This is a Terraform module to deploy a Vault instance on the Azure Web App for Containers service. Vault is an open-source secrets management tool that is generally run in a high-availability (HA) cluster. This implementation is a single instance with auto-unseal and no HA support. Azure Web App for Containers is an easy way to run a container on Azure without an orchestrator. This module makes use of the following Azure resources:
- Azure App Service
- Azure Storage
- Azure Key Vault
To get started, you'll need a resource group to deploy the resources. Due to various enterprise implementations of Azure access control, this module does not create its own resource group. A basic implementation would look like the following:
```hcl
provider "azurerm" {}

resource "azurerm_resource_group" "vault" {
  name     = "vault-rg"
  location = "eastus"
}

module "vault" {
  source              = "mbrancato/vault/azure"
  name                = "vault"
  resource_group_name = azurerm_resource_group.vault.name
  location            = "eastus"
}

output "vault_addr" {
  value = module.vault.vault_addr
}
```
After creating the resources, the Vault instance may be initialized. Set the `VAULT_ADDR` environment variable:

```shell
$ export VAULT_ADDR=https://vault-8c48a910-as.azurewebsites.net
```
Ensure the Vault is operational (this might take a minute or two), uninitialized and sealed:

```shell
$ vault status
Key                      Value
---                      -----
Recovery Seal Type       azurekeyvault
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  n/a
HA Enabled               false
```
Initialize the Vault:

```shell
$ vault operator init
Recovery Key 1: ...
Recovery Key 2: ...
Recovery Key 3: ...
Recovery Key 4: ...
Recovery Key 5: ...

Initial Root Token: s....

Success! Vault is initialized

Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.
```
From here, Vault is operational. Configure the auth methods and any other settings you need. The App Service may scale the container to zero, but the server configuration and unseal keys are already configured: when the container restarts, Vault should unseal itself automatically using the Azure Key Vault key. For more information on deploying Vault, read Deploy Vault.
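A pre-flight check for the status and initialization steps above, added here as an example and not part of this module: it polls `vault status -format=json` until the App Service answers, classifies the result, and reports whether `vault operator init` is the next step. It assumes the `vault` CLI is installed and `VAULT_ADDR` is set as shown; the three sample JSON documents are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the module: confirm the state the init step expects (vault CLI + VAULT_ADDR assumed).
set -eu

# Constructed sample `vault status -format=json` outputs, used to exercise the parser offline.
SAMPLE_UNINIT='{"type":"azurekeyvault","initialized":false,"sealed":true,"recovery_seal":true,"ha_enabled":false}'
SAMPLE_SEALED='{"type":"azurekeyvault","initialized":true,"sealed":true,"recovery_seal":true,"ha_enabled":false}'
SAMPLE_UNSEALED='{"type":"azurekeyvault","initialized":true,"sealed":false,"recovery_seal":true,"ha_enabled":false}'

# Pull one boolean field out of status JSON (empty if absent); avoids a jq dependency.
json_bool() {
  printf '%s\n' "$2" | grep -oE "\"$1\"[[:space:]]*:[[:space:]]*(true|false)" \
    | grep -oE '(true|false)$' | head -n 1 || true
}

# Classify status JSON as uninitialized, sealed or unsealed; returns 1 if it is not status output.
status_state() {
  local init sealed
  init=$(json_bool initialized "$1")
  sealed=$(json_bool sealed "$1")
  [ -n "$init" ] && [ -n "$sealed" ] || return 1
  if [ "$init" = false ]; then echo uninitialized
  elif [ "$sealed" = true ]; then echo sealed
  else echo unsealed
  fi
}

# Poll the server: `vault status` exits 1 while unreachable, 2 when sealed, 0 when unsealed.
wait_for_vault() {
  local attempts="${1:-30}" i=0 json rc state
  while [ "$i" -lt "$attempts" ]; do
    json=$(vault status -format=json 2>/dev/null) && rc=0 || rc=$?
    if [ "$rc" -ne 1 ] && state=$(status_state "$json"); then
      echo "$state"; return 0
    fi
    i=$((i + 1)); sleep 10
  done
  return 1
}
# Only talk to a real deployment when VAULT_ADDR is set and the CLI is present.
if [ -n "${VAULT_ADDR:-}" ] && command -v vault >/dev/null 2>&1; then
  state=$(wait_for_vault 30) || state=unreachable
  case "$state" in
    uninitialized) echo "Vault is up, uninitialized and sealed: run 'vault operator init' now" ;;
    sealed)        echo "Vault is initialized but still sealed: check the Key Vault auto-unseal settings" ;;
    unsealed)      echo "Vault is initialized and unsealed; nothing to do" ;;
    *)             echo "Vault did not answer within the timeout" >&2; exit 1 ;;
  esac
fi
```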
The module accepts the following inputs (the first three have no default):

| Description | Default |
|---|---|
| Application name. | |
| Azure location where resources are to be created. | |
| Azure resource group where resources are to be created. | |
| Vault container image. See the official docker image. | `"vault:1.6.1"` |
| Enable Vault UI. | `false` |
| Full HTTP endpoint of Vault Server if using a custom domain name. Leave blank otherwise. | `""` |
| Azure KeyVault service tier (Standard or Premium). | `"Standard"` |
| Azure KeyVault key name. | `"vault-key"` |
| Azure KeyVault cryptographic key type. Specify the key type. | `"RSA"` |
| Azure KeyVault cryptographic key size. | `2048` |
| Azure App Service Plan tier. | `"Free"` |
| Azure App Service Plan size. | `"F1"` |
| Enable continuous deployment of new container tags (e.g. latest). | `false` |
| Azure Service Account kind. | `"Storage"` |
| Azure Service Account tier. | `"Free"` |
| Azure Service Account replication type. | `"LRS"` |
The following things may be of concern from a security perspective:
- This is a publicly accessible Vault instance. Anyone with the DNS name can connect to it. If you are interested in private endpoint support, open an issue.
- App Service environment variables will contain secrets, including the credentials used to read the unseal key. Once managed service identities are fully supported by Vault on App Service, this should go away.
- By default, Vault runs on a shared compute instance of the App Service plan.