azurermCdnFrontdoorSecret

Manages a Front Door (standard/premium) Secret.

Required Key Vault Permissions

!>IMPORTANT: You must add an accessPolicy to your azurermKeyVault for the Object ID of the Microsoft.AzureFrontDoor-Cdn Enterprise Application, otherwise Front Door cannot read the certificate from the vault.

The service principal for that application can be created by running an Az PowerShell command like this (the all-zero GUID is a placeholder for the application ID):

New-AzADServicePrincipal -ApplicationId "00000000-0000-0000-0000-000000000000"

Object ID                      Key Permissions   Secret Permissions   Certificate Permissions
Microsoft.Azure.Cdn Object ID  -                 Get                  -
Your Personal AAD Object ID    -                 Get and List         Get, List, Purge and Recover
Terraform Service Principal    -                 Get                  Get, Import, Delete and Purge

->NOTE: You only need to add the accessPolicy for your personal AAD Object ID if you are planning to view the secrets via the Azure Portal.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
import * as azuread from "./.gen/providers/azuread";
/*Property names below use the camelCase form exposed by the generated bindings.
The Front Door profile and the resource group are assumed to be defined elsewhere in the stack.*/

// Object ID of the Front Door / CDN enterprise application that reads the certificate from Key Vault.
const dataAzureadServicePrincipalFrontdoor =
  new azuread.dataAzureadServicePrincipal.DataAzureadServicePrincipal(
    this,
    "frontdoor",
    {
      displayName: "Microsoft.Azure.Cdn",
    }
  );
// Tenant and object ID of the identity running Terraform.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_4",
  {
    accessPolicy: [
      {
        // Front Door only needs to read the secret backing the certificate.
        objectId: dataAzureadServicePrincipalFrontdoor.objectId,
        secretPermissions: ["Get"],
        tenantId: dataAzurermClientConfigCurrent.tenantId,
      },
      {
        // The Terraform identity imports the certificate and removes it on destroy.
        certificatePermissions: ["Get", "Import", "Delete", "Purge"],
        objectId: dataAzurermClientConfigCurrent.objectId,
        secretPermissions: ["Get"],
        tenantId: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    location: "${azurerm_resource_group.example.location}",
    name: "example-keyvault",
    networkAcls: {
      // Deny by default; trusted Azure services (including Front Door) bypass the firewall.
      bypass: "AzureServices",
      defaultAction: "Deny",
      ipRules: ["10.0.0.0/24"],
    },
    resourceGroupName: "${azurerm_resource_group.example.name}",
    skuName: "premium",
    softDeleteRetentionDays: 7,
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultCertificateExample =
  new azurerm.keyVaultCertificate.KeyVaultCertificate(this, "example_1", {
    certificate: {
      contents: '${filebase64("my-certificate.pfx")}',
    },
    keyVaultId: azurermKeyVaultExample.id,
    name: "example-cert",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultCertificateExample.overrideLogicalId("example");
new azurerm.cdnFrontdoorSecret.CdnFrontdoorSecret(this, "example", {
  cdnFrontdoorProfileId: "${azurerm_cdn_frontdoor_profile.test.id}",
  name: "example-customer-managed-secret",
  secret: {
    customerCertificate: {
      keyVaultCertificateId: azurermKeyVaultCertificateExample.id,
    },
  },
});

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this Front Door Secret. Possible values must start with a letter or a number, only contain letters, numbers and hyphens and have a length of between 2 and 260 characters. Changing this forces a new Front Door Secret to be created.

  • cdnFrontdoorProfileId - (Required) The Resource ID of the Front Door Profile. Changing this forces a new Front Door Secret to be created.

  • secret - (Required) A secret block as defined below. Changing this forces a new Front Door Secret to be created.


A secret block supports the following:

  • customerCertificate - (Required) A customerCertificate block as defined below. Changing this forces a new Front Door Secret to be created.

A customerCertificate block supports the following:

  • keyVaultCertificateId - (Required) The ID of the Key Vault certificate resource to use. Changing this forces a new Front Door Secret to be created.

->NOTE: If you would like the Front Door Secret to follow the latest version of the Key Vault Certificate, use the Key Vault Certificate's versionlessId attribute as the value of the keyVaultCertificateId field (e.g. keyVaultCertificateId: azurermKeyVaultCertificateExample.versionlessId). A versioned ID pins one certificate version, and because changing keyVaultCertificateId forces replacement, every rotation would then recreate the Front Door Secret.

  • subjectAlternativeNames - (Computed) One or more subjectAlternativeNames contained within the key vault certificate.
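The following is an added example, not code from the provider's own documentation: a Front Door Secret declared against the certificate's versionlessId so that rotating the certificate in Key Vault does not change keyVaultCertificateId and therefore does not force the secret to be recreated. It assumes the azurerm bindings generated by cdktf get and a KeyVaultCertificate construct like the one in Example Usage; the helper name and the profile reference passed in are placeholders.

```typescript
import { Construct } from "constructs";
import * as azurerm from "./.gen/providers/azurerm";

// Added example (not part of the original page). Assumes `cdktf get` has generated
// the azurerm bindings; `cert` and `profileId` are supplied by the caller.
export function frontDoorSecretTrackingLatestCert(
  scope: Construct,
  cert: azurerm.keyVaultCertificate.KeyVaultCertificate,
  profileId: string
): azurerm.cdnFrontdoorSecret.CdnFrontdoorSecret {
  return new azurerm.cdnFrontdoorSecret.CdnFrontdoorSecret(scope, "rotating", {
    cdnFrontdoorProfileId: profileId,
    name: "example-rotating-secret",
    secret: {
      customerCertificate: {
        // versionlessId carries no version segment, so a new certificate version
        // in Key Vault leaves this value unchanged and the secret is not replaced.
        keyVaultCertificateId: cert.versionlessId,
      },
    },
  });
}
```

Call it from the stack after the certificate construct exists, passing the profile's id (for instance "${azurerm_cdn_frontdoor_profile.test.id}" as in Example Usage). The Key Vault access policy for the Front Door service principal is unchanged: it still only needs Get on secrets.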

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Front Door Secret.

  • cdnFrontdoorProfileName - The name of the Front Door Profile containing this Front Door Secret.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Front Door Secret.
  • read - (Defaults to 5 minutes) Used when retrieving the Front Door Secret.
  • delete - (Defaults to 30 minutes) Used when deleting the Front Door Secret.

Import

Front Door Secrets can be imported using the resourceId, e.g.

terraform import azurerm_cdn_frontdoor_secret.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Cdn/profiles/profile1/secrets/secrets1