Azure Key Vault Managed Hardware Security Module

azurerm_key_vault_managed_hardware_security_module (Terraform)

The Managed Hardware Security Module in Key Vault can be configured in Terraform with the resource name azurerm_key_vault_managed_hardware_security_module. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

gilyas/infracost

resource "azurerm_key_vault_managed_hardware_security_module" "my_module" {
  name                       = "exampleKVHsm"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = "eastus"
  sku_name                   = "Standard_B1"
  purge_protection_enabled   = false

infracost/infracost

resource "azurerm_key_vault_managed_hardware_security_module" "my_module" {
  name                       = "exampleKVHsm"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = "eastus"
  sku_name                   = "Standard_B1"
  purge_protection_enabled   = false

Parameters

The following arguments are supported:

• name - (Required) Specifies the name of the Key Vault Managed Hardware Security Module. Changing this forces a new resource to be created.

• resource_group_name - (Required) The name of the resource group in which to create the Key Vault Managed Hardware Security Module. Changing this forces a new resource to be created.

• location - (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created.

• admin_object_ids - (Required) Specifies a list of administrators object IDs for the key vault Managed Hardware Security Module. Changing this forces a new resource to be created.

• sku_name - (Required) The Name of the SKU used for this Key Vault Managed Hardware Security Module. Possible value is Standard_B1. Changing this forces a new resource to be created.

• tenant_id - (Required) The Azure Active Directory Tenant ID that should be used for authenticating requests to the key vault Managed Hardware Security Module. Changing this forces a new resource to be created.

• purge_protection_enabled - (Optional) Is Purge Protection enabled for this Key Vault Managed Hardware Security Module? Defaults to false. Changing this forces a new resource to be created.

• soft_delete_retention_days - (Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 days. Defaults to 90. Changing this forces a new resource to be created.

• tags - (Optional) A mapping of tags to assign to the resource. Changing this forces a new resource to be created.

The following attributes are exported:

• id - The Key Vault Secret Managed Hardware Security Module ID.

• hsm_uri - The URI of the Key Vault Managed Hardware Security Module, used for performing operations on keys.

Explanation in Terraform Registry

Manages a Key Vault Managed Hardware Security Module.

Tips: Best Practices for The Other Azure Key Vault Resources

In addition to the azurerm_key_vault, Azure Key Vault has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

azurerm_key_vault

Ensure to specify a network ACL for the key vault

It is better to specify network ACL for the key vault. The default should be set to deny and Azure Services should be still accepted.

azurerm_key_vault_key

Ensure to configure the expiration date on all keys

It is better to configure the expiration date on all keys which is not set by default.

azurerm_key_vault_secret

Ensure to set a content type

It is better to set a content type to aid interpretation on retrieval.