azurerm_keyvault_vault#

Azure Resource Manager Key Vault Execution Module

New in version 2.1.0.

maintainer:

<devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed as keyword arguments to every function in order to work properly.

Required provider parameters:

if using username and password:

  • subscription_id

  • username

  • password

if using a service principal:

  • subscription_id

  • tenant

  • client_id

  • secret

if using managed identity:

  • subscription_id

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud.

Possible values:

  • AZURE_PUBLIC_CLOUD (default)

  • AZURE_CHINA_CLOUD

  • AZURE_US_GOV_CLOUD

  • AZURE_GERMAN_CLOUD

saltext.azurerm.modules.azurerm_keyvault_vault.check_name_availability(name, **kwargs)[source]#

New in version 2.1.0.

Checks that the vault name is valid and is not already in use.

Parameters:

name – The vault name.

CLI Example:

salt-call azurerm_keyvault_vault.check_name_availability test_name
saltext.azurerm.modules.azurerm_keyvault_vault.create_or_update(name, resource_group, location, tenant_id, sku, access_policies=None, vault_uri=None, create_mode=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, enable_soft_delete=None, soft_delete_retention=None, enable_purge_protection=None, enable_rbac_authorization=None, network_acls=None, tags=None, **kwargs)[source]#

New in version 2.1.0.

Create or update a key vault in the specified subscription.

Parameters:

  • name – The vault name.

  • resource_group – The name of the resource group to which the vault belongs.

  • location – The supported Azure location where the key vault should be created.

  • tenant_id – The Azure Active Direction tenant ID that should be used for authenticating requests to the key vault.

  • sku – The SKU name to specify whether the key vault is a standard vault or a premium vault. Possible values include: ‘standard’ and ‘premium’.

  • access_policies

    A list of 0 to 16 dictionaries that represent AccessPolicyEntry objects. The AccessPolicyEntry objects represent identities that have access to the key vault. All identities in the list must use the same tenant ID as the key vault’s tenant ID. When createMode is set to “recover”, access policies are not required. Otherwise, access policies are required. Valid parameters are:

    • tenant_id: (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

    • object_id: (Required) The object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

    • application_id: (Optional) Application ID of the client making request on behalf of a principal.

    • permissions: (Required) A dictionary representing permissions the identity has for keys, secrets, and certifications. Valid parameters include:

      • keys: A list that represents permissions to keys. Possible values include: ‘backup’, ‘create’, ‘decrypt’, ‘delete’, ‘encrypt’, ‘get’, ‘import_enum’, ‘list’, ‘purge’, ‘recover’, ‘restore’, ‘sign’, ‘unwrap_key’, ‘update’, ‘verify’, and ‘wrap_key’.

      • secrets: A list that represents permissions to secrets. Possible values include: ‘backup’, ‘delete’, ‘get’, ‘list’, ‘purge’, ‘recover’, ‘restore’, and ‘set’.

      • certificates: A list that represents permissions to certificates. Possible values include: ‘create’, ‘delete’, ‘deleteissuers’, ‘get’, ‘getissuers’, ‘import_enum’, ‘list’, ‘listissuers’, ‘managecontacts’, ‘manageissuers’, ‘purge’, ‘recover’, ‘setissuers’, and ‘update’.

      • storage: A list that represents permissions to storage accounts. Possible values include: ‘backup’, ‘delete’, ‘deletesas’, ‘get’, ‘getsas’, ‘list’, ‘listsas’, ‘purge’, ‘recover’, ‘regeneratekey’, ‘restore’, ‘set’, ‘setsas’, and ‘update’.

  • vault_uri – The URI of the vault for performing operations on keys and secrets.

  • create_mode – The vault’s create mode to indicate whether the vault needs to be recovered or not. Possible values include: ‘recover’ and ‘default’.

  • enabled_for_deployment – A boolean value specifying whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.

  • enabled_for_disk_encryption – A boolean value specifying whether Azure Disk Encrpytion is permitted to retrieve secrets from the vault and unwrap keys.

  • enabled_for_template_deployment – A boolean value specifying whether Azure Resource Manager is permitted to retrieve secrets from the key vault.

  • create_mode – The vault’s create mode to indicate whether the vault needs to be recovered or not. Possible values include: ‘recover’ and ‘default’.

  • enable_soft_delete – A boolean value that specifies whether the ‘soft delete’ functionality is enabled for this key vault. If it’s not set to any value (True or False) when creating new key vault, it will be set to True by default. Once set to True, it cannot be reverted to False.

  • soft_delete_retention – The soft delete data retention period in days. It accepts values between 7-90, inclusive. Default value is 90.

  • enable_purge_protection – A boolean value specifying whether protection against purge is enabled for this vault. Setting this property to True activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible, that is, the property does not accept False as its value. This is only effective if soft delete has been enabled via the enable_soft_delete parameter.

  • enable_rbac_authorization – A boolean value that controls how data actions are authorized. When set to True, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When set as False, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. Note that management actions are always authorized with RBAC. Defaults to False.

