Azure Key Vault supports creation of an AzKeyVaultManagedStorageAccount and an AzKeyVaultManagedStorageSasDefinition. It would be great if the AzureRM Terraform provider supported this too. This is needed to implement the same steps as outlined in https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview-storage-keys-powershell
# Resource group that holds the storage account and the key vault below.
resource "azurerm_resource_group" "testrg" {
  name     = "resourceGroupName"
  location = "westus"
}
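# Storage account whose access key will be handed to Key Vault for management.
# Location is taken from the resource group (it was the same literal, "westus")
# so the two cannot drift apart.
resource "azurerm_storage_account" "testsa" {
  name                     = "storageaccountname"
  resource_group_name      = "${azurerm_resource_group.testrg.name}"
  location                 = "${azurerm_resource_group.testrg.location}"
  account_tier             = "Standard"
  account_replication_type = "GRS"

  tags = {
    environment = "staging"
  }
}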
# Account-level SAS that serves as the template for the Key Vault managed
# SAS definition further down.
data "azurerm_storage_account_sas" "test" {
  connection_string = "${azurerm_storage_account.testsa.primary_connection_string}"
  https_only        = true # tokens derived from this template are not usable over plain HTTP

  # Service-level operations on the blob service only.
  resource_types {
    service   = true
    container = false
    object    = false
  }

  services {
    blob  = true
    queue = false
    table = false
    file  = false
  }

  # NOTE(review): timestamp() is re-evaluated on every plan, so start/expiry
  # change each run and this data source (and anything referencing .sas)
  # will show a diff every time.
  start  = timestamp()
  expiry = timeadd(timestamp(), "24h")

  # NOTE(review): write/add/create are granted next to read; keep only the
  # permissions the consumers of the SAS definition actually need.
  permissions {
    read    = true
    write   = true
    delete  = false
    list    = false
    add     = true
    create  = true
    update  = false
    process = false
  }
}
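# Key Vault that will own the managed storage account and SAS definition.
# Fix: the resource group in this file is named "testrg"; the previous
# references to azurerm_resource_group.test pointed at a resource that does
# not exist in this configuration.
resource "azurerm_key_vault" "test" {
  name                        = "testvault"
  location                    = "${azurerm_resource_group.testrg.location}"
  resource_group_name         = "${azurerm_resource_group.testrg.name}"
  sku_name                    = "standard"
  tenant_id                   = "22222222-2222-2222-2222-222222222222" # placeholder tenant
  enabled_for_disk_encryption = true

  tags = {
    environment = "staging"
  }
}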
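# Access policy for the principal that administers the managed storage
# account in the vault.
# Fix: the policy's tenant_id used a different literal than the vault's
# tenant_id; it now follows the vault so the two cannot disagree.
resource "azurerm_key_vault_access_policy" "test" {
  key_vault_id = "${azurerm_key_vault.test.id}"
  tenant_id    = "${azurerm_key_vault.test.tenant_id}"
  object_id    = "ae8494f6-67f2-4e56-b015-041a9ca4d0e8" # placeholder principal

  # This is the complete storage permission set, including regeneratekey and
  # purge. Grant it only to the administering identity; principals that merely
  # consume SAS tokens need a much smaller subset (e.g. getsas/listsas).
  storage_permissions = [
    "get",
    "list",
    "delete",
    "set",
    "update",
    "regeneratekey",
    "getsas",
    "listsas",
    "deletesas",
    "setsas",
    "recover",
    "backup",
    "restore",
    "purge",
  ]
}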
# Proposed resource: registers the storage account with Key Vault and names
# the key (key1) that Key Vault should hold and rotate.
resource "azurerm_key_vault_managed_storage_account" "test" {
  key_vault_id       = "${azurerm_key_vault.test.id}"
  storage_account_id = "${azurerm_storage_account.testsa.id}"
  storage_account_key = "key1"

  # NOTE(review): with auto_regenerate_key = false the regeneration period
  # presumably has no effect; either enable regeneration or drop the period
  # to make the intent clear. Anything else still using key1 directly would
  # break once regeneration is turned on.
  auto_regenerate_key      = false
  regeneration_period_days = 1
}
# Proposed resource: a SAS definition in the vault built from the account
# SAS generated above.
resource "azurerm_key_vault_managed_storage_sasdefinition" "test" {
  key_vault_id        = "${azurerm_key_vault.test.id}"
  storage_account_id  = "${azurerm_storage_account.testsa.id}"
  sas_definition_name = "ExpireDaily"

  # NOTE(review): the .sas attribute is a live SAS token, so it ends up in
  # Terraform state through this argument; protect the state accordingly.
  sas_template_uri = "${azurerm_storage_account_sas.test.sas}"
}
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview-storage-keys-powershell#shared-access-signature-tokens
Azure SDK for Go looks like it supports this now: https://github.com/Azure/azure-sdk-for-go/blob/master/services/keyvault/v7.0/keyvault/models.go#L3069
Do we know when this feature/enhancement will be prioritized for release? Thanks.
Azure SDK for Go looks like it supports this now: https://github.com/Azure/azure-sdk-for-go/blob/master/services/keyvault/v7.0/keyvault/models.go#L3069