azurermKeyVaultSecret
Manages a Key Vault Secret.
~> Note: All arguments, including the secret value, are stored in the raw state as plain text. Read more about sensitive data in state.
~> Note: the Azure Provider includes a Feature Toggle which purges a Key Vault Secret resource on destroy, rather than the default soft-delete. See purgeSoftDeletedSecretsOnDestroy for more information.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
// The generated bindings expose attributes in camelCase, so the snake_case keys emitted by `cdktf convert` are rewritten here.
// This code runs inside a TerraformStack constructor, which is what `this` refers to.
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: [
    {
      keyVault: [
        {
          // Purge on destroy instead of soft-delete: the secret cannot be recovered afterwards.
          purgeSoftDeletedSecretsOnDestroy: true,
          recoverSoftDeletedSecrets: true,
        },
      ],
    },
  ],
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
// Identity of the principal running Terraform; used for the vault's access policy below.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    accessPolicy: [
      {
        keyPermissions: ["Create", "Get"],
        objectId: dataAzurermClientConfigCurrent.objectId,
        // Purge and Recover are needed because the feature toggle above purges on destroy.
        secretPermissions: ["Set", "Get", "Delete", "Purge", "Recover"],
        tenantId: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "premium",
    softDeleteRetentionDays: 7,
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultSecretExample = new azurerm.keyVaultSecret.KeyVaultSecret(
  this,
  "example_4",
  {
    keyVaultId: azurermKeyVaultExample.id,
    name: "secret-sauce",
    // The value is written to Terraform state in plain text (see the note above).
    value: "szechuan",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultSecretExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
- name - (Required) Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.
- value - (Required) Specifies the value of the Key Vault Secret.
~> Note: Key Vault strips newlines. To preserve newlines in multi-line secrets, either replace them with \n using replace(file("mySecretFile"), "/\n/", "\n"), or base64-encode the content with base64Encode(file("mySecretFile")).
- keyVaultId - (Required) The ID of the Key Vault where the Secret should be created. Changing this forces a new resource to be created.
- contentType - (Optional) Specifies the content type for the Key Vault Secret.
- tags - (Optional) A mapping of tags to assign to the resource.
- notBeforeDate - (Optional) Secret not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
- expirationDate - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
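As an added example (not provider code and not from the original page), the following TypeScript helper prepares the props object that would be handed to azurerm.keyVaultSecret.KeyVaultSecret: it applies the newline note above (escaped or base64-encoded value), validates the documented UTC datetime shape of notBeforeDate and expirationDate, and enforces a local rule that every secret carries an expiration later than its notBeforeDate. The names buildSecretProps, encodeMultiline, decodeMultiline, the "application/base64" content-type convention and the placeholder Key Vault ID are assumptions.

```typescript
// Added helper (not provider code): builds the props object handed to
// azurerm.keyVaultSecret.KeyVaultSecret, applying the newline note and
// validating the date arguments before anything reaches Terraform state.
type NewlineMode = "escape" | "base64";

interface KeyVaultSecretProps {
  keyVaultId: string;
  name: string;
  value: string;
  contentType?: string;
  notBeforeDate?: string;
  expirationDate?: string;
  tags?: Record<string, string>;
}

// Azure's documented rule for secret names (not on this page): 1-127 alphanumerics or hyphens.
const SECRET_NAME = /^[0-9A-Za-z-]{1,127}$/;
// The UTC datetime shape the arguments document: Y-m-d'T'H:M:S'Z'.
const UTC_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/;

// Key Vault strips newlines, so either write the two characters '\' 'n' in their
// place (the consumer must unescape) or base64-encode the whole payload.
function encodeMultiline(raw: string, mode: NewlineMode): string {
  if (mode === "base64") return Buffer.from(raw, "utf8").toString("base64");
  return raw.replace(/\n/g, "\\n");
}

// Inverse of encodeMultiline, for the service that reads the secret back.
function decodeMultiline(stored: string, mode: NewlineMode): string {
  if (mode === "base64") return Buffer.from(stored, "base64").toString("utf8");
  return stored.replace(/\\n/g, "\n");
}

function buildSecretProps(p: KeyVaultSecretProps, mode: NewlineMode = "base64"): KeyVaultSecretProps {
  if (!SECRET_NAME.test(p.name)) throw new Error(`invalid secret name: ${p.name}`);
  for (const [k, v] of [["notBeforeDate", p.notBeforeDate], ["expirationDate", p.expirationDate]] as const) {
    if (v !== undefined && !UTC_DATETIME.test(v)) throw new Error(`${k} must be Y-m-dTH:M:SZ, got ${v}`);
  }
  // Local policy (assumption): every secret must carry an expiration so rotation is enforced.
  if (p.expirationDate === undefined) throw new Error("expirationDate is required");
  if (p.notBeforeDate !== undefined && Date.parse(p.expirationDate) <= Date.parse(p.notBeforeDate)) {
    throw new Error("expirationDate must be later than notBeforeDate");
  }
  // contentType tells consumers how the value was encoded; "application/base64" is our convention.
  const contentType = p.contentType ?? (mode === "base64" ? "application/base64" : "text/plain");
  return { ...p, value: encodeMultiline(p.value, mode), contentType };
}
```

The returned object is still written to state in plain text; the helper only guarantees the value survives Key Vault's newline handling and that the secret has a lifetime.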
Attributes Reference
The following attributes are exported:
- id - The Key Vault Secret ID.
- resourceId - The (Versioned) ID for this Key Vault Secret. This property points to a specific version of a Key Vault Secret; as such, using it won't auto-rotate values if used in other Azure Services.
- resourceVersionlessId - The Versionless ID of the Key Vault Secret. This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Secret is updated.
- version - The current version of the Key Vault Secret.
- versionlessId - The Base ID of the Key Vault Secret.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the Key Vault Secret.
- update - (Defaults to 30 minutes) Used when updating the Key Vault Secret.
- read - (Defaults to 30 minutes) Used when retrieving the Key Vault Secret.
- delete - (Defaults to 30 minutes) Used when deleting the Key Vault Secret.
Import
Key Vault Secrets which are Enabled can be imported using the resourceId, e.g.