Manages a Key Vault.
```hcl
provider "azurestack" {
  features {}
}

data "azurestack_client_config" "current" {}

resource "azurestack_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurestack_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurestack_resource_group.example.location
  resource_group_name         = azurestack_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurestack_client_config.current.tenant_id
  sku_name                    = "standard"

  access_policy {
    tenant_id = data.azurestack_client_config.current.tenant_id
    object_id = data.azurestack_client_config.current.object_id

    key_permissions = [
      "Get",
    ]

    secret_permissions = [
      "Get",
    ]

    storage_permissions = [
      "Get",
    ]
  }
}
```
The following arguments are supported:

- `name` - (Required) Specifies the name of the Key Vault. Changing this forces a new resource to be created.
- `location` - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.
- `resource_group_name` - (Required) The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
- `sku_name` - (Required) The name of the SKU used for this Key Vault. The only possible value is `standard`.
- `tenant_id` - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
- `access_policy` - (Optional) A list of up to 16 objects describing access policies, as described below.
- `enabled_for_deployment` - (Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to `false`.
- `enabled_for_disk_encryption` - (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to `false`.
- `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to `false`.
- `enable_rbac_authorization` - (Optional) Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to `false`.
- `network_acls` - (Optional) A `network_acls` block as defined below.
- `tags` - (Optional) A mapping of tags to assign to the resource.

An `access_policy` block supports the following:
- `tenant_id` - (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Must match the `tenant_id` used above.
- `object_id` - (Required) The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
- `application_id` - (Optional) The object ID of an Application in Azure Active Directory.
- `certificate_permissions` - (Optional) List of certificate permissions, must be one or more from the following: `Backup`, `Create`, `Delete`, `DeleteIssuers`, `Get`, `GetIssuers`, `Import`, `List`, `ListIssuers`, `ManageContacts`, `ManageIssuers`, `Purge`, `Recover`, `Restore`, `SetIssuers` and `Update`.
- `key_permissions` - (Optional) List of key permissions, must be one or more from the following: `Backup`, `Create`, `Decrypt`, `Delete`, `Encrypt`, `Get`, `Import`, `List`, `Purge`, `Recover`, `Restore`, `Sign`, `UnwrapKey`, `Update`, `Verify` and `WrapKey`.
- `secret_permissions` - (Optional) List of secret permissions, must be one or more from the following: `Backup`, `Delete`, `Get`, `List`, `Purge`, `Recover`, `Restore` and `Set`.
- `storage_permissions` - (Optional) List of storage permissions, must be one or more from the following: `Backup`, `Delete`, `DeleteSAS`, `Get`, `GetSAS`, `List`, `ListSAS`, `Purge`, `Recover`, `RegenerateKey`, `Restore`, `Set`, `SetSAS` and `Update`.
A `network_acls` block supports the following:

- `bypass` - (Required) Specifies which traffic can bypass the network rules. Possible values are `AzureServices` and `None`.
- `default_action` - (Required) The default action to use when no rules match from `ip_rules` / `virtual_network_subnet_ids`. Possible values are `Allow` and `Deny`.
- `ip_rules` - (Optional) One or more IP addresses or CIDR blocks which should be able to access the Key Vault.
- `virtual_network_subnet_ids` - (Optional) One or more subnet IDs which should be able to access this Key Vault.
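As an added example that is not part of the provider documentation, the same resource with `network_acls` set to deny by default and two `access_policy` entries scoped to what each principal actually does; it reuses the resource group and client config data source from the example above, and the resource name, the IP range and the `app_object_id` variable are assumptions.

```hcl
# Assumed input: the object ID of the workload that will use the keys.
variable "app_object_id" {
  description = "Object ID of the workload's service principal (assumed)"
  type        = string
}

resource "azurestack_key_vault" "hardened" {
  name                = "examplekvhardened"
  location            = azurestack_resource_group.example.location
  resource_group_name = azurestack_resource_group.example.name
  tenant_id           = data.azurestack_client_config.current.tenant_id
  sku_name            = "standard"

  # Platform integrations stay off unless a consumer actually needs them.
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false

  # Weak form, for contrast:
  #   network_acls {
  #     bypass         = "AzureServices"
  #     default_action = "Allow"
  #   }
  # leaves the data plane reachable from any network. Deny by default and
  # list only the ranges that need to reach it.
  network_acls {
    bypass         = "AzureServices"
    default_action = "Deny"
    ip_rules       = ["203.0.113.0/24"] # constructed range for illustration
  }

  # The deploying identity manages objects but never reads secret values.
  access_policy {
    tenant_id          = data.azurestack_client_config.current.tenant_id
    object_id          = data.azurestack_client_config.current.object_id
    key_permissions    = ["Create", "Delete", "Get", "List", "Update"]
    secret_permissions = ["Delete", "List", "Set"]
  }

  # The workload gets only the cryptographic operations it performs.
  access_policy {
    tenant_id       = data.azurestack_client_config.current.tenant_id
    object_id       = var.app_object_id
    key_permissions = ["Get", "Sign", "Verify", "WrapKey", "UnwrapKey"]
  }
}
```

Because `object_id` must be unique across the access policy list, each principal gets exactly one policy, which also keeps its effective permissions easy to audit.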
The following attributes are exported:

- `id` - The ID of the Key Vault.
- `vault_uri` - The URI of the Key Vault, used for performing operations on keys and secrets.

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 30 minutes) Used when creating the Key Vault.
- `update` - (Defaults to 30 minutes) Used when updating the Key Vault.
- `read` - (Defaults to 5 minutes) Used when retrieving the Key Vault.
- `delete` - (Defaults to 30 minutes) Used when deleting the Key Vault.

Key Vaults can be imported using the resource `id`, e.g.

```shell
terraform import azurestack_key_vault.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1
```