states.azurerm.keyvault.secret

Azure Resource Manager (ARM) Key Vault Secret State Module

New in version 2.4.0.

Changed in version 4.0.0.

maintainer: <devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed via acct. Note that the authentication parameters are case sensitive.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password
if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD

Example acct setup for Azure Resource Manager authentication:

azurerm:
    default:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        tenant: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        client_id: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        secret: XXXXXXXXXXXXXXXXXXXXXXXX
        cloud_environment: AZURE_PUBLIC_CLOUD
    user_pass_auth:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        username: fletch
        password: 123pass

The authentication parameters can also be passed as a dictionary of keyword arguments to the connection_auth parameter of each state, but this is not preferred and could be deprecated in the future.

idem_azurerm.states.azurerm.keyvault.secret.absent(hub, ctx, name, vault_url, purge=False, wait=False, connection_auth=None, **kwargs)

New in version 2.4.0.

Ensure the specified secret does not exist within the given key vault.

Parameters:
  • name – The name of the secret to delete.
  • vault_url – The URL of the vault that the client will access.
  • purge – Permanently deletes (purges) the deleted secret. This is possible only in vaults with soft-delete enabled. Purging is irreversible: the specified secret cannot be recovered afterwards. The operation is not available if the recovery_level does not specify ‘Purgeable’.
  • wait – When this method returns, Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. Setting this parameter to True enables you to wait for deletion to complete.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure secret is absent:
    azurerm.keyvault.secret.absent:
        - name: secretname
        - vault_url: "https://myvault.vault.azure.net/"

idem_azurerm.states.azurerm.keyvault.secret.present(hub, ctx, name, value, vault_url, content_type=None, enabled=None, expires_on=None, not_before=None, tags=None, version=None, connection_auth=None, **kwargs)

New in version 2.4.0.

Changed in version 4.0.0.

Ensure the specified secret exists within the given key vault. Requires secrets/set permission. Secret properties can be specified as keyword arguments.

Parameters:
  • name – The name of the secret. Secret names can only contain alphanumeric characters and dashes.
  • value – The value of the secret.
  • vault_url – The URL of the vault that the client will access.
  • content_type – An arbitrary string indicating the type of the secret.
  • enabled – Whether the secret is enabled for use.
  • expires_on – When the secret will expire, in UTC. This parameter should be a string representation of a Datetime object in ISO-8601 format.
  • not_before – The time before which the secret cannot be used, in UTC. This parameter should be a string representation of a Datetime object in ISO-8601 format.
  • tags – A dictionary of strings can be passed as tag metadata to the secret.
  • version – The version of the secret. By default, a new version of the secret will not be created if the name is already in use UNLESS the value of the secret is changed. Secret properties will be updated on the latest version unless otherwise specified with this parameter.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure secret exists:
    azurerm.keyvault.secret.present:
        - name: secretname
        - value: supersecret
        - content_type: "text/plain"
        - vault_url: "https://myvault.vault.azure.net/"
        - tags:
            contact_name: Elmer Fudd Gantry
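
Pre-flight check for secret state declarations (an added example, not part of idem-azurerm): it applies the parameter rules documented above to a state's arguments before the state is run. The function names, the sample data and the "no expires_on" advisory are assumptions of this example, not module behaviour.

```python
import re
from datetime import datetime, timezone

# Documented rule: secret names contain only alphanumeric characters and dashes.
NAME_RE = re.compile(r"^[0-9A-Za-z-]+$")

def _parse_utc(text):
    """Parse an ISO-8601 string; values without an offset are taken as UTC."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def lint_secret_state(function, params):
    """Return findings for one azurerm.keyvault.secret.<function> declaration."""
    findings = []
    if not NAME_RE.match(str(params.get("name", ""))):
        findings.append("name: only alphanumeric characters and dashes are allowed")
    if not params.get("vault_url"):
        findings.append("vault_url: required")
    if function == "absent":
        # purge=True removes the soft-deleted copy as well, so surface it for review.
        if params.get("purge"):
            findings.append("purge: irreversible, the secret cannot be recovered")
        return findings
    if "value" not in params:
        findings.append("value: required")
    times = {}
    for key in ("not_before", "expires_on"):
        if params.get(key) is None:
            continue
        try:
            times[key] = _parse_utc(str(params[key]))
        except ValueError:
            findings.append(f"{key}: not an ISO-8601 datetime string")
    if len(times) == 2 and times["not_before"] >= times["expires_on"]:
        findings.append("not_before: must be earlier than expires_on")
    if params.get("expires_on") is None:
        # Policy choice of this example, not a requirement of the module.
        findings.append("expires_on: not set, the secret has no expiry")
    return findings

# Constructed sample declaration, mirroring the usage example above.
SAMPLE = {
    "name": "secretname",
    "value": "supersecret",
    "vault_url": "https://myvault.vault.azure.net/",
    "not_before": "2030-01-01T00:00:00Z",
    "expires_on": "2031-01-01T00:00:00Z",
}
if __name__ == "__main__":
    print(lint_secret_state("present", SAMPLE))
```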