Terraform – Using Terraform with Azure Key Vault Firewall Without Specifying IP Address

azure, terraform

I have several VMs in my Azure environment, and each has an associated encryption key. The encryption key is stored in an Azure Key Vault. All of these things are resources in my Terraform scripts. In the Azure Key Vault I have the firewall turned on, and my Azure AD user is in the Access Policy. I'm using Vault Policy/Firewall vs. RBAC so that I can add private endpoints to the key vault for private links to the aforementioned VMs.
The problem: when I run "terraform apply" for any change in my Azure environment (whether it's for a VM or something else entirely), my IP address has to be in the network_acl. Without it, Terraform doesn't "see" my key vault and wants to destroy my VMs. I'd rather not have to add, then remove, my IP address from the ACL every time I want to make a change.
I should note that my Terraform structure is pretty flat/simple. The state of EVERYTHING is checked/updated upon plan/apply.
Is there any other way to get around this IP requirement and keep my private endpoints?

Best Answer

If you have the Key Vault firewall enabled then any machine that needs to talk to it will need to be allowed in that firewall; it would be a pretty terrible firewall if that was not the case. There are a few ways you can work with this:

  1. Add your machine's IP into the firewall permanently, maybe as part of your Terraform deployment
  2. Run your Terraform pipelines from another machine, like a build agent, and allow this IP. Moving to using CI/CD tools for your Terraform is going to be beneficial in many other ways too
  3. As above, use a build agent, but instead of adding its external IP to the KV firewall, use private endpoints to allow access over the private network. This requires the machine to be in Azure, or connected to Azure over VPN/ExpressRoute
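The following is an added Terraform example illustrating options 1 and 3 from the answer above; it is not code from the original question or answer. It assumes an existing resource group, virtual network and subnet (looked up via data sources with placeholder names), a hypothetical variable `deployer_ip_rules` holding the public IP(s) of whichever machine or build agent runs `terraform apply`, and the `azurerm` provider 3.x resource schema. Keys and VMs are omitted; only the vault firewall and the private endpoint are shown.

```hcl
# Added example, not part of the original post. Assumes azurerm provider 3.x.
variable "deployer_ip_rules" {
  description = "Public IPs (CIDR or single addresses) allowed through the Key Vault firewall. Leave empty when the runner reaches the vault over the private endpoint only."
  type        = list(string)
  default     = [] # hypothetical; e.g. ["203.0.113.10/32"] for a build agent
}

data "azurerm_client_config" "current" {}

# Placeholder names: substitute the real resource group, VNet and subnet.
data "azurerm_resource_group" "rg" {
  name = "rg-example"
}

data "azurerm_subnet" "pe" {
  name                 = "snet-private-endpoints"
  virtual_network_name = "vnet-example"
  resource_group_name  = data.azurerm_resource_group.rg.name
}

resource "azurerm_key_vault" "kv" {
  name                       = "kv-example-placeholder"
  location                   = data.azurerm_resource_group.rg.location
  resource_group_name        = data.azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true # required for disk encryption keys

  # Option 1: keep the firewall on, but allow the deployer's IP permanently
  # as part of the deployment instead of toggling it by hand.
  network_acls {
    default_action             = "Deny"
    bypass                     = "AzureServices" # lets Azure Disk Encryption reach the vault
    ip_rules                   = var.deployer_ip_rules
    virtual_network_subnet_ids = []
  }

  # Data-plane permission for the identity running terraform (vault policy, as in the question).
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id
    key_permissions = ["Get", "List", "Create", "Delete", "Recover", "Purge", "GetRotationPolicy"]
  }
}

# Option 3: private endpoint so an in-VNet build agent (or VPN/ExpressRoute client)
# reaches the vault over the private network and needs no entry in ip_rules.
resource "azurerm_private_dns_zone" "kv" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = data.azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "kv" {
  name                  = "kv-dns-link"
  resource_group_name   = data.azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.kv.name
  virtual_network_id    = data.azurerm_subnet.pe.virtual_network_id
}

resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv-example"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  subnet_id           = data.azurerm_subnet.pe.id

  private_service_connection {
    name                           = "kv-connection"
    private_connection_resource_id = azurerm_key_vault.kv.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }

  private_dns_zone_group {
    name                 = "kv-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]
  }
}
```

The reason the firewall matters to `terraform plan` at all is that resources such as `azurerm_key_vault_key` are refreshed through the vault's data plane, so the runner's source address (or its private-endpoint path) must be reachable, not just the ARM control plane. With the private endpoint in place and the build agent inside the VNet, `deployer_ip_rules` can stay empty and `default_action = "Deny"` keeps the public endpoint closed; the vault's diagnostic logs (`AuditEvent`) are where denied requests from unexpected addresses show up.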