Rotate Azure storage account access keys using terraform


I have the requirements below.

  1. Rotate storage account access keys (both primary_access_key and secondary_access_key) via Terraform.
  2. add the new regenerated keys as a new version to Secrets created in keyvault for both primary and secondary access keys.
resource "azurerm_storage_account" "example" {
  name                     = "storageaccrotatekeys"
  resource_group_name      = "accessrotate"
  location                 = "East US"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  public_network_access_enabled = false
}

The azurerm_storage_account resource below only contains attributes for primary_access_key and secondary_access_key, and those are sensitive values too. I couldn't find any option to rotate keys. Please help: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#import


kavyaS

It may not be directly possible with Terraform to rotate the access keys, AFAIK, but please check this customer_managed_key block that can be given in the azurerm_storage_account resource block, where auto rotation can be enabled with the keyvaultId and version. This customer_managed_key block contains the argument key_version, which is optional, to mention the version of the Key Vault key. To enable automatic key rotation you can avoid this option.

  • To manually rotate, give the version in the key_version argument of the block.
  • If a separate block is created for customer_managed_key, you can provide the required argument key_vault_key_id, where giving a version-less key ID will enable auto-rotation of this key.

Note: customer_managed_key needs account_kind to be StorageV2 and UserAssigned as the identity type.

Code: from azurerm_storage_account_customer_managed_key | Resources | hashicorp/azurerm | Terraform Registry

provider "azurerm" {
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }
  }
}

resource "azurerm_resource_group" "example" {
  name     = "<resource group>"
  location = "westus2"
}

provider "azurerm" {
  alias    = "cloud_operations"
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "ka-examplekv"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Customer-managed keys require a vault that cannot be purged.
  purge_protection_enabled = true
}

# Lets the storage account's managed identity use the vault key.
resource "azurerm_key_vault_access_policy" "storage" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_storage_account.example.identity[0].principal_id

  key_permissions    = ["Get", "Create", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get"]
}

# Lets the principal running Terraform create and manage the key.
resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"]
  secret_permissions = ["Get", "List"]
}

resource "azurerm_key_vault_key" "example" {
  name         = "ka-tfexkey"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  depends_on = [
    azurerm_key_vault_access_policy.client,
    azurerm_key_vault_access_policy.storage,
  ]
}

resource "azurerm_storage_account" "example" {
  name                     = "kaexamplestor"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}

# No key_version is given, so the account follows new versions of the
# vault key automatically (auto-rotation).
resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id = azurerm_storage_account.example.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}

Also check this time_rotating resource, which rotates a UTC timestamp stored in the Terraform state and recreates the resource when the current time in the locally stored source is beyond the rotation time. This occurs only when Terraform is executed.

Reference: customer_managed_key in azurerm_storage_account | Resources | hashicorp/azurerm | Terraform Registry
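Building on the time_rotating resource mentioned in the answer, here is one way to regenerate both access keys on a schedule and push them into Key Vault as new secret versions (an added example, not code from the answer or the provider docs). It assumes an authenticated Azure CLI on the Unix machine running terraform apply, the hashicorp/time and hashicorp/null providers, the azurerm_storage_account.example and azurerm_key_vault.example resources from the answer, and that the client access policy also grants Set on secrets.

```hcl
# Constructed rotation clock: its id changes every 90 days, which replaces
# null_resource.renew_keys and therefore re-runs the renew commands.
resource "time_rotating" "storage_keys" {
  rotation_days = 90
}

# Regenerate both keys with the Azure CLI (assumes an authenticated az CLI
# on the machine running terraform apply). In production, stagger primary
# and secondary so consumers can fail over to the untouched key.
resource "null_resource" "renew_keys" {
  triggers = {
    rotation = time_rotating.storage_keys.id
  }

  provisioner "local-exec" {
    command = <<-EOT
      az storage account keys renew --key primary \
        --resource-group ${azurerm_storage_account.example.resource_group_name} \
        --account-name ${azurerm_storage_account.example.name}
      az storage account keys renew --key secondary \
        --resource-group ${azurerm_storage_account.example.resource_group_name} \
        --account-name ${azurerm_storage_account.example.name}
    EOT
  }
}

# Re-read the account after renewal so the fresh key values are used,
# not the stale ones held in state for azurerm_storage_account.example.
data "azurerm_storage_account" "rotated" {
  name                = azurerm_storage_account.example.name
  resource_group_name = azurerm_storage_account.example.resource_group_name
  depends_on          = [null_resource.renew_keys]
}

# Each apply after a rotation writes a new secret version; the expiry is
# set to the next rotation so consumers are warned when a key is due.
resource "azurerm_key_vault_secret" "primary_key" {
  name            = "storage-primary-access-key"
  value           = data.azurerm_storage_account.rotated.primary_access_key
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = time_rotating.storage_keys.rotation_rfc3339
}

resource "azurerm_key_vault_secret" "secondary_key" {
  name            = "storage-secondary-access-key"
  value           = data.azurerm_storage_account.rotated.secondary_access_key
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = time_rotating.storage_keys.rotation_rfc3339
}
```

Both key values pass through Terraform state on their way to Key Vault, so the state backend needs the same access controls and encryption as the vault itself.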