User Story 60501: 101-key-vault-key (#203)

* New sample (converted from Bicep via OpenAI)

quickstart/101-key-vault-key/main.tf

@@ -0,0 +1,65 @@
+resource "random_pet" "rg_name" {
+  prefix = var.resource_group_name_prefix
+}
+
+resource "azurerm_resource_group" "rg" {
+  name     = random_pet.rg_name.id
+  location = var.resource_group_location
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "random_string" "azurerm_key_vault_name" {
+  length  = 13
+  lower   = true
+  numeric = false
+  special = false
+  upper   = false
+}
+
+locals {
+  current_user_id = coalesce(var.msi_id, data.azurerm_client_config.current.object_id)
+}
+
+resource "azurerm_key_vault" "vault" {
+  name                       = coalesce(var.vault_name, "vault-${random_string.azurerm_key_vault_name.result}")
+  location                   = azurerm_resource_group.rg.location
+  resource_group_name        = azurerm_resource_group.rg.name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  sku_name                   = var.sku_name
+  soft_delete_retention_days = 7
+
+  access_policy {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    object_id = local.current_user_id
+
+    key_permissions    = var.key_permissions
+    secret_permissions = var.secret_permissions
+  }
+}
+
+resource "random_string" "azurerm_key_vault_key_name" {
+  length  = 13
+  lower   = true
+  numeric = false
+  special = false
+  upper   = false
+}
+
+resource "azurerm_key_vault_key" "key" {
+  name = coalesce(var.key_name, "key-${random_string.azurerm_key_vault_key_name.result}")
+
+  key_vault_id = azurerm_key_vault.vault.id
+  key_type     = var.key_type
+  key_size     = var.key_size
+  key_opts     = var.key_ops
+
+  rotation_policy {
+    automatic {
+      time_before_expiry = "P30D"
+    }
+
+    expire_after         = "P90D"
+    notify_before_expiry = "P29D"
+  }
+}

quickstart/101-key-vault-key/outputs.tf

@@ -0,0 +1,11 @@
+output "resource_group_name" {
+  value = azurerm_resource_group.rg.name
+}
+
+output "azurerm_key_vault_name" {
+  value = azurerm_key_vault.vault.name
+}
+
+output "azurerm_key_vault_id" {
+  value = azurerm_key_vault.vault.id
+}

quickstart/101-key-vault-key/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = ">=1.0"
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~>3.0"
+    }
+  }
+}
+provider "azurerm" {
+  features {}
+}

quickstart/101-key-vault-key/readme.md

@@ -0,0 +1,31 @@
+# Azure Key Vault
+
+This template deploys an Azure Key Vault.
+
+## Terraform resource types
+
+- [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet)
+- [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)
+- [random_string](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string)
+- [azurerm_key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault)
+- [azurerm_key_vault_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key)
+
+## Variables
+
+| Name | Description | Default |
+|-|-|-|
+| `resource_group_name_prefix` | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | rg |
+| `resource_group_location` | Location of the resource group. | eastus |
+| `vault_name` | The name of the key vault to be created. The value is randomly generated if not specified or blank. | "" |
+| `key_name` | The name of the key to be created. | The value is randomly generated if not specified or blank. |
+| `sku_name` | The SKU of the vault to be created. | standard |
+| `key_permissions` | List of key permissions. | ["List", "Create", "Delete", "Get", "Purge", "Recover", "Update", "GetRotationPolicy", "SetRotationPolicy"] |
+| `secret_permissions` | List of secret permissions. | ["Set"] |
+| `key_type` | The JsonWebKeyType of the key to be created. | RSA |
+| `key_ops` | The permitted JSON web key operations of the key to be created. | Empty list of strings. |
+| `key_size` | The size in bits of the key to be created. | 2048 |
+| `msi_id` | The Managed Service Identity ID. If this value isn't null (the default), the Azure Key Vault Object ID will be set to this value. | null |
+
+## Example
+
+To see how to run this example, see [Create an Azure key vault and a key by using Terraform](https://learn.microsoft.com/azure/key-vault/keys/quick-create-terraform).

quickstart/101-key-vault-key/variables.tf

@@ -0,0 +1,73 @@
+variable "resource_group_location" {
+  type        = string
+  description = "Location for all resources."
+  default     = "eastus"
+}
+
+variable "resource_group_name_prefix" {
+  type        = string
+  description = "Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription."
+  default     = "rg"
+}
+
+variable "vault_name" {
+  type        = string
+  description = "The name of the key vault to be created. The value will be randomly generated if blank."
+  default     = ""
+}
+
+variable "key_name" {
+  type        = string
+  description = "The name of the key to be created. The value will be randomly generated if blank."
+  default     = ""
+}
+
+variable "sku_name" {
+  type        = string
+  description = "The SKU of the vault to be created."
+  default     = "standard"
+  validation {
+    condition     = contains(["standard", "premium"], var.sku_name)
+    error_message = "The sku_name must be one of the following: standard, premium."
+  }
+}
+
+variable "key_permissions" {
+  type        = list(string)
+  description = "List of key permissions."
+  default     = ["List", "Create", "Delete", "Get", "Purge", "Recover", "Update", "GetRotationPolicy", "SetRotationPolicy"]
+}
+
+variable "secret_permissions" {
+  type        = list(string)
+  description = "List of secret permissions."
+  default     = ["Set"]
+}
+
+variable "key_type" {
+  description = "The JsonWebKeyType of the key to be created."
+  default     = "RSA"
+  type        = string
+  validation {
+    condition     = contains(["EC", "EC-HSM", "RSA", "RSA-HSM"], var.key_type)
+    error_message = "The key_type must be one of the following: EC, EC-HSM, RSA, RSA-HSM."
+  }
+}
+
+variable "key_ops" {
+  type        = list(string)
+  description = "The permitted JSON web key operations of the key to be created."
+  default     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]
+}
+
+variable "key_size" {
+  type        = number
+  description = "The size in bits of the key to be created."
+  default     = 2048
+}
+
+variable "msi_id" {
+  type        = string
+  description = "The Managed Service Identity ID. If this value isn't null (the default), 'data.azurerm_client_config.current.object_id' will be set to this value."
+  default     = null
+}