
Key Vault creation in Azure - Commands & Configuration

Introduction
Sometimes you need a safe place to store secrets like passwords or keys so only authorized apps or people can use them. Azure Key Vault is a service that helps you keep these secrets safe and easy to manage.
When you want to store database passwords securely instead of hardcoding them in your app.
When you need to manage encryption keys for your cloud applications.
When you want to control access to sensitive information with strict permissions.
When you want to audit who accessed your secrets and when.
When you want to centralize secret management for multiple applications.
Config File - main.tf
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "eastus"
}

resource "azurerm_key_vault" "example" {
  name                = "examplekeyvault12345" # must be globally unique across Azure
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = "00000000-0000-0000-0000-000000000000" # placeholder: your Azure AD tenant ID
  sku_name            = "standard"

  # Soft delete is always on in azurerm 3.x (soft_delete_enabled was removed in 3.0);
  # this sets how long deleted vaults/secrets stay recoverable (7-90 days).
  soft_delete_retention_days = 7
  # Once set to true, purge protection cannot be turned off again.
  purge_protection_enabled   = false

  access_policy {
    tenant_id = "00000000-0000-0000-0000-000000000000" # placeholder tenant ID
    object_id = "11111111-1111-1111-1111-111111111111" # placeholder: object ID of the user, group or app

    # Permission names are case-sensitive in azurerm 3.x ("Get", not "get").
    secret_permissions = [
      "Get",
      "List",
      "Set"
    ]
  }
}

This Terraform file creates an Azure resource group and a Key Vault inside it.

provider: sets up the Azure provider.

resource_group: creates a group to hold resources.

key_vault: creates the Key Vault with a unique name, location, and access policies.

tenant_id and object_id specify who can access the vault.

sku_name sets the pricing tier.

Soft delete keeps deleted vaults and secrets recoverable for a retention window instead of destroying them immediately.

Commands
This command initializes Terraform, downloads the Azure provider plugin, and prepares the working directory.
Terminal
terraform init
Expected Output
Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/azurerm...
- Installing hashicorp/azurerm v3.64.0...
- Installed hashicorp/azurerm v3.64.0 (signed by HashiCorp)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
This command shows what Terraform will create or change in Azure before applying it.
Terminal
terraform plan
Expected Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "eastus"
      + name     = "example-resources"
    }

  # azurerm_key_vault.example will be created
  + resource "azurerm_key_vault" "example" {
      + id                       = (known after apply)
      + location                 = "eastus"
      + name                     = "examplekeyvault12345"
      + resource_group_name      = "example-resources"
      + sku_name                 = "standard"
      + soft_delete_enabled      = true
      + tenant_id                = "00000000-0000-0000-0000-000000000000"
      + purge_protection_enabled = false
      + access_policy = [
          + {
              + object_id          = "11111111-1111-1111-1111-111111111111"
              + secret_permissions = ["get", "list", "set"]
              + tenant_id          = "00000000-0000-0000-0000-000000000000"
            },
        ]
    }

Plan: 2 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
This command applies the planned changes and creates the resource group and Key Vault in Azure automatically without asking for confirmation.
Terminal
terraform apply -auto-approve
Expected Output
azurerm_resource_group.example: Creating...
azurerm_resource_group.example: Creation complete after 2s [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources]
azurerm_key_vault.example: Creating...
azurerm_key_vault.example: Creation complete after 15s [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.KeyVault/vaults/examplekeyvault12345]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
-auto-approve - Skips manual approval to apply changes immediately
This Azure CLI command retrieves details about the created Key Vault to verify it exists and check its properties.
Terminal
az keyvault show --name examplekeyvault12345 --resource-group example-resources
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources/providers/Microsoft.KeyVault/vaults/examplekeyvault12345",
  "location": "eastus",
  "name": "examplekeyvault12345",
  "properties": {
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {
          "secrets": [
            "get",
            "list",
            "set"
          ]
        }
      }
    ],
    "enabledForDeployment": false,
    "enabledForDiskEncryption": false,
    "enabledForTemplateDeployment": false
  },
  "resourceGroup": "example-resources",
  "type": "Microsoft.KeyVault/vaults"
}
--name - Specifies the Key Vault name to show
--resource-group - Specifies the resource group where the Key Vault is located
Key Concept

If you remember nothing else from this pattern, remember: Azure Key Vault securely stores secrets and you create it by defining its settings and access rules, then applying them to your cloud environment.

Common Mistakes
Using a Key Vault name that is not globally unique.
Azure requires Key Vault names to be unique across all subscriptions, so creation fails if the name is taken.
Choose a unique name by adding random numbers or your company prefix.
Not specifying the correct tenant_id or object_id in access policies.
Without correct IDs, no one can access the secrets, making the vault unusable.
Use Azure CLI or portal to find your tenant and object IDs and set them properly.
Skipping terraform init before terraform apply.
Terraform won't have the Azure provider plugin ready, causing errors.
Always run terraform init first to prepare the environment.
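A hardened variant of the main.tf above, added here as an example and not part of the original page. It reads tenant_id and object_id from the identity running Terraform (which avoids the mistyped-ID mistake described above), turns on purge protection with a 90-day retention window, grants a least-privilege role through Azure RBAC instead of an access_policy block, and denies network access by default. It assumes azurerm provider 3.x and that the deployer may create role assignments; the names and the IP address are placeholders.

```hcl
# Added example (not from the original page): hardened Key Vault configuration.
# Assumptions: azurerm provider 3.x; names and the IP below are placeholders.
provider "azurerm" {
  features {}
}

# Tenant and object ID of the identity running Terraform, so they are
# never hard-coded or mistyped.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "eastus"
}

resource "azurerm_key_vault" "hardened" {
  name                = "examplekeyvault12345" # must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Soft delete is always on; keep deleted items 90 days and block
  # permanent purge so a compromised identity cannot destroy secrets.
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  # Azure RBAC instead of access_policy blocks: grants are role assignments,
  # which are auditable and scoped per principal.
  enable_rbac_authorization = true

  # Deny all network access except trusted Azure services and listed IPs.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = ["203.0.113.10/32"] # placeholder egress IP
  }
}

# Least-privilege grant: this identity can read secrets, nothing more.
resource "azurerm_role_assignment" "secrets_reader" {
  scope                = azurerm_key_vault.hardened.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Because purge protection cannot be disabled once enabled, `terraform destroy` will soft-delete the vault but leave it recoverable until the retention window ends.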
Summary
Write a Terraform file to define an Azure resource group and a Key Vault with access policies.
Run 'terraform init' to prepare Terraform and download providers.
Use 'terraform plan' to preview changes and 'terraform apply -auto-approve' to create the Key Vault.
Verify the Key Vault creation with Azure CLI using 'az keyvault show'.