Open somebears opened 10 months ago
Hi @somebears, thank you for submitting this! The secret name of the certificate is actually identical to the certificate itself. Therefore, we can utilize the azurerm_key_vault_secret
data source directly. You may try using the following configuration:

    # Look up the certificate's backing secret by the certificate's own name.
    data "azurerm_key_vault_secret" "test" {
      name         = azurerm_key_vault_certificate.this.name
      key_vault_id = azurerm_key_vault.this.id
    }

    # Versioned ARM resource ID of the secret.
    output "secret_id" {
      value = data.azurerm_key_vault_secret.test.resource_id
    }

    # Versionless ARM resource ID of the secret.
    output "secret_versionless_id" {
      value = data.azurerm_key_vault_secret.test.resource_versionless_id
    }
Hello @wuxu92, thank you for your reply. I am using the following workaround at the moment (mostly because I was not sure if the secret name is always identical to the certificate name):

    locals {
      # Extract the secret name from the versionless secret URL
      # (https://<vault>.vault.azure.net/secrets/<name>) instead of
      # assuming it equals the certificate name.
      certificate_secret = regex("^${azurerm_key_vault.this.vault_uri}secrets/(?P<name>[\\w-]*)$", azurerm_key_vault_certificate.this.versionless_secret_id)
    }

    data "azurerm_key_vault_secret" "this" {
      name         = local.certificate_secret.name
      key_vault_id = azurerm_key_vault_certificate.this.key_vault_id
    }

The impact here is minimal; it just felt like this parameter should be there.
Hi @somebears, according to the Azure documentation, the secret name is the same as the certificate name: https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#composition-of-a-certificate

    When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations, and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public X.509 certificate metadata.
In case the "waiting-response" label is for me: I still think that this attribute should be added. I completely agree that there is an easy workaround and the topic is very minor.
Description
When working with Azure Key Vault Certificates I want to use certificate/secret level permissions. To do this, I need to access the secret that belongs to the Certificate. The provider exposes the "secret_id", but this is not the value I need, I need the resource ID of the secret. A similar thing already exists for the ID of the certificate in the form of the "id" and "resource_manager_id". I am proposing additional attributes "resource_manager_secret_id" (or "secret_resource_manager_id") and their "_versionless" variations.
New or Affected Resource(s)/Data Source(s)
azurerm_key_vault_certificate
Potential Terraform Configuration
References
No response