Terraform: Adding Secrets To Azure Automation Accounts


Description:

Let’s say you have an Azure Automation Account that you manage with Terraform, and you need to add a secret from a Key Vault to the Automation Account as a variable for your runbooks.

I will show how to do it by passing two secrets, my-api-username and my-api-secret, from an Azure DevOps library variable group that is linked to a Key Vault. It is assumed that you created these secrets and populated them with dummy data first, because we will display their values in a runbook further down. Once you have verified everything, update them to the real values. Here are the steps:

To Resolve:

  1. Inside your pipeline, grant it access to the Key Vault in the Library > Variable groups area, then in the terraform plan and terraform apply steps pass the new secrets as environment variables like so:

       TF_VAR_api_username: $(my-api-username)
       TF_VAR_api_password: $(my-api-secret)
    
  2. Then in the landing spot for your TF files, add the new variable definitions so that Terraform knows about them:

    # Required Vars
    variable "api_username" {
      description = "(Required) The Active Directory account that has My API Access."
      type        = string
    }

    variable "api_password" {
      description = "(Required) The Active Directory account password that has My API Access."
      type        = string
    }
    
  3. Then, in your aa-variables.tf, add them like so:

    resource "azurerm_automation_variable_string" "api_user_password" {
      name                    = "api-user-password"
      resource_group_name     = azurerm_resource_group.aa_rg.name
      automation_account_name = azurerm_automation_account.aa.name
      value                   = var.api_password
      encrypted               = true
    }
    
  4. Now create a runbook that will display them, just to ensure the secrets are being passed correctly.

    # WARNING!!! This runbook shows the values of encrypted variables and should be used for troubleshooting only!!!
    
    $ErrorActionPreference = "Stop"
    Try
    {
       "Logging in to Azure..."
       # https://docs.microsoft.com/en-us/azure/automation/enable-managed-identity-for-automation
       Disable-AzContextAutosave -Scope Process
       $AzureContext = (Connect-AzAccount -Identity).context
       $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
       "Logging in to Azure...Completed"
    }
    Catch 
    {
       Write-Error -Message $_.Exception
       throw $_.Exception
    }
    
    # get from Variables blade of Automation Account
    Function Get-MyVar
    {
       $val = (Get-AzAutomationVariable -Name "tfex-example-var-1" -AutomationAccountName "aa-sbx-scus-aa" -ResourceGroupName "aa-sbx-scus-aa-rg" -ErrorAction "Stop").value
       return $val
    }
    
    Function Get-MyVar2
    {
       # https://learn.microsoft.com/en-us/azure/automation/shared-resources/variables?tabs=azure-powershell#powershell-cmdlets-to-access-variables
       $val = Get-AutomationVariable -Name "api-user-name"
       return $val
    }
    
    Function Get-MyVar3
    {
       # https://learn.microsoft.com/en-us/azure/automation/shared-resources/variables?tabs=azure-powershell#powershell-cmdlets-to-access-variables
       $val = Get-AutomationVariable -Name "api-user-password"
       return $val
    }
    
    
    Write-Output "Example reading vars...."
    
    Try
    {
       Write-Output "Getting var..."
       $varValue = Get-MyVar
       Write-Output "Getting var...Completed"
    }
    Catch
    {
       Write-Output "Error while reading variable..."
       Write-Error "Exit"
    }
    
    Write-Output "Variable value: $varValue"
    
    Try
    {
       Write-Output "Getting var2..."
       $varValue = Get-MyVar2
       Write-Output "Getting var2...Completed"
    }
    Catch
    {
       Write-Output "Error while reading variable2..."
       Write-Error "Exit"
    }
    
    Write-Output "Variable2 value username: $varValue"
    
    Try
    {
       Write-Output "Getting var3..."
       $varValue = Get-MyVar3
       Write-Output "Getting var3...Completed"
    }
    Catch
    {
       Write-Output "Error while reading variable3..."
       Write-Error "Exit"
    }
    
    Write-Output "Variable3 user pass value: $varValue"
    
    • Note that regular variables can be read with Get-AzAutomationVariable, but encrypted ones can only be read with Get-AutomationVariable from inside a runbook. See the note in the linked docs, where it says “You can’t use this cmdlet to retrieve the value of an encrypted variable. The only way to do this is by using the internal Get-AutomationVariable cmdlet in a runbook or DSC configuration.”.
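As an added example that is not part of the original post, here is a variant of the step 4 check that confirms both Automation variables hold the expected dummy values without writing the values themselves into the job output, which Azure Automation retains. It assumes the variable names api-user-name and api-user-password from the runbook above both exist, and the two SHA-256 placeholders are constructed values you replace with fingerprints of your own dummy data.

```powershell
# Added example, not part of the original post: confirm both Automation variables
# hold the expected dummy values without echoing the values into the job output.
# Get-AutomationVariable is the internal cmdlet, so no Connect-AzAccount is needed.
$ErrorActionPreference = "Stop"

Function Get-Fingerprint {
   # Lower-case hex SHA-256 of a string; run this locally on your dummy values
   # to fill in $Expected below.
   param([Parameter(Mandatory = $true)][string]$Value)
   $sha = [System.Security.Cryptography.SHA256]::Create()
   try {
      $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Value))
      return ([System.BitConverter]::ToString($hash)).Replace("-", "").ToLower()
   }
   finally {
      $sha.Dispose()
   }
}

# Constructed placeholders: replace with Get-Fingerprint output for the dummy
# my-api-username and my-api-secret values you put in the variable group.
$Expected = @{
   "api-user-name"     = "<SHA256-HEX-OF-DUMMY-USERNAME>"
   "api-user-password" = "<SHA256-HEX-OF-DUMMY-PASSWORD>"
}

$failed = $false
foreach ($name in $Expected.Keys) {
   try {
      $actual = Get-AutomationVariable -Name $name
   }
   catch {
      Write-Output "FAIL ${name}: variable could not be read ($($_.Exception.Message))"
      $failed = $true
      continue
   }
   if ([string]::IsNullOrEmpty($actual)) {
      Write-Output "FAIL ${name}: variable is empty"
      $failed = $true
   }
   elseif ((Get-Fingerprint -Value ([string]$actual)) -eq $Expected[$name]) {
      Write-Output "OK   ${name}: value matches the expected dummy fingerprint"
   }
   else {
      Write-Output "FAIL ${name}: value does not match the expected dummy fingerprint"
      $failed = $true
   }
}
if ($failed) { throw "One or more Automation variables did not pass the check" }
```

Get-Fingerprint uses only .NET, so you can run it in a local PowerShell session against the dummy values to produce the hashes for $Expected before publishing the runbook.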
