hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for network_acls data.azurerm_key_vault #20106

Open schwichti opened 1 year ago

schwichti commented 1 year ago

Description

I want to manage my keyvault and secrets outside of Terraform, but would like to add firewall rules to the existing keyvault.

New or Affected Resource(s)/Data Source(s)

azurerm_keyvault_firewall_rule

Potential Terraform Configuration

data "azurerm_key_vault" "example" {
  name                = "mykeyvault"
  resource_group_name = "some-resource-group"
}

# Proposed resource (not yet in the provider): attaches a single allow-list
# entry to the existing vault looked up above, referenced by its id.
resource "azurerm_keyvault_firewall_rule" "example" {
  keyvault = data.azurerm_key_vault.example.id
  cidr     = "40.112.8.12/26"
}


Taha-cmd commented 1 month ago

This is a needed change. It is common to have a centrally managed providing resource and multiple consuming resources. Ideally, the consuming resources can grant themselves access to the providing resource by attaching their own firewall rules and permissions. For permissions, it is possible to use a separate azurerm_key_vault_access_policy or an azurerm_role_assignment (depending on the authorization model) to achieve said behaviour. However, for network access, this is currently not possible. It would be great to have a separate azurerm_keyvault_firewall_rule resource that allows adding IPs and/or subnets to the ACL of the keyvault. For reference, this is possible with storage accounts using the azurerm_storage_account_network_rules resource and for SQL servers using azurerm_mssql_virtual_network_rule. It would be great if Key Vault had the same capabilities.
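For comparison, here is the inline network_acls block that azurerm_key_vault requires today next to the decoupled storage-account pattern the comment refers to. This is an added example, not configuration from the issue or from the provider's documentation; resource names, resource groups, subnet names and the 203.0.113.0/24 documentation range are placeholder assumptions.

```hcl
data "azurerm_client_config" "current" {}

# Existing consumer subnet, assumed to be managed elsewhere (placeholder names).
data "azurerm_subnet" "consumer_a" {
  name                 = "consumer-a-subnet"
  virtual_network_name = "consumer-a-vnet"
  resource_group_name  = "consumer-a-rg"
}

# Today the Key Vault ACL lives inline on the vault, so only the configuration
# that owns the vault can add a consumer's IP or subnet to the allow-list.
resource "azurerm_key_vault" "central" {
  name                = "central-kv-placeholder"
  location            = "westeurope"
  resource_group_name = "platform-rg"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    default_action             = "Deny"             # deny by default, allow-list below
    bypass                     = "AzureServices"    # trusted Microsoft services only
    ip_rules                   = ["203.0.113.0/24"] # placeholder documentation range
    virtual_network_subnet_ids = [data.azurerm_subnet.consumer_a.id]
  }
}

# For storage accounts the ACL is a separate resource, so a consumer's
# configuration can look up the central account and manage the rules
# without owning the account itself.
data "azurerm_storage_account" "central" {
  name                = "centralstplaceholder"
  resource_group_name = "platform-rg"
}

resource "azurerm_storage_account_network_rules" "central" {
  storage_account_id         = data.azurerm_storage_account.central.id
  default_action             = "Deny"
  bypass                     = ["AzureServices"]
  ip_rules                   = ["203.0.113.10"]
  virtual_network_subnet_ids = [data.azurerm_subnet.consumer_a.id]
}
```

Note that azurerm_storage_account_network_rules manages the whole rule set and only one may be tied to a given storage account, so several consumers still cannot each attach their own; the per-rule shape of azurerm_mssql_virtual_network_rule is the closer model for what this issue asks of Key Vault.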