Terraform Module for provisioning per-application secrets on Azure along with other related resources #21

Open
Lusengeri opened this issue Nov 8, 2024 · 0 comments
Assignees
Labels
enhancement New feature or request


@Lusengeri
Contributor

Terraform Module for Provisioning Per-Application Secrets on Azure

Overview

This issue proposes creating a Terraform module to handle the provisioning of secrets and associated resources for each application on Azure. This module will standardize secret management across applications and simplify infrastructure-as-code (IaC) practices for our secrets provisioning. It is important to note that the actual values of secrets shall be inserted from the Azure console with this module used to initialize placeholders along with IAM entities and permissions necessary for individual applications to utilize secrets that pertain to themselves.

Justification

Managing secrets securely and efficiently is crucial for applications that rely on sensitive configurations, credentials, and API keys. By building a reusable Terraform module for provisioning per-application secrets, we aim to achieve the following:

  • Consistency: A single module for secret creation ensures a standardized approach across all applications, reducing inconsistencies and configuration errors.
  • Reusability: By encapsulating the logic for secret creation and management in a Terraform module, we promote reuse, reducing duplication and saving development time.
  • Scalability: This module will allow teams to create secrets specific to each application in a scalable manner without reimplementing setup steps for every new app.
  • Compliance and Security: A centralized approach with enforced access controls will help meet compliance and security requirements by applying consistent policies across applications.

Proposed Module Scope

The Terraform module will provision the following resources per application:

  1. Azure Key Vault for Secrets Management:

    • Create an Azure Key Vault for securely storing application-specific secrets.
    • Optionally, configure Key Vault policies to restrict access based on application-specific identities.
  2. Application Service Principal or Managed Identity:

    • Create a service principal or managed identity specific to the application, granting it access to retrieve secrets from Key Vault.
    • Configure the required RBAC policies to control access.
  3. Logging and Monitoring Configuration (Optional):

    • Enable diagnostics and logging for Key Vault to track access and potential security incidents.
    • Configure integration with Azure Monitor to receive alerts on access anomalies.

Usage

The module will take the following inputs:

  • application_name: The name of the application for which secrets are being provisioned.
  • environment: The deployment environment (e.g., development, staging, production).
  • secrets: A map of secrets to be created within Key Vault, each specified with a name and dummy-value.

Example Usage

module "app_secrets" {
  source             = "./modules/azure_secrets"
  application_name   = "my-app"
  environment        = "production"
  secrets            = [
    { name = "db_password", value = var.db_password },
    { name = "api_key", value = var.api_key }
  ]
  use_private_endpoint = true
}

module "app_secrets" {
  source = "./modules/app_vault"

  app_name            = "<app_name>"
  environment         = "<environment>" # sandbox, staging or production
  resource_group_name = "<resource_group_name>"

  secrets = {
    SECRET_KEY_1 = "<dummy_secret_value_1>"
    SECRET_KEY_2 = "<dummy_secret_value_2>"
  }
}
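A sketch of what the proposed module body could look like, covering the three scope items above (Key Vault, per-application managed identity with RBAC, optional diagnostics) plus the placeholder-secret behaviour the overview calls for. This is an added example written for this page, not code from the repository or from the issue author; it assumes the `azurerm` 3.x provider, a user-assigned managed identity rather than a service principal, and variable names (`app_name`, `secrets`, `log_analytics_workspace_id`) chosen to match the second usage block. The `lifecycle { ignore_changes = [value] }` on each secret is the piece that makes "values inserted from the Azure console" work: without it, the next `terraform apply` would overwrite the real value with the dummy one.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

variable "app_name" { type = string }
variable "environment" { type = string }
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "secrets" { type = map(string) } # placeholder values only; real values set in the portal
variable "log_analytics_workspace_id" {
  type    = string
  default = null # diagnostics are optional: omit to skip the diagnostic setting
}

data "azurerm_client_config" "current" {}

# 1. One Key Vault per application/environment, RBAC mode, no public network access.
resource "azurerm_key_vault" "app" {
  name                          = substr(replace("kv-${var.app_name}-${var.environment}", "_", "-"), 0, 24)
  location                      = var.location
  resource_group_name           = var.resource_group_name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  enable_rbac_authorization     = true # Azure RBAC instead of legacy access policies
  purge_protection_enabled      = true # a deleted secret cannot be purged before retention ends
  soft_delete_retention_days    = 90
  public_network_access_enabled = false

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

# 2. Identity the application runs as, allowed only to read secrets in this vault.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-${var.app_name}-${var.environment}"
  location            = var.location
  resource_group_name = var.resource_group_name
}

resource "azurerm_role_assignment" "app_secrets_user" {
  scope                = azurerm_key_vault.app.id
  role_definition_name = "Key Vault Secrets User" # get/list secrets, nothing else
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# The identity running terraform must itself be allowed to write the placeholders.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.app.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Placeholders only: the real value is entered in the Azure portal and never revisited by Terraform.
resource "azurerm_key_vault_secret" "placeholder" {
  for_each     = var.secrets
  name         = replace(each.key, "_", "-") # secret names allow only alphanumerics and hyphens
  value        = each.value
  content_type = "placeholder"
  key_vault_id = azurerm_key_vault.app.id

  depends_on = [azurerm_role_assignment.deployer_secrets_officer]

  lifecycle {
    ignore_changes = [value] # do not overwrite the console-entered value on later applies
  }
}

# 3. Optional audit logging of every secret access to Log Analytics.
resource "azurerm_monitor_diagnostic_setting" "kv_audit" {
  count                      = var.log_analytics_workspace_id == null ? 0 : 1
  name                       = "kv-audit"
  target_resource_id         = azurerm_key_vault.app.id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  enabled_log {
    category = "AuditEvent"
  }

  metric {
    category = "AllMetrics"
  }
}

output "identity_client_id" { value = azurerm_user_assigned_identity.app.client_id }
output "key_vault_uri" { value = azurerm_key_vault.app.vault_uri }
```

Two practical notes on this shape: with `enable_rbac_authorization = true`, Key Vault ignores access policies entirely, so the deployer needs the Secrets Officer assignment (or an equivalent) before the placeholder secrets can be created, hence the explicit `depends_on`; and because `public_network_access_enabled` is false, the application must reach the vault through a private endpoint or a trusted Azure service, which is where a `use_private_endpoint` input as in the first usage block would plug in.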