azurermEventhubNamespaceCustomerManagedKey

Manages a Customer Managed Key for an EventHub Namespace.

!> Note: In 2.x versions of the Azure Provider, deleting this resource deletes and recreates the parent EventHub Namespace, which may involve data loss, because it is not possible to remove the Customer Managed Key from an EventHub Namespace once it has been added. Version 3.0 of the Azure Provider changes this so that the Delete operation is a no-op, and removing the Customer Managed Key then requires that the parent EventHub Namespace be deleted and recreated.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
/*The current client config supplies the tenant and the deploying principal's object ID.*/
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermEventhubClusterExample =
  new azurerm.eventhubCluster.EventhubCluster(this, "example_2", {
    location: azurermResourceGroupExample.location,
    name: "example-cluster",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "Dedicated_1",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call (here and below) if you don't need them to match.*/
azurermEventhubClusterExample.overrideLogicalId("example");
/*The namespace gets a system-assigned managed identity; Key Vault access for the key is granted to that identity below.*/
const azurermEventhubNamespaceExample =
  new azurerm.eventhubNamespace.EventhubNamespace(this, "example_3", {
    dedicatedClusterId: azurermEventhubClusterExample.id,
    identity: {
      type: "SystemAssigned",
    },
    location: azurermResourceGroupExample.location,
    name: "example-namespace",
    resourceGroupName: azurermResourceGroupExample.name,
    sku: "Standard",
  });
azurermEventhubNamespaceExample.overrideLogicalId("example");
/*Purge protection keeps the key recoverable; a vault that backs a Customer Managed Key must have it enabled.*/
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_4",
  {
    location: azurermResourceGroupExample.location,
    name: "examplekv",
    purgeProtectionEnabled: true,
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "standard",
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
azurermKeyVaultExample.overrideLogicalId("example");
/*The namespace identity only needs to read and wrap/unwrap the key.*/
const azurermKeyVaultAccessPolicyExample =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example_5", {
    keyPermissions: ["Get", "UnwrapKey", "WrapKey"],
    keyVaultId: azurermKeyVaultExample.id,
    objectId: azurermEventhubNamespaceExample.identity.principalId,
    tenantId: azurermEventhubNamespaceExample.identity.tenantId,
  });
azurermKeyVaultAccessPolicyExample.overrideLogicalId("example");
/*The deploying principal needs broader permissions to create and manage the key itself.*/
const azurermKeyVaultAccessPolicyExample2 =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example2", {
    keyPermissions: [
      "Create",
      "Delete",
      "Get",
      "List",
      "Purge",
      "Recover",
      "GetRotationPolicy",
    ],
    keyVaultId: azurermKeyVaultExample.id,
    objectId: dataAzurermClientConfigCurrent.objectId,
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  });
/*The key can only be created once both access policies exist, hence the explicit dependency.*/
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
  this,
  "example_7",
  {
    dependsOn: [azurermKeyVaultAccessPolicyExample, azurermKeyVaultAccessPolicyExample2],
    keyOpts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
    keySize: 2048,
    keyType: "RSA",
    keyVaultId: azurermKeyVaultExample.id,
    name: "examplekvkey",
  }
);
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermEventhubNamespaceCustomerManagedKeyExample =
  new azurerm.eventhubNamespaceCustomerManagedKey.EventhubNamespaceCustomerManagedKey(
    this,
    "example_8",
    {
      eventhubNamespaceId: azurermEventhubNamespaceExample.id,
      keyVaultKeyIds: [azurermKeyVaultKeyExample.id],
    }
  );
azurermEventhubNamespaceCustomerManagedKeyExample.overrideLogicalId("example");
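As an added example (not part of the provider docs or the azurerm project), the following lint runs over the Terraform JSON that `cdktf synth` writes to `cdk.tf.json` for a stack like the one above and flags the two settings that matter most for a Customer Managed Key: a vault without purge protection and a namespace identity granted more than wrap/unwrap on the key. Resource type and attribute names are the provider's HCL names; the two sample documents are constructed excerpts, not real synth output.

```typescript
type Attrs = Record<string, unknown>;
interface TfJson { resource: Record<string, Record<string, Attrs>> }

// The namespace identity only needs to read and wrap/unwrap the key; anything more is excess.
const MINIMAL_CMK_PERMS = new Set(["Get", "UnwrapKey", "WrapKey"]);

function checkCmkConfig(cfg: TfJson): string[] {
  const findings: string[] = [];
  const entries = (t: string): [string, Attrs][] => Object.entries(cfg.resource[t] ?? {});
  // 1. Purge protection: without it a purged key leaves the namespace data unrecoverable.
  for (const [n, v] of entries("azurerm_key_vault")) {
    if (v["purge_protection_enabled"] !== true)
      findings.push(`azurerm_key_vault.${n}: purge_protection_enabled is not true`);
  }
  // 2. Least privilege: a policy bound to a namespace identity gets only Get/UnwrapKey/WrapKey.
  for (const [n, p] of entries("azurerm_key_vault_access_policy")) {
    if (!String(p["object_id"] ?? "").includes("azurerm_eventhub_namespace.")) continue;
    const excess = ((p["key_permissions"] as string[]) ?? []).filter((x) => !MINIMAL_CMK_PERMS.has(x));
    if (excess.length > 0)
      findings.push(`azurerm_key_vault_access_policy.${n}: excess key permissions ${excess.join(", ")}`);
  }
  // 3. Every CMK resource must reference at least one key.
  for (const [n, c] of entries("azurerm_eventhub_namespace_customer_managed_key")) {
    if (((c["key_vault_key_ids"] as unknown[]) ?? []).length === 0)
      findings.push(`azurerm_eventhub_namespace_customer_managed_key.${n}: key_vault_key_ids is empty`);
  }
  return findings;
}

// Constructed samples (not real synth output), mirroring the stack above.
const NS_IDENTITY = "${azurerm_eventhub_namespace.example.identity[0].principal_id}";
const SAMPLE_GOOD: TfJson = { resource: {
  azurerm_key_vault: { example: { name: "examplekv", purge_protection_enabled: true } },
  azurerm_key_vault_access_policy: {
    example: { key_permissions: ["Get", "UnwrapKey", "WrapKey"], object_id: NS_IDENTITY },
    example2: { key_permissions: ["Create", "Delete", "Get", "List", "Purge", "Recover", "GetRotationPolicy"],
      object_id: "${data.azurerm_client_config.current.object_id}" },
  },
  azurerm_eventhub_namespace_customer_managed_key: {
    example: { key_vault_key_ids: ["${azurerm_key_vault_key.example.id}"] } },
} };
// Weak variant: purge protection off and the namespace identity over-privileged.
const SAMPLE_WEAK: TfJson = { resource: {
  ...SAMPLE_GOOD.resource,
  azurerm_key_vault: { example: { name: "examplekv", purge_protection_enabled: false } },
  azurerm_key_vault_access_policy: {
    example: { key_permissions: ["Get", "UnwrapKey", "WrapKey", "Delete", "Purge"], object_id: NS_IDENTITY } },
} };
```

`checkCmkConfig(SAMPLE_GOOD)` returns no findings, while `checkCmkConfig(SAMPLE_WEAK)` reports the disabled purge protection and the excess `Delete, Purge` permissions.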

Arguments Reference

The following arguments are supported:

  • eventhubNamespaceId - (Required) The ID of the EventHub Namespace. Changing this forces a new resource to be created.

  • keyVaultKeyIds - (Required) The list of IDs of the Key Vault Keys to use.

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the EventHub Namespace.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the EventHub Namespace Customer Managed Key.
  • read - (Defaults to 5 minutes) Used when retrieving the EventHub Namespace Customer Managed Key.
  • update - (Defaults to 30 minutes) Used when updating the EventHub Namespace Customer Managed Key.
  • delete - (Defaults to 30 minutes) Used when deleting the EventHub Namespace Customer Managed Key.

Import

Customer Managed Keys for an EventHub Namespace can be imported using the resourceId, e.g.

terraform import azurerm_eventhub_namespace_customer_managed_key.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.EventHub/namespaces/namespace1