I have several VMs in my Azure environment, and each has an associated encryption key. The encryption key is stored in an Azure Key Vault. All of these things are resources in my Terraform scripts. In the Azure Key Vault I have the firewall turned on, and my Azure AD user is in the Access Policy. I'm using Vault Policy/Firewall vs. RBAC so that I can add private endpoints to the key vault for private links to the aforementioned VMs.
The problem: when I run "terraform apply" for any change in my Azure environment (whether it's for a VM or something else entirely), my IP address has to be in the network_acl. Without it, Terraform doesn't "see" my key vault and wants to destroy my VMs. I'd rather not have to add, then remove, my IP address from the ACL every time I want to make a change.
I should note that my Terraform structure is pretty flat/simple. The state of EVERYTHING is checked/updated upon plan/apply.
Is there any other way to get around this IP requirement and keep my private endpoints?
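For reference, the setup the question describes, written out as an added Terraform illustration (not the asker's own code); resource names, the address space and the `203.0.113.10` operator address are placeholders:

```hcl
# Key Vault with the firewall on and access-policy (not RBAC) authorization,
# as described in the question. Illustrative only; names are assumed.
resource "azurerm_key_vault" "vmkeys" {
  name                       = "kv-vm-encryption"   # placeholder
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  enable_rbac_authorization  = false                # access policy model
  purge_protection_enabled   = true

  network_acls {
    default_action = "Deny"          # this is the firewall being "on"
    bypass         = "AzureServices"
    # The operator's public IP must be listed here for `terraform plan`
    # to read the vault and its keys; this is the rule the question wants
    # to stop adding and removing by hand.
    ip_rules = ["203.0.113.10"]      # placeholder operator address
  }
}

# The AAD user running Terraform, granted via access policy.
resource "azurerm_key_vault_access_policy" "operator" {
  key_vault_id = azurerm_key_vault.vmkeys.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = ["Get", "List", "Create", "Delete", "Purge", "Recover"]
}

# One encryption key per VM; Terraform must be able to read this on every
# plan, which fails (and suggests destroying dependents) when the caller
# IP is not in ip_rules above.
resource "azurerm_key_vault_key" "vm" {
  name         = "vm01-key"           # placeholder
  key_vault_id = azurerm_key_vault.vmkeys.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
  depends_on   = [azurerm_key_vault_access_policy.operator]
}

# Private endpoint so the VMs reach the vault over the VNet, not the internet.
resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv-vm-encryption"   # placeholder
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.vms.id  # assumed subnet

  private_service_connection {
    name                           = "kv-link"
    private_connection_resource_id = azurerm_key_vault.vmkeys.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }
}
```

The private endpoint covers traffic from inside the VNet only; the machine running Terraform is still a public-internet caller unless it is itself inside (or tunnelled into) that network, which is why the `ip_rules` entry matters.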
Terraform – Using Terraform with Azure Key Vault Firewall Without Specifying IP Address
Tags: azure, terraform
Best Answer
If you have the Key Vault firewall enabled, then any machine that needs to talk to it will need to be allowed in that firewall; it would be a pretty terrible firewall if that were not the case. There are a few ways you can work with this: