Saturday 6 July 2024

Conditional Whitelisting of IPs in Azure Key Vault with Terraform

Azure Key Vaults protected by a vNet (virtual network) need the local IP addresses added to the allowed IP list if secrets etc. in the key vault must be accessed from local machines (not considering VPN and private endpoints). Whitelisting a dynamic list of IPs in the key vault conditionally via Terraform IaC (infrastructure as code) is a bit tricky to implement. In this post let's explore how to dynamically whitelist a set of IPs in an Azure Key Vault using Terraform, with an example.

Consider a situation where a few IPs need to be whitelisted in the key vault always, and a few other IPs (let's say a set of developer machine IPs) only in the development environment.

To support the above requirement we can define a variable (or a local) to supply the developer IPs. The IPs should be provided as a comma-separated string. There can be another variable to determine the environment.

variable "DEVELOPERIPS" {
  description = "Developer IPs to whitelist"
  type        = string
  default     = "99.999.99.999,77.777.777.77"
}

variable "ENV" {
  description = "Environment"
  type        = string
  default     = "dev"
}

For the IPs that need to be added to all environments we can create a local. To identify our environment by comparing with var.ENV, we can define a local for each environment name as well.

locals {
  dev_environment = "dev"
  qa_environment  = "qa"
  kv_allowed_ips = "88.0.88.888/32,88.888.888.88/32"
}

Then in the key vault Terraform resource, in the network_acls block, we can define the logic to achieve the scenario mentioned above. If the environment is dev we join the default allowed IPs and the developer IPs together, then split the result by comma to create the IP list to whitelist. If it is not the dev environment we only use the default set of IPs.


The full key vault resource code block is as below. It adds additional IPs to the key vault's allowed IP set conditionally, based on the environment.

resource "azurerm_key_vault" "keyvault" {
  name                        = "my-demo-${var.ENV}-kv"
  location                    = azurerm_resource_group.rg.location
  resource_group_name         = azurerm_resource_group.rg.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  enabled_for_deployment      = false
  enabled_for_disk_encryption = false
  purge_protection_enabled    = true

  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = split(",", join(",", (var.ENV == local.dev_environment ? [
      local.kv_allowed_ips, var.DEVELOPERIPS
      ] : [
        local.kv_allowed_ips])))
    virtual_network_subnet_ids = [
      azurerm_subnet.aks.id,
      azurerm_subnet.subnet.id
    ]
  }

  # Developers
  access_policy {
    tenant_id          = var.TENANTID
    object_id          = data.azuread_group.devs.object_id
    secret_permissions = var.ENV == local.dev_environment ? ["Get", "List"] : []
  }

  # Containers in AKS via user assigned identity
  access_policy {
    tenant_id          = var.TENANTID
    object_id          = azurerm_user_assigned_identity.aks.principal_id
    secret_permissions = ["Get", "List"]
  }
}
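As an added example (my own code, not the post's), here is the same conditional whitelist written with concat() instead of join()/split(). The developer IPs become a list(string) variable with a validation block, the combined list is computed once in a local, and the resource simply references that local. The names developer_ips and kv_ip_rules are my assumptions; var.ENV, azurerm_resource_group.rg, data.azurerm_client_config.current and the two subnets are the ones the post already uses, and the IP values are constructed from the RFC 5737 documentation ranges.

```hcl
variable "developer_ips" {
  description = "Developer machine IPs (address or CIDR) allowed only in dev"
  type        = list(string)
  # Constructed sample values from the RFC 5737 documentation ranges
  default = ["203.0.113.10", "203.0.113.11/32"]

  validation {
    # Reject anything that is not a parseable IP address or CIDR block at plan
    # time, so a typo never reaches the Key Vault API as an IP rule.
    condition = alltrue([
      for ip in var.developer_ips : can(cidrhost(ip, 0)) || can(cidrhost("${ip}/32", 0))
    ])
    error_message = "Each entry in developer_ips must be a valid IP address or CIDR block."
  }
}

locals {
  dev_environment = "dev"

  # IPs allowed in every environment (constructed sample values)
  kv_allowed_ips = ["192.0.2.0/24", "198.51.100.25/32"]

  # Developer IPs are appended only in dev; in every other environment the
  # conditional yields an empty list, so concat() adds nothing. distinct()
  # drops an address that appears in both lists.
  kv_ip_rules = distinct(concat(
    local.kv_allowed_ips,
    var.ENV == local.dev_environment ? var.developer_ips : []
  ))
}

resource "azurerm_key_vault" "keyvault" {
  name                        = "my-demo-${var.ENV}-kv"
  location                    = azurerm_resource_group.rg.location
  resource_group_name         = azurerm_resource_group.rg.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  enabled_for_deployment      = false
  enabled_for_disk_encryption = false
  purge_protection_enabled    = true

  network_acls {
    # Deny by default: only the computed IP rules and the listed subnets
    # (plus trusted Azure services) can reach the vault's data plane.
    bypass                     = "AzureServices"
    default_action             = "Deny"
    ip_rules                   = local.kv_ip_rules
    virtual_network_subnet_ids = [azurerm_subnet.aks.id, azurerm_subnet.subnet.id]
  }
}
```

One failure mode the list form avoids: with the post's string approach, an empty DEVELOPERIPS value makes join() produce a trailing comma and split() then returns a final "" element, which ends up as an invalid empty IP rule. Here the conditional yields an empty list instead, so a dev environment with no developer IPs plans cleanly, and the validation block turns a malformed entry into a terraform plan error rather than an apply-time failure against the Key Vault API.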

