Azure Key Vault 
Azure Key Vault is a cloud service for securely storing and accessing secrets. It provides a centralized cloud service for storing application secrets, such as passwords, connection strings, and certificates. Azure Key Vault helps to safeguard cryptographic keys and secrets used by cloud applications and services.
Prerequisites 
- An Azure account with an active subscription.
- OpenTofu installed on your local machine.
In the next section, we will learn how to provision an Azure Key Vault using OpenTofu.
Provisioning Azure Key Vault 
The hcl code below provisions an Azure Key Vault using OpenTofu:
hcl
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "vault" {
  name = "vault-${var.environment}"
  resource_group_name = azurerm_resource_group.default.name
  location = azurerm_resource_group.default.location
  tenant_id = data.azurerm_client_config.current.tenant_id
  sku_name = "standard"
  enabled_for_deployment = true
  enable_rbac_authorization = false
  enabled_for_template_deployment = true
  
  tags = {
    environment = "stage"
    associated_cluster = azurerm_kubernetes_cluster.default_aks.name
  }
  lifecycle {
    ignore_changes = [
      access_policy
    ]
  }
}
resource "azurerm_key_vault_access_policy" "vault_owner_policy" {
  key_vault_id = azurerm_key_vault.vault.id
  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id
  key_permissions = [
    "Backup",
    "Create",
    "Decrypt",
    "Delete",
    "Encrypt",
    "Get",
    "Import",
    "List",
    "Purge",
    "Recover",
    "Restore",
    "Sign",
    "UnwrapKey",
    "Update",
    "Verify",
    "WrapKey",
    "Release",
    "Rotate",
    "GetRotationPolicy",
    "SetRotationPolicy"
  ]
  secret_permissions = [
    "Get",
    "List",
    "Set",
    "Delete",
    "Backup",
    "Restore",
    "Recover",
  ]
}
resource "azurerm_key_vault_key" "vault_seal_key" {
  name = "vault-seal-key"
  key_vault_id = azurerm_key_vault.vault.id
  key_type = "RSA"
  key_size = 4096
  key_opts = [
    "wrapKey",
    "unwrapKey"
  ]
  depends_on = [
    azurerm_key_vault_access_policy.vault_owner_policy
  ]
}The code above provisions an Azure Key Vault with the following configurations:
- The name of the Azure Key Vault is vault-${var.environment}.
- The SKU name is standard.
- The Azure Key Vault is enabled for deployment and template deployment.
- The access policy is set to the current user.
- The key vault access policy is set to the current user.
- A key named vault-seal-keyis created with the key typeRSAand key size4096. The key is enabled forwrapKeyandunwrapKeyoperations.
All the available configuration options can be found from the providers documentation.