Azure Key Vault Key

This page shows how to write Terraform for a Key Vault Key and how to configure it securely.

azurerm_key_vault_key (Terraform)

The Key in Key Vault can be configured in Terraform with the resource name azurerm_key_vault_key. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

key_vault_key_test.tf#L29
resource "azurerm_key_vault_key" "pr_rsa2048" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.premium.id
  key_type     = "RSA"
  key_size     = 2048

keyvault-ensure-key-expires.tf#L1
resource "azurerm_key_vault_key" "good_example" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  expiration_date = "1982-12-31T00:00:00Z"

azure_key_vault_key.tf#L2
resource "azurerm_key_vault_key" "generated" {
  name         = "vault-aks"
  key_vault_id = azurerm_key_vault.vault.id
  key_type     = "RSA"
  key_size     = 2048

resource.tf#L1
resource "azurerm_key_vault_key" "keyvault_key" {
  name         = var.res_kvencrypt_name
  key_vault_id = var.res_key_vault_id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = var.res_key_opts

main.tf#L1
resource "azurerm_key_vault_key" "key" {
  name         = var.kv_key_name
  key_vault_id = var.kv_vault_id
  key_type     = var.kv_key_type
  key_size     = var.kv_key_size
  key_opts     = var.kv_key_opts

positive.tf#L1
resource "azurerm_key_vault_key" "positive1" {
    name         = "generated-certificate"
    key_vault_id = azurerm_key_vault.example.id
    key_type     = "RSA"
    key_size     = 2048

azurerm_key_vault_key.example.tf#L1
resource "azurerm_key_vault_key" "example" {
  name            = "generated-certificate"
  key_vault_id    = azurerm_key_vault.example.id
  key_type        = "RSA-HSM"
  key_size        = 2048
  expiration_date = timeadd(timestamp(), "720h")

negative.tf#L1
resource "azurerm_key_vault_key" "negative1" {
    name         = "generated-certificate"
    key_vault_id = azurerm_key_vault.example.id
    key_type     = "RSA"
    key_size     = 2048

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for azurerm_key_vault_key

There is 1 setting in azurerm_key_vault_key that should be taken care of for security reasons. The following section gives an overview and example code.

Ensure an expiration date is configured on all keys

Configure an expiration date on every key. No expiration date is set by default.
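One way to check this before apply, as an added example that is not code from this page or from Shisho Cloud: the script reads the JSON form of a plan (the output of terraform show -json on a saved plan file) and reports each azurerm_key_vault_key whose expiration_date is missing, already in the past, or only known at apply time (as with timeadd(timestamp(), "720h") above). The function name check_key_expiry, the status strings and the sample plan are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. Not taken from a real deployment.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "azurerm_key_vault_key.no_expiry", "type": "azurerm_key_vault_key",
   "change": {"actions": ["create"], "after": {"key_type": "RSA", "key_size": 2048},
              "after_unknown": {"id": true}}},
  {"address": "azurerm_key_vault_key.computed", "type": "azurerm_key_vault_key",
   "change": {"actions": ["create"], "after": {"key_type": "RSA-HSM"},
              "after_unknown": {"expiration_date": true}}},
  {"address": "azurerm_key_vault_key.stale", "type": "azurerm_key_vault_key",
   "change": {"actions": ["create"],
              "after": {"expiration_date": "1982-12-31T00:00:00Z"},
              "after_unknown": {}}},
  {"address": "azurerm_key_vault_key.removed", "type": "azurerm_key_vault_key",
   "change": {"actions": ["delete"], "after": null, "after_unknown": {}}},
  {"address": "azurerm_key_vault.example", "type": "azurerm_key_vault",
   "change": {"actions": ["create"], "after": {}, "after_unknown": {}}}
]}
""")


def check_key_expiry(plan, now=None):
    """Return {address: status} for each azurerm_key_vault_key the plan keeps."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "azurerm_key_vault_key" or change.get("after") is None:
            continue  # other resource types, or keys the plan deletes
        expiry = change["after"].get("expiration_date")
        if expiry:
            # RFC 3339 timestamp; normalise the trailing Z for fromisoformat()
            when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
            findings[rc["address"]] = "ok" if when > now else "expired"
        elif (change.get("after_unknown") or {}).get("expiration_date") is True:
            # value depends on a function such as timestamp(); known only at apply
            findings[rc["address"]] = "computed"
        else:
            findings[rc["address"]] = "missing"
    return findings


if __name__ == "__main__":
    for address, status in check_key_expiry(SAMPLE_PLAN).items():
        print(f"{status:9} {address}")
```

A check that only tests for the presence of expiration_date would pass the "stale" key; comparing the value against the current time catches it.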

Parameters

Explanation in Terraform Registry

Manages a Key Vault Key.

Tips: Best Practices for The Other Azure Key Vault Resources

In addition to azurerm_key_vault_key, Azure Key Vault has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.

azurerm_key_vault

Ensure a network ACL is specified for the key vault

Specify a network ACL for the key vault. The default should be set to deny, and Azure Services should still be accepted.

azurerm_key_vault_secret

Ensure a content type is set

Set a content type on each secret to aid interpretation on retrieval.

Azure Resource Manager Example

Azure Resource Manager code does not have the related resource.

Frequently asked questions

What is Azure Key Vault Key?

Azure Key Vault Key is a resource for Key Vault of Microsoft Azure. Settings can be written in Terraform.

Where can I find the example code for the Azure Key Vault Key?

For Terraform, the gilyas/infracost, infracost/infracost and returntocorp/semgrep-rules source code examples are useful. See the Terraform Example section for further details.