Skip to content

azurermStorageAccountCustomerManagedKey

Manages a Customer Managed Key for a Storage Account.

\~> NOTE: It's possible to define a Customer Managed Key both within the azurermStorageAccount resource via the customerManagedKey block and by using the azurermStorageAccountCustomerManagedKey resource. However it's not possible to use both methods to manage a Customer Managed Key for a Storage Account, since there'll be conflicts.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermStorageAccountExample = new azurerm.storageAccount.StorageAccount(
  this,
  "example_1",
  {
    account_replication_type: "GRS",
    account_tier: "Standard",
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "examplestor",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountExample.overrideLogicalId("example");
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_3",
  {
    location: azurermResourceGroupExample.location,
    name: "examplekv",
    purge_protection_enabled: true,
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "standard",
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyClient =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "client", {
    key_permissions: [
      "Get",
      "Create",
      "Delete",
      "List",
      "Restore",
      "Recover",
      "UnwrapKey",
      "WrapKey",
      "Purge",
      "Encrypt",
      "Decrypt",
      "Sign",
      "Verify",
      "GetRotationPolicy",
    ],
    key_vault_id: azurermKeyVaultExample.id,
    object_id: dataAzurermClientConfigCurrent.objectId,
    secret_permissions: ["Get"],
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  });
const azurermKeyVaultAccessPolicyStorage =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "storage", {
    key_permissions: [
      "Get",
      "Create",
      "List",
      "Restore",
      "Recover",
      "UnwrapKey",
      "WrapKey",
      "Purge",
      "Encrypt",
      "Decrypt",
      "Sign",
      "Verify",
    ],
    key_vault_id: azurermKeyVaultExample.id,
    object_id: `\${${azurermStorageAccountExample.identity}.0.principal_id}`,
    secret_permissions: ["Get"],
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  });
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
  this,
  "example_6",
  {
    depends_on: [
      `\${${azurermKeyVaultAccessPolicyClient.fqn}}`,
      `\${${azurermKeyVaultAccessPolicyStorage.fqn}}`,
    ],
    key_opts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
    key_size: 2048,
    key_type: "RSA",
    key_vault_id: azurermKeyVaultExample.id,
    name: "tfex-key",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermStorageAccountCustomerManagedKeyExample =
  new azurerm.storageAccountCustomerManagedKey.StorageAccountCustomerManagedKey(
    this,
    "example_7",
    {
      key_name: azurermKeyVaultKeyExample.name,
      key_vault_id: azurermKeyVaultExample.id,
      storage_account_id: azurermStorageAccountExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermStorageAccountCustomerManagedKeyExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • storageAccountId - (Required) The ID of the Storage Account. Changing this forces a new resource to be created.

  • keyVaultId - (Required) The ID of the Key Vault.

  • keyName - (Required) The name of Key Vault Key.

  • keyVersion - (Optional) The version of Key Vault Key. Remove or omit this argument to enable Automatic Key Rotation.

  • userAssignedIdentityId - (Optional) The ID of a user assigned identity.

Attributes Reference

The following attributes are exported in addition to the arguments listed above:

  • id - The ID of the Storage Account.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Storage Account Customer Managed Keys.
  • update - (Defaults to 30 minutes) Used when updating the Storage Account Customer Managed Keys.
  • read - (Defaults to 5 minutes) Used when retrieving the Storage Account Customer Managed Keys.
  • delete - (Defaults to 30 minutes) Used when deleting the Storage Account Customer Managed Keys.

Import

Customer Managed Keys for a Storage Account can be imported using the resourceId of the Storage Account, e.g.

terraform import azurerm_storage_account_customer_managed_key.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/myaccount