hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

`azurerm_key_vault_key` support `oct-HSM` #25801

Open xli1996 opened 6 months ago

xli1996 commented 6 months ago

Description

Can azurerm_key_vault_key be used with azurerm_key_vault_managed_hardware_security_module, which has a similar interface to azurerm_key_vault? There is an additional key type, AES-HSM, that is currently not supported by azurerm_key_vault_key. Actually the key type is oct-HSM, which was removed in https://github.com/hashicorp/terraform-provider-azurerm/pull/18608.

I wonder if there should be an extra resource like azurerm_key_vault_managed_hardware_security_module_key? Or could we use the existing resource azurerm_key_vault_key but support more key types?

New or Affected Resource(s)/Data Source(s)

azurerm_key_vault_key

Potential Terraform Configuration

```hcl
resource "azurerm_key_vault_key" "key" {
  name         = var.key_name
  key_vault_id = azurerm_key_vault_managed_hardware_security_module.vault.id
  key_type     = "oct-HSM"
  key_size     = 256
  key_opts     = var.key_opts

  # rotate after 90 days (expire after 120 days, rotate 30 days before expiry)
  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }
    notify_before_expiry = "P30D"
    expire_after         = "P120D"
  }
}
```

References

No response

aristosvo commented 6 months ago

Hi @xli1996!

Thanks for opening this issue. I was the one who removed the support for oct-HSM in #18608, as I couldn't make the tests work for it and the documentation didn't show anything about it.

Can you explain how this would work for you, with some accompanying az CLI or azapi examples of how you provision it now?

xli1996 commented 6 months ago

@aristosvo

Hi, thanks for the response.

I mostly followed this documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_managed_hardware_security_module and provisioned an HSM. After that I had to manually activate it, as the HSM requires uploading at least three RSA certs and downloading one security domain. That step can probably be replaced with local-exec, but I did this step manually.

After proper role assignments with local RBAC, I then have to use the Azure CLI to create oct-HSM keys and a rotation policy like:

```shell
## Create keys and set rotation policy
az keyvault key create \
    --hsm-name $VAULT_NAME \
    --name $KEY_NAME \
    --size 256 \
    --kty oct-HSM \
    --ops decrypt encrypt sign verify unwrapKey wrapKey

az keyvault key rotation-policy update \
    --hsm-name $VAULT_NAME \
    --name $KEY_NAME \
    --value $POLICY_NAME
```

This is because it is not supported in the current provider.

Let me know if you need additional information.
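As an added example (not part of the issue, the reporter's script, or the provider), the two az CLI steps from the comment above are wrapped in shell functions, together with the rotation-policy document that `az keyvault key rotation-policy update --value @file` consumes. The durations mirror the `rotation_policy` block from the issue description (rotate and notify 30 days before expiry, expire after 120 days); the HSM and key names are placeholders, and `AZ` can be overridden (for instance `AZ=echo`) to dry-run the calls without touching Azure. A small check rejects a policy whose rotate trigger is not strictly earlier than the expiry, since such a policy would never rotate the key. The key operations are limited to those a symmetric AES key can perform (encrypt, decrypt, wrapKey, unwrapKey); which of these a given workload needs is an assumption here.

```shell
#!/usr/bin/env sh
# Added example, not the provider's code. AZ defaults to the real CLI and can be
# replaced (AZ=echo) for a dry run.
AZ="${AZ:-az}"

# Emit the Managed HSM rotation policy JSON. Arguments are ISO 8601 durations:
#   $1 rotate this long before expiry, $2 notify this long before expiry,
#   $3 key lifetime after creation (constructed values in the usage below).
rotation_policy_json() {
  rotate_before="$1"; notify_before="$2"; expire_after="$3"
  cat <<EOF
{
  "lifetimeActions": [
    { "trigger": { "timeBeforeExpiry": "$rotate_before" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "$notify_before" }, "action": { "type": "Notify" } }
  ],
  "attributes": { "expiryTime": "$expire_after" }
}
EOF
}

# Sanity check for day-based durations (PnD): the rotate trigger must be
# strictly less than the lifetime, otherwise the key expires before it rotates.
# Returns 0 when valid, 1 otherwise (also 1 for unsupported duration forms).
policy_durations_valid() {
  rotate_days=$(printf '%s' "$1" | sed -n 's/^P\([0-9][0-9]*\)D$/\1/p')
  expire_days=$(printf '%s' "$2" | sed -n 's/^P\([0-9][0-9]*\)D$/\1/p')
  [ -n "$rotate_days" ] && [ -n "$expire_days" ] && [ "$rotate_days" -lt "$expire_days" ]
}

# Create a 256-bit oct-HSM (AES) key in the Managed HSM and attach the policy.
#   $1 HSM name, $2 key name, $3 path of the policy JSON file.
create_oct_hsm_key() {
  hsm_name="$1"; key_name="$2"; policy_file="$3"
  "$AZ" keyvault key create \
    --hsm-name "$hsm_name" \
    --name "$key_name" \
    --kty oct-HSM \
    --size 256 \
    --ops encrypt decrypt wrapKey unwrapKey || return 1
  "$AZ" keyvault key rotation-policy update \
    --hsm-name "$hsm_name" \
    --name "$key_name" \
    --value "@$policy_file"
}

# Usage (placeholder names):
#   policy_durations_valid P30D P120D || { echo "bad policy" >&2; exit 1; }
#   rotation_policy_json P30D P30D P120D > policy.json
#   create_oct_hsm_key my-hsm my-aes-key policy.json
```

The policy file is generated rather than hand-written so that the same durations can be kept in one place alongside the Terraform values, and the validity check runs before any call to Azure.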

wuxu92 commented 5 months ago

@xli1996 Actually az keyvault key create --hsm-name ... should/may be supported by a separate resource rather than in azurerm_key_vault_key. HashiCorp is currently working on this new resource, AFAIK.

wuxu92 commented 9 hours ago

This is supported by #25935. @xli1996, could you please close this issue?