ManagedHardwareSecurityModuleKeyArgs

data class ManagedHardwareSecurityModuleKeyArgs(val curve: Output<String>? = null, val expirationDate: Output<String>? = null, val keyOpts: Output<List<String>>? = null, val keySize: Output<Int>? = null, val keyType: Output<String>? = null, val managedHsmId: Output<String>? = null, val name: Output<String>? = null, val notBeforeDate: Output<String>? = null, val tags: Output<Map<String, String>>? = null) : ConvertibleToJava<ManagedHardwareSecurityModuleKeyArgs>

Manages a Key Vault Managed Hardware Security Module Key.

Note: The Azure Provider includes a Feature Toggle which will purge a Key Vault Managed Hardware Security Module Key resource on destroy, rather than the default soft-delete. See purge_soft_deleted_hardware_security_modules_on_destroy for more information.

resources:
  example:
    type: azure:keyvault:ManagedHardwareSecurityModule
    properties:
      name: example
      resourceGroupName: ${exampleAzurermResourceGroup.name}
      location: ${exampleAzurermResourceGroup.location}
      skuName: Standard_B1
      tenantId: ${current.tenantId}
      adminObjectIds:
        - ${current.objectId}
      purgeProtectionEnabled: false
      activeConfig:
        - securityDomainCertificate:
            - ${cert[0].id}
            - ${cert[1].id}
            - ${cert[2].id}
          securityDomainQuorum: 2
  # this gives your service principal the HSM Crypto User role which lets you create and destroy hsm keys
  hsm-crypto-user:
    type: azure:keyvault:ManagedHardwareSecurityModuleRoleAssignment
    properties:
      managedHsmId: ${example.id}
      name: 1e243909-064c-6ac3-84e9-1c8bf8d6ad22
      scope: /keys
      roleDefinitionId: /Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b
      principalId: ${current.objectId}
  # this gives your service principal the HSM Crypto Officer role which lets you purge hsm keys
  hsm-crypto-officer:
    type: azure:keyvault:ManagedHardwareSecurityModuleRoleAssignment
    properties:
      managedHsmId: ${example.id}
      name: 1e243909-064c-6ac3-84e9-1c8bf8d6ad23
      scope: /keys
      roleDefinitionId: /Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778
      principalId: ${current.objectId}
  exampleManagedHardwareSecurityModuleKey:
    type: azure:keyvault:ManagedHardwareSecurityModuleKey
    name: example
    properties:
      name: example
      managedHsmId: ${example.id}
      keyType: EC-HSM
      curve: P-521
      keyOpts:
        - sign
    options:
      # create the key only after both role assignments above exist
      dependsOn:
        - ${hsm-crypto-user}
        - ${hsm-crypto-officer}
variables:
  current:
    fn::invoke:
      function: azure:core:getClientConfig
      arguments: {}

API Providers

This resource uses the following Azure API Providers:

  • Microsoft.KeyVault: 2023-07-01

Import

Key Vault Managed Hardware Security Module Key can be imported using the resource id, e.g.

$ pulumi import azure:keyvault/managedHardwareSecurityModuleKey:ManagedHardwareSecurityModuleKey example https://exampleHSM.managedhsm.azure.net/keys/exampleKey

Constructors

constructor(curve: Output<String>? = null, expirationDate: Output<String>? = null, keyOpts: Output<List<String>>? = null, keySize: Output<Int>? = null, keyType: Output<String>? = null, managedHsmId: Output<String>? = null, name: Output<String>? = null, notBeforeDate: Output<String>? = null, tags: Output<Map<String, String>>? = null)

Properties

val curve: Output<String>? = null

Specifies the curve to use when creating an EC-HSM key. Possible values are P-256, P-256K, P-384, and P-521. This field is required if key_type is EC-HSM. Changing this forces a new resource to be created.

val expirationDate: Output<String>? = null

Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). When this parameter is changed on a rerun and the newer date is ahead of the current date, an update is performed. If the newer date is before the current date, the resource will be force created.

val keyOpts: Output<List<String>>? = null

A list of JSON web key operations. Possible values include: decrypt, encrypt, sign, unwrapKey, verify, wrapKey and import. Please note these values are case-sensitive.

val keySize: Output<Int>? = null

Specifies the size of the RSA key to create in bytes. For example, 1024 or 2048. Note: This field is required if key_type is RSA-HSM or oct-HSM. Changing this forces a new resource to be created.

val keyType: Output<String>? = null

Specifies the Key Type to use for this Key Vault Managed Hardware Security Module Key. Possible values are EC-HSM, oct-HSM and RSA-HSM. For more details, see HSM-protected keys. Changing this forces a new resource to be created.

val managedHsmId: Output<String>? = null

Specifies the ID of the Key Vault Managed Hardware Security Module that the key will be owned by. Changing this forces a new resource to be created.

val name: Output<String>? = null

Specifies the name of the Key Vault Managed Hardware Security Module Key. Changing this forces a new resource to be created.

val notBeforeDate: Output<String>? = null

Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').

val tags: Output<Map<String, String>>? = null

A mapping of tags to assign to the resource.
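
The cross-field rules in the property descriptions above (curve required for EC-HSM, keySize required for RSA-HSM and oct-HSM, case-sensitive keyOpts, the datetime format) can be checked on a key's properties before deployment. The following is an added example, not part of the Pulumi SDK or of the original page; the function names, the sample inputs, the rule that keyType must be set, and the character set accepted for HSM and key names in the import id are assumptions.

```python
import re
from datetime import datetime

# Allowed values as listed in the property descriptions on this page.
CURVES = {"P-256", "P-256K", "P-384", "P-521"}
KEY_TYPES = {"EC-HSM", "oct-HSM", "RSA-HSM"}
KEY_OPTS = {"decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey", "import"}
DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # Y-m-d'T'H:M:S'Z'
# Id shape taken from the import example; the name character set is an assumption.
KEY_ID_RE = re.compile(r"^https://([A-Za-z0-9-]+)\.managedhsm\.azure\.net/keys/([A-Za-z0-9-]+)$")


def parse_key_id(resource_id):
    """Split an import id into (hsm_name, key_name); None if it does not match."""
    m = KEY_ID_RE.match(resource_id)
    return (m.group(1), m.group(2)) if m else None


def check_key_args(props):
    """Return a list of rule violations for a key's `properties` mapping."""
    errors = []
    key_type = props.get("keyType")
    if key_type not in KEY_TYPES:  # assumption: a missing keyType is also flagged
        errors.append(f"keyType {key_type!r} is not one of {sorted(KEY_TYPES)}")
    if key_type == "EC-HSM" and props.get("curve") not in CURVES:
        errors.append("curve is required for EC-HSM and must be a listed curve")
    if key_type in ("RSA-HSM", "oct-HSM") and not isinstance(props.get("keySize"), int):
        errors.append(f"keySize is required for {key_type}")
    for op in props.get("keyOpts", []):
        if op not in KEY_OPTS:  # case-sensitive: "Sign" is rejected
            errors.append(f"keyOpts entry {op!r} is not a listed operation")
    for field in ("notBeforeDate", "expirationDate"):
        value = props.get(field)
        if value is not None:
            try:
                datetime.strptime(value, DATE_FMT)
            except ValueError:
                errors.append(f"{field} {value!r} is not Y-m-d'T'H:M:S'Z'")
    return errors


# Constructed sample inputs.
GOOD = {"name": "example", "keyType": "EC-HSM", "curve": "P-521", "keyOpts": ["sign"]}
BAD = {"name": "example", "keyType": "RSA-HSM", "keyOpts": ["Sign"],
       "expirationDate": "2030-01-01 00:00:00"}

if __name__ == "__main__":
    print(check_key_args(GOOD), check_key_args(BAD))
    print(parse_key_id("https://exampleHSM.managedhsm.azure.net/keys/exampleKey"))
```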

Functions

open override fun toJava(): ManagedHardwareSecurityModuleKeyArgs