states.azurerm.keyvault.vault

Azure Resource Manager (ARM) Key Vault State Module

New in version 2.0.0.

Changed in version 4.0.0.

maintainer:

<devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed via acct. Note that the authentication parameters are case sensitive.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password
if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD

Example acct setup for Azure Resource Manager authentication:

azurerm:
    default:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        tenant: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        client_id: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        secret: XXXXXXXXXXXXXXXXXXXXXXXX
        cloud_environment: AZURE_PUBLIC_CLOUD
    user_pass_auth:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        username: fletch
        password: 123pass

The authentication parameters can also be passed as a dictionary of keyword arguments to the connection_auth parameter of each state, but this is not preferred and could be deprecated in the future.

idem_azurerm.states.azurerm.keyvault.vault.absent(hub, ctx, name, resource_group, connection_auth=None, **kwargs)

New in version 2.0.0.

Ensure a specified key vault does not exist.

Parameters:
  • name – The name of the vault.
  • resource_group – The name of the resource group to which the vault belongs.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure key vault is absent:
    azurerm.keyvault.vault.absent:
        - name: my_vault
        - resource_group: my_rg

idem_azurerm.states.azurerm.keyvault.vault.present(hub, ctx, name, resource_group, location, tenant_id, sku, access_policies=None, vault_uri=None, create_mode=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, enable_soft_delete=None, soft_delete_retention=None, enable_purge_protection=None, enable_rbac_authorization=None, network_acls=None, tags=None, connection_auth=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Ensure a specified key vault exists.

Parameters:
  • name – The name of the vault.
  • resource_group – The name of the resource group to which the vault belongs.
  • location – The supported Azure location where the key vault should be created.
  • tenant_id – The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
  • sku – The SKU name to specify whether the key vault is a standard vault or a premium vault. Possible values include: ‘standard’ and ‘premium’.
  • access_policies

    A list of 0 to 16 dictionaries that represent AccessPolicyEntry objects. The AccessPolicyEntry objects represent identities that have access to the key vault. All identities in the list must use the same tenant ID as the key vault’s tenant ID. When createMode is set to “recover”, access policies are not required. Otherwise, access policies are required. Valid parameters are:

    • tenant_id: (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    • object_id: (Required) The object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    • application_id: (Optional) Application ID of the client making request on behalf of a principal.
    • permissions: (Required) A dictionary representing permissions the identity has for keys, secrets, certificates, and storage accounts. Valid parameters include:
      • keys: A list that represents permissions to keys. Possible values include: ‘backup’, ‘create’, ‘decrypt’, ‘delete’, ‘encrypt’, ‘get’, ‘import_enum’, ‘list’, ‘purge’, ‘recover’, ‘restore’, ‘sign’, ‘unwrap_key’, ‘update’, ‘verify’, and ‘wrap_key’.
      • secrets: A list that represents permissions to secrets. Possible values include: ‘backup’, ‘delete’, ‘get’, ‘list’, ‘purge’, ‘recover’, ‘restore’, and ‘set’.
      • certificates: A list that represents permissions to certificates. Possible values include: ‘create’, ‘delete’, ‘deleteissuers’, ‘get’, ‘getissuers’, ‘import_enum’, ‘list’, ‘listissuers’, ‘managecontacts’, ‘manageissuers’, ‘purge’, ‘recover’, ‘setissuers’, and ‘update’.
      • storage: A list that represents permissions to storage accounts. Possible values include: ‘backup’, ‘delete’, ‘deletesas’, ‘get’, ‘getsas’, ‘list’, ‘listsas’, ‘purge’, ‘recover’, ‘regeneratekey’, ‘restore’, ‘set’, ‘setsas’, and ‘update’.
  • vault_uri – The URI of the vault for performing operations on keys and secrets.
  • create_mode – The vault’s create mode to indicate whether the vault needs to be recovered or not. Possible values include: ‘recover’ and ‘default’.
  • enabled_for_deployment – A boolean value specifying whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
  • enabled_for_disk_encryption – A boolean value specifying whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
  • enabled_for_template_deployment – A boolean value specifying whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
  • enable_soft_delete – A boolean value that specifies whether the ‘soft delete’ functionality is enabled for this key vault. If it’s not set to any value (True or False) when creating new key vault, it will be set to True by default. Once set to True, it cannot be reverted to False.
  • soft_delete_retention – The soft delete data retention period in days. It accepts values between 7-90, inclusive. Default value is 90.
  • enable_purge_protection – A boolean value specifying whether protection against purge is enabled for this vault. Setting this property to True activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible, that is, the property does not accept False as its value. This is only effective if soft delete has been enabled via the enable_soft_delete parameter.
  • enable_rbac_authorization – A boolean value that controls how data actions are authorized. When set to True, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When set to False, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. Defaults to False.
  • network_acls – A dictionary representing a NetworkRuleSet. Rules governing the accessibility of the key vault from specific network locations.
  • tags – The tags that will be assigned to the key vault.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure key vault exists:
    azurerm.keyvault.vault.present:
        - name: my_vault
        - resource_group: my_rg
        - location: my_location
        - tenant_id: my_tenant
        - sku: my_sku
        - access_policies:
          - tenant_id: my_tenant
            object_id: my_object
            permissions:
              keys:
                - perm1
                - perm2
                - perm3
              secrets:
                - perm1
                - perm2
                - perm3
              certificates:
                - perm1
                - perm2
                - perm3
        - tags:
            contact_name: Elmer Fudd Gantry
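The following is an added example and not part of idem-azurerm: a pre-flight check, run locally before applying the state, that enforces the access_policies rules stated for present() (at most 16 entries, a single tenant ID, unique object IDs, the listed permission vocabularies, policies optional only when create_mode is 'recover') and flags soft delete, retention, purge protection and network settings that leave the vault weaker than the parameters allow. The network_acls key name default_action is assumed from the Azure NetworkRuleSet model; the page does not list the dictionary's keys.

```python
ALLOWED = {  # permission vocabularies listed for access_policies in present()
    "keys": set("backup create decrypt delete encrypt get import_enum list purge "
                "recover restore sign unwrap_key update verify wrap_key".split()),
    "secrets": set("backup delete get list purge recover restore set".split()),
    "certificates": set("create delete deleteissuers get getissuers import_enum list "
                        "listissuers managecontacts manageissuers purge recover "
                        "setissuers update".split()),
    "storage": set("backup delete deletesas get getsas list listsas purge recover "
                   "regeneratekey restore set setsas update".split()),
}

def check_access_policies(tenant_id, access_policies, create_mode=None):
    """Return the list of rule violations; empty means the policies are consistent."""
    problems = []
    policies = access_policies or []
    if not policies and create_mode != "recover":
        problems.append("access_policies is required unless create_mode is 'recover'")
    if len(policies) > 16:
        problems.append(f"{len(policies)} access policies; at most 16 are allowed")
    seen = set()
    for i, policy in enumerate(policies):
        if policy.get("tenant_id") != tenant_id:
            problems.append(f"policy {i}: tenant_id differs from the vault's tenant_id")
        oid = policy.get("object_id")
        if oid in seen:
            problems.append(f"policy {i}: duplicate object_id {oid}")
        seen.add(oid)
        for kind, allowed in ALLOWED.items():
            bad = set(policy.get("permissions", {}).get(kind, [])) - allowed
            if bad:
                problems.append(f"policy {i}: unknown {kind} permissions {sorted(bad)}")
    return problems

def check_hardening(**present_kwargs):
    """Flag present() settings that leave deleted or exposed vault data unprotected."""
    findings = []
    if present_kwargs.get("enable_soft_delete") is False:
        findings.append("enable_soft_delete=False: deleted objects cannot be recovered")
    if not present_kwargs.get("enable_purge_protection"):
        findings.append("enable_purge_protection unset: soft-deleted data can be purged")
    retention = present_kwargs.get("soft_delete_retention")
    if retention is not None and not 7 <= retention <= 90:
        findings.append(f"soft_delete_retention={retention}: must be 7-90 days")
    # 'default_action' is assumed here as the NetworkRuleSet field name (Azure model).
    acls = present_kwargs.get("network_acls") or {}
    if acls.get("default_action", "Allow") != "Deny":
        findings.append("network_acls does not deny by default: reachable from any network")
    return findings
```

Feed it the same values you would put under azurerm.keyvault.vault.present and fix every returned message before running the state.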