pulumi-azure-kotlin/com.pulumi.azure.keyvault.kotlin/KeyVault

KeyVault

class KeyVault : KotlinCustomResource

Manages a Key Vault.

Disclaimers

Note: It's possible to define Key Vault Access Policies both within the azure.keyvault.KeyVault resource via the access_policy block and by using the azure.keyvault.AccessPolicy resource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts. Note: It's possible to define Key Vault Certificate Contacts both within the azure.keyvault.KeyVault resource via the contact block and by using the azure.keyvault.CertificateContacts resource. However it's not possible to use both methods to manage Certificate Contacts within a KeyVault, since there'll be conflicts.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const example = new azure.core.ResourceGroup("example", {
    name: "example-resources",
    location: "West Europe",
});
const exampleKeyVault = new azure.keyvault.KeyVault("example", {
    name: "examplekeyvault",
    location: example.location,
    resourceGroupName: example.name,
    enabledForDiskEncryption: true,
    tenantId: current.then(current => current.tenantId),
    softDeleteRetentionDays: 7,
    purgeProtectionEnabled: false,
    skuName: "standard",
    accessPolicies: [{
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        keyPermissions: ["Get"],
        secretPermissions: ["Get"],
        storagePermissions: ["Get"],
    }],
});
Content copied to clipboard
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example = azure.core.ResourceGroup("example",
    name="example-resources",
    location="West Europe")
example_key_vault = azure.keyvault.KeyVault("example",
    name="examplekeyvault",
    location=example.location,
    resource_group_name=example.name,
    enabled_for_disk_encryption=True,
    tenant_id=current.tenant_id,
    soft_delete_retention_days=7,
    purge_protection_enabled=False,
    sku_name="standard",
    access_policies=[{
        "tenant_id": current.tenant_id,
        "object_id": current.object_id,
        "key_permissions": ["Get"],
        "secret_permissions": ["Get"],
        "storage_permissions": ["Get"],
    }])
Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
    var current = Azure.Core.GetClientConfig.Invoke();
    var example = new Azure.Core.ResourceGroup("example", new()
    {
        Name = "example-resources",
        Location = "West Europe",
    });
    var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
    {
        Name = "examplekeyvault",
        Location = example.Location,
        ResourceGroupName = example.Name,
        EnabledForDiskEncryption = true,
        TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
        SoftDeleteRetentionDays = 7,
        PurgeProtectionEnabled = false,
        SkuName = "standard",
        AccessPolicies = new[]
        {
            new Azure.KeyVault.Inputs.KeyVaultAccessPolicyArgs
            {
                TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
                ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                KeyPermissions = new[]
                {
                    "Get",
                },
                SecretPermissions = new[]
                {
                    "Get",
                },
                StoragePermissions = new[]
                {
                    "Get",
                },
            },
        },
    });
});
Content copied to clipboard
package main
import (
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/keyvault"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
			Name:     pulumi.String("example-resources"),
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		_, err = keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
			Name:                     pulumi.String("examplekeyvault"),
			Location:                 example.Location,
			ResourceGroupName:        example.Name,
			EnabledForDiskEncryption: pulumi.Bool(true),
			TenantId:                 pulumi.String(current.TenantId),
			SoftDeleteRetentionDays:  pulumi.Int(7),
			PurgeProtectionEnabled:   pulumi.Bool(false),
			SkuName:                  pulumi.String("standard"),
			AccessPolicies: keyvault.KeyVaultAccessPolicyArray{
				&keyvault.KeyVaultAccessPolicyArgs{
					TenantId: pulumi.String(current.TenantId),
					ObjectId: pulumi.String(current.ObjectId),
					KeyPermissions: pulumi.StringArray{
						pulumi.String("Get"),
					},
					SecretPermissions: pulumi.StringArray{
						pulumi.String("Get"),
					},
					StoragePermissions: pulumi.StringArray{
						pulumi.String("Get"),
					},
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.inputs.KeyVaultAccessPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        final var current = CoreFunctions.getClientConfig();
        var example = new ResourceGroup("example", ResourceGroupArgs.builder()
            .name("example-resources")
            .location("West Europe")
            .build());
        var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
            .name("examplekeyvault")
            .location(example.location())
            .resourceGroupName(example.name())
            .enabledForDiskEncryption(true)
            .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
            .softDeleteRetentionDays(7)
            .purgeProtectionEnabled(false)
            .skuName("standard")
            .accessPolicies(KeyVaultAccessPolicyArgs.builder()
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .keyPermissions("Get")
                .secretPermissions("Get")
                .storagePermissions("Get")
                .build())
            .build());
    }
}
Content copied to clipboard
resources:
  example:
    type: azure:core:ResourceGroup
    properties:
      name: example-resources
      location: West Europe
  exampleKeyVault:
    type: azure:keyvault:KeyVault
    name: example
    properties:
      name: examplekeyvault
      location: ${example.location}
      resourceGroupName: ${example.name}
      enabledForDiskEncryption: true
      tenantId: ${current.tenantId}
      softDeleteRetentionDays: 7
      purgeProtectionEnabled: false
      skuName: standard
      accessPolicies:
        - tenantId: ${current.tenantId}
          objectId: ${current.objectId}
          keyPermissions:
            - Get
          secretPermissions:
            - Get
          storagePermissions:
            - Get
variables:
  current:
    fn::invoke:
      function: azure:core:getClientConfig
      arguments: {}
Content copied to clipboard

Import

Key Vault's can be imported using the resource id, e.g.

$ pulumi import azure:keyvault/keyVault:KeyVault example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.KeyVault/vaults/vault1
Content copied to clipboard

Properties

Link copied to clipboard
val accessPolicies: Output<List<KeyVaultAccessPolicy>>

A list of up to 1024 objects describing access policies, as described below.

Link copied to clipboard
val contacts: Output<List<KeyVaultContact>>
Link copied to clipboard
val enabledForDeployment: Output<Boolean>?

Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.

Link copied to clipboard
val enabledForDiskEncryption: Output<Boolean>?

Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.

Link copied to clipboard
val enabledForTemplateDeployment: Output<Boolean>?

Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.

Link copied to clipboard
val enableRbacAuthorization: Output<Boolean>?

Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val location: Output<String>

Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

Link copied to clipboard
val name: Output<String>

Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name.

Link copied to clipboard
val networkAcls: Output<KeyVaultNetworkAcls>

A network_acls block as defined below.

Link copied to clipboard
val publicNetworkAccessEnabled: Output<Boolean>?

Whether public network access is allowed for this Key Vault. Defaults to true.

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val purgeProtectionEnabled: Output<Boolean>?

Is Purge Protection enabled for this Key Vault? !>Note: Once Purge Protection has been Enabled it's not possible to Disable it. Support for disabling purge protection is being tracked in this Azure API issue. Deleting the Key Vault with Purge Protection Enabled will schedule the Key Vault to be deleted (which will happen by Azure in the configured number of days, currently 90 days).

Link copied to clipboard
val resourceGroupName: Output<String>

The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created.

Link copied to clipboard
val skuName: Output<String>

The Name of the SKU used for this Key Vault. Possible values are standard and premium.

Link copied to clipboard
val softDeleteRetentionDays: Output<Int>?

The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days.

Link copied to clipboard
val tags: Output<Map<String, String>>?

A mapping of tags to assign to the resource.

Link copied to clipboard
val tenantId: Output<String>

The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

Link copied to clipboard
val urn: Output<String>
Link copied to clipboard
val vaultUri: Output<String>

The URI of the Key Vault, used for performing operations on keys and secrets.