Helm charts managed through Terraform to deploy an Azure SecretProviderClass on AKS

Introduction

In this article we will see how to benefit from the advantages of two infrastructure and template management solutions: Helm charts and Terraform.

In order to make the exercise challenging and to prove that the use of these two features works well, I deliberately chose to use the SecretProviderClass because it is a complex Kubernetes resource type to model.

For more details on the SecretProviderClass, please consult the following article that points out how to create a SecretProviderClass using user-assigned identity to access your key vault.

All the code used in this article is available here on GitHub: JamesDLD/terraform-azurerm_kubernetes-helm-chart-SecretProviderClass

Prerequisite

Access to an existing Azure Kubernetes Service (AKS) cluster.
You already have configured the Azure Key Vault provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster.

Terraform providers & authentication

The trick here is to retrieve the Kubernetes certificate from the azurerm_kubernetes_cluster resource and pass it to the helm provider.

# - # - Providers # - provider "azurerm" { subscription_id = var.subscription_id features {} } provider "helm" { kubernetes { host = data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.host client_certificate = base64decode(data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.client_certificate) client_key = base64decode(data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.client_key) cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.cluster_ca_certificate) } } # - # - Azure Kubernetes Service cluster # - data "azurerm_kubernetes_cluster" "aks" { name = var.aks_cluster.name resource_group_name = var.aks_cluster.resource_group_name }

Terraform Helm release

In this section we highlight the following tips:

Use Helm values files.
Pass parameters from Terraform to the Helm chart through the “set” function.
Dynamically retrieve the Azure Tenant ID from Terraform and pass it to the Helm chart.

variable "helm_release" { description = "A Release is an instance of a chart running in a Kubernetes cluster. https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release" default = { demo = { chart_path = "/charts/SecretProviderClass" values_paths = [ "/charts/SecretProviderClass/values.yaml", "/charts/SecretProviderClass/values-demo.yaml" ] set = [ { name = "tenantId" #Will calculated, see the below code }, { name = "userAssignedIdentityID" value = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" #Application ID of the managed identity "azurekeyvaultsecretsprovider-<AKS Cluster Name>" }, { name = "keyvaultName" value = "xxxxxxxxxxxx" } ] } } } data "azurerm_client_config" "current" {} # - # - Helm charts # - resource "helm_release" "helm_release" { for_each = var.helm_release name = lookup(each.value, "name", each.key) chart = "${path.module}${each.value.chart_path}" values = lookup(each.value, "values_paths", null) == null ? null : [for x in each.value.values_paths : file(format("%s%s", path.module, x))] recreate_pods = lookup(each.value, "recreate_pods", null) dynamic "set" { for_each = lookup(each.value, "set", []) content { name = set.value.name value = lookup(set.value, "name", null) == "tenantId" ? data.azurerm_client_config.current.tenant_id : set.value.value type = lookup(set.value, "type", null) } } }

Helm chart template

The following manifest file manages the Kubernetes SecretProviderClass object and was designed using the following requirements:

Ability to create multiple SecretProviderClass Kubernetes objects using the range action.
Use in order of preference the values provided by the current “range” (file “value-demo.yaml”), then the default values (file “value.yaml”) then those provided by Terraform (“set” function).

# Reference: Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver # Chapter: Use a user-assigned managed identity https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access?WT.mc_id=AZ-MVP-5003548#use-a-user-assigned-managed-identity {{- range $key, $value := .Values.secrets }} apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: {{ $value.name }} namespace: {{ $value.namespace }} spec: provider: azure parameters: {{ if $value.usePodIdentity }} usePodIdentity: "{{ $value.usePodIdentity }}" {{ else }} usePodIdentity: "{{ $.Values.usePodIdentity }}" {{ end }} {{ if $value.useVMManagedIdentity }} useVMManagedIdentity: "{{ $value.useVMManagedIdentity }}" {{ else }} useVMManagedIdentity: "{{ $.Values.useVMManagedIdentity }}" {{ end }} userAssignedIdentityID: {{ $.Values.userAssignedIdentityID }} {{ if $value.keyvaultName }} keyvaultName: {{ $value.keyvaultName }} {{ else }} keyvaultName: {{ $.Values.keyvaultName }} {{ end }} objects: | {{- $value.parameters.objects | nindent 6 }} tenantId: {{ $.Values.tenantId }} {{ if $value.secretObjects }} secretObjects: {{ $value.secretObjects | toYaml | nindent 2 -}} {{ end }} --- {{- end }}

Terraform plan

What’s interesting here with Terraform is that we can see the planned changes and we can pass Terraform known information like the Azure Tenant ID and core parameters like the target Azure Key Vault.

Conclusion

Using Terraform and Helm charts will help you reap the benefits of both worlds:

Make full use of your teams’ skills.
Pass calculated values from your cloud provider without writing them in your code.
Manage planned changes that new git commits plan to do before applying them in production.

See You in the Cloud

Jamesdld

Published on: April 02, 2024

Learn more

Azure Developer Community Blog articles

Announcing Azure MCP Server 1.0.0 Stable Release – A New Era for Agentic Workflows

Today marks a major milestone for agentic development on Azure: the stable release of the Azure MCP Server 1.0! The post Announcing Azure MCP ...

1 day ago

From Backup to Discovery: Veeam’s Search Engine Powered by Azure Cosmos DB

This article was co-authored by Zack Rossman, Staff Software Engineer, Veeam; Ashlie Martinez, Staff Software Engineer, Veeam; and James Nguye...

2 days ago

Powering the Enterprise AI Factory with NVIDIA Run:ai on Azure

2 days ago

Azure SDK Release (October 2025)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (October 2025)...

2 days ago

Microsoft Copilot (Microsoft 365): [Copilot Extensibility] No-Code Publishing for Azure AI Foundry Agents to Microsoft 365 Copilot Agent Store

Developers can now publish Azure AI Foundry Agents directly to the Microsoft 365 Copilot Agent Store with a simplified, no-code experience. Pr...

3 days ago

Blog image

Azure Developer Community Blog articles

Learn more

Helm charts managed through Terraform to deploy an Azure SecretProviderClass on AKS

Introduction

Prerequisite

Terraform providers & authentication

Terraform Helm release

Helm chart template

Terraform plan

Conclusion

Related posts

Announcing Azure MCP Server 1.0.0 Stable Release – A New Era for Agentic Workflows

From Backup to Discovery: Veeam’s Search Engine Powered by Azure Cosmos DB

Powering the Enterprise AI Factory with NVIDIA Run:ai on Azure

Azure SDK Release (October 2025)

Microsoft Copilot (Microsoft 365): [Copilot Extensibility] No-Code Publishing for Azure AI Foundry Agents to Microsoft 365 Copilot Agent Store

Azure Marketplace and AppSource: A Unified AI Apps and Agents Marketplace

Episode 413 – Simplifying Azure Files with a new file share-centric management model

Bringing Context to Copilot: Azure Cosmos DB Best Practices, Right in Your VS Code Workspace

Build an AI Agentic RAG search application with React, SQL Azure and Azure Static Web Apps

Announcing latest Azure Cosmos DB Python SDK: Powering the Future of AI with OpenAI