Is it possible to use Terraform and an Azure Key Vault Firewall without having to specify my IP address every time I want to make a change?
Solution 1:
If you have the Key Vault firewall enabled then any machine that needs to talk to it will need to be allowed in that firewall, it would be a pretty terrible firewall if that was not the case. There are a few ways you can work with this:
- Add your machines IP into the firewall permanently, maybe as part of your Terraform deployment
- Run your Terraform Pipelines from another machine, like a build agent, and allow this IP. Moving to using CI/CD tools for your Terraform is going to be beneficial in may other ways too
- As above, use a build agent, but instead of using adding it's external IP to the KV firewall, use private endpoints to allow access over the private network. This requires the machine to be in Azure, or connected to Azure over VPN/ExpressRoute