### Terraform Registry Module Source Example Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/AGENTS.md This example shows how to reference an AVM module from the Terraform Registry. Remember to replace placeholder values with actual module names and versions. ```terraform source = "https://registry.terraform.io/modules/Azure/{module}/azurerm/latest" ``` -------------------------------- ### Terraform GitHub Module Source Example Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/AGENTS.md This example demonstrates how to reference an AVM module directly from a GitHub repository. Ensure the URL correctly points to the AVM module's location. ```terraform source = "https://github.com/Azure/terraform-azurerm-avm-{type}-{service}-{resource}" ``` -------------------------------- ### Terraform Versions API Module Source Example Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/AGENTS.md This example illustrates how to query the Terraform Versions API for AVM modules. This can be useful for dynamic version management or integration with CI/CD pipelines. ```terraform source = "https://registry.terraform.io/v1/modules/Azure/{module}/[azurerm|azure]/versions" ``` -------------------------------- ### Deploy Key Vault with Diagnostic Settings Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/examples/diagnostic-settings/README.md This Terraform configuration deploys an Azure Key Vault and configures diagnostic settings to send logs to a specified Log Analytics workspace. It includes setup for required providers, resource group creation, and naming conventions. ```hcl terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 3.117" } random = { source = "hashicorp/random" version = "~> 3.5" } } } provider "azurerm" { features {} } # We need the tenant id for the key vault. data "azurerm_client_config" "this" {} # This allows us to randomize the region for the resource group. module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.3.0" } # This allows us to randomize the region for the resource group. resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = module.regions.regions[random_integer.region_index.result].name name = module.naming.resource_group.name_unique } resource "azurerm_log_analytics_workspace" "this" { location = azurerm_resource_group.this.location name = module.naming.log_analytics_workspace.name_unique resource_group_name = azurerm_resource_group.this.name } # This is the module call module "keyvault" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-res-keyvault-vault/azurerm" name = module.naming.key_vault.name_unique resource_group_name = azurerm_resource_group.this.name tenant_id = data.azurerm_client_config.this.tenant_id diagnostic_settings = { to_la = { name = "to-la" workspace_resource_id = azurerm_log_analytics_workspace.this.id } } enable_telemetry = var.enable_telemetry } ``` -------------------------------- ### Terraform Configuration for Key Vault and Key Creation Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/examples/create-key/README.md This Terraform configuration sets up the necessary providers and modules to deploy an Azure Key Vault. It defines a key with specific cryptographic operations and configures network access rules, including IP restrictions based on the current public IP address. Role assignments are also configured for access control. ```hcl provider "azurerm" { features {} } terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 3.117" } http = { source = "hashicorp/http" version = "~> 3.4" } random = { source = "hashicorp/random" version = "~> 3.5" } } } module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.9.0" } # This allows us to randomize the region for the resource group. resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" } resource "azurerm_resource_group" "this" { location = module.regions.regions[random_integer.region_index.result].name name = module.naming.resource_group.name_unique } # Get current IP address for use in KV firewall rules data "http" "ip" { url = "https://api.ipify.org/" retry { attempts = 5 max_delay_ms = 1000 min_delay_ms = 500 } } data "azurerm_client_config" "current" {} module "key_vault" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-res-keyvault-vault/azurerm" name = module.naming.key_vault.name_unique resource_group_name = azurerm_resource_group.this.name tenant_id = data.azurerm_client_config.current.tenant_id enable_telemetry = var.enable_telemetry keys = { cmk_for_storage_account = { key_opts = [ "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey" ] key_type = "RSA" name = "cmk-for-storage-account" key_size = 2048 } } network_acls = { bypass = "AzureServices" ip_rules = ["${data.http.ip.response_body}/32"] } public_network_access_enabled = true role_assignments = { deployment_user_kv_admin = { role_definition_id_or_name = "Key Vault Administrator" principal_id = data.azurerm_client_config.current.object_id } } wait_for_rbac_before_key_operations = { create = "60s" } } ``` -------------------------------- ### Setting Provider Version Constraints Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/AGENTS.md For Terraform providers used with AVM modules, it is recommended to use pessimistic version constraints. This helps in managing provider updates and avoiding compatibility issues. ```terraform version = "~> 1.0" ``` -------------------------------- ### Terraform Configuration for Azure Key Vault Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/examples/default/README.md This configuration sets up the Azure provider, required Terraform version, and necessary providers like azurerm and random. It also defines data sources for client configuration and modules for region and naming conventions, culminating in the deployment of an Azure Resource Group and the Key