New resource azurerm_key_vault_key

examples/apply_main.tf

@@ -1,3 +1,7 @@
+provider "azurerm" {
+  features {}
+}
+
 data "azurerm_subscription" "current" {}
 
 resource "random_password" "password" {
@@ -11,9 +15,10 @@ module "key_vault" {
   source = "registry.terraform.io/telekom-mms/key-vault/azurerm"
   key_vault = {
     kv-mms = {
-      location            = "westeurope"
-      resource_group_name = "rg-mms-github"
-      tenant_id           = data.azurerm_subscription.current.tenant_id
+      location                 = "westeurope"
+      resource_group_name      = "rg-mms-github"
+      tenant_id                = data.azurerm_subscription.current.tenant_id
+      purge_protection_enabled = false
     }
   }
   key_vault_secret = {
@@ -22,4 +27,9 @@ module "key_vault" {
       key_vault_id = module.key_vault.key_vault["kv-mms"].id
     }
   }
+  key_vault_key = {
+    mms-key = {
+      key_vault_id = module.key_vault.key_vault["kv-mms"].id
+    }
+  }
 }

examples/full_main.tf

@@ -1,3 +1,7 @@
+provider "azurerm" {
+  features {}
+}
+
 data "azurerm_subscription" "current" {}
 
 resource "random_password" "password" {
@@ -37,4 +41,24 @@ module "key_vault" {
       }
     }
   }
+  key_vault_key = {
+    mms-key = {
+      key_vault_id = module.key_vault.key_vault["kv-mms"].id
+      key_type     = "EC"
+      key_size     = null
+      curve        = "P-384"
+      rotation_policy = {
+        expire_after         = "P90D"
+        notify_before_expiry = "P29D"
+        automatic = {
+          time_before_expiry = "P30D"
+        }
+      }
+      tags = {
+        project     = "mms-github"
+        environment = terraform.workspace
+        managed-by  = "terraform"
+      }
+    }
+  }
 }

examples/min_main.tf

@@ -1,3 +1,7 @@
+provider "azurerm" {
+  features {}
+}
+
 data "azurerm_subscription" "current" {}
 
 resource "random_password" "password" {
@@ -22,4 +26,9 @@ module "key_vault" {
       key_vault_id = module.key_vault.key_vault["kv-mms"].id
     }
   }
+  key_vault_key = {
+    mms-key = {
+      key_vault_id = module.key_vault.key_vault["kv-mms"].id
+    }
+  }
 }

main.tf

@@ -72,3 +72,36 @@ resource "azurerm_key_vault_secret" "key_vault_secret" {
   expiration_date = local.key_vault_secret[each.key].expiration_date
   tags            = local.key_vault_secret[each.key].tags
 }
+
+resource "azurerm_key_vault_key" "key_vault_key" {
+  for_each = var.key_vault_key
+
+  name            = local.key_vault_key[each.key].name == "" ? each.key : local.key_vault_key[each.key].name
+  key_vault_id    = local.key_vault_key[each.key].key_vault_id
+  key_type        = local.key_vault_key[each.key].key_type
+  key_size        = local.key_vault_key[each.key].key_size
+  curve           = local.key_vault_key[each.key].curve
+  key_opts        = local.key_vault_key[each.key].key_opts
+  not_before_date = local.key_vault_key[each.key].not_before_date
+  expiration_date = local.key_vault_key[each.key].expiration_date
+
+  dynamic "rotation_policy" {
+    for_each = length(compact(concat([for key in setsubtract(keys(local.key_vault_key[each.key].rotation_policy), ["automatic"]) : local.key_vault_key[each.key].rotation_policy[key]], values(local.key_vault_key[each.key].rotation_policy["automatic"])))) > 0 ? [0] : []
+
+    content {
+      expire_after         = local.key_vault_key[each.key].rotation_policy.expire_after
+      notify_before_expiry = local.key_vault_key[each.key].rotation_policy.notify_before_expiry
+
+      dynamic "automatic" {
+        for_each = length(compact(values(local.key_vault_key[each.key].rotation_policy.automatic))) > 0 ? [0] : []
+
+        content {
+          time_after_creation = local.key_vault_key[each.key].rotation_policy.automatic.time_after_creation
+          time_before_expiry  = local.key_vault_key[each.key].rotation_policy.automatic.time_before_expiry
+        }
+      }
+    }
+  }
+
+  tags = local.key_vault_key[each.key].tags
+}

