Azure Key Vault Certificate

azurerm_key_vault_certificate (Terraform)

The Certificate in Key Vault can be configured in Terraform with the resource name azurerm_key_vault_certificate. The following sections describe 7 examples of how to use the resource and its parameters.

Example Usage from GitHub

gilyas/infracost

resource "azurerm_key_vault_certificate" "non-usage" {
  name         = "imported-cert"
  key_vault_id = azurerm_key_vault.standard.id

  certificate {
    contents = ""

oliverhernandezmoreno/SourcesOH

resource "azurerm_key_vault_certificate" "minio" {
  name         = "bucket"
  key_vault_id = azurerm_key_vault.key.id

  certificate {
    contents = filebase64("./cert/pem/minio.contratoagil.cl/cert-minio.pfx")

oliverhernandezmoreno/SourcesOH

resource "azurerm_key_vault_certificate" "minio" {
  name         = "bucket"
  key_vault_id = azurerm_key_vault.key.id

  certificate {
    contents = filebase64("./cert/pem/minio.contratoagil.cl/cert-minio.pfx")

oliverhernandezmoreno/SourcesOH

resource "azurerm_key_vault_certificate" "minio" {
  name         = "bucket"
  key_vault_id = azurerm_key_vault.key.id

  certificate {
    contents = filebase64("./cert/pem/minio.onr.cl/cert-minio.pfx")

oliverhernandezmoreno/SourcesOH

resource "azurerm_key_vault_certificate" "minio" {
  name         = "bucket"
  key_vault_id = azurerm_key_vault.key.id

  certificate {
    contents = filebase64("./cert/pem/minio.onr.cl/cert-minio.pfx")

prashant101386/devops

resource "azurerm_key_vault_certificate" "key_vault_certificate" {
  name         = var.certificate_name
  key_vault_id = var.key_vault_id

  certificate {
    contents = filebase64(var.certificate)

psmanika/azure-terraform-landing-zone

resource "azurerm_key_vault_certificate" "base" {
  name         = "P2SRootCert"
  key_vault_id = var.key_vault_id

  certificate {
    contents = var.certificate_contents

Parameters

• certificate_attribute optional computed - list of object
  • created - string
  • enabled - bool
  • expires - string
  • not_before - string
  • recovery_level - string
  • updated - string
• certificate_data optional computed - string
• certificate_data_base64 optional computed - string
• id optional computed - string
• key_vault_id required - string
• name required - string
• secret_id optional computed - string
• tags optional - map from string to string
• thumbprint optional computed - string
• version optional computed - string
• certificate list block
  • contents required - string
  • password optional - string
• certificate_policy list block
  • issuer_parameters list block
    • name required - string
  • key_properties list block
    • exportable required - bool
    • key_size required - number
    • key_type required - string
    • reuse_key required - bool
  • lifetime_action list block
    • action list block
      • action_type required - string
    • trigger list block
      • days_before_expiry optional - number
      • lifetime_percentage optional - number
  • secret_properties list block
    • content_type required - string
  • x509_certificate_properties list block
    • extended_key_usage optional computed - list of string
    • key_usage required - list of string
    • subject required - string
    • validity_in_months required - number
    • subject_alternative_names list block
      • dns_names optional - set of string
      • emails optional - set of string
      • upns optional - set of string
• timeouts single block
  • create optional - string
  • delete optional - string
  • read optional - string

Explanation in Terraform Registry

Manages a Key Vault Certificate.

Tips: Best Practices for The Other Azure Key Vault Resources

In addition to the azurerm_key_vault, Azure Key Vault has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

azurerm_key_vault

Ensure to specify a network ACL for the key vault

It is better to specify network ACL for the key vault. The default should be set to deny and Azure Services should be still accepted.

azurerm_key_vault_key

Ensure to configure the expiration date on all keys

It is better to configure the expiration date on all keys which is not set by default.

azurerm_key_vault_secret

Ensure to set a content type

It is better to set a content type to aid interpretation on retrieval.