The documentation from HashiCorp is great! If you use Terraform from your shell, the docs will save you a lot of time, but eventually you will want to run Terraform in your pipelines, and that is where things change, for the better. In this article we show how to skip the steps of creating an Azure Key Vault, setting permissions, and uploading secrets or certificates to use later. Since we are using Azure DevOps pipelines, we can use the secure file download task to get our certificate onto the agent and, in our case, upload it directly to the App Service. The best part is that making it simpler does not compromise security.

I. Upload your cert to Azure DevOps as a secure file

Under Pipelines, go to Library, click the Secure files tab and upload your certificate. Once uploaded, the file cannot be downloaded again and its contents are not readable.

II. Add a step in your pipeline to download the file

Click the + and search for the “Download secure file” task, then add it. Under Secure file, select the certificate or other secure file to download.

The contents of the secure files are encrypted and can only be used when you consume them from a task. Secure files are a protected resource. You can add approvals and checks to them and set pipeline permissions.

https://docs.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops

III. Consume the secure file

To open the certificate you need its password, so we create a placeholder variable that lets us pass the password in from the Azure DevOps pipeline. The pfx blob argument reads the local file that the previous step downloaded. The file is deleted after each run so it is not left behind on the agent.

IV. Use the secure file in your pipeline

Add the variable to the pipeline variables and click the lock icon to mark it as a secret; you can also source it from Azure Key Vault.

Pass it in the Terraform task's additional command arguments.
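Putting steps III and IV together, here is what the Terraform side can look like. This is an added example, not the article's own code: the step name `appCert`, the pipeline variable `certPassword`, the resource group name and the Terraform variable names are assumptions.

```hcl
# Added example (not from the article). Assumes the "Download secure file" step is
# named `appCert` and the locked pipeline variable holding the PFX password is `certPassword`.
#
# Additional command arguments on the Terraform task:
#   -var="cert_path=$(appCert.secureFilePath)" -var="cert_password=$(certPassword)"

terraform {
  required_version = ">= 0.14" # `sensitive` on variables needs 0.14 or later
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Local path of the .pfx the DownloadSecureFile task placed on the agent.
# The task exposes it as $(<stepName>.secureFilePath) and removes it when the job ends.
variable "cert_path" {
  type        = string
  description = "Path to the downloaded .pfx on the build agent"
}

# Placeholder for the PFX password; the value comes from the locked pipeline variable.
variable "cert_password" {
  type        = string
  description = "Password protecting the .pfx"
  sensitive   = true # keeps the value out of plan/apply output and CLI diagnostics
}

# Existing resource group (assumed name) that hosts the App Service.
data "azurerm_resource_group" "app" {
  name = "rg-webapp-prod" # assumption
}

# Upload the certificate straight from the agent; no Key Vault round trip needed.
resource "azurerm_app_service_certificate" "app" {
  name                = "webapp-tls-cert" # assumption
  resource_group_name = data.azurerm_resource_group.app.name
  location            = data.azurerm_resource_group.app.location
  pfx_blob            = filebase64(var.cert_path) # the API expects the PFX base64-encoded
  password            = var.cert_password
}
```

Because the pipeline's service connection already authenticates Terraform, the same service principal performs the upload and no extra Key Vault access policy is required.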

After this you can download the certificate as a secure file from Azure DevOps to the agent, and from the agent run Terraform to upload the certificate, without having to create a vault, grant permissions to your current user, upload the certificate and then consume it. Your Azure DevOps pipeline is already configured with the service principal (SPN) that grants access, so you can use it for this step without adding extra permissions. When it is time to renew, simply replace the secure file and the password.