azurermCdnFrontdoorSecret
Manages a Front Door (standard/premium) Secret.
Required Key Vault Permissions
!> IMPORTANT: You must add an `access_policy` to your `azurerm_key_vault` for the `Microsoft.AzureFrontDoor-Cdn` Enterprise Application Object ID. This can be created by running an Az PowerShell command like this:

```powershell
New-AzADServicePrincipal -ApplicationId "00000000000000000000000000000000"
```
| Object ID | Key Permissions | Secret Permissions | Certificate Permissions |
|---|---|---|---|
| `Microsoft.Azure.Cdn` Object ID | - | Get | - |
| Your Personal AAD Object ID | - | Get and List | Get, List, Purge and Recover |
| Terraform Service Principal | - | Get | Get, Import, Delete and Purge |
-> NOTE: You only need to add the `access_policy` for your personal AAD Object ID if you are planning to view the secrets via the Azure Portal.
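The permission table above as a pre-apply check, an added example that is not part of the provider documentation: plain TypeScript that inspects the `access_policy` entries of a synthesized `azurerm_key_vault` and flags any principal whose permissions differ from the table. The object IDs and the sample policies are constructed placeholders.

```typescript
// Added example, not part of the provider docs: a least-privilege check over
// the access_policy entries of a synthesized azurerm_key_vault, comparing each
// principal against the permission table above.
interface AccessPolicy {
  object_id: string;
  key_permissions?: string[];
  secret_permissions?: string[];
  certificate_permissions?: string[];
}

interface Expected { key: string[]; secret: string[]; certificate: string[] }

// Permissions the table requires for each principal.
function expectedFor(role: "frontdoor" | "terraform"): Expected {
  return role === "frontdoor"
    ? { key: [], secret: ["Get"], certificate: [] }
    : { key: [], secret: ["Get"], certificate: ["Get", "Import", "Delete", "Purge"] };
}

// Order-insensitive comparison; an absent list counts as empty.
function sameSet(actual: string[] | undefined, want: string[]): boolean {
  const a = [...(actual ?? [])].sort();
  const w = [...want].sort();
  return a.length === w.length && a.every((v, i) => v === w[i]);
}

// Returns findings for objectId: missing, duplicated, under- or over-privileged.
// An empty array means the policy matches the table exactly.
function checkPolicy(policies: AccessPolicy[], objectId: string, want: Expected): string[] {
  const matches = policies.filter((p) => p.object_id === objectId);
  if (matches.length !== 1) {
    return [`expected exactly one access_policy for ${objectId}, found ${matches.length}`];
  }
  const p = matches[0];
  const findings: string[] = [];
  if (!sameSet(p.key_permissions, want.key)) findings.push(`key_permissions drift for ${objectId}`);
  if (!sameSet(p.secret_permissions, want.secret)) findings.push(`secret_permissions drift for ${objectId}`);
  if (!sameSet(p.certificate_permissions, want.certificate)) findings.push(`certificate_permissions drift for ${objectId}`);
  return findings;
}

// Constructed sample (placeholder object IDs): the Front Door entry mirrors the
// example usage; the Terraform entry has drifted and gained List on secrets.
const FRONTDOOR_OID = "00000000-0000-0000-0000-000000000001";
const TERRAFORM_OID = "00000000-0000-0000-0000-000000000002";
const samplePolicies: AccessPolicy[] = [
  { object_id: FRONTDOOR_OID, secret_permissions: ["Get"] },
  { object_id: TERRAFORM_OID, secret_permissions: ["Get", "List"],
    certificate_permissions: ["Purge", "Delete", "Import", "Get"] },
];
```

Run it against the `access_policy` array from `cdktf synth` output before `terraform apply`; any non-empty result is a policy that needs correcting.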
Example Usage
```typescript
/* Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details. */
import { Fn } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";
import * as azuread from "./.gen/providers/azuread";

// Tenant and object ID of the principal running Terraform.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(this, "current", {});

// Enterprise application Front Door uses to read the certificate from Key Vault.
const dataAzureadServicePrincipalFrontdoor =
  new azuread.dataAzureadServicePrincipal.DataAzureadServicePrincipal(this, "frontdoor", {
    displayName: "Microsoft.Azure.Cdn",
  });

const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(this, "example_4", {
  name: "example-keyvault",
  location: "${azurerm_resource_group.example.location}",
  resourceGroupName: "${azurerm_resource_group.example.name}",
  tenantId: dataAzurermClientConfigCurrent.tenantId,
  skuName: "premium",
  softDeleteRetentionDays: 7,
  networkAcls: {
    bypass: "AzureServices",
    defaultAction: "Deny",
    ipRules: ["10.0.0.0/24"],
  },
  accessPolicy: [
    {
      // Front Door only needs to read the secret backing the certificate.
      tenantId: dataAzurermClientConfigCurrent.tenantId,
      objectId: dataAzureadServicePrincipalFrontdoor.objectId,
      secretPermissions: ["Get"],
    },
    {
      // The Terraform principal manages the certificate and reads the secret.
      tenantId: dataAzurermClientConfigCurrent.tenantId,
      objectId: dataAzurermClientConfigCurrent.objectId,
      secretPermissions: ["Get"],
      certificatePermissions: ["Get", "Import", "Delete", "Purge"],
    },
  ],
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
azurermKeyVaultExample.overrideLogicalId("example");

const azurermKeyVaultCertificateExample =
  new azurerm.keyVaultCertificate.KeyVaultCertificate(this, "example_1", {
    name: "example-cert",
    keyVaultId: azurermKeyVaultExample.id,
    certificate: {
      contents: Fn.filebase64("my-certificate.pfx"),
    },
  });
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
azurermKeyVaultCertificateExample.overrideLogicalId("example");

new azurerm.cdnFrontdoorSecret.CdnFrontdoorSecret(this, "example", {
  name: "example-customer-managed-secret",
  cdnFrontdoorProfileId: "${azurerm_cdn_frontdoor_profile.test.id}",
  secret: {
    customerCertificate: {
      keyVaultCertificateId: azurermKeyVaultCertificateExample.id,
    },
  },
});
```
Arguments Reference
The following arguments are supported:

- `name` - (Required) The name which should be used for this Front Door Secret. Possible values must start with a letter or a number, only contain letters, numbers and hyphens and have a length of between 2 and 260 characters. Changing this forces a new Front Door Secret to be created.
- `cdnFrontdoorProfileId` - (Required) The Resource ID of the Front Door Profile. Changing this forces a new Front Door Secret to be created.
- `secret` - (Required) A `secret` block as defined below. Changing this forces a new Front Door Secret to be created.

A `secret` block supports the following:

- `customerCertificate` - (Required) A `customerCertificate` block as defined below. Changing this forces a new Front Door Secret to be created.

A `customerCertificate` block supports the following:

- `keyVaultCertificateId` - (Required) The ID of the Key Vault certificate resource to use. Changing this forces a new Front Door Secret to be created.

-> NOTE: If you would like to use the latest version of the Key Vault Certificate, use the Key Vault Certificate's `versionlessId` attribute as the `keyVaultCertificateId` field's value (e.g. `keyVaultCertificateId = azurermKeyVaultCertificateExample.versionlessId`).

- `subjectAlternativeNames` - (Computed) One or more `subjectAlternativeNames` contained within the key vault certificate.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:

- `id` - The ID of the Front Door Secret.
- `cdnFrontdoorProfileName` - The name of the Front Door Profile containing this Front Door Secret.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 30 minutes) Used when creating the Front Door Secret.
- `read` - (Defaults to 5 minutes) Used when retrieving the Front Door Secret.
- `delete` - (Defaults to 30 minutes) Used when deleting the Front Door Secret.
Import
Front Door Secrets can be imported using the `resourceId`, e.g.