Quickstart: Manage Azure Key Vault certificate contacts with the AzAPI Terraform provider

Terraform enables the definition, preview, and deployment of cloud infrastructure. Using Terraform, you create configuration files using HCL syntax. The HCL syntax allows you to specify the cloud provider - such as Azure - and the elements that make up your cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure.

Use azapi_data_plane_resource to manage Azure data plane resources in Terraform. In this example, you configure certificate contacts for an Azure Key Vault.

For foundational concepts about how the data plane framework works and parent_id patterns, see Understand the AzAPI data plane framework.

Create a Key Vault with the AzureRM provider
Use azapi_data_plane_resource to configure certificate contacts

Prerequisites

Azure subscription: If you don't have an Azure subscription, create a free account before you begin.

Configure Terraform: If you haven't already done so, configure Terraform using one of the following options:

When you log in to the Azure portal with a Microsoft account, the default Azure subscription for that account is used.

Terraform automatically authenticates using information from the default Azure subscription.

Run az account show to verify the current Microsoft account and Azure subscription.

az account show

Any changes you make via Terraform are on the displayed Azure subscription. If that's what you want, skip the rest of this article.

Implement the Terraform code

Create a directory in which to test the sample Terraform code and make it the current directory.

Create a file named providers.tf and insert the following code:

terraform {
  required_providers {
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy    = true
      recover_soft_deleted_key_vaults = true
    }
  }
}

provider "azapi" {}

Create a file named variables.tf and insert the following code:

variable "resource_group_location" {
  type        = string
  default     = "eastus"
  description = "Location of the resource group."
}

variable "resource_group_name_prefix" {
  type        = string
  default     = "rg"
  description = "Prefix of the resource group name that's combined with a random value to create a unique name."
}

Create a file named main.tf and insert the following code:

resource "random_pet" "rg_name" {
  prefix = var.resource_group_name_prefix
}

resource "random_string" "kv_suffix" {
  length  = 6
  upper   = false
  special = false
}

resource "azurerm_resource_group" "example" {
  location = var.resource_group_location
  name     = random_pet.rg_name.id
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "kv-${random_string.kv_suffix.result}"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    certificate_permissions = [
      "ManageContacts",
    ]
  }
}

resource "azapi_data_plane_resource" "certificate_contacts" {
  type      = "Microsoft.KeyVault/vaults/certificates/contacts@7.3"
  parent_id = trimsuffix(trimprefix(azurerm_key_vault.example.vault_uri, "https://"), "/")
  name      = "default"

  body = {
    contacts = [
      {
        emailAddress = "admin@contoso.com"
        name         = "Admin Contact"
        phone        = "555-555-0100"
      },
      {
        emailAddress = "ops@contoso.com"
        name         = "Operations"
      }
    ]
  }
}

Key points about azapi_data_plane_resource:

The type field uses the format <resource-type>@<api-version> for the data plane API.
The parent_id is the data plane endpoint hostname (without the https:// prefix), not an ARM resource ID.
The name field identifies the specific resource within the parent. For Key Vault certificate contacts, the value is always default.

Create a file named outputs.tf and insert the following code:

output "resource_group_name" {
  value = azurerm_resource_group.example.name
}

output "key_vault_name" {
  value = azurerm_key_vault.example.name
}

output "certificate_contacts" {
  value = azapi_data_plane_resource.certificate_contacts.output
}

Run terraform init to initialize the Terraform deployment. This command downloads the Azure provider required to manage your Azure resources.

terraform init -upgrade

Key points:

The -upgrade parameter upgrades the necessary provider plugins to the newest version that complies with the configuration's version constraints.

Run terraform plan to create an execution plan.

terraform plan -out main.tfplan

Key points:

The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.

Run terraform apply to apply the execution plan to your cloud infrastructure.

terraform apply main.tfplan

Key points:

The example terraform apply command assumes you previously ran terraform plan -out main.tfplan.
If you specified a different filename for the -out parameter, use that same filename in the call to terraform apply.
If you didn't use the -out parameter, call terraform apply without any parameters.

Run az keyvault certificate contact list to retrieve the certificate contacts.

```azurecli
az keyvault certificate contact list --vault-name <key_vault_name>
```

Run Get-AzKeyVaultCertificateContact to retrieve the certificate contacts.

```powershell
Get-AzKeyVaultCertificateContact -VaultName <key_vault_name>
```

Clean up resources

When you no longer need the resources created via Terraform, do the following steps:

Run terraform plan and specify the destroy flag.
```
terraform plan -destroy -out main.destroy.tfplan
```
Key points:
- The terraform plan command creates an execution plan, but doesn't execute it. Instead, it determines what actions are necessary to create the configuration specified in your configuration files. This pattern allows you to verify whether the execution plan matches your expectations before making any changes to actual resources.
- The optional -out parameter allows you to specify an output file for the plan. Using the -out parameter ensures that the plan you reviewed is exactly what is applied.
Run terraform apply to apply the execution plan.
```
terraform apply main.destroy.tfplan
```

Troubleshoot Terraform on Azure

Troubleshoot common problems when using Terraform on Azure

Next steps

Terraform AzAPI provider overview

Learn how to use the AzAPI resource

Additional reading

Feedback

Was this page helpful?

Last updated on 2026-05-06

Quickstart: Manage Azure Key Vault certificate contacts with the AzAPI Terraform provider

Prerequisites

Implement the Terraform code

Verify the results

Clean up resources

Troubleshoot Terraform on Azure

Next steps

Additional reading

Feedback

Additional resources