states.azurerm.keyvault.key

Azure Resource Manager (ARM) Key State Module

New in version 2.0.0.

Changed in version 4.0.0.

maintainer:

<devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed via acct. Note that the authentication parameters are case sensitive.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password
if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD

Example acct setup for Azure Resource Manager authentication:

azurerm:
    default:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        tenant: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        client_id: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        secret: XXXXXXXXXXXXXXXXXXXXXXXX
        cloud_environment: AZURE_PUBLIC_CLOUD
    user_pass_auth:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        username: fletch
        password: 123pass

The authentication parameters can also be passed as a dictionary of keyword arguments to the connection_auth parameter of each state, but this is not preferred and could be deprecated in the future.

idem_azurerm.states.azurerm.keyvault.key.absent(hub, ctx, name, vault_url, connection_auth=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Ensure the specified key does not exist within the given key vault.

Parameters:
  • name – The name of the key to delete.
  • vault_url – The URL of the vault that the client will access.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure key is absent:
    azurerm.keyvault.key.absent:
        - name: my_key
        - vault_url: my_vault

idem_azurerm.states.azurerm.keyvault.key.present(hub, ctx, name, key_type, vault_url, key_operations=None, size=None, curve=None, hardware_protected=None, enabled=None, expires_on=None, not_before=None, tags=None, connection_auth=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Ensure the specified key exists within the given key vault. Requires keys/create permission. Key properties can be specified as keyword arguments.

Parameters:
  • name – The name of the new key. Key names can only contain alphanumeric characters and dashes.
  • key_type – The type of key to create. Possible values include: ‘ec’, ‘ec_hsm’, ‘oct’, ‘rsa’, ‘rsa_hsm’.
  • vault_url – The URL of the vault that the client will access.
  • key_operations – A list of permitted key operations. Possible values include: ‘decrypt’, ‘encrypt’, ‘sign’, ‘unwrap_key’, ‘verify’, ‘wrap_key’.
  • size – RSA key size in bits, for example 2048, 3072, or 4096. Applies to RSA keys only.
  • curve – Elliptic curve name. Defaults to the NIST P-256 elliptic curve. Possible values include: “P-256”, “P-256K”, “P-384”, “P-521”.
  • enabled – Whether the key is enabled for use.
  • expires_on – When the key will expire, in UTC. This parameter should be a string representation of a Datetime object in ISO-8601 format.
  • not_before – The time before which the key cannot be used, in UTC. This parameter should be a string representation of a Datetime object in ISO-8601 format.
  • tags – Application specific metadata in the form of key-value pairs.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure key exists:
    azurerm.keyvault.key.present:
        - name: my_key
        - key_type: my_type
        - vault_url: my_vault
        - tags:
            contact_name: Elmer Fudd Gantry
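As an added example (not part of idem-azurerm), a local pre-flight lint that encodes the parameter constraints listed above for present: the name character set, the allowed key_type and key_operations values, size for RSA keys only, curve for EC keys only, and ISO-8601 UTC timestamps with not_before earlier than expires_on. The function names and the sample state data are assumptions of this example, and it makes no Azure calls.

```python
# Added example, not part of idem-azurerm: a local pre-flight lint for the
# keyword arguments of azurerm.keyvault.key.present, encoding the constraints
# listed in the parameter reference above. It makes no Azure calls.
import re
from datetime import datetime, timezone

KEY_NAME = re.compile(r"^[A-Za-z0-9-]+$")  # alphanumerics and dashes only
KEY_TYPES = {"ec", "ec_hsm", "oct", "rsa", "rsa_hsm"}
KEY_OPS = {"decrypt", "encrypt", "sign", "unwrap_key", "verify", "wrap_key"}
CURVES = {"P-256", "P-256K", "P-384", "P-521"}

def parse_utc(value):
    # ISO-8601 string -> aware UTC datetime; None if it does not parse.
    try:
        parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None
    if parsed.tzinfo is None:  # docs require UTC, so treat naive input as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)

def validate_present(params):
    """Return the problems found in a present() call; an empty list means OK."""
    problems = []
    name, key_type = str(params.get("name", "")), params.get("key_type")
    if not KEY_NAME.match(name):
        problems.append(f"name {name!r}: only alphanumerics and dashes allowed")
    if key_type not in KEY_TYPES:
        problems.append(f"key_type {key_type!r}: not one of {sorted(KEY_TYPES)}")
    for op in params.get("key_operations") or []:
        if op not in KEY_OPS:
            problems.append(f"key_operations: unknown operation {op!r}")
    if "size" in params and not str(key_type).startswith("rsa"):
        problems.append("size: applies to RSA keys only")
    if "curve" in params and (not str(key_type).startswith("ec")
                              or params["curve"] not in CURVES):
        problems.append("curve: EC keys only, and must be one of the listed curves")
    stamps = {f: parse_utc(params[f]) for f in ("not_before", "expires_on") if f in params}
    problems += [f"{f}: not an ISO-8601 timestamp" for f, t in stamps.items() if t is None]
    if stamps.get("not_before") and stamps.get("expires_on") \
            and stamps["not_before"] >= stamps["expires_on"]:
        problems.append("expires_on: must be later than not_before")
    return problems

# Constructed sample: the arguments an SLS 'present' state would pass.
SAMPLE_OK = {"name": "app-signing-key", "key_type": "rsa", "size": 3072,
             "key_operations": ["sign", "verify"],
             "not_before": "2024-01-01T00:00:00Z",
             "expires_on": "2025-01-01T00:00:00Z"}
```

Run against the page's own "Ensure key exists" example, it reports both the underscore in `my_key` and the placeholder `key_type: my_type`.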