Dr Schizo

Reputation: 4386

ARM KeyVault Access Policies Conditional Add

Is it possible to add an access policy via a conditional statement? Basically, if environment == production I don't want to add the registration.

I have the following in my template however I don't want the application called foobarApplicationId to be added if the environment is production. Can I do this inline or do I need a separate template? Will setting foobarApplicationId to be an empty string work?

    {
      "name": "[variables('keyVault-name')]",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('keyVaultOwner')]",
            "permissions": {
              "keys": [
                "all"
              ],
              "secrets": [
                "all"
              ],
              "certificates": [
                "all"
              ],
              "storage": []
            }
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('foobarApplicationId')]",
            "permissions": {
              "keys": [
                "get",
                "wrapKey",
                "unwrapKey",
                "sign",
                "verify",
                "list"
              ],
              "secrets": [
                "get",
                "list"
              ],
              "certificates": [
                "get",
                "list"
              ],
              "storage": []
            }
          }
        ]
      }
    }

Upvotes: 2

Views: 1298

Answers (3)

joniba

Reputation: 3531

Add the access policies separately, conditionally. You can see an explanation here.

{
  "resources": [
    {
      "name": "[variables('keyVault-name')]",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('keyVaultOwner')]",
            "permissions": {
              "keys": [ "all" ],
              "secrets": [ "all" ],
              "certificates": [ "all" ],
              "storage": []
            }
          }
        ]
      }
    },
    {
      // Separate child resource: when the condition is false the whole resource is skipped.
      "name": "[concat(variables('keyVault-name'), '/add')]",
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "condition": "[not(startsWith(parameters('environmentName'), 'PROD'))]",
      // The child resource must be deployed after the vault it modifies.
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', variables('keyVault-name'))]"
      ],
      "properties": {
        // Only accessPolicies is valid here; location and sku belong to the vault resource.
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('foobarApplicationId')]",
            "permissions": {
              "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
              "secrets": [ "get", "list" ],
              "certificates": [ "get", "list" ],
              "storage": []
            }
          }
        ]
      }
    }
  ]
}

Upvotes: 1

14207973

Reputation: 599

"condition" within "accessPolicies" doesn't seem to have any effect for me. It doesn't cause any validation or deployment error, but the access policies got added even when the condition evaluated to false.

I found the following trick works better: Use an if clause for your "objectId" and "permissions", such that if the condition is false, you would assign an empty set of permissions to the empty GUID, effectively becoming a no-op.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",

  "variables": {
    "keyVaultNoPermissions": { },
    "keyVaultAppReadPermissions": {
      "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
      "secrets": [ "get", "list" ],
      "certificates": [ "get", "list" ]
    }
  },

  "resources": [
    // ...
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2016-10-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[parameters('keyVaultName')]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[if(not(equals(parameters('environment'), 'PROD')), parameters('foobarApplicationId'), '00000000-0000-0000-0000-000000000000')]",
            "permissions": "[if(not(equals(parameters('environment'), 'PROD')), variables('keyVaultAppReadPermissions'), variables('keyVaultNoPermissions'))]"
          }
        ]
      }
    }
  ]
}

Upvotes: 1
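As an added example that is not from the question or from any of the answers above: a third way that keeps the policy inline in the vault resource, as the question asks, by selecting the whole accessPolicies array with if() and createArray(), and constraining the environment parameter with allowedValues so that an unexpected value cannot slip past the comparison and grant the application access in production. The parameter and variable names (environment, keyVaultName, ownerPolicy, appPolicy, isProd) are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // allowedValues rejects anything other than these exact strings at validation time.
    "environment": { "type": "string", "allowedValues": [ "DEV", "TEST", "PROD" ] },
    "keyVaultName": { "type": "string" },
    "keyVaultOwner": { "type": "string" },
    // Assumed parameter; may be left empty in PROD because the policy is never emitted there.
    "foobarApplicationId": { "type": "string", "defaultValue": "" }
  },
  "variables": {
    "ownerPolicy": {
      "tenantId": "[subscription().tenantId]",
      "objectId": "[parameters('keyVaultOwner')]",
      "permissions": { "keys": [ "all" ], "secrets": [ "all" ], "certificates": [ "all" ] }
    },
    "appPolicy": {
      "tenantId": "[subscription().tenantId]",
      "objectId": "[parameters('foobarApplicationId')]",
      "permissions": {
        "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
        "secrets": [ "get", "list" ],
        "certificates": [ "get", "list" ]
      }
    },
    "isProd": "[equals(parameters('environment'), 'PROD')]",
    // In PROD the array holds only the owner policy; elsewhere the application policy is appended.
    "accessPolicies": "[if(variables('isProd'), createArray(variables('ownerPolicy')), createArray(variables('ownerPolicy'), variables('appPolicy')))]"
  },
  "resources": [
    {
      "name": "[parameters('keyVaultName')]",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2016-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        // The whole array is an expression, so no placeholder GUID or no-op entry is needed.
        "accessPolicies": "[variables('accessPolicies')]"
      }
    }
  ]
}
```

Because the application entry is absent from the array rather than emptied, a review of the deployed vault's access policies in production shows no entry for the application at all.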

DreadedFrost

Reputation: 2998

It would be done in the individual access policy by adding a condition section that takes an environment parameter, like:

    {
      "condition": "[not(equals(parameters('environment'),'PROD'))]",
      "tenantId": "[subscription().tenantId]",
      "objectId": "[parameters('foobarApplicationId')]",
      "permissions": {
        "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
        "secrets": [ "get", "list" ],
        "certificates": [ "get", "list" ],
        "storage": []
      }
    }

Upvotes: 0
