Open xli1996 opened 6 months ago
Hi @xli1996!
Thanks for opening this issue. I was the one who removed the support for oct-HSM in #18608, as I couldn't make the tests work for it and the documentation didn't show anything about it.
Can you explain how this would work for you, with some accompanying az CLI or azapi examples of how you provision it now?
@aristosvo
Hi, thanks for the response.
I mostly followed this documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_managed_hardware_security_module and provisioned an HSM. After that I had to manually activate it, as the HSM requires uploading at least three RSA certs and downloading one security domain. That step can probably be replaced with local-exec, but I did this step manually.
After proper role assignments with local RBAC, I then have to use the Azure CLI to create oct-HSM keys and a rotation policy like:
```shell
## Create keys and set rotation policy
# Create a symmetric (AES) key that lives inside the Managed HSM
az keyvault key create \
  --hsm-name $VAULT_NAME \
  --name $KEY_NAME \
  --size 256 \
  --kty oct-HSM \
  --ops decrypt encrypt sign verify unwrapKey wrapKey

# Attach a rotation policy to the key
az keyvault key rotation-policy update \
  --hsm-name $VAULT_NAME \
  --name $KEY_NAME \
  --value $POLICY_NAME
```
since it is not supported in the current provider.
Let me know if you need additional information.
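As an added illustration of the manual step described above (example code, not from the issue author or the provider), the helper below builds the two `az keyvault key` commands for an oct-HSM key and writes the rotation-policy JSON they reference, instead of running them. It validates the key size first, because oct-HSM is an AES key that only exists inside a Managed HSM and therefore only has AES sizes. The HSM and key names, the 90-day/2-year rotation values and the policy file path are assumptions chosen for the example.

```shell
#!/bin/sh
# Hypothetical helpers (not part of the issue or of terraform-provider-azurerm).
# Nothing here talks to Azure: the commands are returned as strings so they can
# be reviewed or fed to a local-exec provisioner later.

# oct-HSM keys are symmetric AES keys, so only the AES key sizes are valid.
valid_oct_hsm_size() {
  case "$1" in
    128|192|256) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns the `az keyvault key create` command for an oct-HSM key.
# Args: hsm_name key_name size
# Only the symmetric operations are granted: sign/verify are asymmetric-key
# operations, and the key should carry no more permissions than it can use.
oct_hsm_key_create_cmd() {
  valid_oct_hsm_size "$3" || {
    echo "invalid oct-HSM size: $3 (use 128, 192 or 256)" >&2
    return 1
  }
  printf 'az keyvault key create --hsm-name %s --name %s --size %s --kty oct-HSM --ops decrypt encrypt unwrapKey wrapKey\n' "$1" "$2" "$3"
}

# Writes a rotation policy (constructed sample values: rotate 90 days after
# creation, expire each version after 2 years) to the given file and returns
# the `az keyvault key rotation-policy update` command that references it.
# Args: hsm_name key_name policy_file
oct_hsm_rotation_policy_cmd() {
  cat > "$3" <<'EOF'
{
  "lifetimeActions": [
    { "trigger": { "timeAfterCreate": "P90D" }, "action": { "type": "Rotate" } }
  ],
  "attributes": { "expiryTime": "P2Y" }
}
EOF
  printf 'az keyvault key rotation-policy update --hsm-name %s --name %s --value %s\n' "$1" "$2" "$3"
}
```

Usage: `oct_hsm_key_create_cmd my-hsm my-key 256` prints the create command, and `oct_hsm_rotation_policy_cmd my-hsm my-key ./rotation.json` writes the policy file and prints the update command; passing an unsupported size such as 512 fails before any command is produced.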
@xli1996 Actually, `az keyvault key create --hsm-name ...` should/may be supported by a separate resource rather than in azurerm_key_vault_key. HashiCorp is currently working on this new resource, AFAIK.
This is supported by #25935. @xli1996, could you please close this issue?
Description

Can azurerm_key_vault_key be used with azurerm_key_vault_managed_hardware_security_module, which has a similar interface to azurerm_key_vault? There is an additional key type, AES-HSM (actually the key type is oct-HSM), that is currently not supported with azurerm_key_vault_key and which was removed in https://github.com/hashicorp/terraform-provider-azurerm/pull/18608. I wonder if there should be an extra resource like azurerm_key_vault_managed_hardware_security_module_key? Or can we use the existing resource azurerm_key_vault_key but support more key types?

New or Affected Resource(s)/Data Source(s)

azurerm_key_vault_key

Potential Terraform Configuration

References

No response