Terraform module for Microsoft Azure to manage Key Vault resource.
HCLMIT
Azure Key Vault - Terraform Module
Version compatibility
Module version
Terraform version
AzureRM version
>= 2.x.x
>= 1.3.x
>= 3.69.0
>= 1.x.x
>= 0.13.x
>= 2.34.0
Parameters
The following parameters are supported:
Name
Description
Type
Default
Required
name
Specifies the name of the Key Vault. Changing this forces a new resource to be created.
string
n/a
yes
resource_group_name
The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.
string
n/a
yes
location
The location/region where the Key Vault is created.
string
n/a
yes
tags
A mapping of tags to assign to the resource.
map(string)
{}
no
sku_name
The Name of the SKU used for this Key Vault. Possible values are standard and premium.
string
n/a
yes
tenant_id
The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
string
n/a
yes
soft_delete_retention_days
The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days.
number
90
no
purge_protection_enabled
Is Purge Protection enabled for this Key Vault?
bool
false
no
enabled_for_deployment
Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
bool
false
no
enabled_for_disk_encryption
Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
bool
false
no
enabled_for_template_deployment
Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
bool
false
no
enable_rbac_authorization
Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.
bool
false
no
access_policies
List of objects that represent the configuration of each access policies.
list(object({}))
[]
no
keys
List of objects that represent the configuration of each key.
list(object({}))
[]
no
secrets
List of objects that represent the configuration of each secrect.
list(object({}))
[]
no
contacts
List of objects that represent each contact.
list(object({}))
[]
no
The access_policies supports the following:
Name
Description
Type
Default
Required
object_id
The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
string
n/a
yes
application_id
The object ID of an Application in Azure Active Directory.
string
null
no
key_permissions
List of certificate permissions, must be one or more from the following: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, Decrypt, Encrypt, UnwrapKey, WrapKey, Verify, Sign and Purge.
list(string)
[]
no
secret_permissions
List of key permissions, must be one or more from the following: Get, List, Set, Delete, Recover, Backup, Restore and Purge.
list(string)
[]
no
certificate_permissions
List of certificate permissions, must be one or more from the following: Get, List, Update, Create, Import, Delete, Recover, Backup, Restore, GetIssuers, SetIssuers, ListIssuers, DeleteIssuers, ManageContacts, ManageIssuers and Purge.
list(string)
[]
no
storage_permissions
List of storage permissions, must be one or more from the following: Get, List, Update, Set, Delete, Recover, Backup, Restore, GetSAS, ListSAS, SetSAS, DeleteSAS, RegenerateKey and Purge.
list(string)
[]
no
The keys supports the following:
Name
Description
Type
Default
Required
name
Specifies the name of the Key Vault Key.
string
n/a
yes
key_type
Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM.
number
n/a
yes
key_size
Specifies the Size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA or RSA-HSM.
string
null
no
curve
Specifies the curve to use when creating an EC key. Possible values are: P-256, P-384, P-521 and SECP256K1.
string
null
no
key_opts
A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify and wrapKey.
list(string)
[]
yes
not_before_date
Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
string
null
no
expiration_date
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
string
null
no
The secrets supports the following:
Name
Description
Type
Default
Required
name
Specifies the name of the Key Vault Secret.
string
n/a
yes
value
Specifies the value of the Key Vault Secret.
string
null
yes
content_type
Specifies the content type for the Key Vault Secret.
string
null
no
not_before_date
Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
string
null
no
expiration_date
Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
string
null
yes
The contacts supports the following:
Name
Description
Type
Default
Required
email
E-mail address of the contact.
string
n/a
yes
name
Name of the contact.
string
null
no
phone
Phone number of the contact.
string
null
no
Outputs
The following outputs are exported:
Name
Description
Sensitive
id
The virtual network configuration ID.
no
name
The name of the virtual network.
no
resource_group_name
The name of the resource group in which to create the virtual network.
no
location
The location/region where the virtual network is created.
no
tags
The tags assigned to the resource.
no
contacts
Blocks containing each contact.
no
access_policies
Blocks containing configuration of each access policy.