Skip to main content

Managing Manual Key Vault Secrets

Some secrets cannot be automated via Terraform and therefore we need to add them manually to the Key Vaults.

Please note that we would advise to always go down the Terraform route where possible.

Manual Secrets

The easiest option is to add the secrets manually directly to the project Key Vault. Using the CNP-Module-Key-Vault will grant the Developers group the correct permissions to enable you to add these.

We would also advise to tag your secrets to easily identify between Terraform and manually created secrets.

Secret Store

You can create a secret store much like how Azure DevOps has a Library for secure values.

The concept here is a separate Key Vault for your manually created secrets and then your project Key Vault which will only contain secrets created by Terraform.

Setup Secret Store

Start by creating your Secret Store Key Vault Repositories following Create a Github Repository. You can then add your Key Vault using the CNP-Module-Key-Vault for example PIP-Shared-Infrastructure-Bootstrap

Import Secrets to Project Key Vault

Now in your project Key Vault you can use the below example to import named secrets. These can be generic secrets shared between environments, or you can add environment specific secrets.

This can also be use for certficates as per this example PIP tf-kv-certs-bootstrap

locals {
  secret_store_secrets = ["example-secret", "environment-specific-secret-${var.env}"]
}

data "azurerm_key_vault" "secret_store" {
  name                = "${var.product}-store-kv-${var.env}"
  resource_group_name = "${var.product}-store-${var.env}-rg"
}

data "azurerm_key_vault_secret" "secret_store" {
  for_each     = { for secret in local.secret_store : secret => secret }
  name         = each.value
  key_vault_id = data.azurerm_key_vault.secret_store.id
}

resource "azurerm_key_vault_secret" "secret_store" {
  for_each        = data.azurerm_key_vault_secret.secret_store
  key_vault_id    = module.this.key_vault_id
  name            = each.value.name
  value           = each.value.value
  tags            = merge(var.tags, {
        "source" : "secret store ${data.azurerm_key_vault.bootstrap_kv.name} secrets"
      })
  content_type    = "Manual Secret"
}

You can also access these via Jenkins for Smoke and Functional Tests following the guide on cnp-jenkins-library

This page was last reviewed on 13 August 2024. It needs to be reviewed again on 13 February 2025 by the page owner platops-build-notices .
This page was set to be reviewed before 13 February 2025 by the page owner platops-build-notices. This might mean the content is out of date.