Azure DevOps: Terraform variables with Azure Key Vault

Walkthrough of using Key Vault secrets as variables for Terraform in Azure DevOps

We use variables in Terraform configuration files so that the code can be changed, adapted and reused. When configuring variables, the method that worked best for me was keeping both sensitive values (secrets) and non-sensitive values (resource names, etc.) in a single location, so that all variables are managed in one place. In this post I will cover how to use variables in Terraform, how to store their values in Azure Key Vault, and how to consume them in Azure DevOps as part of a deployment.

How to configure variables using Terraform

First you need to declare a variable in the Terraform code you are writing. For example:

# Declares the variable; its value is supplied from outside the code
# (a TF_VAR_VMPASS environment variable in the pipeline below).
variable "VMPASS" {
  type = string
}

I would usually put all my variables in a separate file but in the same directory to make it easier for myself to locate and manage them.

Once configured, you can use the variable in the code by replacing the string you would enter with the variable, for example:

password = var.VMPASS

Make sure you commit your code to a repository in Azure DevOps.

Storing variables in Azure Key Vault

Create your Azure Key Vault if you haven't done so already. From within the Key Vault resource, select Secrets from the side menu to create a secret.


Now select Generate/Import.

Here, enter the name of the secret for the variable and the value your code requires. Please note that Azure Key Vault secret names do not support certain characters, for example the underscore, which is exactly what Terraform requires in variable names supplied from an external source (Key Vault names allow only alphanumerics and dashes; see the Key Vault documentation for the full rules). We will cover in the next section how these names are remapped.

We now need to link our Azure DevOps to Azure Key Vault. Open your project within Azure DevOps and from the side menu select Pipelines then Library. Here select Variable group.

Give your Variable Group a name and enable the Link secrets from an Azure key vault as variables toggle. From here you want to select the Azure Subscription and Key Vault you created your Terraform variables in (if you haven't linked your Azure subscription to Azure DevOps, use the Manage link to create a Service Principal).

You might be asked to Authorize the access to the Key Vault but once this is done, you can select the Add option to add secrets to your variable library.


Now click Save to complete the library creation.

How to use variables in your pipeline

Finally, we need to either edit an existing pipeline or create a new one, and include the variable group we created that links to Key Vault. To do this, select the Variables tab and then select Variable groups.


Here select the Link variable group and select the newly created variable group.

Now we need to add a Bash Script task to run remap commands so that the Azure Key Vault variables are in the format Terraform supports. When a variable value comes from the environment, Terraform expects an environment variable named TF_VAR_NAME, where NAME is the variable name exactly as declared (the name is case-sensitive). Because underscores are not supported in Azure Key Vault secret names, we have to remap each secret to its TF_VAR_ name. Below is an example of the command to add to the Bash Script task, repeated for each variable that needs to be remapped for Terraform.

# $(tf-var-vmpass) is Azure Pipelines macro syntax: it is replaced with the
# Key Vault secret before the script runs (a bare $tf-var-vmpass would be
# expanded by bash as $tf followed by the literal text -var-vmpass).
# issecret=true keeps the remapped variable masked in the pipeline logs.
echo "##vso[task.setvariable variable=TF_VAR_VMPASS;issecret=true]$(tf-var-vmpass)"

Once this is done, you can add the Terraform tasks to install, initialize and plan/apply. When the pipeline runs, the script maps the Azure Key Vault secrets to the TF_VAR_ names that Terraform recognizes, and the Terraform tasks pick them up from the environment.
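As an added example (not code from the original post), the remap step above generalized into a small POSIX shell script for the Bash Script task: it derives the TF_VAR_ name from a Key Vault secret name, rejects names that do not fit Key Vault's rules, and emits the logging command with issecret=true. It assumes the naming convention used in this post, where secrets are named tf-var-<name>, dashes stand in for underscores, and the Terraform variable name is upper-case (tf-var-vmpass becomes TF_VAR_VMPASS); the KV_VMPASS environment variable and its sample value are constructed for the example.

```shell
#!/bin/sh
# Remap Azure Key Vault secret names to the TF_VAR_* variables Terraform reads.
# Convention assumed here: Key Vault secret "tf-var-<name>" maps to the
# Terraform variable "<NAME>" (upper-cased, dashes replaced by underscores).
set -eu

# tf_var_name SECRET_NAME -> prints TF_VAR_<NAME>; fails on an unusable name.
tf_var_name() {
  secret="$1"
  case "$secret" in
    tf-var-?*) ;;
    *) echo "secret '$secret' lacks the tf-var- prefix" >&2; return 1 ;;
  esac
  name="${secret#tf-var-}"
  # Key Vault secret names may contain only alphanumerics and dashes.
  case "$name" in
    *[!A-Za-z0-9-]*) echo "secret '$secret' has invalid characters" >&2; return 1 ;;
  esac
  printf 'TF_VAR_%s\n' "$(printf '%s' "$name" | tr 'a-z' 'A-Z' | sed 's/-/_/g')"
}

# setvariable_command SECRET_NAME VALUE -> prints the ##vso logging command.
# issecret=true keeps the value masked in logs and, like any secret variable,
# it is only passed to later tasks that explicitly map it.
setvariable_command() {
  var=$(tf_var_name "$1") || return 1
  printf '##vso[task.setvariable variable=%s;issecret=true]%s\n' "$var" "$2"
}

# In the pipeline, the Key Vault-backed secret reaches the script through an
# env: mapping on the task, e.g. KV_VMPASS: $(tf-var-vmpass). The fallback
# below is a constructed placeholder so the script also runs offline.
KV_VMPASS="${KV_VMPASS:-example-placeholder-not-a-real-password}"
setvariable_command tf-var-vmpass "$KV_VMPASS"
```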
