azurermKeyVault
Manages a Key Vault.
Disclaimers
~> Note: It's possible to define Key Vault Access Policies both within the azurermKeyVault resource via the accessPolicy block and by using the azurermKeyVaultAccessPolicy resource. However, it's not possible to use both methods to manage Access Policies within a Key Vault, since there will be conflicts.
~> Note: It's possible to define Key Vault Certificate Contacts both within the azurermKeyVault resource via the contact block and by using the azurermKeyVaultCertificateContacts resource. However, it's not possible to use both methods to manage Certificate Contacts within a Key Vault, since there will be conflicts.
~> Note: Terraform will automatically recover a soft-deleted Key Vault during creation if one is found; you can opt out of this using the features block within the provider block.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// Attribute names use the camelCase form of the generated TypeScript bindings.
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [
    {
      keyVault: [
        {
          purgeSoftDeleteOnDestroy: true,
          recoverSoftDeletedKeyVaults: true,
        },
      ],
    },
  ],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
// The current client configuration supplies the tenant and object IDs for the access policy.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    accessPolicy: [
      {
        keyPermissions: ["Get"],
        objectId: dataAzurermClientConfigCurrent.objectId,
        secretPermissions: ["Get"],
        storagePermissions: ["Get"],
        tenantId: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    enabledForDiskEncryption: true,
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    purgeProtectionEnabled: false,
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "standard",
    softDeleteRetentionDays: 7,
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
- name - (Required) Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.
- location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- resourceGroupName - (Required) The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- skuName - (Required) The Name of the SKU used for this Key Vault. Possible values are standard and premium.
- tenantId - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- accessPolicy - (Optional) A list of up to 1024 objects describing access policies, as described below.
-> Note: Since accessPolicy can be configured both inline and via the separate azurermKeyVaultAccessPolicy resource, it has to be explicitly set to an empty list ([]) to remove it.
- enabledForDeployment - (Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
- enabledForDiskEncryption - (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
- enabledForTemplateDeployment - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
- enableRbacAuthorization - (Optional) Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
- networkAcls - (Optional) A networkAcls block as defined below.
- purgeProtectionEnabled - (Optional) Is Purge Protection enabled for this Key Vault?
!> Note: Once Purge Protection has been enabled it's not possible to disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days; this will be configurable in Terraform in the future).
- publicNetworkAccessEnabled - (Optional) Whether public network access is allowed for this Key Vault. Defaults to true.
- softDeleteRetentionDays - (Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.
~> Note: This field can only be configured one time and cannot be updated.
- contact - (Optional) One or more contact blocks as defined below.
~> Note: This field can only be set once the user has the managecontacts certificate permission.
- tags - (Optional) A mapping of tags to assign to the resource.
An accessPolicy block supports the following:
- tenantId - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the tenantId used above.
- objectId - (Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- applicationId - (Optional) The object ID of an Application in Azure Active Directory.
- certificatePermissions - (Optional) List of certificate permissions, must be one or more from the following: backup, create, delete, deleteIssuers, get, getIssuers, import, list, listIssuers, manageContacts, manageIssuers, purge, recover, restore, setIssuers and update.
- keyPermissions - (Optional) List of key permissions. Possible values are backup, create, decrypt, delete, encrypt, get, import, list, purge, recover, restore, sign, unwrapKey, update, verify, wrapKey, release, rotate, getRotationPolicy and setRotationPolicy.
- secretPermissions - (Optional) List of secret permissions, must be one or more from the following: backup, delete, get, list, purge, recover, restore and set.
- storagePermissions - (Optional) List of storage permissions, must be one or more from the following: backup, delete, deleteSas, get, getSas, list, listSas, purge, recover, regenerateKey, restore, set, setSas and update.
A networkAcls block supports the following:
- bypass - (Required) Specifies which traffic can bypass the network rules. Possible values are azureServices and none.
- defaultAction - (Required) The Default Action to use when no rules match from ipRules / virtualNetworkSubnetIds. Possible values are allow and deny.
- ipRules - (Optional) One or more IP Addresses, or CIDR Blocks, which should be able to access the Key Vault.
- virtualNetworkSubnetIds - (Optional) One or more Subnet IDs which should be able to access this Key Vault.
A contact block supports the following:
- email - (Required) E-mail address of the contact.
- name - (Optional) Name of the contact.
- phone - (Optional) Phone number of the contact.
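The disclaimers, the purgeProtectionEnabled and softDeleteRetentionDays notes, and the networkAcls block above each describe a setting whose weak value is easy to ship unnoticed. The following is an added example, not code from the provider docs or the CDKTF project: a pre-synth audit that takes a plain object shaped like the azurermKeyVault arguments (so it needs no cdktf import) and returns one finding per weak setting. The three sample configurations, the tenant and object IDs and the auditKeyVault function are all constructed for this example; the first sample mirrors the Example Usage above.

```typescript
// Added example: audits a Key Vault argument object for the weak settings the
// docs above warn about. Plain objects only, no cdktf import required.

interface AccessPolicy {
  tenantId: string;
  objectId: string;
  applicationId?: string;
  keyPermissions?: string[];
  secretPermissions?: string[];
  certificatePermissions?: string[];
  storagePermissions?: string[];
}

interface NetworkAcls {
  bypass: string;        // azureServices or none
  defaultAction: string; // allow or deny
  ipRules?: string[];
  virtualNetworkSubnetIds?: string[];
}

interface KeyVaultArgs {
  name: string;
  location: string;
  resourceGroupName: string;
  skuName: string;
  tenantId: string;
  accessPolicy?: AccessPolicy[];
  enableRbacAuthorization?: boolean;
  purgeProtectionEnabled?: boolean;
  publicNetworkAccessEnabled?: boolean;
  softDeleteRetentionDays?: number;
  networkAcls?: NetworkAcls;
}

// Returns one finding per weak setting; an empty array means every check passed.
// Values are compared case-insensitively because the docs list them in
// camelCase (deny, purge) while HCL uses Deny, Purge.
function auditKeyVault(kv: KeyVaultArgs): string[] {
  const findings: string[] = [];

  // Without purge protection, soft-deleted vaults or items can be purged
  // before the retention window ends, so soft delete no longer guarantees recovery.
  if (kv.purgeProtectionEnabled !== true) {
    findings.push("purgeProtectionEnabled is not true: soft-deleted items can be purged early");
  }

  // softDeleteRetentionDays defaults to 90 and can only be set at creation time.
  const days = kv.softDeleteRetentionDays ?? 90;
  if (days < 90) {
    findings.push(`softDeleteRetentionDays is ${days}: shorter than the 90-day default`);
  }

  // publicNetworkAccessEnabled defaults to true; unless a network rule set
  // denies by default, the data plane then accepts requests from any network.
  const publicAccess = kv.publicNetworkAccessEnabled ?? true;
  const acls = kv.networkAcls;
  const denyByDefault = acls !== undefined && acls.defaultAction.toLowerCase() === "deny";
  if (publicAccess && !denyByDefault) {
    findings.push("public network access is enabled and networkAcls.defaultAction is not deny");
  }
  for (const rule of acls?.ipRules ?? []) {
    // A /0 prefix re-opens the vault to every address even with defaultAction deny.
    if (/\/0$/.test(rule.trim())) {
      findings.push(`networkAcls.ipRules entry "${rule}" matches every IPv4 address`);
    }
  }

  // Access policies are not consulted once RBAC authorization is enabled, so
  // inline entries then describe access that is not actually granted.
  if (kv.enableRbacAuthorization === true && (kv.accessPolicy ?? []).length > 0) {
    findings.push("enableRbacAuthorization is true but accessPolicy entries are present");
  }

  // The purge permission lets a principal destroy soft-deleted items immediately.
  for (const p of kv.accessPolicy ?? []) {
    const granted = [
      ...(p.keyPermissions ?? []), ...(p.secretPermissions ?? []),
      ...(p.certificatePermissions ?? []), ...(p.storagePermissions ?? []),
    ];
    if (granted.some((perm) => perm.toLowerCase() === "purge")) {
      findings.push(`access policy for ${p.objectId} grants purge: soft-deleted items can be destroyed early`);
    }
  }
  return findings;
}

// Constructed placeholder IDs for the samples below.
const TENANT = "00000000-0000-0000-0000-000000000000";
const OBJECT = "11111111-1111-1111-1111-111111111111";

// Mirrors the Example Usage above: fine for a lab, weak for production.
const EXAMPLE_VAULT: KeyVaultArgs = {
  name: "examplekeyvault", location: "West Europe", resourceGroupName: "example-resources",
  skuName: "standard", tenantId: TENANT,
  accessPolicy: [{ tenantId: TENANT, objectId: OBJECT, keyPermissions: ["get"],
                   secretPermissions: ["get"], storagePermissions: ["get"] }],
  purgeProtectionEnabled: false,
  softDeleteRetentionDays: 7,
};

// Hardened variant: RBAC for data actions, accessPolicy set to [] (the note above:
// an explicit empty list is what removes inline policies), private access only.
const HARDENED_VAULT: KeyVaultArgs = {
  ...EXAMPLE_VAULT,
  accessPolicy: [],
  enableRbacAuthorization: true,
  purgeProtectionEnabled: true,
  publicNetworkAccessEnabled: false,
  softDeleteRetentionDays: 90,
  networkAcls: { bypass: "azureServices", defaultAction: "deny",
                 ipRules: ["203.0.113.0/24"], virtualNetworkSubnetIds: [] },
};

// Looks restricted but is not: allow by default, a /0 rule, and a purge grant.
const PERMISSIVE_VAULT: KeyVaultArgs = {
  ...HARDENED_VAULT,
  enableRbacAuthorization: false,
  publicNetworkAccessEnabled: true,
  accessPolicy: [{ tenantId: TENANT, objectId: OBJECT, keyPermissions: ["get", "purge"] }],
  networkAcls: { bypass: "none", defaultAction: "allow", ipRules: ["0.0.0.0/0"] },
};

console.log(auditKeyVault(EXAMPLE_VAULT));
```

Run this before synth (for instance from a unit test in the CDKTF project) against the same argument object you pass to new azurerm.keyVault.KeyVault; the example vault yields three findings (no purge protection, a 7-day retention window, and public access with no deny rule), the hardened one none.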
Attributes Reference
The following attributes are exported:
- id - The ID of the Key Vault.
- vaultUri - The URI of the Key Vault, used for performing operations on keys and secrets.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the Key Vault.
- update - (Defaults to 30 minutes) Used when updating the Key Vault.
- read - (Defaults to 5 minutes) Used when retrieving the Key Vault.
- delete - (Defaults to 30 minutes) Used when deleting the Key Vault.
Import
Key Vaults can be imported using the resourceId, e.g.