Manages a Key Vault.
Key Vault's soft-delete feature allows recovery of the deleted vaults and deleted key vault objects (for example, keys, secrets, certificates), known as soft-delete. In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users will no longer be able to opt out of or turn off soft-delete.
- Format and validate Terraform code before commit.
terraform init -upgrade \
&& terraform init -reconfigure -upgrade \
&& terraform fmt -recursive . \
&& terraform fmt -check \
&& terraform validate .- Always fetch latest changes from upstream and rebase from it. Terraform documentation will always be updated with GitHub Actions. See also .github/workflows/terraform.yml GitHub Actions workflow.
git fetch --all --tags --prune --prune-tags \
&& git pull --rebase --all --prune --tags| Name | Version |
|---|---|
| terraform | >= 1.3.1 |
| azurerm | >= 3.33.0, < 4.0.0 |
| Name | Version |
|---|---|
| azurerm | 3.37.0 |
No modules.
| Name | Type |
|---|---|
| azurerm_key_vault.key_vault | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| app_name | (Required) Name of this resource within the system it belongs to (see naming convention guidelines). Will be part of the final name of the deployed resource. |
string |
n/a | yes |
| configuration | (Optional) The configuration for block type arguments. | any |
null |
no |
| enable_rbac_authorization | (Optional) Boolean flag to specify whether Azure Key Vault uses Role Based Access Control (RBAC) for authorization of data actions. Defaults to false. |
bool |
false |
no |
| enabled_for_deployment | (Optional) Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. Defaults to false. |
bool |
false |
no |
| enabled_for_disk_encryption | (Optional) Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. Defaults to false. |
bool |
false |
no |
| enabled_for_template_deployment | (Optional) Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. Defaults to false. |
bool |
false |
no |
| environment | (Required) The name of the environment. | string |
n/a | yes |
| override_location | (Optional) Override the location of the resource. Under normal circumstances, it should not be used. | string |
null |
no |
| override_name | (Optional) Override the name of the resource. Under normal circumstances, it should not be used. | string |
null |
no |
| public_network_access_enabled | (Optional) Whether public network access is allowed for this Key Vault. Defaults to true. |
bool |
true |
no |
| purge_protection_enabled | (Optional) Is Purge Protection enabled for this Key Vault? Upstream defaults to false. Defaults to true in this module. |
bool |
false |
no |
| resource_group | (Required) The resource group where this resource should exist. | any |
n/a | yes |
| sku_name | (Optional) The Name of the SKU used for this Key Vault. Possible values are standard and premium. |
string |
"standard" |
no |
| soft_delete_retention_days | (Optional) The number of days that items should be retained for once soft-deleted. This value can be between 7 and 90 (the default) days. |
number |
90 |
no |
| system_short_name | (Required) Short abbreviation (to-three letters) of the system name that this resource belongs to (see naming convention guidelines). Will be part of the final name of the deployed resource. |
string |
n/a | yes |
| tags | (Optional) A mapping of tags to assign to the resource. | map(string) |
{} |
no |
| tenant_id | (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Changing this forces a new resource to be created. | string |
n/a | yes |
| Name | Description |
|---|---|
| azurerm_key_vault | The Azure Key Vault resource. |