
[Documentation Update] Variable Groups Sourced from Azure Key Vault

Open straubt1 opened this issue 5 years ago • 6 comments

Description

Update documentation to highlight this feature.

~Currently the resource azuredevops_variable_group only supports ADO hosted variables.~

~Feature request for adding the ability to connect the variable group to Azure Key Vault.~

Affected Resource(s)

  • azuredevops_variable_group

Sample Terraform Configuration

azuredevops_variable_group

```hcl
resource "azuredevops_variable_group" "this" {
  project_id   = azuredevops_project.this.id
  name         = "configuration"
  description  = "configuration"
  allow_access = true

  key_vault {
    name                = azurerm_key_vault.this.name
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.this.id
  }

  variable {
    name = "kv-secret"
  }
}
```

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

straubt1 commented Jun 21 '20 16:06

This is actually the documentation issue, variable groups sourced from KV are supported.

Here is sample code:

```hcl
resource "azuredevops_variable_group" "this" {
  project_id   = azuredevops_project.this.id
  name         = "configuration"
  description  = "configuration"
  allow_access = true

  key_vault {
    name                = azurerm_key_vault.this.name
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.this.id
  }

  variable {
    name = "kv-secret"
  }
}
```

logachev commented Jun 22 '20 03:06

Thank you @logachev, this is great news!

I changed this issue to focus on updating the documentation.

straubt1 commented Jun 22 '20 12:06

@straubt1 can we please include some example code for the Key Vault. From the example provided, it implies that Terraform is creating the Key Vault vs linking to an existing Key Vault.

Also, seeing an example of how to programmatically authorize the Pipeline to have the required permissions on the Key Vault would be helpful as well.

[screenshot: KeyVaultConn]

AErmie commented Jul 17 '20 18:07

The feature ask is to mimic what you can do in the ADO project via the UI, and would assume that the key vault had the proper permissions already. This is not a Terraform or AzKV detail, but whatever ADO is requiring (in your screenshot you can see it needs at least "Get and List" secret management).

I did play around with creating the AzKV in Terraform, but as you will see, there is a lot of configuration that goes into it. Here is a rough gist of what you could do: https://gist.github.com/straubt1/f631dde08d4e875b2f829d203a5a1f17

Hope this helps :)

straubt1 commented Jul 20 '20 13:07
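As an added example (not code from the issue, the gist, or the provider's docs), the configuration below links a variable group to an existing Key Vault and grants the service connection's service principal only the Get and List secret permissions mentioned above. The `var.pipeline_spn_object_id` input, the vault and resource group names, and the `azuredevops_project.this` / `azuredevops_serviceendpoint_azurerm.this` references are assumptions.

```hcl
# Constructed example: link a variable group to an EXISTING Key Vault and grant the
# service connection's service principal only the secret permissions ADO needs.

variable "pipeline_spn_object_id" {
  description = "Object ID of the service principal behind the Azure RM service connection (assumed input)"
  type        = string
}

data "azurerm_client_config" "current" {}

# Look up the vault that already exists instead of creating it in this configuration.
data "azurerm_key_vault" "existing" {
  name                = "kv-example" # placeholder vault name
  resource_group_name = "rg-example" # placeholder resource group
}

# Least-privilege access policy: Get and List on secrets, nothing on keys or certificates.
resource "azurerm_key_vault_access_policy" "ado_pipelines" {
  key_vault_id = data.azurerm_key_vault.existing.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.pipeline_spn_object_id

  secret_permissions = ["Get", "List"]
}

# The variable group pulls the named secrets through the service connection at run time.
resource "azuredevops_variable_group" "kv_backed" {
  project_id  = azuredevops_project.this.id
  name        = "configuration"
  description = "Secrets sourced from Key Vault"

  # false: each pipeline must be authorized to use the group instead of every pipeline in the project.
  allow_access = false

  key_vault {
    name                = data.azurerm_key_vault.existing.name
    service_endpoint_id = azuredevops_serviceendpoint_azurerm.this.id
  }

  # Each variable name must match a secret name in the vault; the value itself is never stored in ADO.
  variable {
    name = "kv-secret"
  }

  # Make sure the access policy exists before ADO tries to read the vault.
  depends_on = [azurerm_key_vault_access_policy.ado_pipelines]
}
```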

Just a perfect example of the power of Terraform: multiple providers create a combined infrastructure! Stretching over multiple systems which even don't have to be native cloud providers like AWS, Azure or Google but as long as a provider is available for backend you can do the craziest things 😁

tmeckel commented Jul 20 '20 15:07

Is there any particular blocker for this issue? Seems like the feature has been available for a long time, but still not represented in documentation

jemag commented Sep 21 '21 17:09