outputs.tf

@@ -20,6 +20,17 @@ output "key_vault_secret" {
   }
 }
 
+output "key_vault_key" {
+  description = "Outputs all attributes of resource_type."
+  value = {
+    for key_vault_key in keys(azurerm_key_vault_key.key_vault_key) :
+    key_vault_key => {
+      for key, value in azurerm_key_vault_key.key_vault_key[key_vault_key] :
+      key => value
+    }
+  }
+}
+
 output "variables" {
   description = "Displays all configurable variables passed by the module. __default__ = predefined values per module. __merged__ = result of merging the default values and custom values passed to the module"
   value = {
@@ -36,6 +47,10 @@ output "variables" {
         for key in keys(var.key_vault_secret) :
         key => local.key_vault_secret[key]
       }
+      key_vault_key = {
+        for key in keys(var.key_vault_key) :
+        key => local.key_vault_key[key]
+      }
     }
   }
 }

variables.tf

@@ -8,6 +8,11 @@ variable "key_vault_secret" {
   default     = {}
   description = "Resource definition, default settings are defined within locals and merged with var settings. For more information look at [Outputs](#Outputs)."
 }
+variable "key_vault_key" {
+  type        = any
+  default     = {}
+  description = "Resource definition, default settings are defined within locals and merged with var settings. For more information look at [Outputs](#Outputs)."
+}
 
 locals {
   default = {
@@ -48,13 +53,40 @@ locals {
       expiration_date = null
       tags            = {}
     }
+    key_vault_key = {
+      name     = ""
+      key_type = "RSA" // defined default
+      key_size = 4096  // defined default
+      curve    = null
+      key_opts = [
+        "decrypt",
+        "encrypt",
+        "sign",
+        "verify",
+        "wrapKey",
+        "unwrapKey"
+      ] // defined default
+      not_before_date = null
+      expiration_date = null
+      rotation_policy = {
+        automatic = {
+          time_after_creation = null
+          time_before_expiry  = null
+        }
+      }
+      tags = {}
+    }
   }
 
   // compare and merge custom and default values
   key_vault_values = {
     for key_vault in keys(var.key_vault) :
     key_vault => merge(local.default.key_vault, var.key_vault[key_vault])
   }
+  key_vault_key_values = {
+    for key_vault_key in keys(var.key_vault_key) :
+    key_vault_key => merge(local.default.key_vault_key, var.key_vault_key[key_vault_key])
+  }
 
   // deep merge of all custom and default values
   key_vault = {
@@ -78,4 +110,20 @@ locals {
     for key_vault_secret in keys(var.key_vault_secret) :
     key_vault_secret => merge(local.default.key_vault_secret, var.key_vault_secret[key_vault_secret])
   }
+  key_vault_key = {
+    for key_vault_key in keys(var.key_vault_key) :
+    key_vault_key => merge(
+      local.key_vault_key_values[key_vault_key],
+      {
+        for config in ["rotation_policy"] :
+        config => merge(
+          merge(local.default.key_vault_key[config], local.key_vault_key_values[key_vault_key][config]),
+          {
+            for subconfig in ["automatic"] :
+            subconfig => merge(local.default.key_vault_key[config][subconfig], lookup(local.key_vault_key_values[key_vault_key][config], subconfig, {}))
+          }
+        )
+      }
+    )
+  }
 }