AzureAzure Securityazurerm_key_vaultPro

How to Import an Azure Key Vault into Terraform

To import an existing Azure Key Vault into Terraform, scan it with Terraback and run terraback azure import --method bulk. Terraback writes the matching azurerm_key_vault resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the full resource ID (.../providers/Microsoft.KeyVault/vaults/<name>).

Import Azure Key Vault with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the Azure Security resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Azure Key Vault to managed Terraform.

1

Scan your Azure account

terraback scan all azure --subscription-id YOUR_ID
2

Generate import blocks and import into state

terraback azure import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = azurerm_key_vault.app
  id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv"
}

Example azurerm_key_vault configuration

Here is a realistic Azure Key Vault block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "azurerm_key_vault" "app" {
  name                = "prod-kv"
  resource_group_name = "prod-rg"
  location            = "eastus"
  tenant_id           = "00000000-0000-0000-0000-000000000000"
  sku_name            = "standard"
}

Gotchas when importing a Azure Key Vault

  • Secrets, keys, and certificates inside the vault are separate resources and are not imported with the vault.
  • Access policies can be inline or separate azurerm_key_vault_access_policy resources; mixing the two causes drift.
  • If the vault uses RBAC (enable_rbac_authorization = true), do not declare access_policy blocks.
  • purge_protection_enabled cannot be disabled once it is turned on.

Doing it manually with terraform import

The native approach is to write the azurerm_key_vault block by hand, then run terraform import azurerm_key_vault.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole Azure account in minutes

Terraback scans 80+ Azure resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.