Microsoft.KeyVault managedHSMs 2022-07-01

Bicep resource definition

The managedHSMs resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/managedHSMs resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/managedHSMs@2022-07-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    family: 'B'
    name: 'string'
  }
  properties: {
    createMode: 'string'
    enablePurgeProtection: bool
    enableSoftDelete: bool
    initialAdminObjectIds: [
      'string'
    ]
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          id: 'string'
        }
      ]
    }
    publicNetworkAccess: 'string'
    softDeleteRetentionInDays: int
    tenantId: 'string'
  }
}

Property values

managedHSMs

Name Description Value
name The resource name string (required)
location The supported Azure location where the managed HSM Pool should be created. string
tags Resource tags Dictionary of tag names and values. See Tags in templates
sku SKU details ManagedHsmSku
properties Properties of the managed HSM ManagedHsmProperties

ManagedHsmProperties

Name Description Value
createMode The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. 'default' or 'recover'
enablePurgeProtection Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. Soft delete is enabled by default for all managed HSMs and is immutable. bool
initialAdminObjectIds Array of Azure AD object IDs of the initial administrators of this managed HSM pool. These identities receive the Managed HSM Administrator role in the HSM's local (data-plane) RBAC when it is created; no other identity, including subscription owners, has data-plane access until one of them grants it. string[]
networkAcls Rules governing the accessibility of the managed HSM from specific network locations. MhsmNetworkRuleSet
publicNetworkAccess Control permission to the managed HSM from public networks. 'Disabled' or 'Enabled'
softDeleteRetentionInDays Soft deleted data retention days. When you delete an HSM or a key, it will remain recoverable for the configured retention period or for a default period of 90 days. It accepts values between 7 and 90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

MhsmNetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices', so a deny-by-default rule set still admits trusted Azure services unless bypass is set to 'None'. 'AzureServices' or 'None'
defaultAction The default action when no rule from ipRules and from virtualNetworkRules matches. This is only used after the bypass property has been evaluated. 'Allow' or 'Deny'
ipRules The list of IP address rules. MhsmipRule[]
virtualNetworkRules The list of virtual network rules. MhsmVirtualNetworkRule[]

MhsmipRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

MhsmVirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)

ManagedHsmSku

Name Description Value
family SKU Family of the managed HSM Pool 'B' (required)
name SKU of the managed HSM Pool 'Custom_B32', 'Custom_B6' or 'Standard_B1' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an Azure Key Vault Managed HSM This template creates an Azure Key Vault Managed HSM.

ARM template resource definition

The managedHSMs resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/managedHSMs resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/managedHSMs",
  "apiVersion": "2022-07-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "sku": {
    "family": "B",
    "name": "string"
  },
  "properties": {
    "createMode": "string",
    "enablePurgeProtection": "bool",
    "enableSoftDelete": "bool",
    "initialAdminObjectIds": [ "string" ],
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "string"
        }
      ]
    },
    "publicNetworkAccess": "string",
    "softDeleteRetentionInDays": "int",
    "tenantId": "string"
  }
}

Property values

managedHSMs

Name Description Value
type The resource type 'Microsoft.KeyVault/managedHSMs'
apiVersion The resource api version '2022-07-01'
name The resource name string (required)
location The supported Azure location where the managed HSM Pool should be created. string
tags Resource tags Dictionary of tag names and values. See Tags in templates
sku SKU details ManagedHsmSku
properties Properties of the managed HSM ManagedHsmProperties

ManagedHsmProperties

Name Description Value
createMode The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. 'default' or 'recover'
enablePurgeProtection Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. Soft delete is enabled by default for all managed HSMs and is immutable. bool
initialAdminObjectIds Array of Azure AD object IDs of the initial administrators of this managed HSM pool. These identities receive the Managed HSM Administrator role in the HSM's local (data-plane) RBAC when it is created; no other identity, including subscription owners, has data-plane access until one of them grants it. string[]
networkAcls Rules governing the accessibility of the managed HSM from specific network locations. MhsmNetworkRuleSet
publicNetworkAccess Control permission to the managed HSM from public networks. 'Disabled' or 'Enabled'
softDeleteRetentionInDays Soft deleted data retention days. When you delete an HSM or a key, it will remain recoverable for the configured retention period or for a default period of 90 days. It accepts values between 7 and 90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

MhsmNetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices', so a deny-by-default rule set still admits trusted Azure services unless bypass is set to 'None'. 'AzureServices' or 'None'
defaultAction The default action when no rule from ipRules and from virtualNetworkRules matches. This is only used after the bypass property has been evaluated. 'Allow' or 'Deny'
ipRules The list of IP address rules. MhsmipRule[]
virtualNetworkRules The list of virtual network rules. MhsmVirtualNetworkRule[]

MhsmipRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

MhsmVirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)

ManagedHsmSku

Name Description Value
family SKU Family of the managed HSM Pool 'B' (required)
name SKU of the managed HSM Pool 'Custom_B32', 'Custom_B6' or 'Standard_B1' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
Create an Azure Key Vault Managed HSM This template creates an Azure Key Vault Managed HSM.

Terraform (AzAPI provider) resource definition

The managedHSMs resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/managedHSMs resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/managedHSMs@2022-07-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      createMode = "string"
      enablePurgeProtection = bool
      enableSoftDelete = bool
      initialAdminObjectIds = [
        "string"
      ]
      networkAcls = {
        bypass = "string"
        defaultAction = "string"
        ipRules = [
          {
            value = "string"
          }
        ]
        virtualNetworkRules = [
          {
            id = "string"
          }
        ]
      }
      publicNetworkAccess = "string"
      softDeleteRetentionInDays = int
      tenantId = "string"
    }
    sku = {
      family = "B"
      name = "string"
    }
  })
}

Property values

managedHSMs

Name Description Value
type The resource type "Microsoft.KeyVault/managedHSMs@2022-07-01"
name The resource name string (required)
location The supported Azure location where the managed HSM Pool should be created. string
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags Resource tags Dictionary of tag names and values.
sku SKU details ManagedHsmSku
properties Properties of the managed HSM ManagedHsmProperties

ManagedHsmProperties

Name Description Value
createMode The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. "default" or "recover"
enablePurgeProtection Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. Soft delete is enabled by default for all managed HSMs and is immutable. bool
initialAdminObjectIds Array of Azure AD object IDs of the initial administrators of this managed HSM pool. These identities receive the Managed HSM Administrator role in the HSM's local (data-plane) RBAC when it is created; no other identity, including subscription owners, has data-plane access until one of them grants it. string[]
networkAcls Rules governing the accessibility of the managed HSM from specific network locations. MhsmNetworkRuleSet
publicNetworkAccess Control permission to the managed HSM from public networks. "Disabled" or "Enabled"
softDeleteRetentionInDays Soft deleted data retention days. When you delete an HSM or a key, it will remain recoverable for the configured retention period or for a default period of 90 days. It accepts values between 7 and 90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool. string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

MhsmNetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices', so a deny-by-default rule set still admits trusted Azure services unless bypass is set to 'None'. "AzureServices" or "None"
defaultAction The default action when no rule from ipRules and from virtualNetworkRules matches. This is only used after the bypass property has been evaluated. "Allow" or "Deny"
ipRules The list of IP address rules. MhsmipRule[]
virtualNetworkRules The list of virtual network rules. MhsmVirtualNetworkRule[]

MhsmipRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

MhsmVirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)

ManagedHsmSku

Name Description Value
family SKU Family of the managed HSM Pool "B" (required)
name SKU of the managed HSM Pool "Custom_B32", "Custom_B6" or "Standard_B1" (required)
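The Bicep, ARM JSON and AzAPI formats above all carry the same properties and sku objects, so a single pre-deployment check covers all three. The following Python is an added example, not Microsoft code or tooling: it parses an ARM template of the shape shown in the ARM section, applies the constraints the property tables state (enum values, the 36-character GUID pattern for tenantId, the 7 to 90 day retention range, the required sku fields) and then a hardened baseline chosen for this example (purge protection on, public network access disabled, deny-by-default network ACLs with bypass 'None', at least one initial administrator). The resource names hsm-dev and hsm-prod, the GUIDs and the 203.0.113.0/24 range are constructed placeholders.

```python
"""Offline policy check for Microsoft.KeyVault/managedHSMs@2022-07-01 definitions.

Added illustration only; not Microsoft tooling. Schema rules come from the
property tables of the reference page; the hardened baseline is this example's
own recommendation. Sample templates below are constructed input.
"""
from __future__ import annotations

import json
import re

RESOURCE_TYPE = "Microsoft.KeyVault/managedHSMs"
API_VERSION = "2022-07-01"
# Pattern quoted from the tenantId constraints in the reference tables.
TENANT_ID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
SKU_NAMES = {"Custom_B32", "Custom_B6", "Standard_B1"}


def check_managed_hsm(props: dict, sku: dict) -> list[str]:
    """Return the findings for one resource; an empty list means it passes."""
    findings: list[str] = []

    # Schema constraints taken from the property tables.
    if sku.get("family") != "B":
        findings.append("sku.family must be 'B'")
    if sku.get("name") not in SKU_NAMES:
        findings.append(f"sku.name must be one of {sorted(SKU_NAMES)}")
    if props.get("createMode", "default") not in ("default", "recover"):
        findings.append("createMode must be 'default' or 'recover'")
    tenant = props.get("tenantId")
    if not (isinstance(tenant, str) and TENANT_ID_RE.match(tenant)):
        findings.append("tenantId must be a 36-character GUID")
    days = props.get("softDeleteRetentionInDays", 90)  # documented default: 90 days
    if not (isinstance(days, int) and 7 <= days <= 90):
        findings.append("softDeleteRetentionInDays must be an int between 7 and 90")
    if props.get("enableSoftDelete") is False:
        findings.append("enableSoftDelete=false conflicts with immutable soft delete")
    if props.get("publicNetworkAccess", "Disabled") not in ("Enabled", "Disabled"):
        findings.append("publicNetworkAccess must be 'Enabled' or 'Disabled'")
    acls = props.get("networkAcls") or {}
    bypass = acls.get("bypass", "AzureServices")  # documented default when unset
    if bypass not in ("AzureServices", "None"):
        findings.append("networkAcls.bypass must be 'AzureServices' or 'None'")
    default_action = acls.get("defaultAction")
    if default_action not in (None, "Allow", "Deny"):
        findings.append("networkAcls.defaultAction must be 'Allow' or 'Deny'")

    # Hardened baseline (this example's recommendation, not a schema rule).
    if not props.get("initialAdminObjectIds"):
        findings.append("initialAdminObjectIds is empty: no identity can administer the HSM")
    if props.get("enablePurgeProtection") is not True:
        findings.append("enablePurgeProtection should be true (blocks hard delete; irreversible)")
    if props.get("publicNetworkAccess") != "Disabled":
        findings.append("publicNetworkAccess should be explicitly 'Disabled'")
    if bypass == "AzureServices":
        findings.append("networkAcls.bypass is 'AzureServices': trusted services skip the rules; set 'None'")
    if default_action != "Deny":
        findings.append("networkAcls.defaultAction should be 'Deny' so only listed rules admit traffic")
    for rule in acls.get("ipRules", []):
        cidr = str(rule.get("value", ""))
        if cidr.endswith("/0"):
            findings.append(f"ipRules entry {cidr!r} admits every address")
    return findings


def check_arm_template(template_json: str) -> dict[str, list[str]]:
    """Map each managedHSMs resource in an ARM template (by name) to its findings."""
    template = json.loads(template_json)
    results: dict[str, list[str]] = {}
    for res in template.get("resources", []):
        if res.get("type") != RESOURCE_TYPE:
            continue
        findings = []
        if res.get("apiVersion") != API_VERSION:
            findings.append(f"apiVersion {res.get('apiVersion')!r} differs from {API_VERSION!r}")
        findings += check_managed_hsm(res.get("properties") or {}, res.get("sku") or {})
        results[res.get("name", "<unnamed>")] = findings
    return results


# Constructed sample: the loose settings a first draft often ends up with.
WEAK_TEMPLATE = json.dumps({"contentVersion": "1.0.0.0", "resources": [{
    "type": RESOURCE_TYPE, "apiVersion": API_VERSION, "name": "hsm-dev", "location": "eastus",
    "sku": {"family": "B", "name": "Standard_B1"},
    "properties": {"tenantId": "not-a-guid", "initialAdminObjectIds": [],
                   "enablePurgeProtection": False, "softDeleteRetentionInDays": 5,
                   "publicNetworkAccess": "Enabled",
                   "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow",
                                   "ipRules": [{"value": "0.0.0.0/0"}], "virtualNetworkRules": []}}}]})

# Constructed sample: the same resource with the hardened baseline applied (placeholder GUIDs).
HARDENED_TEMPLATE = json.dumps({"contentVersion": "1.0.0.0", "resources": [{
    "type": RESOURCE_TYPE, "apiVersion": API_VERSION, "name": "hsm-prod", "location": "eastus",
    "sku": {"family": "B", "name": "Standard_B1"},
    "properties": {"tenantId": "11111111-2222-3333-4444-555555555555",
                   "initialAdminObjectIds": ["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
                   "enableSoftDelete": True, "enablePurgeProtection": True,
                   "softDeleteRetentionInDays": 90, "publicNetworkAccess": "Disabled",
                   "networkAcls": {"bypass": "None", "defaultAction": "Deny",
                                   "ipRules": [{"value": "203.0.113.0/24"}],
                                   "virtualNetworkRules": [{"id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1"}]}}}]})

if __name__ == "__main__":
    for tmpl in (WEAK_TEMPLATE, HARDENED_TEMPLATE):
        for name, findings in check_arm_template(tmpl).items():
            print(name, "PASS" if not findings else f"{len(findings)} finding(s)")
            for f in findings:
                print("  -", f)
```

Run it as a script to list the findings for both templates. In a pipeline, feed it the rendered ARM output: for Bicep, `az bicep build --file main.bicep` emits the JSON, and for the AzAPI resource the `body` argument holds the same `properties` and `sku` objects, so `check_managed_hsm` can be called on them directly. Note that `defaultAction` is only flagged by the baseline, never treated as having a documented default, because the reference tables above state a default only for `bypass`.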