on AZURE. Azure Key Vault is a cloud service provided by Microsoft Azure that allows you to securely store and manage cryptographic keys, secrets, certificates, and other sensitive information.
terraform-az-modules/terraform-azure-key-vault

Terraform Azure Key Vault

With our comprehensive DevOps toolkit - streamline operations, automate workflows, enhance collaboration and, most importantly, deploy with confidence.


We are a group of DevOps engineers and architects collaborating to build standardized, scalable, and secure infrastructure in today's ever-evolving digital landscape. Rooted in a strong belief in automation and modular design, much like microservices, we focus on decomposing infrastructure into smaller, reusable components such as databases, clusters, and more. These components are built to follow industry best practices and are easy to manage, scale, and secure.

This repository is part of the terraform-az-modules organization and provides open-source, reusable Terraform modules. It includes practical examples and workflows to help users quickly understand, implement, and improve their infrastructure with minimal configuration and high maintainability.

Prerequisites and Providers

This table contains both Prerequisites and Providers:

| Description | Name | Version |
|-------------|------|---------|
| Prerequisite | Terraform | >= 1.6.6 |
| Provider | azure | >= 3.90.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| labels | terraform-az-modules/tags/azure | 1.0.0 |

Resources

| Name | Type |
|------|------|
| azurerm_key_vault.key_vault | resource |
| azurerm_key_vault_managed_hardware_security_module.keyvault_hsm | resource |
| azurerm_key_vault_secret.secrets | resource |
| azurerm_monitor_diagnostic_setting.az_monitor_diag | resource |
| azurerm_monitor_diagnostic_setting.pe_kv_nic | resource |
| azurerm_private_endpoint.pep | resource |
| azurerm_role_assignment.rbac_keyvault_administrator | resource |
| azurerm_role_assignment.rbac_other_keyvault_roles | resource |
| azurerm_client_config.current_client_config | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_policies | List of access policies to be applied to the Key Vault. Each policy can specify permissions for keys, secrets, certificates, and storage. | <pre>map(object({<br>  tenant_id               = string<br>  object_id               = string<br>  application_id          = optional(string, null)<br>  key_permissions         = optional(list(string), [])<br>  secret_permissions      = optional(list(string), [])<br>  certificate_permissions = optional(list(string), [])<br>  storage_permissions     = optional(list(string), [])<br>}))</pre> | `{}` | no |
| admin_objects_ids | IDs of the objects that can do all operations on all keys, secrets and certificates. | `list(string)` | `[]` | no |
| certificate_contacts | Contact information to send notifications triggered by certificate lifetime events. | <pre>list(object({<br>  email = string<br>  name  = optional(string)<br>  phone = optional(string)<br>}))</pre> | `[]` | no |
| custom_name | Override default naming convention. | `string` | `null` | no |
| deployment_mode | Specifies how the infrastructure/resource is deployed. | `string` | `"terraform"` | no |
| diagnostic_setting_enable | Boolean flag to specify whether Diagnostic Settings should be enabled for the Key Vault. Defaults to false. | `bool` | `false` | no |
| enable_access_policies | Boolean flag to specify whether access policies should be enabled for the Key Vault. Defaults to true. | `bool` | `false` | no |
| enable_private_endpoint | Manages a Private Endpoint to Azure database for MySQL. | `bool` | `true` | no |
| enable_rbac_authorization | (Optional) Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. | `bool` | `true` | no |
| enabled | Set to false to prevent the module from creating any resources. | `bool` | `true` | no |
| enabled_for_deployment | Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | `bool` | `false` | no |
| enabled_for_disk_encryption | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false. | `bool` | `true` | no |
| enabled_for_template_deployment | Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | `bool` | `false` | no |
| environment | Environment (e.g. prod, dev, staging). | `string` | `""` | no |
| eventhub_authorization_rule_id | Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. | `string` | `null` | no |
| eventhub_name | Specifies the name of the Event Hub where Diagnostics Data should be sent. | `string` | `null` | no |
| existing_private_dns_zone | Name of the existing private DNS zone. | `string` | `null` | no |
| existing_private_dns_zone_id | The ID of an existing private DNS zone. | `string` | `null` | no |
| extra_tags | Variable to pass extra tags. | `map(string)` | `null` | no |
| kv_logs | Values for Key Vault logs. The category attribute is optional and can be used to specify which categories of logs to enable. If not specified, all categories will be enabled. | <pre>object({<br>  enabled        = bool<br>  category       = optional(list(string))<br>  category_group = optional(list(string))<br>})</pre> | <pre>{<br>  "category_group": [<br>    "AllLogs"<br>  ],<br>  "enabled": true<br>}</pre> | no |
| label_order | Order of labels in the resource name. The default order is ['name', 'environment', 'location']. You can change this to ['environment', 'name', 'location'] or any other order as per your requirements. | `list(any)` | <pre>[<br>  "name",<br>  "environment",<br>  "location"<br>]</pre> | no |
| location | The location/region where the key vault is created. Changing this forces a new resource to be created. | `string` | `""` | no |
| log_analytics_destination_type | Possible values are AzureDiagnostics and Dedicated, default to AzureDiagnostics. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource specific tables, instead of the legacy AzureDiagnostics table. | `string` | `"AzureDiagnostics"` | no |
| log_analytics_workspace_id | The ID of the Log Analytics Workspace where logs should be sent. | `string` | `null` | no |
| managed_hardware_security_module_enabled | Create a KeyVault Managed HSM resource if enabled. Changing this forces a new resource to be created. | `bool` | `false` | no |
| managedby | ManagedBy, e.g. 'terraform-az-modules'. | `string` | `"terraform-az-modules"` | no |
| metric_enabled | Boolean flag to specify whether Metrics should be enabled for the Key Vault. Defaults to true. | `bool` | `true` | no |
| name | Name (e.g. app or cluster). | `string` | `""` | no |
| network_acls | Network ACLs for the Key Vault. The bypass attribute can be set to 'AzureServices' to allow Azure services to bypass the firewall. The default_action attribute can be set to 'Allow' or 'Deny'. The ip_rules attribute is a list of IP addresses or CIDR ranges that are allowed access. The virtual_network_subnet_ids attribute is a list of subnet IDs that are allowed access. | <pre>object({<br>  bypass                     = optional(string, "None"),<br>  default_action             = optional(string, "Deny"),<br>  ip_rules                   = optional(list(string)),<br>  virtual_network_subnet_ids = optional(list(string)),<br>})</pre> | <pre>{<br>  "bypass": "AzureServices",<br>  "default_action": "Allow",<br>  "ip_rules": [<br>    "0.0.0.0/0"<br>  ],<br>  "virtual_network_subnet_ids": []<br>}</pre> | no |
| private_dns_zone_ids | The ID of the private DNS zone. | `string` | `null` | no |
| public_network_access_enabled | (Optional) Whether public network access is allowed for this Key Vault. Defaults to true. | `bool` | `false` | no |
| purge_protection_enabled | Boolean flag to specify whether purge protection is enabled for the Key Vault. Defaults to true. When enabled, the Key Vault cannot be permanently deleted until the purge protection is disabled. | `bool` | `true` | no |
| reader_objects_ids | IDs of the objects that can read all keys, secrets and certificates. | <pre>map(object({<br>  role_definition_name = string<br>  principal_id         = string<br>}))</pre> | `{}` | no |
| repository | Terraform current module repo. | `string` | `"https://github.com/terraform-az-modules/terraform-azure-key-vault"` | no |
| resource_group_name | The name of the resource group in which to create the network security group. | `string` | `""` | no |
| resource_position_prefix | Controls the placement of the resource type keyword (e.g., "vnet", "ddospp") in the resource name. If true, the keyword is prepended: "vnet-core-dev". If false, the keyword is appended: "core-dev-vnet". This helps maintain naming consistency based on organizational preferences. | `bool` | `true` | no |
| secrets | List of objects that represent the configuration of each secret. | <pre>list(object({<br>  name            = string<br>  value           = string<br>  content_type    = optional(string)<br>  not_before_date = optional(string)<br>  expiration_date = optional(string)<br>}))</pre> | `[]` | no |
| sku_name | The Name of the SKU used for this Key Vault. Possible values are standard and premium. | `string` | `"standard"` | no |
| sku_name_hsm | The Name of the SKU used for this Key Vault HSM. | `string` | `"Standard_B1"` | no |
| soft_delete_retention_days | The number of days that items should be retained for once soft-deleted. The valid value can be between 7 and 90 days. | `number` | `90` | no |
| storage_account_id | The ID of the Storage Account where logs should be sent. | `string` | `null` | no |
| subnet_id | The resource ID of the subnet. | `string` | `""` | no |
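The inputs above expose a wide-open default for `network_acls` (`default_action = "Allow"` with `ip_rules = ["0.0.0.0/0"]`). The following is an added example of a module call that overrides that default and uses the RBAC, private endpoint, purge protection and diagnostics inputs together; it is not taken from the module's own examples. Values in angle brackets are placeholders, `<release-tag>` stands for a published release of this repository, and `var.db_password` is assumed to be declared elsewhere as a sensitive variable.

```hcl
# Added example (not the module's own code): hardened call of the key-vault module.
module "key_vault" {
  source = "git::https://github.com/terraform-az-modules/terraform-azure-key-vault.git?ref=<release-tag>"

  name                = "app"
  environment         = "prod"
  location            = "eastus"
  resource_group_name = "<resource-group-name>"
  sku_name            = "premium"

  # Authorization: RBAC only; legacy access policies stay off.
  enable_rbac_authorization = true
  enable_access_policies    = false
  admin_objects_ids         = ["<platform-team-object-id>"]
  reader_objects_ids = {
    app = {
      role_definition_name = "Key Vault Secrets User" # Azure built-in role
      principal_id         = "<app-managed-identity-object-id>"
    }
  }

  # Network: the module default allows every address (default_action "Allow",
  # ip_rules ["0.0.0.0/0"]); deny by default and reach the vault only over
  # the private endpoint the module creates in the given subnet.
  public_network_access_enabled = false
  network_acls = {
    bypass                     = "AzureServices"
    default_action             = "Deny"
    ip_rules                   = []
    virtual_network_subnet_ids = []
  }
  enable_private_endpoint      = true
  subnet_id                    = "<private-endpoint-subnet-id>"
  existing_private_dns_zone_id = "<privatelink.vaultcore.azure.net-zone-id>"

  # Recovery and audit trail: keep purge protection on and ship AuditEvent
  # logs to Log Analytics in resource-specific tables.
  purge_protection_enabled       = true
  soft_delete_retention_days     = 90
  diagnostic_setting_enable      = true
  log_analytics_workspace_id     = "<log-analytics-workspace-id>"
  log_analytics_destination_type = "Dedicated"
  kv_logs                        = { enabled = true, category = ["AuditEvent"] }

  # Secret values come from a sensitive variable, never a literal in source.
  secrets = [{
    name            = "db-password"
    value           = var.db_password
    expiration_date = "2026-12-31T00:00:00Z"
  }]
}
```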

Outputs

| Name | Description |
|------|-------------|
| id | Value of the Key Vault ID. |
| vault_uri | Value of the Key Vault URI. |

Examples

IMPORTANT: Since the master branch used in source varies based on new modifications, we recommend using the release versions.

For additional usage examples, check the complete list under the examples/ directory.

Module Dependencies

This module has dependencies on:

Changelog

Refer here.

✨ Contributors

Big thanks to our contributors for elevating our project with their dedication and expertise! But we do not wish to stop there; we would like to invite contributions from the community to improve these projects and make them more versatile for better reach. Remember, every bit of contribution is immensely valuable, as, together, we are moving in only one direction: forward.



If you're considering contributing to our project, here are a few quick guidelines that we have been following (Got a suggestion? We are all ears!):

  • Fork the Repository: Create a new branch for your feature or bug fix.
  • Coding Standards: You know the drill.
  • Clear Commit Messages: Write clear and concise commit messages to facilitate understanding.
  • Thorough Testing: Test your changes thoroughly before submitting a pull request.
  • Documentation Updates: Include relevant documentation updates if your changes impact it.

Feedback

Spot a bug or have thoughts to share with us? Let's squash it together! Log it in our issue tracker, or feel free to drop us an email at [email protected].

Show some love with a ★ on our GitHub if our work has brightened your day! Your feedback fuels our journey!

Our Accomplishment

We have 50+ Azure Terraform modules. You could consider them finished, but, with enthusiasts like yourself, we are able to ever improve them, so we call our status "improvement in progress".

Tap into our capabilities

We provide a platform for organizations to engage with experienced, top-tier DevOps and Cloud professionals. Tap into our pool of certified engineers and architects to elevate your DevOps and Cloud solutions.

At Azure Terraform Modules Organisation, we have extensive experience in designing, building, and migrating environments; securing infrastructure; consulting; monitoring; optimizing; automating; and maintaining complex, large-scale modern systems. With a strong client presence across American and European regions, our certified experts deliver robust and scalable cloud solutions.

Write to us at [email protected].

We are The Cloud Experts!


We ❀️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
