π Overview
In this guide, weβll build a verbose and reusable Terraform module for provisioning an Azure Key Vault using RBAC-based access control β the recommended model by Microsoft.
We’ll also show how to call the module from a Terragrunt config file, keeping inputs clean and environment-friendly.
π€ Access Policy vs. RBAC Model
Azure Key Vault supports two access models:
| Model | Description | Recommended? |
|---|---|---|
| Access Policy | Classic model where you explicitly define what each principal can do | β Legacy |
| RBAC | Uses Azureβs Role-Based Access Control via Azure AD | β Yes! |
Microsoft recommends using RBAC-based authorization for improved security, flexibility, and centralized role management.
β This post uses RBAC-based Key Vaults only. No
access_policyblocks will be used in the module.
π§± Module Code Repository
Terraform module: π tf-brickstack:azure-kv-module
Terragrunt config: π tg-brickflow:azure-kv
βοΈ What This Module Covers
The module provisions:
- A secure Azure Key Vault (RBAC-based)
- Network restrictions using
network_acls - Soft delete retention
- Tagging
- Public network access toggle
- Optional private access via subnet
π References
π Terraform for Azure Key Vault