Score:0

Is it possible to use Terraform and an Azure Key Vault Firewall without having to specify my IP address every time I want to make a change?


I have several VMs in my Azure environment, and each has an associated encryption key. The encryption key is stored in an Azure Key Vault. All of these things are resources in my Terraform scripts. In the Azure Key Vault I have the firewall turned on, and my Azure AD user is in the Access Policy. I'm using Vault Policy/Firewall vs. RBAC so that I can add private endpoints to the key vault for private links to the aforementioned VMs.
The problem: when I run "terraform apply" for any change in my Azure environment (whether it's for a VM or something else entirely), my IP address has to be in the network_acl. Without it, Terraform doesn't "see" my key vault and wants to destroy my VMs. I'd rather not have to add, then remove, my IP address from the ACL every time I want to make a change. I should note that my Terraform structure is pretty flat/simple. The state of EVERYTHING is checked/updated upon plan/apply.
Is there any other way to get around this IP requirement and keep my private endpoints?

Score:1

If you have the Key Vault firewall enabled, then any machine that needs to talk to it will need to be allowed in that firewall; it would be a pretty terrible firewall if that was not the case. There are a few ways you can work with this:

  1. Add your machine's IP into the firewall permanently, maybe as part of your Terraform deployment
  2. Run your Terraform pipelines from another machine, like a build agent, and allow this IP. Moving to using CI/CD tools for your Terraform is going to be beneficial in many other ways too
  3. As above, use a build agent, but instead of adding its external IP to the KV firewall, use private endpoints to allow access over the private network. This requires the machine to be in Azure, or connected to Azure over VPN/ExpressRoute
bandarr3000
I think this is it. It's simple enough to have a build machine in its own VNET that can reach into the key vaults and storage accounts via a private endpoint. Thanks!
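Options 1 and 3 from the answer, written out in Terraform (azurerm provider 3.x). This is an added example, not code from the original question or answer: the resource group, VNet, subnet and vault names are assumed, the build agent is assumed to run in the `agents` subnet, and `allowed_ip_rules` is a variable introduced here. Key Vault IP rules take public IPv4 addresses or CIDR ranges. The point the thread makes is that it is the host running `terraform plan`/`apply` that reads the vault's keys and access policies during refresh, so that host, not the VMs, is what the firewall has to let in; the example keeps that allow-list in code and adds the private endpoint so the agent never needs a public rule at all.

```hcl
# Option 1: public IPs that may still reach the vault over the internet,
# managed in code rather than edited by hand before every apply.
variable "allowed_ip_rules" {
  description = "Public IPv4 addresses/CIDRs allowed through the Key Vault firewall"
  type        = list(string)
  default     = [] # empty once everything comes in via the private endpoint
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-kv-demo" # assumed name
  location = "westeurope"
}

# Option 3: the VNet/subnet the Terraform build agent runs in (assumed).
resource "azurerm_virtual_network" "agents" {
  name                = "vnet-agents"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.50.0.0/16"]
}

resource "azurerm_subnet" "agents" {
  name                 = "snet-agents"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.agents.name
  address_prefixes     = ["10.50.1.0/24"]
}

resource "azurerm_key_vault" "kv" {
  name                       = "kv-vmkeys-demo" # assumed; must be globally unique
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true # Disk Encryption Sets require this on the vault

  # Firewall: deny by default, let trusted Azure services bypass, and
  # allow only the addresses tracked in var.allowed_ip_rules.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = var.allowed_ip_rules
  }
}

# Private DNS zone so <vault>.vault.azure.net resolves to the private IP
# from inside the agent VNet. Without the zone link the agent still
# resolves the public address and is blocked by the firewall.
resource "azurerm_private_dns_zone" "kv" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "agents" {
  name                  = "link-vnet-agents"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.kv.name
  virtual_network_id    = azurerm_virtual_network.agents.id
}

resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv-vmkeys"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.agents.id

  private_service_connection {
    name                           = "psc-kv-vmkeys"
    private_connection_resource_id = azurerm_key_vault.kv.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }

  # Writes the A record into the zone above for this endpoint's private IP.
  private_dns_zone_group {
    name                 = "kv-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]
  }
}
```

Bootstrapping caveat: on the very first apply the private endpoint does not exist yet, so run it from an allowed public IP (populate `allowed_ip_rules` once) or apply the vault and endpoint before moving the pipeline onto the agent. After the agent is the only thing that runs Terraform, set `allowed_ip_rules = []`; refresh then goes over the private link and no per-change firewall edits are needed. If no public rule remains, `public_network_access_enabled = false` on the vault closes the public endpoint entirely.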