
azurermKeyVaultCertificate

Manages a Key Vault Certificate.

~> Note: the Azure Provider includes a Feature Toggle which will purge a Key Vault Certificate resource on destroy, rather than the default soft-delete. See purgeSoftDeletedCertificatesOnDestroy for more information.

Example Usage (Importing a PFX)

~> Note: this example assumes the PFX file is in the same directory, at certificate-to-import.pfx.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [
    {
      key_vault: [
        {
          purge_soft_deleted_certificates_on_destroy: true,
          recover_soft_deleted_certificates: true,
        },
      ],
    },
  ],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    access_policy: [
      {
        certificate_permissions: [
          "Create",
          "Delete",
          "DeleteIssuers",
          "Get",
          "GetIssuers",
          "Import",
          "List",
          "ListIssuers",
          "ManageContacts",
          "ManageIssuers",
          "SetIssuers",
          "Update",
        ],
        key_permissions: [
          "Backup",
          "Create",
          "Decrypt",
          "Delete",
          "Encrypt",
          "Get",
          "Import",
          "List",
          "Purge",
          "Recover",
          "Restore",
          "Sign",
          "UnwrapKey",
          "Update",
          "Verify",
          "WrapKey",
        ],
        object_id: dataAzurermClientConfigCurrent.objectId,
        secret_permissions: [
          "Backup",
          "Delete",
          "Get",
          "List",
          "Purge",
          "Recover",
          "Restore",
          "Set",
        ],
        tenant_id: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "premium",
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultCertificateExample =
  new azurerm.keyVaultCertificate.KeyVaultCertificate(this, "example_4", {
    certificate: [
      {
        contents: '${filebase64("certificate-to-import.pfx")}',
        password: "",
      },
    ],
    key_vault_id: azurermKeyVaultExample.id,
    name: "imported-cert",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultCertificateExample.overrideLogicalId("example");

Example Usage (Generating a new certificate)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_2",
  {
    access_policy: [
      {
        certificate_permissions: [
          "Create",
          "Delete",
          "DeleteIssuers",
          "Get",
          "GetIssuers",
          "Import",
          "List",
          "ListIssuers",
          "ManageContacts",
          "ManageIssuers",
          "Purge",
          "SetIssuers",
          "Update",
        ],
        key_permissions: [
          "Backup",
          "Create",
          "Decrypt",
          "Delete",
          "Encrypt",
          "Get",
          "Import",
          "List",
          "Purge",
          "Recover",
          "Restore",
          "Sign",
          "UnwrapKey",
          "Update",
          "Verify",
          "WrapKey",
        ],
        object_id: dataAzurermClientConfigCurrent.objectId,
        secret_permissions: [
          "Backup",
          "Delete",
          "Get",
          "List",
          "Purge",
          "Recover",
          "Restore",
          "Set",
        ],
        tenant_id: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "standard",
    soft_delete_retention_days: 7,
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultCertificateExample =
  new azurerm.keyVaultCertificate.KeyVaultCertificate(this, "example_3", {
    certificate_policy: [
      {
        issuer_parameters: [
          {
            name: "Self",
          },
        ],
        key_properties: [
          {
            exportable: true,
            key_size: 2048,
            key_type: "RSA",
            reuse_key: true,
          },
        ],
        lifetime_action: [
          {
            action: [
              {
                action_type: "AutoRenew",
              },
            ],
            trigger: [
              {
                days_before_expiry: 30,
              },
            ],
          },
        ],
        secret_properties: [
          {
            content_type: "application/x-pkcs12",
          },
        ],
        x509_certificate_properties: [
          {
            extended_key_usage: ["1.3.6.1.5.5.7.3.1"],
            key_usage: [
              "cRLSign",
              "dataEncipherment",
              "digitalSignature",
              "keyAgreement",
              "keyCertSign",
              "keyEncipherment",
            ],
            subject: "CN=hello-world",
            subject_alternative_names: [
              {
                dns_names: ["internal.contoso.com", "domain.hello.world"],
              },
            ],
            validity_in_months: 12,
          },
        ],
      },
    ],
    key_vault_id: azurermKeyVaultExample.id,
    name: "generated-cert",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultCertificateExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.

  • keyVaultId - (Required) The ID of the Key Vault where the Certificate should be created. Changing this forces a new resource to be created.

  • certificate - (Optional) A certificate block as defined below, used to Import an existing certificate.

  • certificatePolicy - (Optional) A certificatePolicy block as defined below. Changing this forces a new resource to be created.

~> NOTE: When creating a Key Vault Certificate, at least one of certificate or certificatePolicy is required. Provide certificate to import an existing certificate, certificatePolicy to generate a new certificate.

  • tags - (Optional) A mapping of tags to assign to the resource.

The certificate block supports the following:

  • contents - (Required) The base64-encoded certificate contents.
  • password - (Optional) The password associated with the certificate.

The certificatePolicy block supports the following:

  • issuerParameters - (Required) An issuerParameters block as defined below.
  • keyProperties - (Required) A keyProperties block as defined below.
  • lifetimeAction - (Optional) A lifetimeAction block as defined below.
  • secretProperties - (Required) A secretProperties block as defined below.
  • x509CertificateProperties - (Optional) An x509CertificateProperties block as defined below. Required when the certificate block is not specified.

The issuerParameters block supports the following:

  • name - (Required) The name of the Certificate Issuer. Possible values include Self (for a self-signed certificate) or Unknown (for a certificate issuing authority such as Let's Encrypt, or one of the authorities Azure supports directly). Changing this forces a new resource to be created.

The keyProperties block supports the following:

  • curve - (Optional) Specifies the curve to use when creating an EC key. Possible values are P-256, P-256K, P-384, and P-521. This field will be required in a future release if keyType is EC or EC-HSM. Changing this forces a new resource to be created.
  • exportable - (Required) Is this certificate exportable? Changing this forces a new resource to be created.
  • keySize - (Optional) The size of the key used in the certificate. Possible values include 2048, 3072, and 4096 for RSA keys, or 256, 384, and 521 for EC keys. This property is required when using RSA keys. Changing this forces a new resource to be created.
  • keyType - (Required) Specifies the type of key. Possible values are EC, EC-HSM, RSA, RSA-HSM and oct. Changing this forces a new resource to be created.
  • reuseKey - (Required) Is the key reusable? Changing this forces a new resource to be created.

The lifetimeAction block supports the following:

  • action - (Required) An action block as defined below.
  • trigger - (Required) A trigger block as defined below.

The action block supports the following:

  • actionType - (Required) The type of action to be performed when the lifetime trigger fires. Possible values include AutoRenew and EmailContacts. Changing this forces a new resource to be created.

The trigger block supports the following:

  • daysBeforeExpiry - (Optional) The number of days before the Certificate expires at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with lifetimePercentage.
  • lifetimePercentage - (Optional) The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with daysBeforeExpiry.

The secretProperties block supports the following:

  • contentType - (Required) The Content-Type of the Certificate, such as application/x-pkcs12 for a PFX or application/x-pem-file for a PEM. Changing this forces a new resource to be created.

The x509CertificateProperties block supports the following:

  • extendedKeyUsage - (Optional) A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.
  • keyUsage - (Required) A list of uses associated with this Key. Possible values include cRLSign, dataEncipherment, decipherOnly, digitalSignature, encipherOnly, keyAgreement, keyCertSign, keyEncipherment and nonRepudiation; they are case-sensitive. Changing this forces a new resource to be created.
  • subject - (Required) The Certificate's Subject. Changing this forces a new resource to be created.
  • subjectAlternativeNames - (Optional) A subjectAlternativeNames block as defined below. Changing this forces a new resource to be created.
  • validityInMonths - (Required) The Certificate's validity period in months. Changing this forces a new resource to be created.

The subjectAlternativeNames block supports the following:

  • dnsNames - (Optional) A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.
  • emails - (Optional) A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.
  • upns - (Optional) A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.
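As an added example (not part of the provider documentation or its generated bindings), the following standalone TypeScript check takes a certificatePolicy shaped like the blocks described above and reports the settings a reviewer would flag: an exportable or reused private key, an undersized RSA key, a missing or contradictory lifetimeAction, miscased keyUsage values, long validity, and CA-only key usages on a serverAuth leaf. The interface, thresholds and the CA-usage rule are assumptions; the sample mirrors the generated-cert policy from the example above.

```typescript
// Added lint (not provider code): checks a certificatePolicy shaped like the blocks above; thresholds are assumptions.
interface CertificatePolicy {
  issuerParameters: { name: string };
  keyProperties: { keyType: string; keySize?: number; curve?: string; exportable: boolean; reuseKey: boolean };
  lifetimeAction?: { action: { actionType: string }; trigger: { daysBeforeExpiry?: number; lifetimePercentage?: number } };
  secretProperties: { contentType: string };
  x509CertificateProperties?: { subject: string; keyUsage: string[]; extendedKeyUsage?: string[]; validityInMonths: number };
}
// Case-sensitive keyUsage values listed in the reference above.
const KEY_USAGES = new Set(["cRLSign", "dataEncipherment", "decipherOnly", "digitalSignature",
  "encipherOnly", "keyAgreement", "keyCertSign", "keyEncipherment", "nonRepudiation"]);
const SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth, the EKU used in the page's example

function lintCertificatePolicy(p: CertificatePolicy): string[] {
  const findings: string[] = [];
  const k = p.keyProperties;
  if (k.exportable) findings.push("exportable=true: the private key can be downloaded from the vault");
  if (k.reuseKey) findings.push("reuseKey=true: renewals keep the same private key instead of rotating it");
  if (k.keyType === "RSA" || k.keyType === "RSA-HSM") {
    if (k.keySize === undefined) findings.push("keySize is required for RSA keys");
    else if (k.keySize < 2048) findings.push(`keySize ${k.keySize} is below 2048`);
  }
  const la = p.lifetimeAction;
  if (!la) {
    findings.push("no lifetimeAction: nothing renews or warns before expiry");
  } else {
    const t = la.trigger;
    // The two trigger fields conflict, and one of them must be present for the action to ever run.
    if ((t.daysBeforeExpiry === undefined) === (t.lifetimePercentage === undefined))
      findings.push("trigger must set exactly one of daysBeforeExpiry or lifetimePercentage");
    if (!["AutoRenew", "EmailContacts"].includes(la.action.actionType))
      findings.push(`actionType ${la.action.actionType} is not AutoRenew or EmailContacts`);
  }
  const x = p.x509CertificateProperties;
  if (x) {
    for (const u of x.keyUsage) if (!KEY_USAGES.has(u)) findings.push(`keyUsage ${u} is not a valid case-sensitive value`);
    if (x.validityInMonths > 12) findings.push(`validityInMonths ${x.validityInMonths} exceeds the 12-month threshold`);
    if (x.extendedKeyUsage?.includes(SERVER_AUTH_EKU) && x.keyUsage.some((u) => u === "keyCertSign" || u === "cRLSign"))
      findings.push("keyCertSign/cRLSign on a serverAuth certificate: CA-only usages on a leaf");
  }
  return findings;
}
// Constructed sample mirroring the page's "generated-cert" policy above.
const SAMPLE_POLICY: CertificatePolicy = {
  issuerParameters: { name: "Self" },
  keyProperties: { keyType: "RSA", keySize: 2048, exportable: true, reuseKey: true },
  lifetimeAction: { action: { actionType: "AutoRenew" }, trigger: { daysBeforeExpiry: 30 } },
  secretProperties: { contentType: "application/x-pkcs12" },
  x509CertificateProperties: { subject: "CN=hello-world", extendedKeyUsage: [SERVER_AUTH_EKU], validityInMonths: 12,
    keyUsage: ["cRLSign", "dataEncipherment", "digitalSignature", "keyAgreement", "keyCertSign", "keyEncipherment"] },
};
```

Run against SAMPLE_POLICY the check reports three findings (exportable key, reused key, CA usages on a serverAuth leaf); setting exportable and reuseKey to false and trimming keyUsage to digitalSignature and keyEncipherment clears them.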

Attributes Reference

The following attributes are exported:

  • id - The Key Vault Certificate ID.
  • secretId - The ID of the associated Key Vault Secret.
  • version - The current version of the Key Vault Certificate.
  • versionlessId - The Base ID of the Key Vault Certificate.
  • versionlessSecretId - The Base ID of the Key Vault Secret.
  • certificateData - The raw Key Vault Certificate data represented as a hexadecimal string.
  • certificateDataBase64 - The Base64 encoded Key Vault Certificate data.
  • thumbprint - The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.
  • certificateAttribute - A certificateAttribute block as defined below.

A certificateAttribute block exports the following:

  • created - The creation time of the Key Vault Certificate.
  • enabled - Whether the Key Vault Certificate is enabled.
  • expires - The expiry time of the Key Vault Certificate.
  • notBefore - The not-before time of the Key Vault Certificate.
  • recoveryLevel - The deletion recovery level of the Key Vault Certificate.
  • updated - The most recent update time of the Key Vault Certificate.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Key Vault Certificate.
  • update - (Defaults to 30 minutes) Used when updating the Key Vault Certificate.
  • read - (Defaults to 30 minutes) Used when retrieving the Key Vault Certificate.
  • delete - (Defaults to 30 minutes) Used when deleting the Key Vault Certificate.

Import

Key Vault Certificates can be imported using the resource ID, e.g.

terraform import azurerm_key_vault_certificate.example "https://example-keyvault.vault.azure.net/certificates/example/fdf067c93bbb4b22bff4d8b7a9a56217"