azurermStorageAccountCustomerManagedKey
Manages a Customer Managed Key for a Storage Account.
\~> NOTE: It's possible to define a Customer Managed Key both within the azurermStorageAccount
resource via the customerManagedKey
block and by using the azurermStorageAccountCustomerManagedKey
resource. However it's not possible to use both methods to manage a Customer Managed Key for a Storage Account, since there'll be conflicts.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-resources",
}
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
this,
"example_1",
{
account_replication_type: "GRS",
account_tier: "Standard",
identity: [
{
type: "SystemAssigned",
},
],
location: azurermResourceGroupExample.location,
name: "examplestor",
resource_group_name: azurermResourceGroupExample.name,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const dataAzurermClientConfigCurrent =
new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
this,
"current",
{}
);
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
this,
"example_3",
{
location: azurermResourceGroupExample.location,
name: "examplekv",
purge_protection_enabled: true,
resource_group_name: azurermResourceGroupExample.name,
sku_name: "standard",
tenant_id: dataAzurermClientConfigCurrent.tenantId,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyClient =
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "client", {
key_permissions: [
"Get",
"Create",
"Delete",
"List",
"Restore",
"Recover",
"UnwrapKey",
"WrapKey",
"Purge",
"Encrypt",
"Decrypt",
"Sign",
"Verify",
"GetRotationPolicy",
],
key_vault_id: azurermKeyVaultExample.id,
object_id: dataAzurermClientConfigCurrent.objectId,
secret_permissions: ["Get"],
tenant_id: dataAzurermClientConfigCurrent.tenantId,
});
const azurermKeyVaultAccessPolicyStorage =
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "storage", {
key_permissions: [
"Get",
"Create",
"List",
"Restore",
"Recover",
"UnwrapKey",
"WrapKey",
"Purge",
"Encrypt",
"Decrypt",
"Sign",
"Verify",
],
key_vault_id: azurermKeyVaultExample.id,
object_id: `\${${azurermStorageAccountExample.identity}.0.principal_id}`,
secret_permissions: ["Get"],
tenant_id: dataAzurermClientConfigCurrent.tenantId,
});
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
this,
"example_6",
{
depends_on: [
`\${${azurermKeyVaultAccessPolicyClient.fqn}}`,
`\${${azurermKeyVaultAccessPolicyStorage.fqn}}`,
],
key_opts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
key_size: 2048,
key_type: "RSA",
key_vault_id: azurermKeyVaultExample.id,
name: "tfex-key",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermStorageAccountCustomerManagedKeyExample =
new azurerm.storageAccountCustomerManagedKey.StorageAccountCustomerManagedKey(
this,
"example_7",
{
key_name: azurermKeyVaultKeyExample.name,
key_vault_id: azurermKeyVaultExample.id,
storage_account_id: azurermStorageAccountExample.id,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountCustomerManagedKeyExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
-
storageAccountId
- (Required) The ID of the Storage Account. Changing this forces a new resource to be created. -
keyVaultId
- (Required) The ID of the Key Vault. -
keyName
- (Required) The name of Key Vault Key. -
keyVersion
- (Optional) The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation. -
userAssignedIdentityId
- (Optional) The ID of a user assigned identity.
Attributes Reference
The following attributes are exported in addition to the arguments listed above:
id
- The ID of the Storage Account.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 30 minutes) Used when creating the Storage Account Customer Managed Keys.update
- (Defaults to 30 minutes) Used when updating the Storage Account Customer Managed Keys.read
- (Defaults to 5 minutes) Used when retrieving the Storage Account Customer Managed Keys.delete
- (Defaults to 30 minutes) Used when deleting the Storage Account Customer Managed Keys.
Import
Customer Managed Keys for a Storage Account can be imported using the resourceId
of the Storage Account, e.g.