hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault_key: importing existing value (pem / pfx) #4283

Open jungopro opened 5 years ago

jungopro commented 5 years ago

Community Note

Description

I can't find a way to import a .pfx into azurerm_key_vault_key. I can do it via the portal, or I can import it as an azurerm_key_vault_certificate, but not as an azurerm_key_vault_key.

New or Affected Resource(s)

Potential Terraform Configuration

resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = "${azurerm_key_vault.test.id}"
  key_type     = "RSA"
  key_size     = 2048

  key = {
    contents = "${filebase64("certificate-to-import.pfx")}"
  }
}

References

nexxai commented 5 years ago

Why would you want to import a certificate as a "key" rather than a "certificate"?

jungopro commented 5 years ago

Hi @nexxai, the .pfx file holds both the cert and the key to open the cert. I need to read them both as part of a process we have in a project we run on Azure, so I need both.

Thanks

bcreynolds commented 4 years ago

This is our use case as well; importing a PFX file as a key is recommended for SQL Server TDE Extensible Key Management in Azure; re: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault?view=sql-server-ver15

steffencircle commented 4 years ago

Hi,

Besides the "pfx" import, is there any method available to import an existing key as a key in Key Vault?

I would like to import an RSA key that I can use as an encryption key for a Storage Account.

Steffen

alikhtag commented 3 years ago

In our use case we would like to import the PEM file/string private key for a GitHub app RSA key to be used in one of Azure Apps.
Would love to see this importing key feature added to Terraform. az cli example:

az keyvault key import --vault-name VAULT_NAME  --name KEY_NAME --protection software --pem-file  PATH_TO_FILE

tspearconquest commented 2 years ago

Similar use case here. Terraform basically can't do anything with an azurerm_key_vault_key that Azure generates internally at the moment since nobody can access the private key, but I want to create a private key file locally and then use it during terraform apply:

resource "azurerm_key_vault_key" "default" {
  name         = "ssh-key"

  key_vault_id = var.key_vault_id
  private_key  = file("/User/tspear/.ssh/id_rsa_syslogvm") # This would be the new functionality
  public_key   = file("/User/tspear/.ssh/id_rsa_syslogvm.pub") # This would be the new functionality

  key_opts     = ["decrypt", "encrypt"]
}

resource "azurerm_network_interface" "default" {
  ...
}

resource "azurerm_linux_virtual_machine" "default" {
  ...
  admin_ssh_key {
    public_key = azurerm_key_vault_key.default.public_key_openssh
    username  = var.username
  }
}

valugi commented 1 month ago

I just started with Azure and this is the first thing I want to do. How come this is not implemented 6 years later??!!

cassdeckard commented 1 month ago

It is extremely frustrating that this functionality is missing. Without it, and without the ability to access the private key of an existing azurerm_key_vault_key resource, it is essentially impossible to add both a certificate and its associated keypair to a keyvault, which is a use case my team currently needs. It looks like our only way forward is to generate the key and cert manually using openssl, import the cert using terraform, and the key using Azure CLI in our pipeline. Not ideal!
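The workaround cassdeckard describes, combined with the `az keyvault key import` command alikhtag posted, written up as Terraform. This is an added example, not code from the thread or from the provider: the PFX goes in through azurerm_key_vault_certificate, and the bare PEM private key is pushed as a Key Vault key by the Azure CLI from a local-exec provisioner. The variable names, file paths and key names are assumptions, and a logged-in `az` session with key import permission on the vault is assumed to exist on the machine running `terraform apply`.

```hcl
# Assumed inputs; none of these names come from the provider.
variable "key_vault_id"   { type = string }
variable "key_vault_name" { type = string }
variable "pfx_password" {
  type      = string
  sensitive = true
}

# The certificate (with its key, as Key Vault sees it) imported from the PFX.
# Note: the PFX contents end up in Terraform state, so the state backend
# must be protected accordingly.
resource "azurerm_key_vault_certificate" "imported" {
  name         = "app-cert"
  key_vault_id = var.key_vault_id

  certificate {
    contents = filebase64("${path.module}/files/app-cert.pfx") # assumed path
    password = var.pfx_password
  }
}

# The same RSA private key as a standalone Key Vault *key*. The provider has
# no import attribute on azurerm_key_vault_key, so the CLI does it at apply
# time; the key bytes are read by `az`, not by Terraform, and never enter state.
resource "null_resource" "import_key" {
  # Re-run the import only when the PEM file on disk actually changes.
  triggers = {
    key_sha256 = filesha256("${path.module}/files/app-key.pem") # assumed path
  }

  provisioner "local-exec" {
    command = <<-EOT
      az keyvault key import \
        --vault-name ${var.key_vault_name} \
        --name app-key \
        --protection software \
        --pem-file ${path.module}/files/app-key.pem
    EOT
  }
}
```

Because the key import happens outside the provider, `terraform destroy` will not delete the key; removing it stays a manual (or pipeline) step.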