Store OCI Terraform Provider Variables as Secrets in Azure Key Vault and Execute via Azure DevOps Pipeline

Question

I'm using Azure Key Vault, Git and DevOps Pipelines and my intention is to execute Terraform code against Oracle Cloud Infrastructure (OCI). I've configured the necessary resource group, storage account, container, uploaded the OCI provider variables into Key Vault.

I've tried storing the API signing key as a secret, and as a key, but Terraform throws provider-related errors regarding the private key. I'm looking for the proper way to get the content of the private key from Azure Key Vault and pass it to the OCI provider. Or just the proper way to leverage Key Vault with the OCI provider.

This is the error I'm getting during Terraform Plan:

Error: Incorrect attribute value type. Inappropriate value for attribute "private_key": string required.

My code looks as follows:

provider "oci" {
  ### Tenancy Connectivity variables
  tenancy_ocid = "${data.azurerm_key_vault_secret.tenancy-ocid.value}"
  user_ocid    = "${data.azurerm_key_vault_secret.dev-user-ocid.value}"
  fingerprint  = "${data.azurerm_key_vault_secret.key-fprint.value}"
  private_key = "${data.azurerm_key_vault_key.oci-private-key}"
  private_key_password = ""
  region = var.home_region
}

The Terraform Plan operation only seems to complain about the private key, while the other secrets are read successuflly. Any help would be appreciated!

score 0 · Answer 1 · answered May 28 '22 at 10:28

0

For the first three pairs, you retrieve the value, which is translated to a string. The provider is not complaining, as these are accepted values.

However, it looks like for the private key, you are not passing the key contents (value attribute might be missing). I am no expert in how to retrieve the contents of the private key from Azure, but you have to pass the "value" of the key...

answered May 28 '22 at 10:28

ssolbach

96
2

Key Vault keys don't have a 'value' attribute and only the following are available: `id`, `version`, `versionless_id`, `n`, `e`, `x`, `y`, `public_key_pem`, `public_key_openssh` See Terraform documentation [link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key) – Andreas Z May 28 '22 at 13:29
Unfortunately, this will require the private key contents. Looking at the doc you linked it doesn't seem that can be "exported". – ssolbach May 28 '22 at 14:38
PS: https://stackoverflow.com/questions/51940248/is-it-possible-to-get-the-private-key-out-of-azure-key-vault-keys there seems to be no possibility to export the key... and as the OCI terraform provider requires either the key content or a key file (containing the private key), I don't think there is a way to use it the way your intention was... – ssolbach May 28 '22 at 14:44

Store OCI Terraform Provider Variables as Secrets in Azure Key Vault and Execute via Azure DevOps Pipeline

1 Answers1