diff --git a/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_resource_test.go b/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_resource_test.go index c51ea84afdc2..6a86e2cabcd7 100644 --- a/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_resource_test.go +++ b/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_resource_test.go @@ -329,7 +329,7 @@ resource "azurerm_key_vault_managed_hardware_security_module" "test" { } resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad22" scope = "/keys" role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b" @@ -337,7 +337,7 @@ resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "t } resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test1" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad23" scope = "/keys" role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778" diff --git a/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_rotation_policy_resource.go b/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_rotation_policy_resource.go new file mode 100644 index 000000000000..72a9cda5c14c --- /dev/null +++ b/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_rotation_policy_resource.go @@ -0,0 +1,282 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +package managedhsm + +import ( + "context" + "fmt" + "strings" + "time" + + "github.com/hashicorp/go-azure-helpers/lang/pointer" + "github.com/hashicorp/go-azure-helpers/lang/response" + validate2 "github.com/hashicorp/terraform-provider-azurerm/helpers/validate" + "github.com/hashicorp/terraform-provider-azurerm/internal/sdk" + "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/parse" + "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/validate" + "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" + "github.com/tombuildsstuff/kermit/sdk/keyvault/7.4/keyvault" +) + +type KeyVaultMHSMKeyRotationPolicyResource struct{} + +var _ sdk.ResourceWithUpdate = KeyVaultMHSMKeyRotationPolicyResource{} + +func (r KeyVaultMHSMKeyRotationPolicyResource) ModelObject() interface{} { + return &MHSMKeyRotationPolicyResourceSchema{} +} + +type MHSMKeyRotationPolicyResourceSchema struct { + ManagedHSMKeyID string `tfschema:"managed_hsm_key_id"` + ExpireAfter string `tfschema:"expire_after"` + TimeAfterCreation string `tfschema:"time_after_creation"` + TimeBeforeExpiry string `tfschema:"time_before_expiry"` +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) IDValidationFunc() pluginsdk.SchemaValidateFunc { + return validate.ManagedHSMDataPlaneVersionlessKeyID +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) ResourceType() string { + return "azurerm_key_vault_managed_hardware_security_module_key_rotation_policy" +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) Arguments() map[string]*pluginsdk.Schema { + return map[string]*pluginsdk.Schema{ + "managed_hsm_key_id": { + ForceNew: true, + Required: true, + Type: pluginsdk.TypeString, + }, + + "expire_after": { + Type: pluginsdk.TypeString, + Required: true, + ValidateFunc: validate2.ISO8601DurationBetween("P28D", "P100Y"), + }, + + // notify not supported in HSM Key, only rotate is supported + "time_after_creation": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validate2.ISO8601DurationBetween("P28D", "P100Y"), + ExactlyOneOf: []string{ + "time_after_creation", + "time_before_expiry", + }, + }, + + "time_before_expiry": { + Type: pluginsdk.TypeString, + Optional: true, + ValidateFunc: validate2.ISO8601Duration, + ExactlyOneOf: []string{ + "time_after_creation", + "time_before_expiry", + }, + }, + } +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) Attributes() map[string]*pluginsdk.Schema { + return map[string]*pluginsdk.Schema{} +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) Create() sdk.ResourceFunc { + return sdk.ResourceFunc{ + Timeout: 30 * time.Minute, + Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error { + client := metadata.Client.ManagedHSMs.DataPlaneKeysClient + domainSuffix, ok := metadata.Client.Account.Environment.ManagedHSM.DomainSuffix() + if !ok { + return fmt.Errorf("could not determine Managed HSM domain suffix for environment %q", metadata.Client.Account.Environment.Name) + } + + var config MHSMKeyRotationPolicyResourceSchema + if err := metadata.Decode(&config); err != nil { + return fmt.Errorf("decoding: %+v", err) + } + + keyID, err := parse.ManagedHSMDataPlaneVersionlessKeyID(config.ManagedHSMKeyID, domainSuffix) + if err != nil { + return fmt.Errorf("parsing Managed HSM Key ID: %+v", err) + } + + if _, err = client.GetKey(ctx, keyID.BaseUri(), keyID.KeyName, ""); err != nil { + return fmt.Errorf("checking for the presence of an existing %s: %+v", keyID, err) + } + + // check key has rotation policy + respPolicy, err := client.GetKeyRotationPolicy(ctx, keyID.BaseUri(), keyID.KeyName) + if err != nil { + switch { + case response.WasForbidden(respPolicy.Response.Response): + // If client is not authorized to access the policy: + return fmt.Errorf("current client lacks permissions to read Key Rotation Policy for Key %q: %v", keyID, err) + + case response.WasNotFound(respPolicy.Response.Response): + break + default: + return err + } + } + + if respPolicy.Attributes != nil && respPolicy.Attributes.ExpiryTime != nil { + if respPolicy.LifetimeActions != nil && len(*respPolicy.LifetimeActions) > 0 { + return metadata.ResourceRequiresImport(r.ResourceType(), keyID) + } + } + + if _, err := client.UpdateKeyRotationPolicy(ctx, keyID.BaseUri(), keyID.KeyName, expandKeyRotationPolicy(config)); err != nil { + return fmt.Errorf("creating HSM Key Rotation Policy for Key %q: %v", keyID, err) + } + + metadata.SetID(keyID) + return nil + }, + } +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) Read() sdk.ResourceFunc { + return sdk.ResourceFunc{ + Timeout: 5 * time.Minute, + Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error { + client := metadata.Client.ManagedHSMs.DataPlaneKeysClient + domainSuffix, ok := metadata.Client.Account.Environment.ManagedHSM.DomainSuffix() + if !ok { + return fmt.Errorf("could not determine Managed HSM domain suffix for environment %q", metadata.Client.Account.Environment.Name) + } + + id, err := parse.ManagedHSMDataPlaneVersionlessKeyID(metadata.ResourceData.Id(), domainSuffix) + if err != nil { + return err + } + + resp, err := client.GetKeyRotationPolicy(ctx, id.BaseUri(), id.KeyName) + if err != nil { + if response.WasNotFound(resp.Response.Response) { + return metadata.MarkAsGone(*id) + } + return fmt.Errorf("retrieving %s: %+v", *id, err) + } + schema := flattenKeyRotationPolicy(resp) + schema.ManagedHSMKeyID = id.ID() + + return metadata.Encode(&schema) + }, + } +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) Update() sdk.ResourceFunc { + return sdk.ResourceFunc{ + Timeout: 30 * time.Minute, + Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error { + client := metadata.Client.ManagedHSMs.DataPlaneRoleAssignmentsClient + domainSuffix, ok := metadata.Client.Account.Environment.ManagedHSM.DomainSuffix() + if !ok { + return fmt.Errorf("could not determine Managed HSM domain suffix for environment %q", metadata.Client.Account.Environment.Name) + } + + var config MHSMKeyRotationPolicyResourceSchema + if err := metadata.Decode(&config); err != nil { + return fmt.Errorf("decoding: %+v", err) + } + + id, err := parse.ManagedHSMDataPlaneVersionlessKeyID(metadata.ResourceData.Id(), domainSuffix) + if err != nil { + return err + } + + if _, err := client.UpdateKeyRotationPolicy(ctx, id.BaseUri(), id.KeyName, expandKeyRotationPolicy(config)); err != nil { + return fmt.Errorf("updating HSM Key Rotation Policy for Key %q: %v", id, err) + } + + return nil + }, + } +} + +func (r KeyVaultMHSMKeyRotationPolicyResource) Delete() sdk.ResourceFunc { + return sdk.ResourceFunc{ + Timeout: 30 * time.Minute, + Func: func(ctx context.Context, metadata sdk.ResourceMetaData) error { + client := metadata.Client.ManagedHSMs.DataPlaneKeysClient + + domainSuffix, ok := metadata.Client.Account.Environment.ManagedHSM.DomainSuffix() + if !ok { + return fmt.Errorf("could not determine Managed HSM domain suffix for environment %q", metadata.Client.Account.Environment.Name) + } + + id, err := parse.ManagedHSMDataPlaneVersionlessKeyID(metadata.ResourceData.Id(), domainSuffix) + if err != nil { + return err + } + + // setting a blank policy to delete the existing policy + if _, err := client.UpdateKeyRotationPolicy(ctx, id.BaseUri(), id.KeyName, keyvault.KeyRotationPolicy{ + LifetimeActions: pointer.To([]keyvault.LifetimeActions{}), + Attributes: &keyvault.KeyRotationPolicyAttributes{}, + }); err != nil { + return fmt.Errorf("deleting HSM Key Rotation Policy for Key %q: %v", id, err) + } + + return nil + }, + } +} + +func expandKeyRotationPolicy(policy MHSMKeyRotationPolicyResourceSchema) keyvault.KeyRotationPolicy { + + var expiryTime *string // = nil // needs to be set to nil if not set + if policy.ExpireAfter != "" { + expiryTime = pointer.To(policy.ExpireAfter) + } + + lifetimeActions := make([]keyvault.LifetimeActions, 0) + + lifetimeActionRotate := keyvault.LifetimeActions{ + Action: &keyvault.LifetimeActionsType{ + Type: keyvault.ActionTypeRotate, + }, + Trigger: &keyvault.LifetimeActionsTrigger{}, + } + + if policy.TimeAfterCreation != "" { + lifetimeActionRotate.Trigger.TimeAfterCreate = pointer.To(policy.TimeAfterCreation) + lifetimeActions = append(lifetimeActions, lifetimeActionRotate) + } else if policy.TimeBeforeExpiry != "" { + lifetimeActionRotate.Trigger.TimeBeforeExpiry = pointer.To(policy.TimeBeforeExpiry) + lifetimeActions = append(lifetimeActions, lifetimeActionRotate) + } + + return keyvault.KeyRotationPolicy{ + LifetimeActions: &lifetimeActions, + Attributes: &keyvault.KeyRotationPolicyAttributes{ + ExpiryTime: expiryTime, + }, + } +} + +func flattenKeyRotationPolicy(p keyvault.KeyRotationPolicy) MHSMKeyRotationPolicyResourceSchema { + var res MHSMKeyRotationPolicyResourceSchema + if p.Attributes != nil { + res.ExpireAfter = pointer.From(p.Attributes.ExpiryTime) + } + + if p.LifetimeActions != nil { + for _, ltAction := range *p.LifetimeActions { + action := ltAction.Action + trigger := ltAction.Trigger + + if action != nil && trigger != nil { + if strings.EqualFold(string(action.Type), string(keyvault.ActionTypeRotate)) { + res.TimeAfterCreation = pointer.From(trigger.TimeAfterCreate) + res.TimeBeforeExpiry = pointer.From(trigger.TimeBeforeExpiry) + } + } + } + } + + return res +} diff --git a/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_rotation_policy_resource_test.go b/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_rotation_policy_resource_test.go new file mode 100644 index 000000000000..6d831eb4691f --- /dev/null +++ b/internal/services/managedhsm/key_vault_managed_hardware_security_module_key_rotation_policy_resource_test.go @@ -0,0 +1,234 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +package managedhsm_test + +import ( + "context" + "fmt" + "testing" + + "github.com/hashicorp/go-azure-helpers/resourcemanager/commonids" + "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance" + "github.com/hashicorp/terraform-provider-azurerm/internal/acceptance/check" + "github.com/hashicorp/terraform-provider-azurerm/internal/clients" + "github.com/hashicorp/terraform-provider-azurerm/internal/services/managedhsm/parse" + "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk" + "github.com/hashicorp/terraform-provider-azurerm/utils" +) + +type MHSMKeyRotationPolicyTestResource struct{} + +func testAccMHSMKeyRotationPolicy_all(t *testing.T) { + data := acceptance.BuildTestData(t, "azurerm_key_vault_managed_hardware_security_module_key_rotation_policy", "test") + r := MHSMKeyRotationPolicyTestResource{} + + data.ResourceTest(t, r, []acceptance.TestStep{ + { + Config: r.basic(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + { + Config: r.update(data), + Check: acceptance.ComposeTestCheckFunc( + check.That(data.ResourceName).ExistsInAzure(r), + ), + }, + data.ImportStep(), + }) +} + +func (r MHSMKeyRotationPolicyTestResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) { + domainSuffix, ok := clients.Account.Environment.ManagedHSM.DomainSuffix() + if !ok { + return nil, fmt.Errorf("could not determine Managed HSM domain suffix for environment %q", clients.Account.Environment.Name) + } + id, err := parse.ManagedHSMDataPlaneVersionlessKeyID(state.ID, domainSuffix) + if err != nil { + return nil, err + } + + subscriptionId := commonids.NewSubscriptionID(clients.Account.SubscriptionId) + resourceManagerId, err := clients.ManagedHSMs.ManagedHSMIDFromBaseUrl(ctx, subscriptionId, id.BaseUri(), domainSuffix) + if err != nil { + return nil, fmt.Errorf("determining Resource Manager ID for %q: %+v", id, err) + } + if resourceManagerId == nil { + return nil, fmt.Errorf("unable to determine the Resource Manager ID for %s", id) + } + + resp, err := clients.ManagedHSMs.DataPlaneKeysClient.GetKeyRotationPolicy(ctx, id.BaseUri(), id.KeyName) + if err != nil { + return nil, fmt.Errorf("reading %s: %+v", *id, err) + } + + return utils.Bool(resp.Attributes != nil), nil +} + +func (r MHSMKeyRotationPolicyTestResource) basic(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_key_vault_managed_hardware_security_module_key_rotation_policy" "test" { + managed_hsm_key_id = azurerm_key_vault_managed_hardware_security_module_key.test.id + time_before_expiry = "P30D" + expire_after = "P60D" +} +`, r.template(data)) +} + +func (r MHSMKeyRotationPolicyTestResource) update(data acceptance.TestData) string { + return fmt.Sprintf(` +provider "azurerm" { + features {} +} + +%s + +resource "azurerm_key_vault_managed_hardware_security_module_key_rotation_policy" "test" { + managed_hsm_key_id = azurerm_key_vault_managed_hardware_security_module_key.test.id + expire_after = "P60D" + time_after_creation = "P28D" +} +`, r.template(data)) +} + +func (r MHSMKeyRotationPolicyTestResource) template(data acceptance.TestData) string { + return fmt.Sprintf(` +data "azurerm_client_config" "current" { +} + +resource "azurerm_resource_group" "test" { + name = "acctestRG-KV-%[1]s" + location = "%[2]s" +} + +resource "azurerm_key_vault" "test" { + name = "acc%[3]d" + location = azurerm_resource_group.test.location + resource_group_name = azurerm_resource_group.test.name + tenant_id = data.azurerm_client_config.current.tenant_id + sku_name = "standard" + soft_delete_retention_days = 7 + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + key_permissions = [ + "Create", + "Delete", + "Get", + "Purge", + "Recover", + "Update", + "GetRotationPolicy", + ] + secret_permissions = [ + "Delete", + "Get", + "Set", + ] + certificate_permissions = [ + "Create", + "Delete", + "DeleteIssuers", + "Get", + "Purge", + "Update" + ] + } + tags = { + environment = "Production" + } +} + +resource "azurerm_key_vault_certificate" "cert" { + count = 3 + name = "acchsmcert${count.index}" + key_vault_id = azurerm_key_vault.test.id + certificate_policy { + issuer_parameters { + name = "Self" + } + key_properties { + exportable = true + key_size = 2048 + key_type = "RSA" + reuse_key = true + } + lifetime_action { + action { + action_type = "AutoRenew" + } + trigger { + days_before_expiry = 30 + } + } + secret_properties { + content_type = "application/x-pkcs12" + } + x509_certificate_properties { + extended_key_usage = [] + key_usage = [ + "cRLSign", + "dataEncipherment", + "digitalSignature", + "keyAgreement", + "keyCertSign", + "keyEncipherment", + ] + subject = "CN=hello-world" + validity_in_months = 12 + } + } +} + +resource "azurerm_key_vault_managed_hardware_security_module" "test" { + name = "kvHsm%[3]d" + resource_group_name = azurerm_resource_group.test.name + location = azurerm_resource_group.test.location + sku_name = "Standard_B1" + tenant_id = data.azurerm_client_config.current.tenant_id + admin_object_ids = [data.azurerm_client_config.current.object_id] + purge_protection_enabled = false + + security_domain_key_vault_certificate_ids = [for cert in azurerm_key_vault_certificate.cert : cert.id] + security_domain_quorum = 3 +} + +resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test" { + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id + name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad22" + scope = "/keys" + role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b" + principal_id = data.azurerm_client_config.current.object_id +} + +resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test1" { + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id + name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad23" + scope = "/keys" + role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778" + principal_id = data.azurerm_client_config.current.object_id +} + +resource "azurerm_key_vault_managed_hardware_security_module_key" "test" { + name = "acctestHSMK-%[1]s" + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id + key_type = "EC-HSM" + curve = "P-521" + key_opts = ["sign"] + + depends_on = [ + azurerm_key_vault_managed_hardware_security_module_role_assignment.test, + azurerm_key_vault_managed_hardware_security_module_role_assignment.test1 + ] +} +`, data.RandomString, data.Locations.Primary, data.RandomInteger) +} diff --git a/internal/services/managedhsm/key_vault_managed_hardware_security_module_resource_test.go b/internal/services/managedhsm/key_vault_managed_hardware_security_module_resource_test.go index 4f6fb6385340..33551fc3b58b 100644 --- a/internal/services/managedhsm/key_vault_managed_hardware_security_module_resource_test.go +++ b/internal/services/managedhsm/key_vault_managed_hardware_security_module_resource_test.go @@ -55,6 +55,7 @@ func TestAccKeyVaultManagedHardwareSecurityModule(t *testing.T) { "complete": testAccKeyVaultMHSMKey_complete, "purge": testAccKeyVaultHSMKey_purge, "softDeleteRecovery": testAccKeyVaultHSMKey_softDeleteRecovery, + "rotationPolicy": testAccMHSMKeyRotationPolicy_all, }, }) } diff --git a/internal/services/managedhsm/key_vault_managed_hardware_security_module_role_assignment_resource_test.go b/internal/services/managedhsm/key_vault_managed_hardware_security_module_role_assignment_resource_test.go index 65f1a2fec541..23283c8e3689 100644 --- a/internal/services/managedhsm/key_vault_managed_hardware_security_module_role_assignment_resource_test.go +++ b/internal/services/managedhsm/key_vault_managed_hardware_security_module_role_assignment_resource_test.go @@ -161,7 +161,7 @@ data "azurerm_key_vault_managed_hardware_security_module_role_definition" "offic } resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = local.assignmentOfficerName scope = "/keys" role_definition_id = data.azurerm_key_vault_managed_hardware_security_module_role_definition.officer.resource_manager_id @@ -179,7 +179,7 @@ locals { } resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = local.assignmentTestName scope = "/keys" role_definition_id = azurerm_key_vault_managed_hardware_security_module_role_definition.test.resource_manager_id diff --git a/internal/services/managedhsm/registration.go b/internal/services/managedhsm/registration.go index 304f69bee06a..bb7f2fb5e62b 100644 --- a/internal/services/managedhsm/registration.go +++ b/internal/services/managedhsm/registration.go @@ -57,5 +57,6 @@ func (r Registration) Resources() []sdk.Resource { KeyVaultMHSMKeyResource{}, KeyVaultMHSMRoleDefinitionResource{}, KeyVaultManagedHSMRoleAssignmentResource{}, + KeyVaultMHSMKeyRotationPolicyResource{}, } } diff --git a/internal/services/storage/storage_account_resource_test.go b/internal/services/storage/storage_account_resource_test.go index 0fb433f9cd28..2c88afa756cb 100644 --- a/internal/services/storage/storage_account_resource_test.go +++ b/internal/services/storage/storage_account_resource_test.go @@ -5185,7 +5185,7 @@ resource "azurerm_user_assigned_identity" "test" { } resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad22" scope = "/keys" role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b" @@ -5193,7 +5193,7 @@ resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "t } resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "test1" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad23" scope = "/keys" role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778" @@ -5201,7 +5201,7 @@ resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "t } resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "user" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad20" scope = "/keys" role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b" diff --git a/website/docs/r/key_vault_managed_hardware_security_module_key.html.markdown b/website/docs/r/key_vault_managed_hardware_security_module_key.html.markdown index 1d5b882f16bf..9545ea9eb9ca 100644 --- a/website/docs/r/key_vault_managed_hardware_security_module_key.html.markdown +++ b/website/docs/r/key_vault_managed_hardware_security_module_key.html.markdown @@ -36,7 +36,7 @@ resource "azurerm_key_vault_managed_hardware_security_module" "example" { // this gives your service principal the HSM Crypto User role which lets you create and destroy hsm keys resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "hsm-crypto-user" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad22" scope = "/keys" role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b" @@ -45,7 +45,7 @@ resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "h // this gives your service principal the HSM Crypto Officer role which lets you purge hsm keys resource "azurerm_key_vault_managed_hardware_security_module_role_assignment" "hsm-crypto-officer" { - vault_base_url = azurerm_key_vault_managed_hardware_security_module.test.hsm_uri + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.test.id name = "1e243909-064c-6ac3-84e9-1c8bf8d6ad23" scope = "/keys" role_definition_id = "/Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778" diff --git a/website/docs/r/key_vault_managed_hardware_security_module_key_rotation_policy.html.markdown b/website/docs/r/key_vault_managed_hardware_security_module_key_rotation_policy.html.markdown new file mode 100644 index 000000000000..752781da44ce --- /dev/null +++ b/website/docs/r/key_vault_managed_hardware_security_module_key_rotation_policy.html.markdown @@ -0,0 +1,64 @@ +--- +subcategory: "Key Vault" +layout: "azurerm" +page_title: "Azure Resource Manager: azurerm_key_vault_managed_hardware_security_module_key_rotation_policy" +description: |- + Manages a Managed HSM Key rotation policy. +--- + +# azurerm_key_vault_managed_hardware_security_module_key_rotation_policy + +Manages a Managed HSM Key rotation policy. + +## Example Usage + +```hcl +resource "azurerm_key_vault_managed_hardware_security_module_key" "example" { + name = "example-key" + managed_hsm_id = azurerm_key_vault_managed_hardware_security_module.example.id + key_type = "EC-HSM" + curve = "P-521" + key_opts = ["sign"] +} + +resource "azurerm_key_vault_managed_hardware_security_module_key_rotation_policy" "example" { + managed_hsm_key_id = azurerm_key_vault_managed_hardware_security_module_key.example.id + expire_after = "P60D" + time_before_expiry = "P30D" +} +``` + +## Arguments Reference + +The following arguments are supported: + +* `managed_hsm_key_id` - (Required) The ID of the Managed HSM Key. Changing this forces a new Managed HSM Key rotation policy to be created. + +* `expire_after` - (Required) Specify the expiration duration on a newly rotated key as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). The minimum duration is `P28D`. + +* `time_after_creation` - (Optional) Rotate automatically at a duration after key creation as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). Exactly one of `time_after_creation` or `time_before_expiry` should be specified. + +* `time_before_expiry` - (Optional) Rotate automatically at a duration before key expiry as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). Exactly one of `time_after_creation` or `time_before_expiry` should be specified. + +## Attributes Reference + +In addition to the Arguments listed above - the following Attributes are exported: + +* `id` - The ID of the Managed HSM Key Rotation policy. + +## Timeouts + +The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/language/resources/syntax#operation-timeouts) for certain actions: + +* `create` - (Defaults to 30 minutes) Used when creating the Managed HSM Key rotation policy. +* `read` - (Defaults to 5 minutes) Used when retrieving the Managed HSM Key rotation policy. +* `update` - (Defaults to 30 minutes) Used when updating the Managed HSM Key rotation policy. +* `delete` - (Defaults to 30 minutes) Used when deleting the Managed HSM Key rotation policy. + +## Import + +Managed HSM Key rotation policy can be imported using the `resource id`, e.g. + +```shell +terraform import azurerm_key_vault_managed_hardware_security_module_key_rotation_policy.example https://example-hsm.managedhsm.azure.net/keys/example +```