Terraform module for deploying Azure Key Vault with RBAC authorization, private endpoint integration, purge protection, HSM-backed keys with automatic rotation policies, secret and certificate management, network ACLs, and diagnostic settings. Designed for enterprise secrets management with zero-trust networking by default.
- Resources: Key Vault, Keys, Secrets, Certs, RBAC, Private Endpoint, Diagnostics
- Variables: Configurable input parameters
- Outputs: IDs, URIs, versions, private endpoint info
- Examples: Basic, Advanced, Complete
| Resource | Purpose |
|---|---|
| azurerm_key_vault | Core vault with SKU, RBAC, purge protection, soft delete, network ACLs |
| azurerm_key_vault_key | Cryptographic keys (RSA/EC/HSM) with automatic rotation policies |
| azurerm_key_vault_secret | Secrets with content types and expiration dates |
| azurerm_key_vault_certificate | X.509 certificates with auto-renewal lifecycle actions |
| azurerm_role_assignment | RBAC role assignments scoped to the Key Vault |
| azurerm_private_endpoint | Private endpoint with DNS zone group for the vault subresource |
| azurerm_monitor_diagnostic_setting | Log and metric export to a Log Analytics workspace |
1. Applications authenticate via Azure AD (Managed Identity / Service Principal).
2. Traffic flows through the private endpoint within the VNet.
3. RBAC authorization validates permissions at the vault scope.
4. Key Vault returns secrets/keys/certificates.
5. All operations are logged to Log Analytics via diagnostic settings.
- RBAC authorization enabled by default
- Role assignments scoped to vault
- Azure AD authentication required
- Public network access disabled by default
- Purge protection enabled (default)
- 90-day soft delete retention
- HSM-backed keys (Premium SKU)
- Automatic key rotation policies
- Certificate auto-renewal (30-day trigger)
- Private endpoint for VNet-isolated access
- Private DNS zone integration
- Network ACLs with IP and VNet rules
- Azure Services bypass option
- Diagnostic logs (AuditEvent, AllMetrics)
- Log Analytics workspace integration
- Key access and modification tracking
- Premium SKU with HSM-backed keys, strict RBAC, private endpoint only, 90-day soft delete retention
- HIPAA-compliant secrets management, key rotation policies, full audit logging, no public network access
- Per-environment vaults, certificate management for custom domains, managed identity integration
- Purge protection mandatory, HSM key storage, network ACL enforcement, diagnostic logging to SIEM
| Variable | Type | Default | Description |
|---|---|---|---|
| name | string | -- | Key Vault name |
| sku_name | string | standard | standard or premium |
| enable_rbac_authorization | bool | true | Use RBAC instead of access policies |
| purge_protection_enabled | bool | true | Prevent permanent deletion |
| soft_delete_retention_days | number | 90 | Retention period (7-90 days) |
| public_network_access_enabled | bool | false | Public access toggle |
| keys | map(object) | {} | Keys with rotation policies |
| secrets | map(object) | {} | Secrets with content types |
| certificates | map(object) | {} | Certificates with auto-renewal |
| enable_private_endpoint | bool | true | Create private endpoint |
| enable_diagnostics | bool | true | Enable diagnostic settings |
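To make the hardened defaults above concrete, here is what they correspond to when written as raw azurerm provider (3.x argument names) resources: a deny-by-default vault with RBAC and purge protection, an HSM-backed key with a rotation policy, and AuditEvent/AllMetrics export. This is an added illustration, not the module's own code; `var.location`, `var.resource_group_name`, `var.app_subnet_id` and `var.log_analytics_workspace_id` are assumed inputs.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "this" {
  name                          = "kv-myapp-prod"
  location                      = var.location            # assumed input
  resource_group_name           = var.resource_group_name # assumed input
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "premium"               # required for HSM-backed keys
  enable_rbac_authorization     = true                    # RBAC, not access policies
  purge_protection_enabled      = true
  soft_delete_retention_days    = 90
  public_network_access_enabled = false

  network_acls {
    default_action             = "Deny"                   # zero-trust: deny unless listed
    bypass                     = "AzureServices"
    virtual_network_subnet_ids = [var.app_subnet_id]      # assumed input
  }
}

# HSM-backed RSA key that the platform rotates automatically.
resource "azurerm_key_vault_key" "signing" {
  name         = "app-signing"
  key_vault_id = azurerm_key_vault.this.id
  key_type     = "RSA-HSM"
  key_size     = 4096
  key_opts     = ["sign", "verify"]

  rotation_policy {
    expire_after         = "P90D"   # each key version expires after 90 days
    notify_before_expiry = "P29D"
    automatic {
      time_before_expiry = "P30D"   # create the next version 30 days before expiry
    }
  }
}

# Audit log and metric export, so every key/secret operation is traceable.
resource "azurerm_monitor_diagnostic_setting" "kv" {
  name                       = "kv-diag"
  target_resource_id         = azurerm_key_vault.this.id
  log_analytics_workspace_id = var.log_analytics_workspace_id # assumed input

  enabled_log {
    category = "AuditEvent"
  }
  metric {
    category = "AllMetrics"
  }
}
```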
```shell
terraform init
terraform plan -var-file="keyvault.tfvars"
terraform apply -var-file="keyvault.tfvars"

# Verify vault
az keyvault show --name kv-myapp-prod
```