By default, if you want to deploy a VM on Azure with Terraform, you must give the username and password in clear text in the variable file (see my previous article). But there is a way to secure all this 🙂 Just use an Azure Key Vault and store your password in it:

Then, you have to add these lines, at the beginning of your code:

```hcl
// Get Keyvault Data

// Resource group that contains the Key Vault
data "azurerm_resource_group" "rg_keyvault" {
  name = "${var.rg_keyvault}"
}

// The Key Vault itself
data "azurerm_key_vault" "keyvault" {
  name                = "${var.keyvault_name}"
  resource_group_name = "${data.azurerm_resource_group.rg_keyvault.name}"
}

// The secret that holds the default VM admin password
data "azurerm_key_vault_secret" "secret_Default-Admin-Windows-Linux-VM" {
  name      = "Default-Admin-Windows-Linux-VM"
  vault_uri = "${data.azurerm_key_vault.keyvault.vault_uri}"
}
```

Here we get the resource group, the Key Vault, and the secret named Default-Admin-Windows-Linux-VM in my Key Vault, which contains the default password for my VMs. We must then adapt the code so that our admin_password variable takes the value stored in the Key Vault:

```hcl
admin_password = "${data.azurerm_key_vault_secret.secret_Default-Admin-Windows-Linux-VM.value}"
```

You can now run terraform init and terraform plan. You should get the following error:

This is expected. In the Key Vault, you must grant the Get and List secret permissions to the application that Terraform uses to deploy resources in Azure:
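The same grant can be written as Terraform configuration. This is an added example, not code from the article or its repository: it is meant to be applied as a separate configuration by an identity that is allowed to change the vault's access policies, before the VM deployment runs. The variable `terraform_sp_object_id` and the resource name are hypothetical, and the example assumes a provider release that accepts `key_vault_id` and lowercase permission names (check the casing your provider version expects).

```hcl
// Added example: separate configuration, applied by a Key Vault administrator.
// It cannot live in the VM deployment itself, because that deployment reads
// the secret at plan time and fails until this policy exists.

variable "rg_keyvault" {}
variable "keyvault_name" {}

// Hypothetical variable: object ID of the service principal (application)
// that Terraform uses for the VM deployment.
variable "terraform_sp_object_id" {}

data "azurerm_key_vault" "keyvault" {
  name                = "${var.keyvault_name}"
  resource_group_name = "${var.rg_keyvault}"
}

resource "azurerm_key_vault_access_policy" "terraform_read_secrets" {
  key_vault_id = "${data.azurerm_key_vault.keyvault.id}"
  tenant_id    = "${data.azurerm_key_vault.keyvault.tenant_id}"
  object_id    = "${var.terraform_sp_object_id}"

  // Least privilege: only the two secret permissions the article names.
  // No key or certificate permissions, and no set/delete on secrets.
  secret_permissions = ["get", "list"]
}
```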


You can then run terraform plan and terraform apply again to deploy your resources in a secure way. Note this error message, which will disappear when you update to version 2 of the provider, although you will have to adapt the code:

This code is available on my Github:

https://github.com/Flodu31/Terraform/tree/master/Deploy_New_Environment_Keyvault