  • network_acls – A dictionary representing a NetworkRuleSet. Rules governing the accessibility of the key vault from specific network locations.

  • tags – The tags that will be assigned to the key vault.

CLI Example:

salt-call azurerm_keyvault_vault.create_or_update tst_name tst_rg tst_location tst_tenant tst_sku tst_policies
saltext.azurerm.modules.azurerm_keyvault_vault.delete(name, resource_group, **kwargs)[source]#

New in version 2.1.0.

Deletes the specified Azure key vault.

Parameters:

  • name – The vault name.

  • resource_group – The name of the resource group to which the vault belongs.

CLI Example:

salt-call azurerm_keyvault_vault.delete test_name test_rg
saltext.azurerm.modules.azurerm_keyvault_vault.get(name, resource_group, **kwargs)[source]#

New in version 2.1.0.

Gets the specified Azure key vault.

Parameters:

  • name – The vault name.

  • resource_group – The name of the resource group to which the vault belongs.

CLI Example:

salt-call azurerm_keyvault_vault.get test_name test_rg
saltext.azurerm.modules.azurerm_keyvault_vault.get_deleted(name, location, **kwargs)[source]#

New in version 2.1.0.

Gets the deleted Azure key vault.

Parameters:

  • name – The vault name.

  • location – The location of the deleted vault.

CLI Example:

salt-call azurerm_keyvault_vault.get_deleted test_name test_location
saltext.azurerm.modules.azurerm_keyvault_vault.list_(resource_group=None, top=None, **kwargs)[source]#

New in version 2.1.0.

Gets information about the vaults associated with the subscription.

Parameters:

  • resource_group – The name of the resource group to limit the results.

  • top – Maximum number of results to return.

CLI Example:

salt-call azurerm_keyvault_vault.list
saltext.azurerm.modules.azurerm_keyvault_vault.list_by_subscription(top=None, **kwargs)[source]#

New in version 2.1.0.

The List operation gets information about the vaults associated with the subscription.

Parameters:

top – Maximum number of results to return.

CLI Example:

salt-call azurerm_keyvault_vault.list_by_subscription
saltext.azurerm.modules.azurerm_keyvault_vault.list_deleted(**kwargs)[source]#

New in version 2.1.0.

Gets information about the deleted vaults in a subscription.

CLI Example:

salt-call azurerm_keyvault_vault.list_deleted
saltext.azurerm.modules.azurerm_keyvault_vault.purge_deleted(name, location, **kwargs)[source]#

New in version 2.1.0.

Permanently deletes (purges) the specified Azure key vault.

Parameters:

  • name – The name of the soft-deleted vault.

  • location – The location of the soft-deleted vault.

CLI Example:

salt-call azurerm_keyvault_vault.purge_deleted test_name test_location
saltext.azurerm.modules.azurerm_keyvault_vault.update_access_policy(name, resource_group, operation_kind, access_policies, **kwargs)[source]#

New in version 2.1.0.

Update access policies in a key vault in the specified subscription.

Parameters:

  • name – The name of the vault.

  • resource_group – The name of the resource group to which the server belongs.

  • operation_kind – Name of the operation. Possible values include: ‘add’, ‘replace’, and ‘remove’.

  • access_policies

    A list of 0 to 16 dictionaries that represent AccessPolicyEntry objects. The AccessPolicyEntry objects represent identities that have access to the key vault. All identities in the list must use the same tenant ID as the key vault’s tenant ID. When createMode is set to “recover”, access policies are not required. Otherwise, access policies are required. Valid parameters are:

    • tenant_id: (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.

    • object_id: (Required) The object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.

    • application_id: (Optional) Application ID of the client making request on behalf of a principal.

    • permissions: (Required) A dictionary representing permissions the identity has for keys, secrets, and certifications. Valid parameters include:

      • keys: A list that represents permissions to keys. Possible values include: ‘backup’, ‘create’, ‘decrypt’, ‘delete’, ‘encrypt’, ‘get’, ‘import_enum’, ‘list’, ‘purge’, ‘recover’, ‘restore’, ‘sign’, ‘unwrap_key’, ‘update’, ‘verify’, and ‘wrap_key’.

      • secrets: A list that represents permissions to secrets. Possible values include: ‘backup’, ‘delete’, ‘get’, ‘list’, ‘purge’, ‘recover’, ‘restore’, and ‘set’.

      • certificates: A list that represents permissions to certificates. Possible values include: ‘create’, ‘delete’, ‘deleteissuers’, ‘get’, ‘getissuers’, ‘import_enum’, ‘list’, ‘listissuers’, ‘managecontacts’, ‘manageissuers’, ‘purge’, ‘recover’, ‘setissuers’, and ‘update’.

      • storage: A list that represents permissions to storage accounts. Possible values include: ‘backup’, ‘delete’, ‘deletesas’, ‘get’, ‘getsas’, ‘list’, ‘listsas’, ‘purge’, ‘recover’, ‘regeneratekey’, ‘restore’, ‘set’, ‘setsas’, and ‘update’.

CLI Example:

salt-call azurerm_keyvault_vault.update_access_policy test_name test_rg test_kind test_policies