2016-10-20 12:30:30 +02:00
---
layout: "azurerm"
page_title: "Azure Resource Manager: azurerm_key_vault"
sidebar_current: "docs-azurerm-resource-key-vault"
description: |-
  Create a Key Vault.
---

# azurerm\_key\_vault

Create a Key Vault.

## Example Usage

```hcl
resource "azurerm_resource_group" "test" {
  name     = "resourceGroup1"
  location = "West US"
}

resource "azurerm_key_vault" "test" {
  name                = "testvault"
  location            = "West US"
  resource_group_name = "${azurerm_resource_group.test.name}"

  sku {
    name = "standard"
  }

  tenant_id = "d6e396d0-5584-41dc-9fc0-268df99bc610"

  # Each principal that needs access to the vault gets its own access_policy
  # block; the tenant_id inside it must match the vault's tenant_id above.
  access_policy {
    tenant_id = "d6e396d0-5584-41dc-9fc0-268df99bc610"
    object_id = "d746815a-0433-4a21-b95d-fc437d2d475b"

    # "all" grants this principal every key permission on the vault.
    key_permissions = [
      "all",
    ]

    secret_permissions = [
      "get",
    ]
  }

  enabled_for_disk_encryption = true

  tags {
    environment = "Production"
  }
}
```

## Argument Reference

The following arguments are supported:

* `name` - (Required) Specifies the name of the Key Vault resource. Changing this
  forces a new resource to be created.

* `location` - (Required) Specifies the supported Azure location where the resource exists.
  Changing this forces a new resource to be created.

* `resource_group_name` - (Required) The name of the resource group in which to
  create the Key Vault. Changing this forces a new resource to be created.

* `sku` - (Required) A `sku` block as described below.

* `tenant_id` - (Required) The Azure Active Directory tenant ID that should be
  used for authenticating requests to the key vault.

* `access_policy` - (Required) An access policy block as described below. At least
  one policy is required, up to a maximum of 16.

* `enabled_for_deployment` - (Optional) Boolean flag to specify whether Azure Virtual
  Machines are permitted to retrieve certificates stored as secrets from the key
  vault. Defaults to false.

* `enabled_for_disk_encryption` - (Optional) Boolean flag to specify whether Azure
  Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
  Defaults to false.

* `enabled_for_template_deployment` - (Optional) Boolean flag to specify whether
  Azure Resource Manager is permitted to retrieve secrets from the key vault.
  Defaults to false.

The three `enabled_for_*` flags authorize Azure platform services, not the
principals listed in `access_policy`, to read from the vault; leave them at their
default of false unless that integration is actually in use.

* `tags` - (Optional) A mapping of tags to assign to the resource.

`sku` supports the following:

* `name` - (Required) SKU name to specify whether the key vault is a `standard`
  or `premium` vault.

`access_policy` supports the following:

* `tenant_id` - (Required) The Azure Active Directory tenant ID that should be used
  for authenticating requests to the key vault. Must match the `tenant_id` used
  above.

* `object_id` - (Required) The object ID of a user, service principal or security
  group in the Azure Active Directory tenant for the vault. The object ID must
  be unique for the list of access policies.

* `key_permissions` - (Required) List of key permissions, must be one or more from
  the following: `all`, `backup`, `create`, `decrypt`, `delete`, `encrypt`, `get`,
  `import`, `list`, `restore`, `sign`, `unwrapKey`, `update`, `verify`, `wrapKey`.
  `all` grants every key permission; list only the operations the principal needs.

* `secret_permissions` - (Required) List of secret permissions, must be one or more
  from the following: `all`, `delete`, `get`, `list`, `set`.

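The access policy list is where least privilege on a vault is decided, so it is worth separating the principals that manage keys from the principals that use them. The following configuration is an added example, not code from the original page or from the provider's own examples: it assumes the `azurerm_resource_group.test` and tenant ID from the example above, and the two `object_id` values are placeholders that would be replaced with the object IDs of an operations group and an application service principal. The operations group can create, rotate and back up keys but cannot decrypt or sign with them or read secret values; the application can use keys and read the secrets it needs but cannot create, import, delete or back up anything. The platform integration flags are left at false because nothing in this example needs them.

```hcl
resource "azurerm_key_vault" "prod" {
  name                = "prodvault"
  location            = "West US"
  resource_group_name = "${azurerm_resource_group.test.name}"
  tenant_id           = "d6e396d0-5584-41dc-9fc0-268df99bc610"

  sku {
    name = "standard"
  }

  # Operations group (placeholder object ID): key lifecycle management only.
  # No decrypt/sign/unwrapKey, so operators cannot use the keys cryptographically,
  # and no "get" on secrets, so they cannot read secret values.
  access_policy {
    tenant_id = "d6e396d0-5584-41dc-9fc0-268df99bc610"
    object_id = "00000000-0000-0000-0000-000000000001"

    key_permissions = [
      "get",
      "list",
      "create",
      "import",
      "update",
      "delete",
      "backup",
      "restore",
    ]

    secret_permissions = [
      "list",
      "delete",
    ]
  }

  # Application service principal (placeholder object ID): use keys and read
  # secrets, nothing else. No create/import/delete/backup on keys and no
  # set/delete on secrets.
  access_policy {
    tenant_id = "d6e396d0-5584-41dc-9fc0-268df99bc610"
    object_id = "00000000-0000-0000-0000-000000000002"

    key_permissions = [
      "get",
      "decrypt",
      "sign",
      "unwrapKey",
    ]

    secret_permissions = [
      "get",
    ]
  }

  # Platform integrations stay off until a VM, ARM template or Azure Disk
  # Encryption workflow actually needs to read from this vault.
  enabled_for_deployment          = false
  enabled_for_disk_encryption     = false
  enabled_for_template_deployment = false

  tags {
    environment = "Production"
  }
}
```

Adding a further consumer means adding another `access_policy` block with its own `object_id` rather than widening an existing one; the provider rejects duplicate object IDs and more than 16 policies, so the list stays auditable as a per-principal permission table.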
## Attributes Reference

The following attributes are exported:

* `id` - The Vault ID.

* `vault_uri` - The URI of the vault for performing operations on keys and secrets.