
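# Key Vault holding the customer-managed key (CMK) for the "green" variant of
# this module. Premium SKU, purge protection on: a deleted key can be recovered
# but never purged until the retention window has elapsed.
#
# NOTE(review): soft_delete_retention_days is the Azure minimum (7) and cannot
# be changed in place after creation (a change forces replacement); hardening
# baselines commonly expect 90. No network_acls block is declared, so the data
# plane is reachable from any network; a `network_acls { default_action =
# "Deny" bypass = "AzureServices" ... }` block should be added once the
# apply-time client address is known, otherwise key creation below would be
# blocked by the firewall.
resource "azurerm_key_vault" "this" {
  name                       = "kv${var.prefix}green${random_integer.this.result}"
  location                   = azurerm_resource_group.this.location
  resource_group_name        = azurerm_resource_group.this.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
  tags                       = var.tags
}

# Data-plane policy for the principal that applies this configuration
# (var.object_id). It creates and manages the key, hence the lifecycle
# permissions (Create/Delete/Recover/Backup/Restore/Update) plus read/list.
#
# "Purge" was removed: with purge_protection_enabled = true on the vault,
# Azure refuses to purge any object in it regardless of the caller's
# permissions, so the grant conferred nothing and only widened the policy on
# paper. Purge protection cannot be switched off once enabled, so this stays
# inert for the life of the vault.
#
# "Decrypt", "Verify" and the other crypto permissions are not exercised by
# anything in this file and are kept only as part of the existing contract with
# the caller; confirm with the consuming harness before narrowing them further.
resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.object_id

  key_permissions = [
    "Backup",
    "Create",
    "Decrypt",
    "Delete",
    "Get",
    "List",
    "Recover",
    "Restore",
    "Update",
    "UnwrapKey",
    "Verify",
    "WrapKey",
  ]
}

# Data-plane policy for the user-assigned identity that consumes the CMK
# (presumably the Batch account configured elsewhere in this module): read the
# key and wrap/unwrap a data-encryption key, nothing else. This is the
# least-privilege set for a CMK consumer and should not be widened.
resource "azurerm_key_vault_access_policy" "user_identity" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.this.principal_id

  key_permissions = [
    "Get",
    "UnwrapKey",
    "WrapKey",
  ]
}

# The CMK itself. depends_on is required because access policies are separate
# resources here: the key creation call is made by the client principal, whose
# policy must exist first, and the consumer's policy should be in place before
# anything references the key.
#
# NOTE(review):
# - key_type "RSA" is software-protected even though the vault is premium;
#   "RSA-HSM" (supported on the premium SKU) keeps key material in an HSM and
#   is the usual choice for a CMK. Changing it forces a new key.
# - key_size 2048 is the floor; 3072 or 4096 is preferred for new keys.
# - key_opts permit sign/verify/encrypt/decrypt although only wrapKey/unwrapKey
#   are needed for CMK use; narrowing them is a breaking change for any
#   external caller, so it is left as is.
# - There is no expiration_date and no rotation_policy, so the key never
#   rotates. Adding rotation_policy also requires "GetRotationPolicy" and
#   "SetRotationPolicy" on the client access policy.
# Verify each of these against the consuming service before changing.
resource "azurerm_key_vault_key" "key" {
  name         = "key${random_integer.this.result}green"
  key_vault_id = azurerm_key_vault.this.id
  key_type     = "RSA"
  key_size     = 2048
  # Propagate the same tags as the vault so the key is attributable in audits.
  tags         = var.tags

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  depends_on = [
    azurerm_key_vault_access_policy.client,
    azurerm_key_vault_access_policy.user_identity,
  ]
}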