
azurerm_key_vault_key support oct-HSM #25801

Open
1 task done
xli1996 opened this issue Apr 29, 2024 · 3 comments

Comments

@xli1996

xli1996 commented Apr 29, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Can azurerm_key_vault_key be used with azurerm_key_vault_managed_hardware_security_module, which has a similar interface to azurerm_key_vault? There is an additional key type, AES-HSM, that is currently not supported by azurerm_key_vault_key. Actually the key type is oct-HSM, which was removed in #18608.

I wonder if there should be an extra resource like azurerm_key_vault_managed_hardware_security_module_key? Or could we use the existing resource azurerm_key_vault_key but support more key types?

New or Affected Resource(s)/Data Source(s)

azurerm_key_vault_key

Potential Terraform Configuration

resource "azurerm_key_vault_key" "key" {
  name         = var.key_name
  key_vault_id = azurerm_key_vault_managed_hardware_security_module.vault.id
  key_type     = "oct-HSM"
  key_size     = 256
  key_opts     = var.key_opts
  # rotate after 90 days
  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }
    notify_before_expiry = "P30D"
    expire_after         = "P120D"
  }
}

References

No response

@github-actions github-actions bot added the service/key-vault Key Vault label Apr 29, 2024
@xli1996 xli1996 changed the title azurerm_key_vault_key support AES-HSM azurerm_key_vault_key support oct-HSM Apr 30, 2024
@aristosvo
Collaborator

Hi @xli1996!

Thanks for opening this issue. I was the one who removed the support for oct-HSM in #18608, as I couldn't make the tests work for it and the documentation did not show anything about it.

Can you explain how this would work for you, with some accompanying az CLI or azapi examples of how you provision it now?

@xli1996
Author

xli1996 commented Apr 30, 2024

@aristosvo

Hi, thanks for the response.

I mostly followed this documentation https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_managed_hardware_security_module and provisioned an HSM.
After that I had to manually activate it, as the HSM requires uploading at least three RSA certs and downloading one security domain. That step can probably be replaced with a local-exec, but I did this step manually.

After proper role assignments with local RBAC, I then have to use the Azure CLI to create oct-HSM keys and a rotation policy like

## Create keys and set rotation policy
az keyvault key create \
    --hsm-name $VAULT_NAME \
    --name $KEY_NAME \
    --size 256 \
    --kty oct-HSM \
    --ops decrypt encrypt sign verify unwrapKey wrapKey

az keyvault key rotation-policy update \
    --hsm-name $VAULT_NAME \
    --name $KEY_NAME \
    --value $POLICY_NAME

since it is not supported in the current provider.

Let me know if you need additional information.
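As an added example (not code from the issue, from the azurerm provider, or from the commenter), the following Python builds the rotation-policy document that the az keyvault key rotation-policy update call above consumes through --value, from the same fields used in the proposed azurerm_key_vault_key block, and then works out the resulting schedule: with expire_after P120D and time_before_expiry P30D the Rotate trigger fires on day 90, which is what the "# rotate after 90 days" comment in the configuration means. The lifetimeActions / attributes.expiryTime layout follows the Key Vault rotation-policy JSON format; everything else (function names, the restriction to day- and week-based ISO 8601 durations, the sample creation date) is my own assumption for illustration.

```python
"""Build a Key Vault / Managed HSM rotation-policy document and compute
the schedule it produces. Added worked example; not provider code.

Assumptions (labelled): the document layout follows the Key Vault
rotation-policy JSON format (lifetimeActions with timeBeforeExpiry /
timeAfterCreate triggers, Rotate / Notify actions, attributes.expiryTime).
Only day- and week-based ISO 8601 durations (P<n>D, P<n>W) are handled;
month/year durations are calendar-dependent and are rejected, not guessed.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_DURATION = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?$")


def parse_duration(iso: str) -> timedelta:
    """Parse a week/day-only ISO 8601 duration such as 'P30D' or 'P2W'."""
    m = _DURATION.match(iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {iso!r}: only P<n>W / P<n>D are handled")
    weeks, days = (int(g) if g else 0 for g in m.groups())
    return timedelta(weeks=weeks, days=days)


def build_rotation_policy(expire_after: str,
                          rotate_before_expiry: Optional[str] = None,
                          rotate_after_creation: Optional[str] = None,
                          notify_before_expiry: Optional[str] = None) -> dict:
    """Return the rotation-policy document.

    Exactly one of rotate_before_expiry / rotate_after_creation may be set,
    mirroring the single trigger allowed in the azurerm `automatic` block.
    """
    if (rotate_before_expiry is None) == (rotate_after_creation is None):
        raise ValueError("set exactly one of rotate_before_expiry / rotate_after_creation")
    for d in (expire_after, rotate_before_expiry, rotate_after_creation, notify_before_expiry):
        if d is not None:
            parse_duration(d)  # fail early on an unsupported duration
    actions = []
    if rotate_before_expiry is not None:
        actions.append({"trigger": {"timeBeforeExpiry": rotate_before_expiry},
                        "action": {"type": "Rotate"}})
    else:
        actions.append({"trigger": {"timeAfterCreate": rotate_after_creation},
                        "action": {"type": "Rotate"}})
    if notify_before_expiry is not None:
        actions.append({"trigger": {"timeBeforeExpiry": notify_before_expiry},
                        "action": {"type": "Notify"}})
    return {"lifetimeActions": actions, "attributes": {"expiryTime": expire_after}}


def schedule(policy: dict, created: datetime) -> dict:
    """Expiry, rotation and notification instants for a key created at `created`."""
    expiry = created + parse_duration(policy["attributes"]["expiryTime"])
    out = {"created": created, "expires": expiry}
    for action in policy["lifetimeActions"]:
        trigger = action["trigger"]
        if "timeBeforeExpiry" in trigger:
            when = expiry - parse_duration(trigger["timeBeforeExpiry"])
        else:
            when = created + parse_duration(trigger["timeAfterCreate"])
        out[action["action"]["type"].lower()] = when  # keys: "rotate", "notify"
    return out


def rotation_interval_days(policy: dict) -> int:
    """Days between key creation and the Rotate trigger (creation date is arbitrary)."""
    s = schedule(policy, datetime(2024, 1, 1, tzinfo=timezone.utc))
    return (s["rotate"] - s["created"]).days


if __name__ == "__main__":
    # Same values as the proposed azurerm_key_vault_key block in the issue.
    policy = build_rotation_policy(expire_after="P120D",
                                   rotate_before_expiry="P30D",
                                   notify_before_expiry="P30D")
    print(json.dumps(policy, indent=2))
    print("rotates after", rotation_interval_days(policy), "days")
```

Write the printed JSON to a file and hand that file to the --value argument of the rotation-policy update command shown above. The point worth checking before applying such a policy is that the Notify trigger is not later than the Rotate trigger and that the expiry is long enough for the rotation to complete; with both triggers at P30D before a P120D expiry, notification and rotation coincide on day 90.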

@wuxu92
Contributor

wuxu92 commented May 13, 2024

@xli1996 Actually az keyvault key create --hsm-name ... should/may be supported by a separate resource rather than in azurerm_key_vault_key. HashiCorp is currently working on this new resource now, AFAIK.
