Azure Key Vaults protected by a vNet (virtual network) need the public IP addresses of local machines added to the allowed IP list before secrets and other objects in the vault can be accessed from those machines (leaving VPNs and private endpoints aside; the Key Vault firewall only accepts public IPv4 addresses or CIDR ranges). Whitelisting a dynamic list of IPs in the key vault conditionally via Terraform IaC (infrastructure as code) is a bit tricky to implement. In this post let's explore how to dynamically whitelist a set of IPs in Azure Key Vault using Terraform, with an example.
Consider a situation where a few IPs need to be whitelisted in the key vault in every environment, and a few other IPs (let's say a set of developer machine IPs) only in the development environment.
To support this requirement we can define a variable (or a local) to supply the developer IPs. The IP values should be supplied as a comma-separated list. A separate variable can determine the environment.
For the IPs that need to be added in all environments we can create a local. To identify our environments by comparing with var.ENV we can define a local for each env as well.
Then, in the network_acls block of the key vault Terraform resource, we can define the logic to achieve the scenario above. If the env is dev, we join the default allowed IPs and the developer IPs together, then split them all by comma to create the IP list to whitelist. If it is not the dev environment we use only the default set of IPs.
The full key vault resource code block is as below. This will allow you to add additional IPs to the key vault whitelist conditionally, based on env.
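The following is an added, self-contained Terraform example of the approach described above; it is not the code from the original post. The variable names (ENV, DEV_IPS), the IP addresses (documentation ranges from RFC 5737, constructed for illustration), the resource names and the subnet reference are all assumptions. It goes slightly beyond the join-then-split step in the text: it trims whitespace, drops the empty element that split() produces when DEV_IPS is empty or has a trailing comma (Azure rejects an empty IP rule), and de-duplicates the list so that the same IP in both sources does not produce a failed apply.

```hcl
# Example only (not from the original post). Provider and resource group
# are assumed to exist; adjust names and IPs for your environment.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "ENV" {
  type        = string
  description = "Deployment environment: dev, test or prod (assumed values)."
}

variable "DEV_IPS" {
  type        = string
  description = "Comma-separated developer public IPs or CIDRs, used only when ENV is dev."
  default     = ""
}

data "azurerm_client_config" "current" {}

locals {
  # Environment flags; lower() keeps "Dev" and "DEV" from silently disabling the rule.
  is_dev = lower(var.ENV) == "dev"

  # IPs allowed in every environment (constructed sample values).
  default_ips = "203.0.113.10,198.51.100.0/24"

  # Join default + developer IPs in dev, only defaults otherwise, then split by comma.
  raw_ips = local.is_dev ? split(",", join(",", [local.default_ips, var.DEV_IPS])) : split(",", local.default_ips)

  # Edge cases the plain join/split misses:
  #  - trimspace(): "a, b" from a tfvars file would otherwise produce " b"
  #  - compact():   an empty DEV_IPS yields "a,b," -> ["a","b",""]; Azure rejects ""
  #  - distinct():  the same IP in both lists would be sent twice and fail the apply
  allowed_ips = distinct(compact([for ip in local.raw_ips : trimspace(ip)]))
}

# Assumed pre-existing resources; names are placeholders.
resource "azurerm_resource_group" "rg" {
  name     = "rg-kv-example-${var.ENV}"
  location = "westeurope"
}

resource "azurerm_key_vault" "kv" {
  name                = "kv-example-${var.ENV}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    # Deny by default; only the listed IPs (and trusted Azure services) get through.
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = local.allowed_ips

    # vNet subnets that should reach the vault (assumed subnet id; add your own or leave empty).
    virtual_network_subnet_ids = []
  }
}

# Handy for checking the computed list with `terraform plan` / `terraform output`.
output "key_vault_allowed_ips" {
  value = local.allowed_ips
}
```

Run with, for example, `terraform plan -var ENV=dev -var 'DEV_IPS=203.0.113.25, 203.0.113.10'` and the output shows the de-duplicated, trimmed list; with `-var ENV=prod` the DEV_IPS value is ignored entirely. Two caveats worth keeping in mind: write single addresses without a `/32` suffix, since Azure normalises them and the provider may otherwise show a perpetual diff; and remember that the firewall only gates the network path, so the caller still needs an access policy or RBAC role assignment on the vault to actually read a secret.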