
# Key Vault that stores the certificate API Management uses as a client
# certificate. The vault name combines the caller-supplied prefix with a random
# suffix (random_integer.this) so repeated deployments do not collide.
# Access is granted through access-policy resources below (the vault does not
# enable RBAC authorization).
resource "azurerm_key_vault" "this" {
  name                = "kv${var.prefix}green${random_integer.this.result}"
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium"
  # Soft-deleted keys/certificates stay recoverable and cannot be purged
  # immediately; note this also keeps the vault name reserved after destroy.
  purge_protection_enabled = true
  # NOTE(review): no network_acls block is set, so the vault's data plane is
  # presumably reachable from any network (provider default). Fine for a
  # fixture; confirm before reusing this definition for a real workload.
}

# Grants the API Management system-assigned identity access to the vault.
# identity[0] is read from azurerm_api_management.this, which is defined in
# another file and must carry an identity block for this to evaluate.
resource "azurerm_key_vault_access_policy" "api" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = azurerm_api_management.this.identity[0].tenant_id
  object_id    = azurerm_api_management.this.identity[0].principal_id

  key_permissions    = ["Get", "UnwrapKey", "WrapKey"]
  # Retrieving the certificate's PKCS#12 payload goes through secret "Get".
  secret_permissions = ["Get"]
  # NOTE(review): the key permissions above and the write-level certificate
  # permissions below (Create/Delete/Import/Manage*/Set*) look broader than a
  # consumer that only reads the certificate needs — confirm what the APIM
  # side actually requires before trimming to least privilege.
  certificate_permissions = [
    "Create",
    "Delete",
    "DeleteIssuers",
    "Get",
    "GetIssuers",
    "Import",
    "List",
    "ListIssuers",
    "ManageContacts",
    "ManageIssuers",
    "SetIssuers",
    "Update",
  ]
}

# Grants the identity running Terraform (data.azurerm_client_config.current)
# the permissions needed to create, rotate and clean up the key material
# below. "Purge" on keys and certificates bypasses soft-delete recovery, so
# this is a deployer-only policy and should not be copied to a workload
# identity.
resource "azurerm_key_vault_access_policy" "client" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Get",
    "Create",
    "Delete",
    "List",
    "Restore",
    "Recover",
    "UnwrapKey",
    "WrapKey",
    "Purge",
    "Encrypt",
    "Decrypt",
    "Sign",
    "Verify",
    "GetRotationPolicy",
    "SetRotationPolicy",
  ]
  secret_permissions = ["Get"]
  certificate_permissions = [
    "Create",
    "Delete",
    "DeleteIssuers",
    "Get",
    "GetIssuers",
    "Import",
    "List",
    "ListIssuers",
    "ManageContacts",
    "ManageIssuers",
    "SetIssuers",
    "Update",
    "Purge",
  ]
}

# Self-signed certificate ("Self" issuer) whose secret form is PKCS#12, so a
# reader with secret "Get" obtains the certificate together with its private
# key.
resource "azurerm_key_vault_certificate" "this" {
  name         = "green-cert"
  key_vault_id = azurerm_key_vault.this.id

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      # Exportable: the private key can leave the vault inside the PKCS#12
      # secret. Presumably required so the consumer can present the
      # certificate, but it means the key is only as protected as every
      # principal that can read the secret.
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      # Auto-renewal keeps the same key pair; set to false if each renewal
      # should generate a fresh key.
      reuse_key  = true
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"
      }

      # Renew 30 days before the 12-month validity below expires.
      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      # Server Authentication = 1.3.6.1.5.5.7.3.1
      # Client Authentication = 1.3.6.1.5.5.7.3.2
      extended_key_usage = ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"]
      # NOTE(review): cRLSign and keyCertSign are CA usages; an end-entity
      # client/server certificate normally needs only digitalSignature and
      # keyEncipherment (plus keyAgreement for ECDH). Strict validators may
      # reject the broader set — confirm it is intentional.
      key_usage = [
        "cRLSign",
        "dataEncipherment",
        "digitalSignature",
        "keyAgreement",
        "keyCertSign",
        "keyEncipherment",
      ]

      # subject_alternative_names {
      #   dns_names = ["internal.contoso.com", "domain.hello.world"]
      # }

      # Placeholder subject; replace with the real CN outside of a fixture.
      subject            = "CN=yourorg.com"
      validity_in_months = 12
    }
  }
}