
azurermKeyVaultSecret

Manages a Key Vault Secret.

~> Note: All arguments including the secret value will be stored in the raw state as plain-text. Read more about sensitive data in state.

~> Note: the Azure Provider includes a Feature Toggle which will purge a Key Vault Secret resource on destroy, rather than the default soft-delete. See purgeSoftDeletedSecretsOnDestroy for more information.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*Property names use the camelCase form of the generated bindings; blocks that allow
a single item (features, keyVault) are plain objects rather than arrays.*/
new azurerm.provider.AzurermProvider(this, "azurerm", {
  features: {
    keyVault: {
      // Purge on destroy instead of the default soft-delete, and recover a
      // soft-deleted secret of the same name instead of failing to create it.
      purgeSoftDeletedSecretsOnDestroy: true,
      recoverSoftDeletedSecrets: true,
    },
  },
});
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
// Identity running Terraform; used to grant it the access policy below.
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    accessPolicy: [
      {
        keyPermissions: ["Create", "Get"],
        objectId: dataAzurermClientConfigCurrent.objectId,
        // Purge and Recover are needed for the feature toggles set on the provider.
        secretPermissions: ["Set", "Get", "Delete", "Purge", "Recover"],
        tenantId: dataAzurermClientConfigCurrent.tenantId,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplekeyvault",
    resourceGroupName: azurermResourceGroupExample.name,
    skuName: "premium",
    softDeleteRetentionDays: 7,
    tenantId: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultSecretExample = new azurerm.keyVaultSecret.KeyVaultSecret(
  this,
  "example_4",
  {
    keyVaultId: azurermKeyVaultExample.id,
    name: "secret-sauce",
    value: "szechuan",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultSecretExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • name - (Required) Specifies the name of the Key Vault Secret. Changing this forces a new resource to be created.

  • value - (Required) Specifies the value of the Key Vault Secret.

~> Note: Key Vault strips newlines. To preserve newlines in multi-line secrets, either replace them with a literal \n, e.g. replace(file("mySecretFile"), "/\n/", "\\n"), or base64-encode the whole value with base64encode(file("mySecretFile")).

  • keyVaultId - (Required) The ID of the Key Vault where the Secret should be created. Changing this forces a new resource to be created.

  • contentType - (Optional) Specifies the content type for the Key Vault Secret.

  • tags - (Optional) A mapping of tags to assign to the resource.

  • notBeforeDate - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

  • expirationDate - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').

Attributes Reference

The following attributes are exported:

  • id - The Key Vault Secret ID.
  • resourceId - The (Versioned) ID for this Key Vault Secret. This property points to a specific version of the secret, so other Azure Services that reference it will keep using that version and will not pick up rotated values.
  • resourceVersionlessId - The Versionless ID of the Key Vault Secret. This property allows other Azure Services (that support it) to auto-rotate their value when the Key Vault Secret is updated.
  • version - The current version of the Key Vault Secret.
  • versionlessId - The Base ID of the Key Vault Secret.
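As an added example (not from the provider docs), the same resource written in HCL with the practices the argument and attribute references above imply: the value comes from a sensitive variable rather than a literal, a multi-line value is base64-encoded as the note describes, both dates are set, and the versionless ID is exported for consumers that should pick up rotated values. It assumes the azurerm_key_vault.example resource from Example Usage, a hypothetical PEM file ./mySecretFile in the module directory, and constructed dates.

```hcl
# Added example, not the provider's own docs. Assumes azurerm_key_vault.example
# from Example Usage and a hypothetical ./mySecretFile; dates are constructed.

variable "db_password" {
  type      = string
  sensitive = true # redacts plan/apply output; the state file still holds plain text
}

# Single-line secret: the value is supplied at apply time, never hard-coded.
resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = var.db_password
  key_vault_id = azurerm_key_vault.example.id
  content_type = "text/plain"

  # Y-m-d'T'H:M:S'Z' as the argument reference requires; an expiration
  # gives the secret a rotation deadline instead of living forever.
  not_before_date = "2024-06-01T00:00:00Z"
  expiration_date = "2025-06-01T00:00:00Z"

  tags = { owner = "platform-team" }
}

# Multi-line secret: Key Vault strips newlines, so the file is base64-encoded
# before storage and the encoding is recorded in content_type for consumers.
resource "azurerm_key_vault_secret" "tls_key" {
  name            = "tls-key"
  value           = base64encode(file("${path.module}/mySecretFile"))
  content_type    = "application/x-pem-file;base64"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2025-06-01T00:00:00Z"
}

# Hand consumers the versionless ID so a rotated secret is picked up
# automatically; the versioned id pins one version of the value.
output "db_password_versionless_id" {
  value = azurerm_key_vault_secret.db_password.versionless_id
}

output "db_password_versioned_id" {
  value = azurerm_key_vault_secret.db_password.id
}
```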

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Key Vault Secret.
  • update - (Defaults to 30 minutes) Used when updating the Key Vault Secret.
  • read - (Defaults to 30 minutes) Used when retrieving the Key Vault Secret.
  • delete - (Defaults to 30 minutes) Used when deleting the Key Vault Secret.

Import

Key Vault Secrets which are Enabled can be imported using the resourceId, e.g.

terraform import azurerm_key_vault_secret.example "https://example-keyvault.vault.azure.net/secrets/example/fdf067c93bbb4b22bff4d8b7a9a56217"