26 ‐ Store and Encrypt Terraform Files in Azure - SanjeevOCI/Azure GitHub Wiki

Steps to Store Terraform Files in Azure Storage Encrypted with Your Own Customer-Managed Key (CMK) via Azure Portal

1. Create a Resource Group - tf-rg

26_Store and Encrypt Terraform Files in Azure_1

2. Create a Key Vault and Generate a Key (CMK)

  • Go to Key Vaults and click Create.
  • Fill in the details (resource group, name, region).
  • Click Review + create and Create.
  • After deployment, open the Key Vault.
  • Go to Keys > Generate/Import.
  • Choose Generate, enter a name, and click Create.

26_Store and Encrypt Terraform Files in Azure_7

26_Store and Encrypt Terraform Files in Azure_8

26_Store and Encrypt Terraform Files in Azure_9

Create a Managed Identity and assign "Key Vault Crypto Service Encryption User role". This allows Azure Storage Account to use a Customer Managed Key (CMK) stored in Azure Key Vault for encryption.

26_Store and Encrypt Terraform Files in Azure_10

26_Store and Encrypt Terraform Files in Azure_11

3. Create a Storage Account with Encryption Using Your CMK

  • Go to Storage accounts and click Create.
  • Fill in the details (resource group, name, region).
  • Under Advanced > Encryption, select Customer-managed keys.
  • Choose Select from Key Vault.
  • Select your Key Vault and the key you created.
  • Complete the wizard and click Review + create and Create.

26_Store and Encrypt Terraform Files in Azure_2

26_Store and Encrypt Terraform Files in Azure_3

26_Store and Encrypt Terraform Files in Azure_4

26_Store and Encrypt Terraform Files in Azure_5

26_Store and Encrypt Terraform Files in Azure_6

26_Store and Encrypt Terraform Files in Azure_12

26_Store and Encrypt Terraform Files in Azure_13

26_Store and Encrypt Terraform Files in Azure_14

4. Create a Blob Container for Terraform Files

  • Open your storage account.
  • Go to Containers under Data storage.
  • Click + Container, enter a name (e.g., terraform), and set the access level to Private.
  • Click Create.

26_Store and Encrypt Terraform Files in Azure_15

26_Store and Encrypt Terraform Files in Azure_16

26_Store and Encrypt Terraform Files in Azure_17

5. Assign Permissions to Storage Account for Key Vault Access

  • In the Key Vault, go to Access policies > + Add Access Policy.
  • Select Key permissions: Get, Wrap Key, Unwrap Key.
  • Under Principal, search for and select Microsoft Storage (or the storage account’s managed identity if using one).
  • Click Add, then Save.

26_Store and Encrypt Terraform Files in Azure_18

We are getting this error because the Azure Storage Account is currently set to restrict access through its network rules (firewall settings), and our IP address(49.43.27.252) is not whitelisted.

To fix this error

  • Go to the Storage Account in Azure Portal.
  • Select Networking → Firewalls and virtual networks.
  • Under Firewall, click + Add your client IP address.
  • Click Save.

26_Store and Encrypt Terraform Files in Azure_19

26_Store and Encrypt Terraform Files in Azure_20

6. Upload Terraform Files

  • Open the container you just created.
  • Click Upload.
  • Select your Terraform files (.tf, .tfvars, etc.) and click Upload.

26_Store and Encrypt Terraform Files in Azure_21

26_Store and Encrypt Terraform Files in Azure_22

Summary Diagram

+-------------------+      +-------------------+      +-------------------+
|   Key Vault       |----->| Storage Account   |----->|   Blob Container  |
| (CMK generated)   |      | (CMK encryption)  |      | (Terraform files) |
+-------------------+      +-------------------+      +-------------------+

Result:
Your Terraform files are now stored in an Azure Storage Account, encrypted at rest with your own customer-managed key (CMK) from Azure Key Vault.