Reputation: 4386
ARM KeyVault Access Policies Conditional Add
Is it possible to add an access policy via a conditional statement? Basically, if environment == production I don't want to add the registration.
I have the following in my template however I don't want the application called foobarApplicationId to be added if the environment is production. Can I do this inline or do I need a seperate template? Will setting foobarApplicationId to be an empty string work?
{
"name": "[variables('keyVault-name')]",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"properties": {
"tenantId": "[subscription().tenantId]",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[parameters('keyVaultOwner')]",
"permissions": {
"keys": [
"all"
],
"secrets": [
"all"
],
"certificates": [
"all"
],
"storage": [
]
}
},
{
"tenantId": "[subscription().tenantId]",
"objectId": "[parameters('foobarApplicationId')]",
"permissions": {
"keys": [
"get",
"wrapKey",
"unwrapKey",
"sign",
"verify",
"list"
],
"secrets": [
"get",
"list"
],
"certificates": [
"get",
"list"
],
"storage": [
]
}
},
Upvotes: 2
Views: 1298
Answers (3)
Reputation: 3531
Add the access policies separately, conditionally. You can see an explanation here.
{
"resources": [
{
"name": "[variables('keyVault-name')]",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"properties": {
"tenantId": "[subscription().tenantId]",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[parameters('keyVaultOwner')]",
"permissions": {
"keys": [
"all"
],
"secrets": [
"all"
],
"certificates": [
"all"
],
"storage": []
}
}
]
}
},
{
"name": "[concat(variables('keyVault-name'), '/add')]",
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2016-10-01",
"condition": "[not(startsWith(parameters('environmentName'), 'PROD'))]",
"location": "[resourceGroup().location]",
"properties": {
"tenantId": "[subscription().tenantId]",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[parameters('foobarApplicationId')]",
"permissions": {
"keys": [
"get",
"wrapKey",
"unwrapKey",
"sign",
"verify",
"list"
],
"secrets": [
"get",
"list"
],
"certificates": [
"get",
"list"
],
"storage": []
}
}
]
}
}
]
}
Upvotes: 1
Reputation: 599
"condition" within "accessPolicies" doesn't seem to have any effect for me. It doesn't cause any validation or deployment error, but the access policies got added even when the condition evaluated to false.
I found the following trick works better: Use an if clause for your "objectId" and "permissions", such that if the condition is false, you would assign an empty set of permissions to the empty GUID, effectively becoming a no-op.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"keyVaultNoPermissions": { },
"keyVaultAppReadPermissions": {
"keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
"secrets": [ "get", "list" ],
"certificates": [ "get", "list" ]
}
},
"resources": [
// ...
{
"type": "Microsoft.KeyVault/vaults/accessPolicies",
"apiVersion": "2016-10-01",
"name": "[concat(parameters('keyVaultName'), '/add')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[parameters('keyVaultName')]"
],
"properties": {
"accessPolicies": [
{
"tenantId": "[subscription().tenantId]",
"objectId": "[if(not(equals(parameters('environment'), 'PROD')), parameters('foobarApplicationId'), '00000000-0000-0000-0000-000000000000')]",
"permissions": "[if(not(equals(parameters('environment'), 'PROD')), variables('keyVaultAppReadPermissions'), variables('keyVaultNoPermissions'))]"
}
]
}
}
]
}
Upvotes: 1
Reputation: 2998
It would be in the individual access policy adding a condition section that will take an environment parameter like:
{
"condition": "[not(equals(parameters('environment'),'PROD'))]"
"tenantId": "[subscription().tenantId]",
"objectId": "[parameters('foobarApplicationId')]",
"permissions": {
"keys": [
"get",
"wrapKey",
"unwrapKey",
"sign",
"verify",
"list"
],
"secrets": [
"get",
"list"
],
"certificates": [
"get",
"list"
],
"storage": [
]
}
}
Upvotes: 0
Related Questions
- KeyVault Template - Multiple AccesPolicies
- Adding a Key Vault Access Policy to an Existing Key Vault via ARM
- Azure ARM template how to get dynamic keyvault appsettings to function
- How to add Access Policy to a Keyvault in different Resource Group through ARM Templates
- Azure ARM Template Keyvault Resources keeps removing other access policies
- ARM template dependsOn on a keyvault access policy
- How to dynamically create Azure KeyVault reference in ARM template?
- ARM template Key vault access policy to group instead of identity principle
- Azure ARM template - check for existing Key Vault access policies
- Azure ARM template keyvault override in Azure DevOps