New resource: azurerm_key_vault_certificate_contact

[Tailzip]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Setting certificate contact block as part as azurerm_key_vault resource requires to also set Managecontacts certificate permission in access_policy block in that same Key Vault resource which prevents splitting access policies configuration into dedicated azurerm_key_vault_access_policy resources because of the conflicts it creates.

From azurerm_key_vault documentation.

It's possible to define Key Vault Access Policies both within the azurerm_key_vault resource via the access_policy block and by using the azurerm_key_vault_access_policy resource. However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.

Having a dedicated resource to set certificate contact would allow users to manage access policies with dedicated azurerm_key_vault_access_policy resources, which is particularly useful when splitting Terraform code into layers.

I've noticed there's been a PR (#8674) to add that new resource, but it has been abandoned.

Our Use Case

• In a first layer, we create a Key Vault and a Let's Encrypt certificate stored in that Key Vault.
• In a second layer, we create base infrastructure components for a Web App. That includes, among other components, an App Gateway, that needs to access that certificate in the Key Vault, so we need to give App Gateway's identity appropriate certificate permissions with azurerm_key_vault_access_policy resource. However, we can't because we had to use access_policy block when creating the Key Vault, to give Managecontacts certificate permission to be able to set contact infos.
• In a third layer, we create required resources for Web App.

New or Affected Resource(s)

• azurerm_key_vault
• azurerm_key_vault_certificate_contact (new)

Potential Terraform Configuration

resource "azurerm_key_vault_certificate_contact" "example" {
  key_vault_id = data.azurerm_key_vault.example.id
  contact {
    email = "example@example.com"
    name  = "example"
    phone = "0123456789"
  }
}

References

• new resource: azurerm_key_vault_certificate_contact #8674
• Specifying Email Contacts for azurerm_key_vault_certificate #1301

[mkemmerz]

Any plans to do this in the future?

[joshwright10]

I don't understand why the idea of the previous PR #8674 was not accepted. I believe this to be a very useful resource. Without this, we need to define all of the policy in-line and are limited to 16 access policies.

@njuCZ, if your code is still valid, could you re-submit the PR again please? It seems like the hard work has already been done.

[myc2h6o]

I've created a new pr #19743 based on #8674, to add the new resource azurerm_key_vault_certificate_contacts. Using plural form _contacts as it configures multiple contacts in this single resource.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.