Microsoft.KeyVault managedHSMs
Bicep resource definition
The managedHSMs resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/managedHSMs resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.KeyVault/managedHSMs@2023-07-01' = {
name: 'string'
location: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
sku: {
family: 'B'
name: 'string'
}
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
properties: {
createMode: 'string'
enablePurgeProtection: bool
enableSoftDelete: bool
initialAdminObjectIds: [
'string'
]
networkAcls: {
bypass: 'string'
defaultAction: 'string'
ipRules: [
{
value: 'string'
}
]
virtualNetworkRules: [
{
id: 'string'
}
]
}
publicNetworkAccess: 'string'
regions: [
{
isPrimary: bool
name: 'string'
}
]
softDeleteRetentionInDays: int
tenantId: 'string'
}
}
Property values
managedHSMs
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| location | The supported Azure location where the managed HSM Pool should be created. | string |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| sku | SKU details | ManagedHsmSku |
| identity | Managed service identity (system assigned and/or user assigned identities) | ManagedServiceIdentity |
| properties | Properties of the managed HSM | ManagedHsmProperties |
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
UserAssignedIdentities
| Name | Description | Value |
|---|---|---|
| {customized property} | UserAssignedIdentity |
UserAssignedIdentity
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
ManagedHsmProperties
| Name | Description | Value |
|---|---|---|
| createMode | The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. | 'default' 'recover' |
| enablePurgeProtection | Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible. | bool |
| enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. Soft delete is enabled by default for all managed HSMs and is immutable. | bool |
| initialAdminObjectIds | Array of initial administrators object ids for this managed hsm pool. | string[] |
| networkAcls | Rules governing the accessibility of the key vault from specific network locations. | MhsmNetworkRuleSet |
| publicNetworkAccess | Control permission to the managed HSM from public networks. | 'Disabled' 'Enabled' |
| regions | List of all regions associated with the managed hsm pool. | MhsmGeoReplicatedRegion[] |
| softDeleteRetentionInDays | Soft deleted data retention days. When you delete an HSM or a key, it will remain recoverable for the configured retention period or for a default period of 90 days. It accepts values between 7 and 90. | int |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
MhsmNetworkRuleSet
| Name | Description | Value |
|---|---|---|
| bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | 'AzureServices' 'None' |
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
| ipRules | The list of IP address rules. | MhsmipRule[] |
| virtualNetworkRules | The list of virtual network rules. | MhsmVirtualNetworkRule[] |
MhsmipRule
| Name | Description | Value |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
MhsmVirtualNetworkRule
| Name | Description | Value |
|---|---|---|
| id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
MhsmGeoReplicatedRegion
| Name | Description | Value |
|---|---|---|
| isPrimary | A boolean value that indicates whether the region is the primary region or a secondary region. | bool |
| name | Name of the geo replicated region. | string |
ManagedHsmSku
| Name | Description | Value |
|---|---|---|
| family | SKU Family of the managed HSM Pool | 'B' (required) |
| name | SKU of the managed HSM Pool | 'Custom_B32' 'Custom_B6' 'Standard_B1' (required) |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Create an Azure Key Vault Managed HSM |
This template creates an Azure Key Vault Managed HSM. |
ARM template resource definition
The managedHSMs resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/managedHSMs resource, add the following JSON to your template.
{
"type": "Microsoft.KeyVault/managedHSMs",
"apiVersion": "2023-07-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"sku": {
"family": "B",
"name": "string"
},
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {}
}
},
"properties": {
"createMode": "string",
"enablePurgeProtection": "bool",
"enableSoftDelete": "bool",
"initialAdminObjectIds": [ "string" ],
"networkAcls": {
"bypass": "string",
"defaultAction": "string",
"ipRules": [
{
"value": "string"
}
],
"virtualNetworkRules": [
{
"id": "string"
}
]
},
"publicNetworkAccess": "string",
"regions": [
{
"isPrimary": "bool",
"name": "string"
}
],
"softDeleteRetentionInDays": "int",
"tenantId": "string"
}
}
Property values
managedHSMs
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.KeyVault/managedHSMs' |
| apiVersion | The resource api version | '2023-07-01' |
| name | The resource name | string (required) |
| location | The supported Azure location where the managed HSM Pool should be created. | string |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| sku | SKU details | ManagedHsmSku |
| identity | Managed service identity (system assigned and/or user assigned identities) | ManagedServiceIdentity |
| properties | Properties of the managed HSM | ManagedHsmProperties |
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
UserAssignedIdentities
| Name | Description | Value |
|---|---|---|
| {customized property} | UserAssignedIdentity |
UserAssignedIdentity
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
ManagedHsmProperties
| Name | Description | Value |
|---|---|---|
| createMode | The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. | 'default' 'recover' |
| enablePurgeProtection | Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible. | bool |
| enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. Soft delete is enabled by default for all managed HSMs and is immutable. | bool |
| initialAdminObjectIds | Array of initial administrators object ids for this managed hsm pool. | string[] |