Vault module. ```hcl provider "azurerm" { features {} } terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 3.117" } random = { source = "hashicorp/random" version = "~> 3.5" } } } # We need the tenant id for the key vault. data "azurerm_client_config" "this" {} # This allows us to randomize the region for the resource group. module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.3.0" } # This allows us to randomize the region for the resource group. resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = module.regions.regions[random_integer.region_index.result].name name = module.naming.resource_group.name_unique } # This is the module call module "keyvault" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-res-keyvault-vault/azurerm" name = module.naming.key_vault.name_unique resource_group_name = azurerm_resource_group.this.name tenant_id = data.azurerm_client_config.this.tenant_id enable_telemetry = var.enable_telemetry } ``` -------------------------------- ### Terraform Configuration for Key Vault with Access Policies Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/examples/access-policies/README.md This configuration sets up the necessary Terraform providers, data sources, and modules to deploy an Azure Key Vault. It specifically configures legacy access policies by defining object IDs and certificate permissions. ```hcl provider "azurerm" { features {} } terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 3.117" } random = { source = "hashicorp/random" version = "~> 3.5" } } } # We need the tenant id for the key vault. data "azurerm_client_config" "this" {} # This allows us to randomize the region for the resource group. module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.3.0" } # This allows us to randomize the region for the resource group. resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = module.regions.regions[random_integer.region_index.result].name name = module.naming.resource_group.name_unique } # This is the module call module "keyvault" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-res-keyvault-vault/azurerm" name = module.naming.key_vault.name_unique resource_group_name = azurerm_resource_group.this.name tenant_id = data.azurerm_client_config.this.tenant_id enable_telemetry = var.enable_telemetry legacy_access_policies = { test = { object_id = data.azurerm_client_config.this.object_id certificate_permissions = ["Get", "List"] } } legacy_access_policies_enabled = true } ``` -------------------------------- ### Configuring Telemetry for AVM Modules Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/AGENTS.md Map the 'enable_telemetry' setting to a root variable to control telemetry collection for AVM modules. This allows for centralized management of telemetry across your Terraform deployments. ```terraform enable_telemetry = var.enable_telemetry ``` -------------------------------- ### Terraform Configuration for Key Vault with Secret Creation Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/examples/create-secret/README.md This HCL code configures Terraform providers, modules, and resources to deploy an Azure Key Vault. It sets up network access rules, assigns an administrator role using Azure RBAC, and defines a secret with its value. The configuration includes dependencies on modules for regions, naming, and the Key Vault itself. ```hcl provider "azurerm" { features {} } terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 3.117" } http = { source = "hashicorp/http" version = "~> 3.4" } random = { source = "hashicorp/random" version = "~> 3.5" } } } module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.3.0" } # This allows us to randomize the region for the resource group. resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" } resource "azurerm_resource_group" "this" { location = module.regions.regions[random_integer.region_index.result].name name = module.naming.resource_group.name_unique } # Get current IP address for use in KV firewall rules data "http" "ip" { url = "https://api.ipify.org/" retry { attempts = 5 max_delay_ms = 1000 min_delay_ms = 500 } } data "azurerm_client_config" "current" {} module "key_vault" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-res-keyvault-vault/azurerm" name = module.naming.key_vault.name_unique resource_group_name = azurerm_resource_group.this.name tenant_id = data.azurerm_client_config.current.tenant_id enable_telemetry = var.enable_telemetry network_acls = { bypass = "AzureServices" ip_rules = ["${data.http.ip.response_body}/32"] } public_network_access_enabled = true role_assignments = { deployment_user_kv_admin = { role_definition_id_or_name = "Key Vault Administrator" principal_id = data.azurerm_client_config.current.object_id } } secrets = { test_secret = { name = "test-secret" } } secrets_value = { test_secret = "secret-value" } wait_for_rbac_before_secret_operations = { create = "60s" } } ``` -------------------------------- ### Pinning AVM Module Version Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/AGENTS.md When using AVM modules, it's crucial to pin to a specific version for predictable deployments. This ensures that your infrastructure does not break due to unexpected changes in newer module versions. ```terraform version = "1.2.3" ``` -------------------------------- ### Diagnostic Settings Configuration Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/README.md Defines a map of diagnostic settings for a Key Vault. Supports configuring log categories, log groups, metric categories, and various destination types like Log Analytics, Storage Accounts, or Event Hubs. The map key is arbitrary to avoid plan-time issues. ```hcl map(object({ name = optional(string, null) log_categories = optional(set(string), []) log_groups = optional(set(string), ["allLogs"]) metric_categories = optional(set(string), ["AllMetrics"]) log_analytics_destination_type = optional(string, "Dedicated") workspace_resource_id = optional(string, null) storage_account_resource_id = optional(string, null) event_hub_authorization_rule_resource_id = optional(string, null) event_hub_name = optional(string, null) marketplace_partner_resource_id = optional(string, null) })) ``` -------------------------------- ### Legacy Access Policies for Azure Key Vault Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/README.md Configures legacy access policies for an Azure Key Vault. Requires `var.legacy_access_policies_enabled` to be true. Specifies permissions for object ID, application ID, certificates, keys, secrets, and storage. ```hcl map(object({ object_id = string application_id = optional(string, null) certificate_permissions = optional(set(string), []) key_permissions = optional(set(string), []) secret_permissions = optional(set(string), []) storage_permissions = optional(set(string), []) })) ``` -------------------------------- ### Enable Telemetry Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/README.md Controls whether telemetry is enabled for the module. Set to false to disable telemetry collection. ```hcl bool ``` -------------------------------- ### Key Configuration for Azure Key Vault Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/README.md Defines the structure for configuring keys within an Azure Key Vault. Supports RSA and EC key types with various options, sizes, curves, dates, tags, and rotation policies. Role assignments can also be specified. ```hcl map(object({ name = string key_type = string key_opts = optional(list(string), ["sign", "verify"]) key_size = optional(number, null) curve = optional(string, null) not_before_date = optional(string, null) expiration_date = optional(string, null) tags = optional(map(any), null) role_assignments = optional(map(object({ role_definition_id_or_name = string principal_id = string description = optional(string, null) skip_service_principal_aad_check = optional(bool, false) condition = optional(string, null) condition_version = optional(string, null) delegated_managed_identity_resource_id = optional(string, null) principal_type = optional(string, null) })), {}) rotation_policy = optional(object({ automatic = optional(object({ time_after_creation = optional(string, null) time_before_expiry = optional(string, null) }), null) expire_after = optional(string, null) notify_before_expiry = optional(string, null) }), null) })) ``` -------------------------------- ### Deploy Key Vault with Private Endpoint using Terraform Source: https://github.com/azure/terraform-azurerm-avm-res-keyvault-vault/blob/main/examples/private-endpoint/README.md This Terraform configuration deploys an Azure Key Vault with a private endpoint. It requires a virtual network, subnet, and private DNS zone to be pre-configured or deployed alongside. Public network access is disabled to enforce private connectivity. ```hcl terraform { required_version = ">= 1.9, < 2.0" required_providers { azurerm = { source = "hashicorp/azurerm" version = ">= 3.117" } random = { source = "hashicorp/random" version = "~> 3.5" } } } provider "azurerm" { features {} } # We need the tenant id for the key vault. data "azurerm_client_config" "this" {} # This allows us to randomize the region for the resource group. module "regions" { source = "Azure/avm-utl-regions/azurerm" version = "0.3.0" } # This allows us to randomize the region for the resource group. resource "random_integer" "region_index" { max = length(module.regions.regions) - 1 min = 0 } # This ensures we have unique CAF compliant names for our resources. module "naming" { source = "Azure/naming/azurerm" version = "0.3.0" } # This is required for resource modules resource "azurerm_resource_group" "this" { location = module.regions.regions[random_integer.region_index.result].name name = module.naming.resource_group.name_unique } # A vnet is required for the private endpoint. resource "azurerm_virtual_network" "this" { location = azurerm_resource_group.this.location name = module.naming.virtual_network.name_unique resource_group_name = azurerm_resource_group.this.name address_space = ["192.168.0.0/24"] } resource "azurerm_subnet" "this" { address_prefixes = ["192.168.0.0/24"] name = module.naming.subnet.name_unique resource_group_name = azurerm_resource_group.this.name virtual_network_name = azurerm_virtual_network.this.name } resource "azurerm_private_dns_zone" "this" { name = "privatelink.vaultcore.azure.net" resource_group_name = azurerm_resource_group.this.name } # This is the module call module "keyvault" { source = "../../" location = azurerm_resource_group.this.location # source = "Azure/avm-res-keyvault-vault/azurerm" name = module.naming.key_vault.name_unique resource_group_name = azurerm_resource_group.this.name tenant_id = data.azurerm_client_config.this.tenant_id enable_telemetry = var.enable_telemetry private_endpoints = { primary = { private_dns_zone_resource_ids = [azurerm_private_dns_zone.this.id] subnet_resource_id = azurerm_subnet.this.id } } public_network_access_enabled = false } # Removed as this causes the idempotent check to fail. # # check "dns" { # data "azurerm_private_dns_a_record" "assertion" { # name = module.naming.key_vault.name_unique # zone_name = "privatelink.vaultcore.azure.net" # resource_group_name = azurerm_resource_group.this.name # } # assert { # condition = one(data.azurerm_private_dns_a_record.assertion.records) == one(module.keyvault.private_endpoints["primary"].private_service_connection).private_ip_address # error_message = "The private DNS A record for the private endpoint is not correct." # } # } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.