hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_key_vault_key: importing existing value (pem / pfx) #4283

Open jungopro opened 4 years ago

jungopro commented 4 years ago


Description

I can't find a way to import a .pfx into azurerm_key_vault_key. I can do it via the portal, or I can import it as an azurerm_key_vault_certificate, but not as an azurerm_key_vault_key.

New or Affected Resource(s)

Potential Terraform Configuration

resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = "${azurerm_key_vault.test.id}"
  key_type     = "RSA"
  key_size     = 2048

  key = {
    contents = "${filebase64("certificate-to-import.pfx")}"
  }
}

References

nexxai commented 4 years ago

Why would you want to import a certificate as a "key" rather than a "certificate"?

jungopro commented 4 years ago

Hi @nexxai, the .pfx file holds both the cert and the key to open the cert. I need to read them both as part of a process we have in a project we run on Azure, so I need both.

Thanks

bcreynolds commented 4 years ago

This is our use case as well; importing a PFX file as a key is recommended for SQL Server TDE Extensible Key Management in Azure; re: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault?view=sql-server-ver15

steffencircle commented 4 years ago

Hi,

Besides the "pfx" import, is there any method available to import an existing key as a key in Key Vault?

I would like to import an RSA key that I can use as an encryption key for a Storage Account.

Steffen

alikhtag commented 2 years ago

In our use case we would like to import the PEM file/string private key for a GitHub app RSA key to be used in one of Azure Apps.
Would love to see this key-import feature added to Terraform. az cli example:

az keyvault key import --vault-name VAULT_NAME  --name KEY_NAME --protection software --pem-file  PATH_TO_FILE
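What the `az keyvault key import --pem-file` call above does under the hood is parse the PEM private key and send its RSA components to Key Vault as a JSON Web Key. The Go program below is an added example (not part of this issue, the provider, or the Azure CLI) that performs that conversion for PKCS#1 and PKCS#8 PEM input and rebuilds the key from the resulting JWK to check the round trip. The `ImportBody` wrapper (`key` plus `hsm`) is this example's assumption about the shape of the Key Vault import request; the JWK field names themselves follow RFC 7518. A PFX, as in the original request, would first need its private key extracted to PEM (for instance with `openssl pkcs12 -nocerts`) before going through the same path.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// RSAJWK is the RFC 7518 (section 6.3) representation of an RSA private key.
// Every value is a base64url-encoded, unpadded, big-endian integer.
type RSAJWK struct {
	Kty    string   `json:"kty"`
	N      string   `json:"n"`
	E      string   `json:"e"`
	D      string   `json:"d,omitempty"`
	P      string   `json:"p,omitempty"`
	Q      string   `json:"q,omitempty"`
	DP     string   `json:"dp,omitempty"`
	DQ     string   `json:"dq,omitempty"`
	QI     string   `json:"qi,omitempty"`
	KeyOps []string `json:"key_ops,omitempty"`
}

// ImportBody is this example's assumed shape of the Key Vault import request:
// the key material plus whether the key should be HSM-backed. "--protection
// software" in the az command corresponds to hsm=false.
type ImportBody struct {
	Key RSAJWK `json:"key"`
	Hsm bool   `json:"hsm"`
}

func b64(i *big.Int) string { return base64.RawURLEncoding.EncodeToString(i.Bytes()) }

func unb64(s string) (*big.Int, error) {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	return new(big.Int).SetBytes(b), nil
}

// ParseRSAPrivateKeyPEM accepts an unencrypted PKCS#1 ("RSA PRIVATE KEY") or
// PKCS#8 ("PRIVATE KEY") block, the two forms a --pem-file usually contains.
func ParseRSAPrivateKeyPEM(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rk, ok := k.(*rsa.PrivateKey)
		if !ok {
			return nil, errors.New("PKCS#8 key is not RSA")
		}
		return rk, nil
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// ToImportBody validates the key and serialises it as a software-protected
// import request. Key Vault only accepts 2048, 3072 and 4096-bit RSA keys, so
// shorter keys are rejected here rather than by the service.
func ToImportBody(k *rsa.PrivateKey, keyOps []string) ([]byte, error) {
	if err := k.Validate(); err != nil {
		return nil, err
	}
	if k.N.BitLen() < 2048 {
		return nil, fmt.Errorf("key is %d bits; Key Vault requires at least 2048", k.N.BitLen())
	}
	if len(k.Primes) != 2 {
		return nil, errors.New("multi-prime RSA keys cannot be expressed as a JWK")
	}
	k.Precompute() // fills Dp, Dq and Qinv (the CRT parameters) if absent
	jwk := RSAJWK{
		Kty: "RSA",
		N:   b64(k.N), E: b64(big.NewInt(int64(k.E))), D: b64(k.D),
		P: b64(k.Primes[0]), Q: b64(k.Primes[1]),
		DP: b64(k.Precomputed.Dp), DQ: b64(k.Precomputed.Dq), QI: b64(k.Precomputed.Qinv),
		KeyOps: keyOps,
	}
	return json.Marshal(ImportBody{Key: jwk, Hsm: false})
}

// FromJWK rebuilds the private key from its JWK form so the conversion can be
// checked end to end; the same routine verifies a key read back from the vault.
func FromJWK(j RSAJWK) (*rsa.PrivateKey, error) {
	if j.Kty != "RSA" {
		return nil, fmt.Errorf("unexpected kty %q", j.Kty)
	}
	var vals [5]*big.Int
	for i, s := range []string{j.N, j.E, j.D, j.P, j.Q} {
		v, err := unb64(s)
		if err != nil {
			return nil, err
		}
		vals[i] = v
	}
	k := &rsa.PrivateKey{
		PublicKey: rsa.PublicKey{N: vals[0], E: int(vals[1].Int64())},
		D:         vals[2],
		Primes:    []*big.Int{vals[3], vals[4]},
	}
	k.Precompute()
	return k, k.Validate()
}

func main() {
	// Constructed input: a fresh key stands in for the operator's PEM file.
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
	parsed, err := ParseRSAPrivateKeyPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	body, err := ToImportBody(parsed, []string{"encrypt", "decrypt"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("import body: %d bytes, kty=RSA, hsm=false\n", len(body))
}
```

Whichever tool performs the import, the full private key (n, e, d, p, q and the CRT values) leaves the machine and is stored by the service as a software-protected key; anything that feeds it in through a Terraform attribute, as the configurations in this thread propose, also leaves that material in Terraform state, so the state backend needs the same protection as the key file itself.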

tspearconquest commented 2 years ago

Similar use case here. Terraform basically can't do anything with an azurerm_key_vault_key that Azure generates internally at the moment since nobody can access the private key, but I want to create a private key file locally and then use it during terraform apply:

resource "azurerm_key_vault_key" "default" {
  name         = "ssh-key"

  key_vault_id = var.key_vault_id
  private_key  = file("/User/tspear/.ssh/id_rsa_syslogvm") # This would be the new functionality
  public_key   = file("/User/tspear/.ssh/id_rsa_syslogvm.pub") # This would be the new functionality

  key_opts     = ["decrypt", "encrypt"]
}

resource "azurerm_network_interface" "default" {
  ...
}

resource "azurerm_linux_virtual_machine" "default" {
  ...
  admin_ssh_key {
    public_key = azurerm_key_vault_key.default.public_key_openssh
    username  = var.username
  }
}