
Data Source: azurermKeyVaultCertificate

Use this data source to access information about an existing Key Vault Certificate.

~> Note: All arguments including the secret value will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Look up the existing Key Vault so its ID can be passed to the certificate data source.
const dataAzurermKeyVaultExample =
  new azurerm.dataAzurermKeyVault.DataAzurermKeyVault(this, "example", {
    name: "examplekv",
    resourceGroupName: "some-resource-group",
  });
// Read the certificate named "secret-sauce"; no version is given, so the latest version is returned.
const dataAzurermKeyVaultCertificateExample =
  new azurerm.dataAzurermKeyVaultCertificate.DataAzurermKeyVaultCertificate(
    this,
    "example_1",
    {
      keyVaultId: dataAzurermKeyVaultExample.id,
      name: "secret-sauce",
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAzurermKeyVaultCertificateExample.overrideLogicalId("example");
new cdktf.TerraformOutput(this, "certificate_thumbprint", {
  value: dataAzurermKeyVaultCertificateExample.thumbprint,
});

Argument Reference

The following arguments are supported:

  • name - Specifies the name of the Key Vault Certificate.

  • keyVaultId - Specifies the ID of the Key Vault instance where the Secret resides, available on the azurermKeyVault Data Source / Resource.

  • version - (Optional) Specifies the version of the certificate to look up. (Defaults to latest)

NOTE: The vault must be in the same subscription as the provider. If the vault is in another subscription, you must create an aliased provider for that subscription.

Attributes Reference

The following attributes are exported:

  • id - The Key Vault Certificate ID.

  • name - Specifies the name of the Key Vault Certificate.

  • secretId - The ID of the associated Key Vault Secret.

  • version - The current version of the Key Vault Certificate.

  • versionlessId - The Base ID of the Key Vault Certificate.

  • versionlessSecretId - The Base ID of the Key Vault Secret.

  • certificateData - The raw Key Vault Certificate data represented as a hexadecimal string.

  • certificateDataBase64 - The raw Key Vault Certificate data represented as a base64 string.

  • thumbprint - The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.

  • certificatePolicy - A certificatePolicy block as defined below.

  • expires - Expiry date of certificate in RFC3339 format.

  • notBefore - Not Before date of certificate in RFC3339 format.

  • tags - A mapping of tags assigned to the resource.


certificatePolicy exports the following:

  • issuerParameters - An issuerParameters block as defined below.
  • keyProperties - A keyProperties block as defined below.
  • lifetimeAction - A lifetimeAction block as defined below.
  • secretProperties - A secretProperties block as defined below.
  • x509CertificateProperties - An x509CertificateProperties block as defined below.

issuerParameters exports the following:

  • name - The name of the Certificate Issuer.

keyProperties exports the following:

  • exportable - Is this Certificate Exportable?
  • keySize - The size of the Key used in the Certificate.
  • keyType - Specifies the Type of Key, for example rsa.
  • reuseKey - Is the key reusable?

lifetimeAction exports the following:

  • action - An action block as defined below.
  • trigger - A trigger block as defined below.

action exports the following:

  • actionType - The Type of action to be performed when the lifetime trigger is triggered.

trigger exports the following:

  • daysBeforeExpiry - The number of days before the Certificate expires that the action associated with this Trigger should run.
  • lifetimePercentage - The percentage of the Certificate's Lifetime at which the action associated with this Trigger should run.

secretProperties exports the following:

  • contentType - The Content-Type of the Certificate, for example application/x-pkcs12 for a PFX or application/x-pem-file for a PEM.

x509CertificateProperties exports the following:

  • extendedKeyUsage - A list of Extended/Enhanced Key Usages.
  • keyUsage - A list of uses associated with this Key.
  • subject - The Certificate's Subject.
  • subjectAlternativeNames - A subjectAlternativeNames block as defined below.
  • validityInMonths - The Certificate's Validity Period in Months.

subjectAlternativeNames exports the following:

  • dnsNames - A list of alternative DNS names (FQDNs) identified by the Certificate.
  • emails - A list of email addresses identified by this Certificate.
  • upns - A list of User Principal Names identified by the Certificate.
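As an added example (not part of this documentation or of the azurerm provider's code), a TypeScript check that validates what the data source returned before it is used elsewhere in a stack: it confirms that certificateData, certificateDataBase64 and thumbprint describe the same DER certificate, and that notBefore and expires leave enough validity, using a threshold such as the policy's daysBeforeExpiry. It assumes the thumbprint is the SHA-1 digest of the DER bytes; the function and interface names are hypothetical, and the sample is constructed (its "certificate" bytes are just the string "abc").

```typescript
import * as crypto from "crypto";
// Attributes of this data source that the check reads (names as exported on this page).
export interface KeyVaultCertificateOutputs {
  certificateData: string;       // DER certificate as a hex string
  certificateDataBase64: string; // the same DER bytes as base64
  thumbprint: string;            // X509 thumbprint as a hex string
  notBefore: string;             // RFC3339
  expires: string;               // RFC3339
}

// Check that the three encodings agree and that the certificate is inside its validity window,
// flagging it when fewer than warnDays remain (e.g. the policy's trigger daysBeforeExpiry).
export function checkKeyVaultCertificate(c: KeyVaultCertificateOutputs, now: Date, warnDays: number):
  { ok: boolean; problems: string[]; daysUntilExpiry: number } {
  const problems: string[] = [];
  const der = Buffer.from(c.certificateData, "hex");
  // Buffer.from silently truncates at the first non-hex character, so round-trip it.
  if (der.length === 0 || der.toString("hex") !== c.certificateData.toLowerCase()) {
    problems.push("certificateData is not a valid hex string");
  }
  if (der.toString("base64") !== c.certificateDataBase64) {
    problems.push("certificateDataBase64 does not match certificateData");
  }
  // Assumption: Key Vault's X509 thumbprint is the SHA-1 digest of the DER bytes.
  const sha1 = crypto.createHash("sha1").update(der).digest("hex").toUpperCase();
  if (sha1 !== c.thumbprint.toUpperCase()) {
    problems.push(`thumbprint ${c.thumbprint} is not the SHA-1 of certificateData (${sha1})`);
  }
  const notBefore = new Date(c.notBefore);
  const expires = new Date(c.expires);
  const daysUntilExpiry = Math.floor((expires.getTime() - now.getTime()) / 86400000);
  if (isNaN(notBefore.getTime()) || isNaN(expires.getTime())) {
    problems.push("notBefore/expires are not valid RFC3339 timestamps");
  } else if (now < notBefore) {
    problems.push("certificate is not yet valid");
  } else if (now >= expires) {
    problems.push("certificate has expired");
  } else if (daysUntilExpiry < warnDays) {
    problems.push(`certificate expires in ${daysUntilExpiry} days, below the ${warnDays}-day threshold`);
  }
  return { ok: problems.length === 0, problems, daysUntilExpiry };
}
// Constructed sample (not a real certificate): the "DER" bytes are the ASCII string "abc".
export const sampleOutputs: KeyVaultCertificateOutputs = {
  certificateData: "616263",
  certificateDataBase64: "YWJj",
  thumbprint: "A9993E364706816ABA3E25717850C26C9CD0D89D",
  notBefore: "2024-01-01T00:00:00Z",
  expires: "2025-01-01T00:00:00Z",
};
```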

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • read - (Defaults to 30 minutes) Used when retrieving the Key Vault Certificate.