azurermKeyVaultKey
Manages a Key Vault Key.
~> Note: To use this resource, your client should have RBAC roles with permissions like `keyVaultCryptoOfficer` or `keyVaultAdministrator`, or an assigned Key Vault Access Policy with the key permissions `create`, `delete`, `get`, `purge`, `recover`, `update` and `getRotationPolicy` for keys without a Rotation Policy. Include `setRotationPolicy` for keys with a Rotation Policy.
~> Note: the Azure Provider includes a Feature Toggle which will purge a Key Vault Key resource on destroy, rather than the default soft-delete. See `purgeSoftDeletedKeysOnDestroy` for more information.
Example Usage
```typescript
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";

/* The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
   For a more precise conversion please use the --provider flag in convert.
   Property names below follow the camelCase bindings that cdktf get generates, and single-instance blocks
   (features, keyVault, rotationPolicy, automatic) are written as objects rather than one-element arrays. */

// Provider feature toggles: recover a soft-deleted key on create, and purge (not just soft-delete) on destroy.
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: {
    keyVault: {
      purgeSoftDeletedKeysOnDestroy: true,
      recoverSoftDeletedKeys: true,
    },
  },
});

const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(this, "example", {
  location: "West Europe",
  name: "example-resources",
});

// The identity running Terraform; its object ID and tenant ID are granted in the access policy below.
const dataAzurermClientConfigCurrent = new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
  this,
  "current",
  {}
);

const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(this, "example_3", {
  accessPolicy: [
    {
      // Every key permission listed in the note above, including the rotation-policy pair.
      keyPermissions: [
        "Create",
        "Delete",
        "Get",
        "Purge",
        "Recover",
        "Update",
        "GetRotationPolicy",
        "SetRotationPolicy",
      ],
      objectId: dataAzurermClientConfigCurrent.objectId,
      secretPermissions: ["Set"],
      tenantId: dataAzurermClientConfigCurrent.tenantId,
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "examplekeyvault",
  resourceGroupName: azurermResourceGroupExample.name,
  skuName: "premium",
  softDeleteRetentionDays: 7,
  tenantId: dataAzurermClientConfigCurrent.tenantId,
});
/* This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match. */
azurermKeyVaultExample.overrideLogicalId("example");

new azurerm.keyVaultKey.KeyVaultKey(this, "generated", {
  keyOpts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
  keySize: 2048,
  keyType: "RSA",
  keyVaultId: azurermKeyVaultExample.id,
  name: "generated-certificate",
  // Rotate 30 days before the 90-day expiry and notify one day earlier.
  rotationPolicy: {
    automatic: {
      timeBeforeExpiry: "P30D",
    },
    expireAfter: "P90D",
    notifyBeforeExpiry: "P29D",
  },
});
```
Argument Reference
The following arguments are supported:
- `name` - (Required) Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.
- `keyVaultId` - (Required) The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.
- `keyType` - (Required) Specifies the Key Type to use for this Key Vault Key. Possible values are `ec` (Elliptic Curve), `ecHsm`, `rsa` and `rsaHsm`. Changing this forces a new resource to be created.
- `keySize` - (Optional) Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if `keyType` is `rsa` or `rsaHsm`. Changing this forces a new resource to be created.
- `curve` - (Optional) Specifies the curve to use when creating an `ec` key. Possible values are `p256`, `p256K`, `p384`, and `p521`. This field will be required in a future release if `keyType` is `ec` or `ecHsm`. The API will default to `p256` if nothing is specified. Changing this forces a new resource to be created.
- `keyOpts` - (Required) A list of JSON web key operations. Possible values include: `decrypt`, `encrypt`, `sign`, `unwrapKey`, `verify` and `wrapKey`. Please note these values are case sensitive.
- `notBeforeDate` - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
- `expirationDate` - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
- `tags` - (Optional) A mapping of tags to assign to the resource.
- `rotationPolicy` - (Optional) A `rotationPolicy` block as defined below.

A `rotationPolicy` block supports the following:
- `expireAfter` - (Optional) Expire a Key Vault Key after the given duration, as an ISO 8601 duration.
- `automatic` - (Optional) An `automatic` block as defined below.
- `notifyBeforeExpiry` - (Optional) Notify at a given duration before expiry, as an ISO 8601 duration. Default is `p30D`.

An `automatic` block supports the following:
- `timeAfterCreation` - (Optional) Rotate automatically at a duration after creation, as an ISO 8601 duration.
- `timeBeforeExpiry` - (Optional) Rotate automatically at a duration before expiry, as an ISO 8601 duration.
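The three durations in a `rotationPolicy` only make sense in a particular order (rotation and notification must fall before expiry, and the `automatic` block needs a trigger), which nothing checks until the API rejects or silently accepts the plan. The following is an added example, not part of the provider documentation: a stand-alone TypeScript check over a plain object with the field names from the reference above, so it runs without the generated bindings. The `RotationPolicy` and `Automatic` interfaces and the sample policies are constructed here; the page's example policy is one of the inputs.

```typescript
// Added example, not from the provider docs: sanity-check a rotationPolicy block
// (field names as in the Argument Reference above) before synthesising the stack.
interface Automatic { timeAfterCreation?: string; timeBeforeExpiry?: string; }
interface RotationPolicy { expireAfter?: string; notifyBeforeExpiry?: string; automatic?: Automatic; }

// Convert an ISO 8601 duration ("P90D", "P6M", "P1Y") to days; months and years
// are approximated (30 / 365 days), which is enough for ordering checks.
export function durationToDays(iso: string): number {
  const m = /^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$/.exec(iso);
  if (!m || iso === "P") throw new Error(`unsupported ISO 8601 duration: ${iso}`);
  const n = (i: number) => Number(m[i] ?? 0);
  return n(1) * 365 + n(2) * 30 + n(3) * 7 + n(4);
}

// Return the list of problems found; an empty list means the policy is coherent.
export function checkRotationPolicy(p: RotationPolicy): string[] {
  const findings: string[] = [];
  if (!p.expireAfter) {
    return ["no expireAfter: the key never expires, so the policy never triggers"];
  }
  const expire = durationToDays(p.expireAfter);
  const auto = p.automatic ?? {};
  if (!auto.timeAfterCreation && !auto.timeBeforeExpiry) {
    findings.push("automatic block has no trigger: the key will expire without rotating");
  }
  if (auto.timeBeforeExpiry && durationToDays(auto.timeBeforeExpiry) >= expire) {
    findings.push("timeBeforeExpiry is not shorter than expireAfter");
  }
  if (auto.timeAfterCreation && durationToDays(auto.timeAfterCreation) >= expire) {
    findings.push("timeAfterCreation is not shorter than expireAfter: the key expires before it rotates");
  }
  // The reference above states the default for notifyBeforeExpiry is P30D.
  if (durationToDays(p.notifyBeforeExpiry ?? "P30D") >= expire) {
    findings.push("notifyBeforeExpiry is not shorter than expireAfter");
  }
  return findings;
}

// Constructed inputs: the page's example policy, and a short-lived key with no trigger.
export const examplePolicy: RotationPolicy = {
  automatic: { timeBeforeExpiry: "P30D" }, expireAfter: "P90D", notifyBeforeExpiry: "P29D",
};
export const shortLivedNoTrigger: RotationPolicy = { expireAfter: "P14D", automatic: {} };
```

Run the check over each `rotationPolicy` object before handing it to `KeyVaultKey`; the second sample yields two findings because the default `P30D` notification would fire after a 14-day key had already expired.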
Attributes Reference
The following attributes are exported:
- `id` - The Key Vault Key ID.
- `resourceId` - The (Versioned) ID for this Key Vault Key. This property points to a specific version of a Key Vault Key, as such using this won't auto-rotate values if used in other Azure Services.
- `resourceVersionlessId` - The Versionless ID of the Key Vault Key. This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Key is updated.
- `version` - The current version of the Key Vault Key.
- `versionlessId` - The Base ID of the Key Vault Key.
- `n` - The RSA modulus of this Key Vault Key.
- `e` - The RSA public exponent of this Key Vault Key.
- `x` - The EC X component of this Key Vault Key.
- `y` - The EC Y component of this Key Vault Key.
- `publicKeyPem` - The PEM encoded public key of this Key Vault Key.
- `publicKeyOpenssh` - The OpenSSH encoded public key of this Key Vault Key.
Timeouts
The `timeouts` block allows you to specify timeouts for certain actions:
- `create` - (Defaults to 30 minutes) Used when creating the Key Vault Key.
- `update` - (Defaults to 30 minutes) Used when updating the Key Vault Key.
- `read` - (Defaults to 30 minutes) Used when retrieving the Key Vault Key.
- `delete` - (Defaults to 30 minutes) Used when deleting the Key Vault Key.
Import
A Key Vault Key which is Enabled can be imported using the `resourceId`, e.g.