azurermKeyVaultKey

Manages a Key Vault Key.

~> Note: To use this resource, your client should have an RBAC role with the required permissions, such as Key Vault Crypto Officer or Key Vault Administrator, or an assigned Key Vault Access Policy granting the key permissions Create, Delete, Get, Purge, Recover, Update and GetRotationPolicy for keys without a Rotation Policy. Include SetRotationPolicy for keys with a Rotation Policy.

~> Note: the Azure Provider includes a Feature Toggle which will purge a Key Vault Key resource on destroy, rather than the default soft-delete. See purgeSoftDeletedKeysOnDestroy for more information.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*Property names use the camelCase form of the generated CDKTF bindings. Blocks that
Terraform limits to a single item (features, keyVault, rotationPolicy, automatic) are
plain objects rather than one-element arrays.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: {
    keyVault: {
      // Hard-delete keys on destroy instead of leaving a soft-deleted copy behind.
      purgeSoftDeletedKeysOnDestroy: true,
      recoverSoftDeletedKeys: true,
    },
  },
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    accessPolicy: [
      {
        // The deploying identity needs these key permissions to manage the key
        // and its rotation policy (see the note above).
        keyPermissions: [
          "Create",
          "Delete",
          "Get",
          "Purge",
          "Recover",
          "Update",
          "GetRotationPolicy",
          "SetRotationPolicy",
        ],
        objectId: dataAzurermClientConfigCurrent.objectId,
        secretPermissions: ["Set"],
        tenantId: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "premium",
    softDeleteRetentionDays: 7,
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
new azurerm.keyVaultKey.KeyVaultKey(this, "generated", {
  keyOpts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
  keySize: 2048,
  keyType: "RSA",
  keyVaultId: azurermKeyVaultExample.id,
  name: "generated-certificate",
  rotationPolicy: {
    // Each version lives 90 days; rotate 30 days before expiry and notify 29 days before.
    automatic: {
      timeBeforeExpiry: "P30D",
    },
    expireAfter: "P90D",
    notifyBeforeExpiry: "P29D",
  },
});

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.

  • keyVaultId - (Required) The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.

  • keyType - (Required) Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, RSA and RSA-HSM. Changing this forces a new resource to be created.

  • keySize - (Optional) Specifies the size of the RSA key to create, in bits. For example, 1024 or 2048. Note: This field is required if keyType is RSA or RSA-HSM. Changing this forces a new resource to be created.

  • curve - (Optional) Specifies the curve to use when creating an EC key. Possible values are P-256, P-256K, P-384, and P-521. This field will be required in a future release if keyType is EC or EC-HSM. The API will default to P-256 if nothing is specified. Changing this forces a new resource to be created.

  • keyOpts - (Required) A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. Please note these values are case sensitive.

  • notBeforeDate - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

  • expirationDate - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

  • tags - (Optional) A mapping of tags to assign to the resource.

  • rotationPolicy - (Optional) A rotationPolicy block as defined below.


A rotationPolicy block supports the following:

  • expireAfter - (Optional) Expire a Key Vault Key after given duration as an ISO 8601 duration.

  • automatic - (Optional) An automatic block as defined below.

  • notifyBeforeExpiry - (Optional) Notify at a given duration before expiry, as an ISO 8601 duration. Default is P30D.


An automatic block supports the following:

  • timeAfterCreation - (Optional) Rotate automatically at a duration after create as an ISO 8601 duration.

  • timeBeforeExpiry - (Optional) Rotate automatically at a duration before expiry as an ISO 8601 duration.
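The rotationPolicy and automatic arguments above combine three ISO 8601 durations whose interplay is easy to get wrong. The following is an added example, not part of the provider's documentation or the azurerm code: it resolves a policy into the dates on which a key created on a given day would rotate, be notified about, and expire, and flags settings that cannot work (a rotation offset at or past expiry, a notification window no shorter than the lifetime). The interfaces and the one-trigger-per-automatic-block rule are this example's own assumptions; the P30D notify default comes from the argument reference.

```typescript
// Added example, not from the azurerm provider docs: resolve a rotationPolicy's
// ISO 8601 durations into concrete dates and flag self-contradictory settings.
interface Automatic { timeAfterCreation?: string; timeBeforeExpiry?: string }
interface RotationPolicy { expireAfter?: string; notifyBeforeExpiry?: string; automatic?: Automatic }
// Day-granular ISO 8601 durations as Key Vault uses them ("P90D", "P1Y", "P2W").
const ISO_DURATION = /^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$/;

function durationToDays(isoDuration: string): number {
  const m = ISO_DURATION.exec(isoDuration);
  if (!m || isoDuration === "P") throw new Error(`unsupported ISO 8601 duration: ${isoDuration}`);
  const n = (g: string | undefined): number => (g ? Number(g) : 0);
  // Years and months have no fixed length; 365/30 is the planning approximation used here.
  return n(m[1]) * 365 + n(m[2]) * 30 + n(m[3]) * 7 + n(m[4]);
}

// Days after creation at which the key rotates, or undefined when no trigger applies.
function rotationOffsetDays(auto: Automatic, expireDays?: number): number | undefined {
  if (auto.timeAfterCreation) return durationToDays(auto.timeAfterCreation);
  if (auto.timeBeforeExpiry && expireDays !== undefined) return expireDays - durationToDays(auto.timeBeforeExpiry);
  return undefined;
}

// Lifecycle dates (Y-m-d'T'H:M:S'Z', as expirationDate expects) for a key created at `createdAt`.
function rotationSchedule(createdAt: Date, p: RotationPolicy) {
  const at = (days: number) => new Date(createdAt.getTime() + days * 86_400_000).toISOString().replace(/\.\d{3}Z$/, "Z");
  const expire = p.expireAfter ? durationToDays(p.expireAfter) : undefined;
  const rotate = rotationOffsetDays(p.automatic ?? {}, expire);
  return {
    expiresAt: expire === undefined ? undefined : at(expire),
    rotatesAt: rotate === undefined ? undefined : at(rotate),
    // notifyBeforeExpiry defaults to P30D (argument reference above).
    notifiesAt: expire === undefined ? undefined : at(expire - durationToDays(p.notifyBeforeExpiry ?? "P30D")),
  };
}

// Settings Key Vault cannot honour or that defeat the policy's purpose.
function checkRotationPolicy(p: RotationPolicy): string[] {
  const problems: string[] = [];
  const auto: Automatic = p.automatic ?? {};
  // Assumption (not stated on this page): an automatic block takes one trigger, not both.
  if (auto.timeAfterCreation && auto.timeBeforeExpiry) problems.push("automatic: use timeAfterCreation or timeBeforeExpiry, not both");
  if (auto.timeBeforeExpiry && !p.expireAfter) problems.push("automatic.timeBeforeExpiry needs expireAfter to count back from");
  const expire = p.expireAfter ? durationToDays(p.expireAfter) : undefined;
  if (expire === undefined) return problems;
  const rotate = rotationOffsetDays(auto, expire);
  if (rotate !== undefined && (rotate <= 0 || rotate >= expire)) problems.push("rotation must fall strictly between creation and expiry");
  if (durationToDays(p.notifyBeforeExpiry ?? "P30D") >= expire) problems.push("notifyBeforeExpiry is not shorter than expireAfter");
  return problems;
}
```

Run against the page's own policy (P90D / P30D / P29D), the schedule shows rotation 60 days after creation with the expiry notification landing one day later, which is the ordering that configuration actually produces.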

Attributes Reference

The following attributes are exported:

  • id - The Key Vault Key ID.
  • resourceId - The (Versioned) ID for this Key Vault Key. This property points to a specific version of a Key Vault Key, as such using this won't auto-rotate values if used in other Azure Services.
  • resourceVersionlessId - The Versionless ID of the Key Vault Key. This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Key is updated.
  • version - The current version of the Key Vault Key.
  • versionlessId - The Base ID of the Key Vault Key.
  • n - The RSA modulus of this Key Vault Key.
  • e - The RSA public exponent of this Key Vault Key.
  • x - The EC X component of this Key Vault Key.
  • y - The EC Y component of this Key Vault Key.
  • publicKeyPem - The PEM encoded public key of this Key Vault Key.
  • publicKeyOpenssh - The OpenSSH encoded public key of this Key Vault Key.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Key Vault Key.
  • update - (Defaults to 30 minutes) Used when updating the Key Vault Key.
  • read - (Defaults to 30 minutes) Used when retrieving the Key Vault Key.
  • delete - (Defaults to 30 minutes) Used when deleting the Key Vault Key.

Import

A Key Vault Key which is Enabled can be imported using its resourceId, e.g.

terraform import azurerm_key_vault_key.example "https://example-keyvault.vault.azure.net/keys/example/fdf067c93bbb4b22bff4d8b7a9a56217"