Azure Infrastructure Blog

Syncing Secrets Between HashiCorp Vault and Azure Key Vault with Terraform

Siddhi_Singh
Apr 23, 2025

In today's cloud-native world, managing secrets securely across different platforms is crucial. HashiCorp Vault and Azure Key Vault are two popular tools for secret management. In this blog post, we'll walk you through creating a Terraform module to copy a secret from HashiCorp Vault to Azure Key Vault. This module will use the Terraform providers for Vault (hashicorp/vault) and Azure (hashicorp/azurerm).

Task Overview:

  • Configure the Vault and AzureRM providers.
  • Accept input parameters such as Vault secret path, Azure Key Vault name, and secret name.
  • Fetch the secret from HashiCorp Vault.
  • Create a secret in Azure Key Vault using the fetched secret.


Steps to Create the Terraform Module

1. Configure Providers: Ensure you have configured the Vault and AzureRM providers.

provider "vault" {
  # The Vault address comes from a variable; the token is expected in the
  # VAULT_TOKEN environment variable rather than in this file
  address = var.vault_address
}

provider "azurerm" {
  features {}
}


2. Module Inputs: Accept input parameters such as Vault secret path, Azure Key Vault name, and secret name.

variable "vault_address" {
  description = "The address of the Vault server"
  type        = string
}

variable "vault_secret_path" {
  description = "Path of the secret in Vault"
  type        = string
}

variable "vault_secret_key" {
  description = "Key of the secret in Vault to retrieve"
  type        = string
}

variable "azure_key_vault_id" {
  description = "The ID of the Azure Key Vault"
  type        = string
}

variable "azure_secret_name" {
  description = "Name of the secret in Azure Key Vault"
  type        = string
}

variable "tags" {
  description = "Tags to associate with the Azure Key Vault secret"
  type        = map(string)
  default     = {}
}

3. Read Secret from Vault: Use the Vault provider to fetch the secret.

# Reads the secret at the given path; the key/value pairs are exposed as
# the (sensitive) "data" map attribute
data "vault_generic_secret" "vault_secret" {
  path = var.vault_secret_path
}

4. Write Secret to Azure Key Vault: Use the AzureRM provider to create a secret in Azure Key Vault.

resource "azurerm_key_vault_secret" "azure_secret" {
  name         = var.azure_secret_name
  # Select one key out of the Vault secret's key/value map
  value        = data.vault_generic_secret.vault_secret.data[var.vault_secret_key]
  key_vault_id = var.azure_key_vault_id
  tags         = var.tags
}

5. Outputs: Define the output for the created Azure Key Vault secret.

output "azure_secret_id" {
  description = "The ID of the created Azure Key Vault secret"
  value       = azurerm_key_vault_secret.azure_secret.id
}
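As an added example that is not part of the original post, the root configuration below calls the module defined in the steps above, resolving the Key Vault ID from its name so a caller only needs to know the vault and resource-group names. The module path, Key Vault name, resource group and Vault path are placeholders. Because the module declares its own provider blocks, it is called once, without count or for_each, which Terraform does not allow for modules that contain provider configuration.

```hcl
# Root configuration (added example). Assumed: the module from the post is
# saved under ./modules/vault-to-keyvault, VAULT_TOKEN is set in the shell,
# and the azurerm provider authenticates via Azure CLI or environment variables.
terraform {
  required_version = ">= 1.3"
  required_providers {
    vault   = { source = "hashicorp/vault" }
    azurerm = { source = "hashicorp/azurerm" }
  }
}

variable "vault_address" {
  description = "Vault server address, e.g. https://vault.example.internal:8200"
  type        = string
}

provider "azurerm" {
  features {}
}

# Look up the target Key Vault by name so the module receives its resource ID
data "azurerm_key_vault" "target" {
  name                = "example-kv" # placeholder
  resource_group_name = "example-rg" # placeholder
}

module "sync_db_password" {
  source = "./modules/vault-to-keyvault" # placeholder path

  vault_address      = var.vault_address
  vault_secret_path  = "secret/data/myapp" # placeholder KV v2 path
  vault_secret_key   = "db_password"
  azure_key_vault_id = data.azurerm_key_vault.target.id
  azure_secret_name  = "db-password"

  # Tags make it visible in Azure that this secret is mirrored from Vault
  tags = {
    source     = "hashicorp-vault"
    managed_by = "terraform"
  }
}

# The secret ID is not sensitive; the value itself is never output
output "db_password_secret_id" {
  value = module.sync_db_password.azure_secret_id
}
```

Note that the secret value still passes through the plan and is written to Terraform state, so the state backend must be access-controlled and encrypted.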


Key Considerations

  • Authentication: Ensure you have configured authentication for both Vault and Azure (e.g., Vault tokens or Azure AD credentials).
  • Security: Avoid hardcoding sensitive data (e.g., Vault tokens) in Terraform files. Use secure, access-controlled state storage, since the copied secret value is stored in the Terraform state.
  • Environment Setup: Ensure the Vault secret exists at the given path and contains the requested key, and that the Azure Key Vault is correctly configured with permissions for the identity Terraform runs as.

Conclusion

This module provides a solid foundation that can be extended to meet specific organizational needs. By following these steps, you can securely sync secrets between HashiCorp Vault and Azure Key Vault using Terraform, ensuring a streamlined and secure process.

Updated Apr 13, 2025
Version 1.0