
azurermKeyVaultManagedHardwareSecurityModule

Manages a Key Vault Managed Hardware Security Module.

~> Note: the Azure Provider includes a Feature Toggle which will purge a Key Vault Managed Hardware Security Module resource on destroy, rather than the default soft-delete. See purgeSoftDeletedHardwareSecurityModulesOnDestroy for more information.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

class ExampleStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    new azurerm.provider.AzurermProvider(this, "azurerm", {
      features: [
        {
          keyVault: [
            {
              // Purge the Managed HSM on destroy instead of leaving it soft-deleted.
              purgeSoftDeletedHardwareSecurityModulesOnDestroy: true,
            },
          ],
        },
      ],
    });
    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    // Tenant and object ID of the principal running Terraform; that principal
    // becomes the initial Managed HSM administrator below.
    const dataAzurermClientConfigCurrent =
      new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
        this,
        "current",
        {}
      );
    const azurermKeyVaultManagedHardwareSecurityModuleExample =
      new azurerm.keyVaultManagedHardwareSecurityModule.KeyVaultManagedHardwareSecurityModule(
        this,
        "example_3",
        {
          adminObjectIds: [dataAzurermClientConfigCurrent.objectId],
          location: azurermResourceGroupExample.location,
          name: "exampleKVHsm",
          // Left off here so the test HSM can be purged; enable it for an HSM
          // that holds production keys (it cannot be disabled afterwards).
          purgeProtectionEnabled: false,
          resourceGroupName: azurermResourceGroupExample.name,
          skuName: "Standard_B1",
          softDeleteRetentionDays: 90,
          tags: {
            Env: "Test",
          },
          tenantId: dataAzurermClientConfigCurrent.tenantId,
        }
      );
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    azurermKeyVaultManagedHardwareSecurityModuleExample.overrideLogicalId(
      "example"
    );
  }
}

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the Key Vault Managed Hardware Security Module. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the Key Vault Managed Hardware Security Module. Changing this forces a new resource to be created.

  • location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

  • adminObjectIds - (Required) Specifies a list of administrator object IDs for the Key Vault Managed Hardware Security Module. Changing this forces a new resource to be created.

  • skuName - (Required) The Name of the SKU used for this Key Vault Managed Hardware Security Module. Possible value is Standard_B1. Changing this forces a new resource to be created.

  • tenantId - (Required) The Azure Active Directory Tenant ID that should be used for authenticating requests to the key vault Managed Hardware Security Module. Changing this forces a new resource to be created.

  • purgeProtectionEnabled - (Optional) Is Purge Protection enabled for this Key Vault Managed Hardware Security Module? Changing this forces a new resource to be created.

  • softDeleteRetentionDays - (Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days. Defaults to 90. Changing this forces a new resource to be created.

  • publicNetworkAccessEnabled - (Optional) Whether traffic from public networks is permitted. Defaults to true. Changing this forces a new resource to be created.

  • networkAcls - (Optional) A networkAcls block as defined below.

  • tags - (Optional) A mapping of tags to assign to the resource. Changing this forces a new resource to be created.


A networkAcls block supports the following:

  • bypass - (Required) Specifies which traffic can bypass the network rules. Possible values are AzureServices and None.

  • defaultAction - (Required) The Default Action to use. Possible values are Allow and Deny.
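The arguments above decide how recoverable and how reachable the HSM is, and several of them (purge protection, admin object IDs, SKU) force a new resource when changed, so they are worth checking before the first apply. The following is an added example, not code from the azurerm provider or the CDKTF project: the page's Example Usage values (purge protection off, public network access left at its default) beside a hardened variant, and a small linter that reports what a reviewer would push back on. ManagedHsmConfig is a hand-written stand-in for the generated KeyVaultManagedHardwareSecurityModuleConfig; the assumption is that its field names match the Argument Reference, and the GUIDs are placeholders.

```typescript
// Added example, not part of the azurerm provider or CDKTF. ManagedHsmConfig
// mirrors the Argument Reference above (assumption: same camelCase names as
// the generated KeyVaultManagedHardwareSecurityModuleConfig).
type NetworkAclsBypass = "AzureServices" | "None";
type NetworkAclsDefaultAction = "Allow" | "Deny";

interface ManagedHsmNetworkAcls {
  bypass: NetworkAclsBypass;
  defaultAction: NetworkAclsDefaultAction;
}

interface ManagedHsmConfig {
  name: string;
  resourceGroupName: string;
  location: string;
  adminObjectIds: string[];
  skuName: string;
  tenantId: string;
  purgeProtectionEnabled?: boolean;
  softDeleteRetentionDays?: number; // provider default: 90
  publicNetworkAccessEnabled?: boolean; // provider default: true
  networkAcls?: ManagedHsmNetworkAcls;
  tags?: Record<string, string>;
}

interface Finding {
  severity: "error" | "warn";
  field: keyof ManagedHsmConfig;
  message: string;
}

function lintManagedHsmConfig(cfg: ManagedHsmConfig): Finding[] {
  const findings: Finding[] = [];

  // Purge protection cannot be switched off later; without it a soft-deleted
  // HSM (and every key in it) can be purged before the retention window ends.
  if (cfg.purgeProtectionEnabled !== true) {
    findings.push({ severity: "error", field: "purgeProtectionEnabled",
      message: "purge protection is off; enable it before the HSM holds production keys" });
  }

  const retention = cfg.softDeleteRetentionDays ?? 90;
  if (retention < 7 || retention > 90) {
    findings.push({ severity: "error", field: "softDeleteRetentionDays",
      message: `must be between 7 and 90 days, got ${retention}` });
  } else if (retention < 90) {
    findings.push({ severity: "warn", field: "softDeleteRetentionDays",
      message: `${retention} days is shorter than the 90-day default` });
  }

  // adminObjectIds is the initial administrator set and forces a new resource
  // when changed, so an empty or duplicated list is cheapest to catch here.
  if (cfg.adminObjectIds.length === 0) {
    findings.push({ severity: "error", field: "adminObjectIds", message: "no administrators" });
  }
  if (new Set(cfg.adminObjectIds).size !== cfg.adminObjectIds.length) {
    findings.push({ severity: "warn", field: "adminObjectIds", message: "duplicate object IDs" });
  }

  if (cfg.skuName !== "Standard_B1") {
    findings.push({ severity: "error", field: "skuName",
      message: `only Standard_B1 is documented, got ${cfg.skuName}` });
  }

  // Network exposure: public access defaults to true, so an HSM with no
  // deny-by-default ACL is reachable (though still authenticated) from anywhere.
  const publicAccess = cfg.publicNetworkAccessEnabled ?? true;
  if (publicAccess && cfg.networkAcls?.defaultAction !== "Deny") {
    findings.push({ severity: "error", field: "publicNetworkAccessEnabled",
      message: "reachable from any public network; set publicNetworkAccessEnabled = false or networkAcls.defaultAction = Deny" });
  }
  if (cfg.networkAcls?.bypass === "AzureServices") {
    findings.push({ severity: "warn", field: "networkAcls",
      message: "trusted Azure services bypass the network rules; use None unless a specific service needs it" });
  }

  return findings;
}

// Constructed sample inputs with placeholder GUIDs: the first mirrors the
// page's Example Usage, the second is the same HSM with the findings fixed.
const examplePageConfig: ManagedHsmConfig = {
  name: "exampleKVHsm",
  resourceGroupName: "example-resources",
  location: "West Europe",
  adminObjectIds: ["11111111-1111-1111-1111-111111111111"],
  skuName: "Standard_B1",
  tenantId: "22222222-2222-2222-2222-222222222222",
  purgeProtectionEnabled: false,
  softDeleteRetentionDays: 90,
  tags: { Env: "Test" },
};

const hardenedConfig: ManagedHsmConfig = {
  ...examplePageConfig,
  purgeProtectionEnabled: true,
  publicNetworkAccessEnabled: false,
  networkAcls: { bypass: "None", defaultAction: "Deny" },
  tags: { Env: "Prod" },
};

console.log("page example:", lintManagedHsmConfig(examplePageConfig));
console.log("hardened:", lintManagedHsmConfig(hardenedConfig));
```

Run it once over the object you are about to pass to the KeyVaultManagedHardwareSecurityModule constructor; the page example yields two errors (purge protection off, public network reachable), the hardened variant none.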

Attributes Reference

The following attributes are exported:

  • id - The Key Vault Managed Hardware Security Module ID.

  • hsmUri - The URI of the Key Vault Managed Hardware Security Module, used for performing operations on keys.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Key Vault Managed Hardware Security Module.
  • read - (Defaults to 5 minutes) Used when retrieving the Key Vault Managed Hardware Security Module.
  • delete - (Defaults to 60 minutes) Used when deleting the Key Vault Managed Hardware Security Module.

Import

Key Vault Managed Hardware Security Module can be imported using the resource id, e.g.

terraform import azurerm_key_vault_managed_hardware_security_module.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/managedHSMs/hsm1