azurermCognitiveAccountCustomerManagedKey

Manages a Customer Managed Key for a Cognitive Services Account.

~> NOTE: A Customer Managed Key can be defined either within the azurermCognitiveAccount resource via its customerManagedKey block or with the standalone azurermCognitiveAccountCustomerManagedKey resource. Use only one of the two for a given account: if both manage the same key binding, each apply tries to revert the other's change and the configuration never converges.

Example Usage

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";

const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West US",
    name: "example-resources",
  }
);
// User Assigned Identity the Cognitive Account uses to reach the Key Vault key.
const azurermUserAssignedIdentityExample =
  new azurerm.userAssignedIdentity.UserAssignedIdentity(this, "example_1", {
    location: azurermResourceGroupExample.location,
    name: "example-identity",
    resourceGroupName: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermUserAssignedIdentityExample.overrideLogicalId("example");
// Principal running Terraform; it administers the vault and the key.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermCognitiveAccountExample =
  new azurerm.cognitiveAccount.CognitiveAccount(this, "example_3", {
    customSubdomainName: "example-account",
    // Both identity types are enabled: `principalId` is only populated when a
    // System Assigned identity exists, so a "UserAssigned"-only account would
    // leave the first Key Vault access policy below with an empty objectId.
    identity: {
      identityIds: [azurermUserAssignedIdentityExample.id],
      type: "SystemAssigned, UserAssigned",
    },
    kind: "Face",
    location: azurermResourceGroupExample.location,
    name: "example-account",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "E0",
  });
// Keep the Terraform resource name "example" (see the note above).
azurermCognitiveAccountExample.overrideLogicalId("example");
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_4",
  {
    accessPolicy: [
      {
        // System Assigned identity of the Cognitive Account. A CMK consumer only
        // needs to read the key and wrap/unwrap the data-encryption key;
        // Create/Delete/Purge are deliberately not granted to it.
        keyPermissions: ["Get", "WrapKey", "UnwrapKey"],
        objectId: azurermCognitiveAccountExample.identity.principalId,
        secretPermissions: ["Get"],
        tenantId: azurermCognitiveAccountExample.identity.tenantId,
      },
      {
        // Principal running Terraform: it creates the key and purges it on
        // destroy, so it needs the wider set.
        keyPermissions: [
          "Get",
          "Create",
          "Delete",
          "List",
          "Restore",
          "Recover",
          "UnwrapKey",
          "WrapKey",
          "Purge",
          "Encrypt",
          "Decrypt",
          "Sign",
          "Verify",
          "GetRotationPolicy",
        ],
        objectId: dataAzurermClientConfigCurrent.objectId,
        secretPermissions: ["Get"],
        tenantId: dataAzurermClientConfigCurrent.tenantId,
      },
      {
        // User Assigned identity referenced by identityClientId further down:
        // same minimal CMK permissions as the System Assigned one.
        keyPermissions: ["Get", "WrapKey", "UnwrapKey"],
        objectId: azurermUserAssignedIdentityExample.principalId,
        secretPermissions: ["Get"],
        tenantId: azurermUserAssignedIdentityExample.tenantId,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "example-vault",
    // Azure requires soft delete and purge protection on a vault that backs
    // customer-managed keys; purge protection cannot be disabled once enabled.
    purgeProtectionEnabled: true,
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "standard",
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
// Keep the Terraform resource name "example" (see the note above).
azurermKeyVaultExample.overrideLogicalId("example");
// The key's keyVaultId reference makes Terraform create the vault (and its
// access policies) before the key, and the key before the CMK binding below.
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
  this,
  "example_5",
  {
    keyOpts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
    keySize: 2048,
    keyType: "RSA",
    keyVaultId: azurermKeyVaultExample.id,
    name: "example-key",
  }
);
// Keep the Terraform resource name "example" (see the note above).
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermCognitiveAccountCustomerManagedKeyExample =
  new azurerm.cognitiveAccountCustomerManagedKey.CognitiveAccountCustomerManagedKey(
    this,
    "example_6",
    {
      cognitiveAccountId: azurermCognitiveAccountExample.id,
      // Required here because the account carries more than one identity.
      identityClientId: azurermUserAssignedIdentityExample.clientId,
      keyVaultKeyId: azurermKeyVaultKeyExample.id,
    }
  );
// Keep the Terraform resource name "example" (see the note above).
azurermCognitiveAccountCustomerManagedKeyExample.overrideLogicalId("example");
```
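After apply it is worth confirming that the account actually reports the Key Vault key and identity that Terraform was given, and that the identity's access policy was not left with more than it needs. The following is an added example, not code from the provider or its documentation: it takes the `properties.encryption` object of the account (as returned by `az cognitiveservices account show -n example-account -g example-resources`) and compares it with the versioned key ID that `azurermKeyVaultKeyExample.id` exports. The interface shape, the sample `properties.encryption` object and the GUIDs are constructed for the example; the minimum permission set (Get, WrapKey, UnwrapKey) is what a customer-managed-key identity needs on the key.

```typescript
// Added verification example (not part of the azurerm provider or its docs).
// Feed checkCustomerManagedKey() the `properties.encryption` object of the
// account after apply; a non-empty result means the CMK is not in force as declared.

// Subset of the Microsoft.CognitiveServices/accounts encryption block used here (assumed shape).
interface KeyVaultProperties {
  keyName?: string;
  keyVersion?: string;
  keyVaultUri?: string;
  identityClientId?: string;
}
interface CognitiveAccountEncryption {
  keySource: string; // "Microsoft.CognitiveServices" (platform key) or "Microsoft.KeyVault" (CMK)
  keyVaultProperties?: KeyVaultProperties;
}
interface KeyVaultKeyRef {
  vaultUri: string;
  keyName: string;
  keyVersion: string;
}

// Split a versioned Key Vault key ID (the value of azurerm_key_vault_key.id,
// https://<vault>.vault.azure.net/keys/<name>/<version>) into its parts.
function parseKeyVaultKeyId(keyId: string): KeyVaultKeyRef {
  const m = /^(https:\/\/[^/]+)\/keys\/([^/]+)\/([^/]+)\/?$/i.exec(keyId);
  if (!m) {
    throw new Error(`not a versioned Key Vault key ID: ${keyId}`);
  }
  return { vaultUri: `${m[1]}/`, keyName: m[2], keyVersion: m[3] };
}

// Compare what the service reports with what Terraform was told and return the
// list of mismatches. An empty list means the customer-managed key is in force.
function checkCustomerManagedKey(
  enc: CognitiveAccountEncryption | undefined,
  expectedKeyId: string,
  expectedIdentityClientId?: string
): string[] {
  const problems: string[] = [];
  if (!enc || enc.keySource !== "Microsoft.KeyVault") {
    problems.push(`keySource is ${enc ? enc.keySource : "unset"}, expected Microsoft.KeyVault`);
    return problems; // still on the platform-managed key; nothing else to compare
  }
  const want = parseKeyVaultKeyId(expectedKeyId);
  const got: KeyVaultProperties = enc.keyVaultProperties ?? {};
  // Vault URIs and client IDs are case-insensitive; ignore a trailing slash too.
  const norm = (s?: string) => (s ?? "").replace(/\/+$/, "").toLowerCase();
  if (norm(got.keyVaultUri) !== norm(want.vaultUri)) {
    problems.push(`keyVaultUri ${got.keyVaultUri} != ${want.vaultUri}`);
  }
  if (got.keyName !== want.keyName) {
    problems.push(`keyName ${got.keyName} != ${want.keyName}`);
  }
  // The version is part of the configured key ID, so compare it as well.
  if (got.keyVersion !== want.keyVersion) {
    problems.push(`keyVersion ${got.keyVersion} != ${want.keyVersion}`);
  }
  if (expectedIdentityClientId && norm(got.identityClientId) !== norm(expectedIdentityClientId)) {
    problems.push(`identityClientId ${got.identityClientId} != ${expectedIdentityClientId}`);
  }
  return problems;
}

// Minimum Key Vault key permissions a CMK identity needs: read the key and
// wrap/unwrap the data-encryption key. Anything beyond this is excess privilege.
const CMK_MIN_KEY_PERMISSIONS = ["Get", "WrapKey", "UnwrapKey"];

// Return the permissions in an access policy's key_permissions that the CMK identity does not need.
function excessKeyPermissions(granted: string[]): string[] {
  const allowed = new Set(CMK_MIN_KEY_PERMISSIONS.map((p) => p.toLowerCase()));
  return granted.filter((p) => !allowed.has(p.toLowerCase()));
}

// Constructed sample of a healthy account's `properties.encryption` (not real output).
const sampleEncryption: CognitiveAccountEncryption = {
  keySource: "Microsoft.KeyVault",
  keyVaultProperties: {
    keyName: "example-key",
    keyVersion: "0123456789abcdef0123456789abcdef",
    keyVaultUri: "https://example-vault.vault.azure.net/",
    identityClientId: "11111111-1111-1111-1111-111111111111",
  },
};
// Constructed value standing in for azurermKeyVaultKeyExample.id.
const sampleKeyId =
  "https://example-vault.vault.azure.net/keys/example-key/0123456789abcdef0123456789abcdef";

console.log(checkCustomerManagedKey(sampleEncryption, sampleKeyId, "11111111-1111-1111-1111-111111111111"));
console.log(excessKeyPermissions(["Get", "Create", "WrapKey", "UnwrapKey", "Purge"]));
```

Run `checkCustomerManagedKey` against the live account in a post-apply step; when the CMK resource and the inline customerManagedKey block both touch the same account (the note at the top of this page), this check is also what surfaces the binding flapping between applies.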

Arguments Reference

The following arguments are supported:

  • cognitiveAccountId - (Required) The ID of the Cognitive Account. Changing this forces a new resource to be created.

  • keyVaultKeyId - (Required) The ID of the Key Vault Key which should be used to Encrypt the data in this Cognitive Account.

  • identityClientId - (Optional) The Client ID of the User Assigned Identity that has access to the key. This property only needs to be specified when more than one identity is attached to the Cognitive Account (for example a System Assigned identity alongside a User Assigned one), since the service otherwise cannot tell which identity to use for the key.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Cognitive Account.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Cognitive Account Customer Managed Key.
  • read - (Defaults to 5 minutes) Used when retrieving the Cognitive Account Customer Managed Key.
  • update - (Defaults to 30 minutes) Used when updating the Cognitive Account Customer Managed Key.
  • delete - (Defaults to 30 minutes) Used when deleting the Cognitive Account Customer Managed Key.

Import

Customer Managed Keys for a Cognitive Account can be imported using the resource ID of the Cognitive Account (the key binding has no separate ID of its own), e.g.

terraform import azurerm_cognitive_account_customer_managed_key.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.CognitiveServices/accounts/account1