Terraform Deploy Key Vault with Private Endpoint

The purpose of Azure Key Vault is to store cryptographic keys and other secrets used by cloud applications and services in a HSM (Hardware security module).

In this example, we will create and mange Azure Key Vault using Terraform

First, we will create main configuration file for Key vault:

# Azure Provider#
##################################
##################################

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy = true
    }
  }
}
# To get/import Subscription details#
data "azurerm_client_config" "current" {}

# use existing subnet which it will be used to creare the private endpoint#
data "azurerm_subnet" "appsnet" {
  name                 = "app01-snet"
  virtual_network_name = "hub01-vnet"
  resource_group_name  = "vm02-rg"
}

data "azurerm_subnet" "devopssnet" {
  name                 = "default"
  virtual_network_name = "Devios01-rg-vnet"
  resource_group_name  = "Devios01-rg"
}

# Create Key vault#
resource "azurerm_key_vault" "key_vault" {
  name                            = var.name
  location                        = var.location
  resource_group_name             = var.resource_group_name
  tenant_id                       = data.azurerm_client_config.current.tenant_id
  sku_name                        = var.sku_name
  tags                            = var.tags
  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment
  enable_rbac_authorization       = var.enable_rbac_authorization
  purge_protection_enabled        = var.purge_protection_enabled
  soft_delete_retention_days      = var.soft_delete_retention_days
  timeouts {
    delete = "60m"
  }
access_policy {
#to provide the current user with access to Key vault
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = [
      "create",
      "get",
      "create",
      "list"
    ]
    certificate_permissions = [
      "create",
      "get",
      "create",
      "list"
    ]
    secret_permissions = [
      "set",
      "get",
      "delete",
      "purge",
      "recover"
    ]
  }
#prvent external access/ from other subnet not declared in variables file#
  network_acls {
    bypass                     = var.bypass
    default_action             = var.default_action
    ip_rules                   = var.ip_rules
    virtual_network_subnet_ids = [data.azurerm_subnet.appsnet.id,data.azurerm_subnet.devopssnet.id]
  }
  lifecycle {
      ignore_changes = [
          tags
      ]
  }
}

# Create Private endpoint#
resource "azurerm_private_endpoint" "private_endpoint" {
  name                = var.private_end_name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = "${data.azurerm_subnet.appsnet.id}"
  tags                = var.tags
  private_service_connection {
    name                           = "${var.name}Connection"
    private_connection_resource_id = azurerm_key_vault.key_vault.id
    is_manual_connection           = var.is_manual_connection
    subresource_names              = try([var.subresource_name], null)
    request_message                = try(var.request_message, null)
  }
  private_dns_zone_group {
    name                 = var.private_dns_zone_group_name
    private_dns_zone_ids = [azurerm_private_dns_zone.main.id]
  }
  lifecycle {
    ignore_changes = [
      tags
    ]
  }
  depends_on = [azurerm_key_vault.key_vault]
}
#Create Private DNS Zone#
resource "azurerm_private_dns_zone" "main" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = var.resource_group_name
}

#Create Secrets#
resource "azurerm_key_vault_secret" "kv_secret" {
  name         = "secret1"
  value        = "P2ssw0rd123"
  key_vault_id = azurerm_key_vault.key_vault.id
}
resource "azurerm_key_vault_secret" "kv_secret2" {
  name         = "secret2"
  value        = "P2ssw0rd1234"
  key_vault_id = azurerm_key_vault.key_vault.id
}

Variables File

variable "name" {
  description = "(Required) Specifies the name of the key vault."
  type        = string
  default = "keyvault01"
}
variable "resource_group_name" {
  description = "(Required) Specifies the resource group name of the key vault."
  type        = string
  default = "vm02-rg"
}
variable "location" {
  description = "(Required) Specifies the location where the key vault will be deployed."
  type        = string
  default = "northeurope"
}
variable "sku_name" {
  description = "(Required) The Name of the SKU used for this Key Vault. Possible values are standard and premium."
  type        = string
  default     = "standard"
  validation {
    condition = contains(["standard", "premium" ], var.sku_name)
    error_message = "The value of the sku name property of the key vault is invalid."
  }
}

variable "tags" {
  description = "(Optional) Specifies the tags of the log analytics workspace"
  default     = {
    createdWith = "Terraform"
  }
}
variable "enabled_for_deployment" {
  description = "(Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false."
  type        = bool
  default     = false
}
variable "enabled_for_disk_encryption" {
  description = " (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false."
  type        = bool
  default     = false
}
variable "enabled_for_template_deployment" {
  description = "(Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false."
  type        = bool
  default     = false
}
variable "enable_rbac_authorization" {
  description = "(Optional) Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false."
  type        = bool
  default     = false
}
variable "purge_protection_enabled" {
  description = "(Optional) Is Purge Protection enabled for this Key Vault? Defaults to false."
  type        = bool
  default     = false
}
variable "soft_delete_retention_days" {
  description = "(Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days."
  type        = number
  default     = 30
}
variable "bypass" {
  description = "(Required) Specifies which traffic can bypass the network rules. Possible values are AzureServices and None."
  type        = string
  default     = "AzureServices"
  validation {
    condition = contains(["AzureServices", "None" ], var.bypass)
    error_message = "The valut of the bypass property of the key vault is invalid."
  }
}
variable "default_action" {
  description = "(Required) The Default Action to use when no rules match from ip_rules / virtual_network_subnet_ids. Possible values are Allow and Deny."
  type        = string
  default     = "Deny"
  validation {
    condition = contains(["Allow", "Deny" ], var.default_action)
    error_message = "The value of the default action property of the key vault is invalid."
  }
}
variable "ip_rules" {
  description = "(Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the Key Vault."
  default     = ["10.0.0.5"]
}
variable "virtual_network_subnet_ids" {
  description = "(Optional) One or more Subnet ID's which should be able to access this Key Vault."
  default     = []
}

#####
variable "private_end_name" {
  description = "(Required) Specifies the name of the private endpoint. Changing this forces a new resource to be created."
  type        = string
  default = "Vault01PrivateEndpoint"
}


variable "is_manual_connection" {
  description = "(Optional) Specifies whether the private endpoint connection requires manual approval from the remote resource owner."
  type        = string
  default     = false  
}
variable "subresource_name" {
  description = "(Optional) Specifies a subresource name which the Private Endpoint is able to connect to."
  type        = string
  default     = "vault"
}
variable "request_message" {
  description = "(Optional) Specifies a message passed to the owner of the remote resource when the private endpoint attempts to establish the connection to the remote resource."
  type        = string
  default     = null
}
variable "private_dns_zone_group_name" {
  description = "(Required) Specifies the Name of the Private DNS Zone Group. Changing this forces a new private_dns_zone_group resource to be created."
  type        = string
  default = "KeyVaultPrivateDnsZoneGroup"
}
variable "private_dns" {
  default = {}
}

Result

Proof that External Access is not allowd