AInfraMinds

πŸ” Overview

In this guide, we’ll build a verbose and reusable Terraform module for provisioning an Azure Key Vault using RBAC-based access control β€” the recommended model by Microsoft.

We’ll also show how to call the module from a Terragrunt config file, keeping inputs clean and environment-friendly.


πŸ€” Access Policy vs. RBAC Model

Azure Key Vault supports two access models:

ModelDescriptionRecommended?
Access PolicyClassic model where you explicitly define what each principal can do❌ Legacy
RBACUses Azure’s Role-Based Access Control via Azure ADβœ… Yes!

Microsoft recommends using RBAC-based authorization for improved security, flexibility, and centralized role management.

βœ… This post uses RBAC-based Key Vaults only. No access_policy blocks will be used in the module.


🧱 Module Code Repository

Terraform module: πŸ‘‰ tf-brickstack:azure-kv-module

Terragrunt config: πŸ‘‰ tg-brickflow:azure-kv


βš™οΈ What This Module Covers

The module provisions:


πŸ“Œ References

πŸ“˜ Terraform for Azure Key Vault

πŸ“˜ Best practices for using Azure Key Vault

πŸ“˜ Provide access to Key Vault objects with Azure RBAC

πŸ‘‰ Return to Code in Action πŸ“¦ Return to Infra World 🏠 Take Me Home

Copyright 2026. All rights reserved.