| networkAcls | Rules governing the accessibility of the key vault from specific network locations. | MhsmNetworkRuleSet |
| publicNetworkAccess | Control permission to the managed HSM from public networks. | 'Disabled' 'Enabled' |
| regions | List of all regions associated with the managed hsm pool. | MhsmGeoReplicatedRegion[] |
| softDeleteRetentionInDays | Soft deleted data retention days. When you delete an HSM or a key, it will remain recoverable for the configured retention period or for a default period of 90 days. It accepts values between 7 and 90. | int |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
MhsmNetworkRuleSet
| Name | Description | Value |
|---|---|---|
| bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | 'AzureServices' 'None' |
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
| ipRules | The list of IP address rules. | MhsmipRule[] |
| virtualNetworkRules | The list of virtual network rules. | MhsmVirtualNetworkRule[] |
MhsmipRule
| Name | Description | Value |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
MhsmVirtualNetworkRule
| Name | Description | Value |
|---|---|---|
| id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
MhsmGeoReplicatedRegion
| Name | Description | Value |
|---|---|---|
| isPrimary | A boolean value that indicates whether the region is the primary region or a secondary region. | bool |
| name | Name of the geo replicated region. | string |
ManagedHsmSku
| Name | Description | Value |
|---|---|---|
| family | SKU Family of the managed HSM Pool | 'B' (required) |
| name | SKU of the managed HSM Pool | 'Custom_B32' 'Custom_B6' 'Standard_B1' (required) |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Create an Azure Key Vault Managed HSM |
This template creates an Azure Key Vault Managed HSM. |
Terraform (AzAPI provider) resource definition
The managedHSMs resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.KeyVault/managedHSMs resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.KeyVault/managedHSMs@2023-07-01"
name = "string"
location = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
identity {
type = "string"
identity_ids = []
}
body = jsonencode({
properties = {
createMode = "string"
enablePurgeProtection = bool
enableSoftDelete = bool
initialAdminObjectIds = [
"string"
]
networkAcls = {
bypass = "string"
defaultAction = "string"
ipRules = [
{
value = "string"
}
]
virtualNetworkRules = [
{
id = "string"
}
]
}
publicNetworkAccess = "string"
regions = [
{
isPrimary = bool
name = "string"
}
]
softDeleteRetentionInDays = int
tenantId = "string"
}
sku = {
family = "B"
name = "string"
}
})
}
Property values
managedHSMs
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.KeyVault/managedHSMs@2023-07-01" |
| name | The resource name | string (required) |
| location | The supported Azure location where the managed HSM Pool should be created. | string |
| parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
| tags | Resource tags | Dictionary of tag names and values. |
| sku | SKU details | ManagedHsmSku |
| identity | Managed service identity (system assigned and/or user assigned identities) | ManagedServiceIdentity |
| properties | Properties of the managed HSM | ManagedHsmProperties |
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | "SystemAssigned" "SystemAssigned,UserAssigned" "UserAssigned" (required) |
| identity_ids | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | Array of user identity IDs. |
UserAssignedIdentities
| Name | Description | Value |
|---|---|---|
| {customized property} | UserAssignedIdentity |
UserAssignedIdentity
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
ManagedHsmProperties
| Name | Description | Value |
|---|---|---|
| createMode | The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. | "default" "recover" |
| enablePurgeProtection | Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible. | bool |
| enableSoftDelete | Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. Soft delete is enabled by default for all managed HSMs and is immutable. | bool |
| initialAdminObjectIds | Array of initial administrators object ids for this managed hsm pool. | string[] |
| networkAcls | Rules governing the accessibility of the key vault from specific network locations. | MhsmNetworkRuleSet |
| publicNetworkAccess | Control permission to the managed HSM from public networks. | "Disabled" "Enabled" |
| regions | List of all regions associated with the managed hsm pool. | MhsmGeoReplicatedRegion[] |
| softDeleteRetentionInDays | Soft deleted data retention days. When you delete an HSM or a key, it will remain recoverable for the configured retention period or for a default period of 90 days. It accepts values between 7 and 90. | int |
| tenantId | The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool. | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
MhsmNetworkRuleSet
| Name | Description | Value |
|---|---|---|
| bypass | Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. | "AzureServices" "None" |
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | "Allow" "Deny" |
| ipRules | The list of IP address rules. | MhsmipRule[] |
| virtualNetworkRules | The list of virtual network rules. | MhsmVirtualNetworkRule[] |
MhsmipRule
| Name | Description | Value |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). | string (required) |
MhsmVirtualNetworkRule
| Name | Description | Value |
|---|---|---|
| id | Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. | string (required) |
MhsmGeoReplicatedRegion
| Name | Description | Value |
|---|---|---|
| isPrimary | A boolean value that indicates whether the region is the primary region or a secondary region. | bool |
| name | Name of the geo replicated region. | string |
ManagedHsmSku
| Name | Description | Value |
|---|---|---|
| family | SKU Family of the managed HSM Pool | "B" (required) |
| name | SKU of the managed HSM Pool | "Custom_B32" "Custom_B6" "Standard_B1" (required) |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for