Azure - Terraform templates

KeyVault

Last updated: December 14, 2024
The following snippet creates an Azure Key Vault with purge protection enabled and the soft-delete retention period set to 7 days, so that the vault and its contents can be recovered after accidental deletion. Note that once purge protection is turned on for a vault it cannot be turned off again. By default the module uses the RBAC permission model, meaning access to secrets, keys and certificates is granted through Azure role assignments (IAM) rather than through vault access policies.

module "keyvault" {
  source  = "Azure/avm-res-keyvault-vault/azurerm"
  version = "0.9.1"

  name                = local.resource_prefix_short
  enable_telemetry    = true
  location            = local.location
  resource_group_name = module.rg.name
  tenant_id           = var.tenant_id

  # Recovery settings: deleted vaults/objects stay recoverable for 7 days,
  # and nothing can be permanently purged before that window elapses.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}
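Because the module defaults to the RBAC permission model, the vault above is created with no data-plane access at all until roles are assigned. The following added example (not part of the original page) shows how to grant that access in the same module call using the AVM module's `role_assignments` input, scoped to the vault, with a separate least-privilege built-in role per consumer. The variables `var.app_principal_id` and `var.pki_operator_principal_id` are assumed to exist and to hold the object IDs of the respective identities.

```hcl
module "keyvault" {
  source  = "Azure/avm-res-keyvault-vault/azurerm"
  version = "0.9.1"

  name                = local.resource_prefix_short
  enable_telemetry    = true
  location            = local.location
  resource_group_name = module.rg.name
  tenant_id           = var.tenant_id

  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # RBAC data-plane grants at vault scope (the module's default model).
  # Assumed: both *_principal_id variables hold the Entra ID *object ID* of a
  # service principal or managed identity, not its application (client) ID.
  role_assignments = {
    # The workload only needs to read secret values.
    app_secrets_reader = {
      role_definition_id_or_name = "Key Vault Secrets User"
      principal_id               = var.app_principal_id
    }
    # Certificate operators manage certificates only; no secret or key access,
    # and no vault-wide "Key Vault Administrator" assignment.
    pki_operator = {
      role_definition_id_or_name = "Key Vault Certificates Officer"
      principal_id               = var.pki_operator_principal_id
    }
  }
}
```

Keeping the grants in the module call, rather than as loose `azurerm_role_assignment` resources elsewhere, means the vault's entire permission set is reviewable in one place and is removed together with the vault on `terraform destroy`.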

KeyVault Access Policy

If you want to use the legacy Key Vault access-policy model instead of RBAC, enable it with `legacy_access_policies_enabled` and declare the policies in `legacy_access_policies`. The two models are mutually exclusive on a vault, so turning this on replaces RBAC data-plane authorization for that vault:

module "keyvault" {
  source  = "Azure/avm-res-keyvault-vault/azurerm"
  version = "0.9.1"

  name                = local.resource_prefix_short
  enable_telemetry    = true
  location            = local.location
  resource_group_name = module.rg.name
  tenant_id           = var.tenant_id

  # Switch the vault from RBAC to the legacy access-policy model.
  legacy_access_policies_enabled = true
  legacy_access_policies = {
    test = {
      # object_id must be the principal's Entra ID object ID; an application
      # (client) ID will not match any identity. Make sure var.client_id
      # actually carries the object ID of the intended principal.
      object_id               = var.client_id
      certificate_permissions = ["Get", "List"]
    }
  }

  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}


Further reading