How to Import an Azure Key Vault Certificate into Terraform
terraback azure import --method bulk. Terraback writes the matching azurerm_key_vault_certificate resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the certificate's data-plane URI including its version (https://<vault>.vault.azure.net/certificates/<name>/<version>), NOT an ARM resource ID.Import Azure Key Vault Certificate with Terraback (recommended)
Terraback reverse-engineers your live infrastructure: it reads the Azure Security resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live Azure Key Vault Certificate to managed Terraform.
Scan your Azure account
terraback scan all azure --subscription-id YOUR_IDGenerate import blocks and import into state
terraback azure import --method bulkThe Terraform import block
Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.
import {
to = azurerm_key_vault_certificate.tls
id = "https://prod-kv.vault.azure.net/certificates/app-tls/fdf067c93bbb4b22bff4d8b7a9a56217"
}Example azurerm_key_vault_certificate configuration
Here is a realistic Azure Key Vault Certificate block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.
resource "azurerm_key_vault_certificate" "tls" {
name = "app-tls"
key_vault_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/prod-kv"
certificate_policy {
issuer_parameters {
name = "Self"
}
key_properties {
exportable = true
key_size = 2048
key_type = "RSA"
reuse_key = true
}
secret_properties {
content_type = "application/x-pkcs12"
}
x509_certificate_properties {
subject = "CN=app.example.com"
validity_in_months = 12
}
}
}Gotchas when importing a Azure Key Vault Certificate
- Unlike most Azure resources, the import ID is the data-plane URI (https://<vault>.vault.azure.net/certificates/<name>/<version>), not an /subscriptions/... ARM ID.
- The 32-character hex version is required in the URI; importing without it will fail.
- Importing a certificate that was created by importing a PFX vs one generated by a policy behaves differently; the certificate block contents are sensitive and not returned, so Terraback emits a lifecycle ignore_changes for them.
- The vault must already exist and your principal needs certificate get/list permissions (access policy or RBAC) for the import to read it.
Doing it manually with terraform import
The native approach is to write the azurerm_key_vault_certificate block by hand, then run terraform import azurerm_key_vault_certificate.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.
Import other Azure resources
Import your whole Azure account in minutes
Terraback scans 80+ Azure resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.