pulumi-azure-kotlin/com.pulumi.azure.keyvault.kotlin/KeyVault

KeyVault

class KeyVault : KotlinCustomResource

Manages a Key Vault.

Disclaimers

Note: It's possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts. Note: It's possible to define Key Vault Certificate Contacts both within the azure.keyvault.KeyVault resource via the contact block and by using the azure.keyvault.CertificateContacts resource. However it's not possible to use both methods to manage Certificate Contacts within a KeyVault, since there'll be conflicts.

Example Usage

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.inputs.KeyVaultAccessPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        final var current = CoreFunctions.getClientConfig();
        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
            .location("West Europe")
            .build());
        var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .enabledForDiskEncryption(true)
            .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
            .softDeleteRetentionDays(7)
            .purgeProtectionEnabled(false)
            .skuName("standard")
            .accessPolicies(KeyVaultAccessPolicyArgs.builder()
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .keyPermissions("Get")
                .secretPermissions("Get")
                .storagePermissions("Get")
                .build())
            .build());
    }
}

Import

Key Vault's can be imported using the resource id, e.g.

$ pulumi import azure:keyvault/keyVault:KeyVault example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1

Properties

accessPolicies

val accessPolicies: Output<List<KeyVaultAccessPolicy>>

A list of up to 1024 objects describing access policies, as described below.

contacts

val contacts: Output<List<KeyVaultContact>>?

One or more contact block as defined below.

enabledForDeployment

val enabledForDeployment: Output<Boolean>?

Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.

enabledForDiskEncryption

val enabledForDiskEncryption: Output<Boolean>?

Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.

enabledForTemplateDeployment

val enabledForTemplateDeployment: Output<Boolean>?

Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.

enableRbacAuthorization

val enableRbacAuthorization: Output<Boolean>?

Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.

val id: Output<String>

location

val location: Output<String>

Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

name

val name: Output<String>

Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.

networkAcls

val networkAcls: Output<KeyVaultNetworkAcls>

A network_acls block as defined below.

publicNetworkAccessEnabled

val publicNetworkAccessEnabled: Output<Boolean>?

Whether public network access is allowed for this Key Vault. Defaults to true.

pulumiChildResources

val pulumiChildResources: Set<KotlinResource>

pulumiResourceName

val pulumiResourceName: String

pulumiResourceType

val pulumiResourceType: String

purgeProtectionEnabled

val purgeProtectionEnabled: Output<Boolean>?

Is Purge Protection enabled for this Key Vault? !>Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).

resourceGroupName

val resourceGroupName: Output<String>

The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

skuName

val skuName: Output<String>

The Name of the SKU used for this Key Vault. Possible values are standard and premium.

softDeleteRetentionDays

val softDeleteRetentionDays: Output<Int>?

The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.