Manages a Key Vault Key.
# Identity Terraform runs as; its tenant and object IDs are reused below.
data "azurestack_client_config" "current" {}

resource "azurestack_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurestack_key_vault" "example" {
  name                = "examplekeyvault"
  location            = azurestack_resource_group.example.location
  resource_group_name = azurestack_resource_group.example.name
  tenant_id           = data.azurestack_client_config.current.tenant_id
  sku_name            = "premium"

  # Access policy for the deploying identity. "create" and "get" are needed to
  # manage the key; "recover" and "purge" are needed to destroy it cleanly when
  # soft delete is in effect.
  access_policy {
    tenant_id = data.azurestack_client_config.current.tenant_id
    object_id = data.azurestack_client_config.current.object_id

    key_permissions = [
      "create",
      "get",
      "purge",
      "recover"
    ]

    secret_permissions = [
      "set",
    ]
  }
}

resource "azurestack_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = azurestack_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  # Operations the vault will allow with this key. Restrict this list to what
  # the key's consumers need; the vault enforces it on every call.
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}
The following arguments are supported:
name - (Required) Specifies the name of the Key Vault Key. Changing this forces a new resource to be created.
key_vault_id - (Required) The ID of the Key Vault where the Key should be created. Changing this forces a new resource to be created.
key_type - (Required) Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), Oct (Octet), and RSA. Changing this forces a new resource to be created.
key_size - (Optional) Specifies the size of the RSA key to create, in bits. For example, 1024 or 2048. This field is required if key_type is RSA. Note that 1024-bit RSA no longer meets common minimum key-length requirements; use 2048 bits or larger. Changing this forces a new resource to be created.
curve - (Optional) Specifies the curve to use when creating an EC key. Possible values are P-256, P-384, P-521, and SECP256K1. This field will be required in a future release if key_type is EC. The API defaults to P-256 if nothing is specified; set it explicitly so the curve in use is visible in configuration. Changing this forces a new resource to be created.
key_opts - (Required) A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey. These values are case sensitive. Grant only the operations the key's consumers actually need: the vault enforces key_opts on every request, so it limits what even a principal with broad access-policy permissions can do with this particular key.
not_before_date - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
expiration_date - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
tags - (Optional) A mapping of tags to assign to the resource.
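The following is an added example, not part of the provider's own documentation, showing the arguments above used for a signing key: an EC key with curve set explicitly, key_opts cut down to sign and verify, a not_before_date/expiration_date validity window, and a vault whose access policies separate the identity that manages the key from the workload that uses it. The vault and key names, the signer_object_id variable and the dates are assumptions chosen for illustration; the permission names in key_permissions follow the lowercase form used in the page's own example.

```hcl
# Identity Terraform runs as.
data "azurestack_client_config" "current" {}

# Object ID of the workload identity that will sign with the key (hypothetical input).
variable "signer_object_id" {
  type = string
}

resource "azurestack_resource_group" "signing" {
  name     = "signing-resources"
  location = "West Europe"
}

resource "azurestack_key_vault" "signing" {
  name                = "examplesigningvault"
  location            = azurestack_resource_group.signing.location
  resource_group_name = azurestack_resource_group.signing.name
  tenant_id           = data.azurestack_client_config.current.tenant_id
  sku_name            = "premium"

  # Terraform's own identity: enough to create, read and destroy the key, nothing more.
  access_policy {
    tenant_id       = data.azurestack_client_config.current.tenant_id
    object_id       = data.azurestack_client_config.current.object_id
    key_permissions = ["create", "get", "delete", "recover", "purge"]
  }

  # The consuming workload: it can sign with the key and read its public part,
  # but cannot create, delete or change keys in this vault.
  access_policy {
    tenant_id       = data.azurestack_client_config.current.tenant_id
    object_id       = var.signer_object_id
    key_permissions = ["get", "sign", "verify"]
  }
}

resource "azurestack_key_vault_key" "signing" {
  name         = "example-signing-key"
  key_vault_id = azurestack_key_vault.signing.id

  key_type = "EC"
  curve    = "P-256" # stated explicitly rather than relying on the API default

  # This key exists only to sign; encrypt/decrypt and wrap/unwrap are left out,
  # so the vault will refuse those operations even for a caller that has the
  # corresponding access-policy permission.
  key_opts = ["sign", "verify"]

  # Validity window in UTC (Y-m-d'T'H:M:S'Z'). Constructed dates for illustration:
  # the key cannot be used before the start date and stops being usable at expiry.
  not_before_date = "2024-01-01T00:00:00Z"
  expiration_date = "2025-01-01T00:00:00Z"

  tags = {
    purpose = "token-signing"
  }
}
```

Because name, key_vault_id, key_type and curve all force replacement, changing any of them after the key is in use means a new key with new material; plan the consumer-side switch (the versioned or versionless ID they reference) before applying such a change.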
The following attributes are exported:
id - The Key Vault Key ID (includes the current version).
version - The current version of the Key Vault Key.
versionless_id - The Base ID of the Key Vault Key, without a version.
n - The RSA modulus of this Key Vault Key (RSA keys only).
e - The RSA public exponent of this Key Vault Key (RSA keys only).
x - The EC X component of this Key Vault Key (EC keys only).
y - The EC Y component of this Key Vault Key (EC keys only).
The timeouts block allows you to specify timeouts for certain actions:
create - (Defaults to 30 minutes) Used when creating the Key Vault Key.
update - (Defaults to 30 minutes) Used when updating the Key Vault Key.
read - (Defaults to 5 minutes) Used when retrieving the Key Vault Key.
delete - (Defaults to 30 minutes) Used when deleting the Key Vault Key.
A Key Vault Key which is enabled can be imported using its resource id, e.g.
terraform import azurestack_key_vault_key.example "https://example-keyvault.vault.azure.net/keys/example/fdf067c93bbb4b22bff4d8b7a9a56217"
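The following is an added example, not taken from the provider documentation, showing the timeouts block and the difference between the exported id and versionless_id attributes for a key used only to wrap other keys. The resource and output names are assumptions; the key_vault_id reference assumes the azurestack_key_vault.example resource from the page's first example.

```hcl
resource "azurestack_key_vault_key" "wrapping" {
  name         = "example-wrapping-key"
  key_vault_id = azurestack_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  # Key-encryption key only: it never signs or encrypts application data directly.
  key_opts = ["wrapKey", "unwrapKey"]

  # Tighten the defaults so a stalled or unreachable vault endpoint fails the
  # run quickly instead of hanging for the 30-minute default.
  timeouts {
    create = "10m"
    read   = "2m"
    delete = "10m"
  }
}

# Versioned ID: a consumer that references this is pinned to the key material
# that exists now. Rotating the key (a new version) does not change it, so a
# wrapped payload stays decryptable with the version that wrapped it.
output "wrapping_key_id" {
  value = azurestack_key_vault_key.wrapping.id
}

# Versionless ID: a consumer that references this always resolves to the
# current version, which is what you want for the *wrapping* side after rotation.
output "wrapping_key_versionless_id" {
  value = azurestack_key_vault_key.wrapping.versionless_id
}

# Public half of the key; only populated for RSA keys (EC keys export x and y).
output "wrapping_key_public" {
  value = {
    n = azurestack_key_vault_key.wrapping.n
    e = azurestack_key_vault_key.wrapping.e
  }
}
```

Hand consumers the versionless_id for operations that should follow rotation (wrapping, signing new tokens) and the versioned id for operations that must keep working against a specific version (unwrapping, verifying material produced earlier).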