Support for decrypt secrets from data encrypted with Azure keyvault key

[saranshlamba]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AWS provider has this data source which decrypts cipherblob and then stores it in plain text within secrets manager. Need similar functionality for azurerm, which will decrypt the cipherblob (using keyvault key) and then store it in plain text in keyvault secrets.

https://www.terraform.io/docs/providers/aws/d/kms_secrets.html

[tombuildsstuff]

hey @saranshlamba

Thanks for opening this issue.

So that we can better understand the use-case/requirements here, would you be able to give a little more context on the use-case your looking to solve with this functionality?

Thanks!

[saranshlamba]

@tombuildsstuff With this functionality it will be easier to store encrypted secrets in github as a source of truth. Right now there isn't an easy way to store and track secrets in git.

[saranshlamba]

@tombuildsstuff Any updates on it, please?

[IanMoroney]

@saranshlamba, correct me if I'm wrong, but just so I understand this use case:

1. Encrypt a static secret either manually, or using azurerm_key_vault_key_encrypt
2. Decrypt a secret using a azurerm_key_vault_key_decrypt data block, for use in other resources.

This encrypts the contents of secrets in key vault so if you go to show secret value in the key vault, it shows you an encrypted string instead of the plain text.