Terraform module to create a Key Vault.
- Azure Resource Naming Convention
- Network ACLs Configuration
- Requirements
- Providers
- Modules
- Resources
- Inputs
- Outputs
## Azure Resource Naming Convention

Resource names should clearly indicate their type, workload, environment, and region. Using a consistent naming convention ensures clarity, uniformity, and easy identification across all repositories.

```text
<resource_prefix>-<app_or_project>-<environment>-<region>-<optional_unique_suffix>
```

| Component | Description | Example |
|---|---|---|
| resource_prefix | Short abbreviation for the resource type. | rg (Resource Group) |
| app_or_project | Identifier for the application or project. | qoh |
| environment | Environment where the resource is deployed (prod, dev, test, etc.). | prod |
| region | Azure region where the resource resides (e.g., cus for centralus). | cus |
| optional_unique_suffix | Optional unique string for ensuring name uniqueness, often random or incremental. | abcd, a42n |
## Network ACLs Configuration

- Before adding the network_acls block, ensure that service endpoints are configured for the subnet. This is required for proper integration with Azure Key Vault.

```hcl
# On the subnet that should reach the vault
service_endpoints = ["Microsoft.KeyVault"]
```

```hcl
network_acls = {
  default_action = "Deny"
  bypass         = "AzureServices" # Must be a string, not a list
  ip_rules       = []
  subnet_details = {
    default = {
      vnet_rg_name = "resource_group_name"
      vnet_name    = "virtual_network"
      subnet_name  = "subnet_name"
    }
  }
  private_link_access = {}
}
```
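The following is an added example, not code shipped with this module: it wires a subnet carrying the Microsoft.KeyVault service endpoint to a module call that denies public access and only admits that subnet. The module source path, the resource group, virtual network and all resource names are assumptions, and the resource group and virtual network are assumed to already exist.

```hcl
# Added example (not part of the module). Names, the module source path and the
# resource group / virtual network are assumptions.
resource "azurerm_subnet" "app" {
  name                 = "snet-qoh-prod-cus"
  resource_group_name  = "rg-qoh-prod-cus"
  virtual_network_name = "vnet-qoh-prod-cus"
  address_prefixes     = ["10.0.1.0/24"]

  # Required before the network_acls block below may reference this subnet
  service_endpoints = ["Microsoft.KeyVault"]
}

module "key_vault" {
  source = "./modules/key_vault" # assumed path to this module

  name                = "kv-qoh-prod-cus-a42n"
  location            = "centralus"
  resource_group_name = "rg-qoh-prod-cus"
  sku_name            = "standard"

  # Use Azure RBAC for data-plane permissions instead of vault access policies
  enable_rbac_authorization = true
  access_policy             = {}

  # Deny public access; only the subnet above and trusted Azure services reach the vault
  public_network_access_enabled = false
  network_acls = {
    default_action = "Deny"
    bypass         = "AzureServices" # string, not a list
    ip_rules       = []
    subnet_details = {
      default = {
        vnet_rg_name = azurerm_subnet.app.resource_group_name
        vnet_name    = azurerm_subnet.app.virtual_network_name
        subnet_name  = azurerm_subnet.app.name
      }
    }
    private_link_access = {}
  }

  # Keep soft-deleted objects recoverable for the maximum window and block purge
  purge_protection_enabled   = true
  soft_delete_retention_days = "90"

  tags = {
    environment = "prod"
    workload    = "qoh"
  }
}
```

Note that purge protection cannot be turned off once enabled, so set it deliberately for vaults you do not intend to recreate under the same name within the retention window.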
## Requirements

| Name | Version |
|---|---|
| terraform | >=0.13 |
| azurerm | >=4.0.0 |

## Providers

| Name | Version |
|---|---|
| azurerm | >=4.0.0 |

## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| azurerm_key_vault.key_vault | resource |
| azurerm_client_config.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_policy | (Optional) A list of access_policy objects (up to 1024) describing access policies, as described below. | map | {} | no |
| enable_rbac_authorization | (Optional) Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. | bool | null | no |
| enabled_for_deployment | (Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool | null | no |
| enabled_for_disk_encryption | (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool | null | no |
| enabled_for_template_deployment | (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool | null | no |
| location | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | string | n/a | yes |
| name | (Required) Specifies the name of the Key Vault. Changing this forces a new resource to be created. The name must be globally unique. If the vault is in a recoverable state then the vault will need to be purged before reusing the name. | string | n/a | yes |
| network_acls | (Optional) A network_acls block as defined above. | map | {} | no |
| public_network_access_enabled | (Optional) Whether public network access is allowed for this Key Vault. Defaults to true. | bool | true | no |
| purge_protection_enabled | (Optional) Is Purge Protection enabled for this Key Vault? | bool | null | no |
| resource_group_name | (Required) The name of the resource group in which to create the Key Vault. Changing this forces a new resource to be created. | string | n/a | yes |
| sku_name | (Required) The Name of the SKU used for this Key Vault. Possible values are standard and premium. | string | n/a | yes |
| soft_delete_retention_days | (Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days. | string | null | no |
| tags | (Optional) A mapping of tags to assign to the resource. | map(any) | {} | no |
## Outputs

| Name | Description |
|---|---|
| id | The ID of the Key Vault. |
| name | The Name of the Key Vault. |
| vault_uri | The URI of the Key Vault, used for performing operations on keys and secrets. |