azurermKeyVaultCertificate
Manages a Key Vault Certificate.
~> Note: the Azure Provider includes a Feature Toggle which will purge a Key Vault Certificate resource on destroy, rather than the default soft-delete. See `purgeSoftDeletedCertificatesOnDestroy` for more information.
Example Usage (Importing a PFX)
~> Note: this example assumes the PFX file `certificate-to-import.pfx` is located in the same directory.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
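// Provider feature toggles used by this example: destroying the certificate
// purges it instead of leaving a soft-deleted copy, and re-creating a
// certificate whose name matches a soft-deleted one recovers it.
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [
    {
      key_vault: [
        {
          purge_soft_deleted_certificates_on_destroy: true,
          recover_soft_deleted_certificates: true,
        },
      ],
    },
  ],
});

const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);

// Identity running Terraform; its object id and tenant id are granted the
// access policy on the vault below.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );

const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    access_policy: [
      {
        certificate_permissions: [
          "Create",
          "Delete",
          "DeleteIssuers",
          "Get",
          "GetIssuers",
          "Import",
          "List",
          "ListIssuers",
          "ManageContacts",
          "ManageIssuers",
          // Purge is required because purge_soft_deleted_certificates_on_destroy
          // is enabled in the provider features above; without it the purge
          // step of a destroy cannot succeed.
          "Purge",
          "SetIssuers",
          "Update",
        ],
        key_permissions: [
          "Backup",
          "Create",
          "Decrypt",
          "Delete",
          "Encrypt",
          "Get",
          "Import",
          "List",
          "Purge",
          "Recover",
          "Restore",
          "Sign",
          "UnwrapKey",
          "Update",
          "Verify",
          "WrapKey",
        ],
        object_id: dataAzurermClientConfigCurrent.objectId,
        secret_permissions: [
          "Backup",
          "Delete",
          "Get",
          "List",
          "Purge",
          "Recover",
          "Restore",
          "Set",
        ],
        tenant_id: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "premium",
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
// Keeps the Terraform resource name equal to the original HCL name; drop
// the call if that is not required.
azurermKeyVaultExample.overrideLogicalId("example");

const azurermKeyVaultCertificateExample =
  new azurerm.keyVaultCertificate.KeyVaultCertificate(this, "example_4", {
    certificate: [
      {
        // Terraform evaluates filebase64 at plan/apply time; the resulting
        // certificate contents are then recorded in Terraform state, so the
        // state backend must be protected accordingly.
        contents: '${filebase64("certificate-to-import.pfx")}',
        // Empty because the example PFX is not password protected. For a
        // protected PFX, source the password from a variable or secret rather
        // than a literal in the stack.
        password: "",
      },
    ],
    key_vault_id: azurermKeyVaultExample.id,
    name: "imported-cert",
  });
// Keeps the Terraform resource name equal to the original HCL name; drop
// the call if that is not required.
azurermKeyVaultCertificateExample.overrideLogicalId("example");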
Example Usage (Generating a new certificate)
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  { location: "West Europe", name: "example-resources" }
);

// Identity running Terraform; it receives the vault access policy below.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(this, "current", {});

const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(this, "example_2", {
  access_policy: [
    {
      certificate_permissions: [
        "Create",
        "Delete",
        "DeleteIssuers",
        "Get",
        "GetIssuers",
        "Import",
        "List",
        "ListIssuers",
        "ManageContacts",
        "ManageIssuers",
        "Purge",
        "SetIssuers",
        "Update",
      ],
      key_permissions: [
        "Backup",
        "Create",
        "Decrypt",
        "Delete",
        "Encrypt",
        "Get",
        "Import",
        "List",
        "Purge",
        "Recover",
        "Restore",
        "Sign",
        "UnwrapKey",
        "Update",
        "Verify",
        "WrapKey",
      ],
      object_id: dataAzurermClientConfigCurrent.objectId,
      secret_permissions: [
        "Backup",
        "Delete",
        "Get",
        "List",
        "Purge",
        "Recover",
        "Restore",
        "Set",
      ],
      tenant_id: dataAzurermClientConfigCurrent.tenantId,
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "examplekeyvault",
  resource_group_name: azurermResourceGroupExample.name,
  sku_name: "standard",
  // Shortest allowed soft-delete window; a deleted certificate can be
  // recovered for this many days.
  soft_delete_retention_days: 7,
  tenant_id: dataAzurermClientConfigCurrent.tenantId,
});
// Keeps the Terraform resource name equal to the original HCL name; drop
// the call if that is not required.
azurermKeyVaultExample.overrideLogicalId("example");

const azurermKeyVaultCertificateExample =
  new azurerm.keyVaultCertificate.KeyVaultCertificate(this, "example_3", {
    certificate_policy: [
      {
        // "Self" makes Key Vault issue a self-signed certificate.
        issuer_parameters: [{ name: "Self" }],
        key_properties: [
          {
            // NOTE(review): exportable keys can be retrieved from the vault as
            // the backing secret; prefer false unless the private key really
            // has to leave Key Vault.
            exportable: true,
            key_size: 2048,
            key_type: "RSA",
            // NOTE(review): true keeps the same key pair across AutoRenew;
            // false would rotate the key on each renewal.
            reuse_key: true,
          },
        ],
        // Renew automatically 30 days before the certificate expires.
        lifetime_action: [
          {
            action: [{ action_type: "AutoRenew" }],
            trigger: [{ days_before_expiry: 30 }],
          },
        ],
        secret_properties: [{ content_type: "application/x-pkcs12" }],
        x509_certificate_properties: [
          {
            // 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth (TLS server authentication).
            extended_key_usage: ["1.3.6.1.5.5.7.3.1"],
            // NOTE(review): keyCertSign and cRLSign are CA key usages; a
            // self-signed leaf certificate used for server authentication
            // normally does not need them (least privilege).
            key_usage: [
              "cRLSign",
              "dataEncipherment",
              "digitalSignature",
              "keyAgreement",
              "keyCertSign",
              "keyEncipherment",
            ],
            subject: "CN=hello-world",
            subject_alternative_names: [
              { dns_names: ["internal.contoso.com", "domain.hello.world"] },
            ],
            validity_in_months: 12,
          },
        ],
      },
    ],
    key_vault_id: azurermKeyVaultExample.id,
    name: "generated-cert",
  });
// Keeps the Terraform resource name equal to the original HCL name; drop
// the call if that is not required.
azurermKeyVaultCertificateExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
- `name` - (Required) Specifies the name of the Key Vault Certificate. Changing this forces a new resource to be created.
- `keyVaultId` - (Required) The ID of the Key Vault where the Certificate should be created. Changing this forces a new resource to be created.
- `certificate` - (Optional) A `certificate` block as defined below, used to import an existing certificate.
- `certificatePolicy` - (Optional) A `certificatePolicy` block as defined below. Changing this forces a new resource to be created.
~> NOTE: When creating a Key Vault Certificate, at least one of `certificate` or `certificatePolicy` is required. Provide `certificate` to import an existing certificate, or `certificatePolicy` to generate a new certificate.
- `tags` - (Optional) A mapping of tags to assign to the resource.
The `certificate` block supports the following:
- `contents` - (Required) The base64-encoded certificate contents.
- `password` - (Optional) The password associated with the certificate.
The `certificatePolicy` block supports the following:
- `issuerParameters` - (Required) An `issuerParameters` block as defined below.
- `keyProperties` - (Required) A `keyProperties` block as defined below.
- `lifetimeAction` - (Optional) A `lifetimeAction` block as defined below.
- `secretProperties` - (Required) A `secretProperties` block as defined below.
- `x509CertificateProperties` - (Optional) An `x509CertificateProperties` block as defined below. Required when the `certificate` block is not specified.
The `issuerParameters` block supports the following:
- `name` - (Required) The name of the Certificate Issuer. Possible values include `Self` (for a self-signed certificate), or `Unknown` (for a certificate issuing authority like Let's Encrypt and the Azure direct-supported ones). Changing this forces a new resource to be created.
The `keyProperties` block supports the following:
- `curve` - (Optional) Specifies the curve to use when creating an `EC` key. Possible values are `P-256`, `P-256K`, `P-384`, and `P-521`. This field will be required in a future release if `keyType` is `EC` or `EC-HSM`. Changing this forces a new resource to be created.
- `exportable` - (Required) Is this certificate exportable? Changing this forces a new resource to be created.
- `keySize` - (Optional) The size of the key used in the certificate. Possible values include `2048`, `3072`, and `4096` for `RSA` keys, or `256`, `384`, and `521` for `EC` keys. This property is required when using RSA keys. Changing this forces a new resource to be created.
- `keyType` - (Required) Specifies the type of key. Possible values are `EC`, `EC-HSM`, `RSA`, `RSA-HSM` and `oct`. Changing this forces a new resource to be created.
- `reuseKey` - (Required) Is the key reusable? Changing this forces a new resource to be created.
The `lifetimeAction` block supports the following:
- `action` - (Required) An `action` block as defined below.
- `trigger` - (Required) A `trigger` block as defined below.
The `action` block supports the following:
- `actionType` - (Required) The type of action to be performed when the lifetime trigger fires. Possible values include `AutoRenew` and `EmailContacts`. Changing this forces a new resource to be created.
The `trigger` block supports the following:
- `daysBeforeExpiry` - (Optional) The number of days before the Certificate expires at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with `lifetimePercentage`.
- `lifetimePercentage` - (Optional) The percentage of the Certificate's lifetime at which the action associated with this Trigger should run. Changing this forces a new resource to be created. Conflicts with `daysBeforeExpiry`.
The `secretProperties` block supports the following:
- `contentType` - (Required) The Content-Type of the Certificate, such as `application/x-pkcs12` for a PFX or `application/x-pem-file` for a PEM. Changing this forces a new resource to be created.
The `x509CertificateProperties` block supports the following:
- `extendedKeyUsage` - (Optional) A list of Extended/Enhanced Key Usages. Changing this forces a new resource to be created.
- `keyUsage` - (Required) A list of uses associated with this Key. Possible values include `cRLSign`, `dataEncipherment`, `decipherOnly`, `digitalSignature`, `encipherOnly`, `keyAgreement`, `keyCertSign`, `keyEncipherment` and `nonRepudiation`, and are case-sensitive. Changing this forces a new resource to be created.
- `subject` - (Required) The Certificate's Subject. Changing this forces a new resource to be created.
- `subjectAlternativeNames` - (Optional) A `subjectAlternativeNames` block as defined below. Changing this forces a new resource to be created.
- `validityInMonths` - (Required) The Certificate's validity period in months. Changing this forces a new resource to be created.
The `subjectAlternativeNames` block supports the following:
- `dnsNames` - (Optional) A list of alternative DNS names (FQDNs) identified by the Certificate. Changing this forces a new resource to be created.
- `emails` - (Optional) A list of email addresses identified by this Certificate. Changing this forces a new resource to be created.
- `upns` - (Optional) A list of User Principal Names identified by the Certificate. Changing this forces a new resource to be created.
Attributes Reference
The following attributes are exported:
- `id` - The Key Vault Certificate ID.
- `secretId` - The ID of the associated Key Vault Secret.
- `version` - The current version of the Key Vault Certificate.
- `versionlessId` - The Base ID of the Key Vault Certificate.
- `versionlessSecretId` - The Base ID of the Key Vault Secret.
- `certificateData` - The raw Key Vault Certificate data represented as a hexadecimal string.
- `certificateDataBase64` - The Base64-encoded Key Vault Certificate data.
- `thumbprint` - The X509 Thumbprint of the Key Vault Certificate represented as a hexadecimal string.
- `certificateAttribute` - A `certificateAttribute` block as defined below.
A `certificateAttribute` block exports the following:
- `created` - The creation time of the Key Vault Certificate.
- `enabled` - Whether the Key Vault Certificate is enabled.
- `expires` - The expiry time of the Key Vault Certificate.
- `notBefore` - The not-before validity time of the Key Vault Certificate.
- `recoveryLevel` - The deletion recovery level of the Key Vault Certificate.
- `updated` - The most recent update time of the Key Vault Certificate.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 60 minutes) Used when creating the Key Vault Certificate.
- `update` - (Defaults to 30 minutes) Used when updating the Key Vault Certificate.
- `read` - (Defaults to 30 minutes) Used when retrieving the Key Vault Certificate.
- `delete` - (Defaults to 30 minutes) Used when deleting the Key Vault Certificate.
Import
Key Vault Certificates can be imported using the `resourceId`, e.g.