azurerm_cdn_frontdoor_secret

Manages a Front Door (standard/premium) Secret.

Required Key Vault Permissions

!>IMPORTANT: You must add an Access Policy to your azurerm_key_vault for the Microsoft.AzureFrontDoor-Cdn Enterprise Application Object ID.

The service principal can be created by running an Az PowerShell command like this:

New-AzADServicePrincipal -ApplicationId "00000000-0000-0000-0000-000000000000"

| Object ID                     | Key Permissions | Secret Permissions | Certificate Permissions        |
|-------------------------------|-----------------|--------------------|--------------------------------|
| Microsoft.Azure.Cdn Object ID | -               | Get                | -                              |
| Your Personal AAD Object ID   | -               | Get and List       | Get, List, Purge and Recover   |
| Terraform Service Principal   | -               | Get                | Get, Import, Delete and Purge  |

->NOTE: You only need to add the Access Policy for your personal AAD Object ID if you are planning to view the secrets via the Azure Portal.
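The table above is a least-privilege baseline, and drift from it either breaks the secret (a missing permission) or widens the blast radius of a compromised principal (an extra one). The following is an added audit helper, not part of the provider documentation; it assumes the input list has the shape of `az keyvault show --query properties.accessPolicies` (objectId plus permissions.keys/secrets/certificates) and uses constructed object IDs.

```python
"""Audit Key Vault access policies against the minimal permission set in the table.

Assumed input shape (as returned by `az keyvault show --query properties.accessPolicies`):
[{"objectId": "...", "permissions": {"keys": [...], "secrets": [...], "certificates": [...]}}]
"""
from __future__ import annotations

# Expected permissions per role, taken from the table above (compared case-insensitively).
EXPECTED: dict[str, dict[str, set[str]]] = {
    "frontdoor": {"keys": set(), "secrets": {"get"}, "certificates": set()},
    "terraform": {"keys": set(), "secrets": {"get"},
                  "certificates": {"get", "import", "delete", "purge"}},
}

def _norm(perms: dict) -> dict[str, set[str]]:
    """Lower-case each permission list; a missing or null category counts as empty."""
    return {cat: {p.lower() for p in (perms.get(cat) or [])}
            for cat in ("keys", "secrets", "certificates")}

def audit(policies: list[dict], principals: dict[str, str]) -> dict[str, list[str]]:
    """Map each role to its findings: 'missing' entries break the resource, 'excess' ones over-privilege it."""
    by_oid = {p["objectId"]: _norm(p.get("permissions", {})) for p in policies}
    findings: dict[str, list[str]] = {}
    for role, oid in principals.items():
        issues: list[str] = []
        granted = by_oid.get(oid)
        if granted is None:
            issues.append("no access policy for this object id")
        else:
            for cat, want in EXPECTED[role].items():
                if want - granted[cat]:
                    issues.append(f"missing {cat}: {sorted(want - granted[cat])}")
                if granted[cat] - want:
                    issues.append(f"excess {cat}: {sorted(granted[cat] - want)}")
        findings[role] = issues
    return findings

# Constructed sample: the Front Door principal is over-privileged and the Terraform principal lacks Purge.
SAMPLE_POLICIES = [
    {"objectId": "11111111-1111-1111-1111-111111111111",
     "permissions": {"keys": [], "secrets": ["Get", "List"], "certificates": ["Get"]}},
    {"objectId": "22222222-2222-2222-2222-222222222222",
     "permissions": {"keys": None, "secrets": ["Get"],
                     "certificates": ["Get", "Import", "Delete"]}},
]
SAMPLE_PRINCIPALS = {"frontdoor": "11111111-1111-1111-1111-111111111111",
                     "terraform": "22222222-2222-2222-2222-222222222222"}

if __name__ == "__main__":
    for role, issues in audit(SAMPLE_POLICIES, SAMPLE_PRINCIPALS).items():
        print(f"{role}: {'OK' if not issues else '; '.join(issues)}")
```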

Example Usage

data "azurerm_client_config" "current" {}
data "azuread_service_principal" "frontdoor" {
  display_name = "Microsoft.Azure.Cdn"
}

resource "azurerm_resource_group" "example" {
  name     = "example-cdn-frontdoor"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                       = "example-keyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = ["10.0.0.0/24"]
  }

  # CDN Front Door Enterprise Application Object ID (e.g. Microsoft.Azure.Cdn)
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azuread_service_principal.frontdoor.object_id

    secret_permissions = [
      "Get",
    ]
  }

  # Terraform Service Principal
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id # <- Object Id of the Service Principal that Terraform is running as

    certificate_permissions = [
      "Get",
      "Import",
      "Delete",
      "Purge"
    ]

    secret_permissions = [
      "Get",
    ]
  }
}

resource "azurerm_key_vault_certificate" "example" {
  name         = "example-cert"
  key_vault_id = azurerm_key_vault.example.id

  certificate {
    contents = filebase64("my-certificate.pfx")
  }
}

resource "azurerm_cdn_frontdoor_profile" "example" {
  name                = "example-cdn-profile"
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "Standard_AzureFrontDoor"
}

resource "azurerm_cdn_frontdoor_secret" "example" {
  name                     = "example-customer-managed-secret"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.example.id

  secret {
    customer_certificate {
      key_vault_certificate_id = azurerm_key_vault_certificate.example.id
    }
  }
}

Arguments Reference

The following arguments are supported:


A secret block supports the following:


A customer_certificate block supports the following:

->NOTE: If you would like to use the latest version of the Key Vault Certificate, use the Key Vault Certificate's versionless_id attribute as the value of the key_vault_certificate_id field (e.g. key_vault_certificate_id = azurerm_key_vault_certificate.example.versionless_id).


Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

Import

Front Door Secrets can be imported using the resource id, e.g.

terraform import azurerm_cdn_frontdoor_secret.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1/providers/Microsoft.Cdn/profiles/profile1/secrets/secrets1