Will V

Reputation: 390

Unable to enable soft delete on Key Vault via ARM Template

I'm attempting to enable soft delete on a pre-existing Key Vault via an ARM template (the KV was provisioned using ARM). I've checked the template reference documentation and I've added the enableSoftDelete property in the template.

Here's my full ARM template:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "keyVault_name": {
            "type": "string"
        },
        "keyVault_secrets": {
            "type": "array"
        },
        "keyVault_location": {
            "type": "string"
        },
        "accessPolicies": {
            "type": "array"
        },
        "tenant": {
            "type": "string"
        },
        "sku": {
            "type": "string"
        },
        "redeploy_keyVault_Instance": {
            "type": "bool"
        },
        "softDeleteRetentionPeriodInDays": {
            "type": "int"
        }
    },
    "variables": {},
    "resources": [
        {
            "apiVersion": "2016-10-01",
            "name": "[parameters('keyVault_name')]",
            "location": "[parameters('keyVault_location')]",
            "type": "Microsoft.KeyVault/vaults",
            "properties": {
                "enabledForDeployment": false,
                "enabledForTemplateDeployment": true,
                "enabledForDiskEncryption": false,
                "accessPolicies": "[parameters('accessPolicies')]",
                "enableSoftDelete": true,
                "softDeleteRetentionInDays": "[parameters('softDeleteRetentionPeriodInDays')]",
                "tenantId": "[parameters('tenant')]",
                "sku": {
                    "name": "[parameters('sku')]",
                    "family": "A"
                }
            },
            "condition": "[parameters('redeploy_keyVault_Instance')]"
        },
        {
            "apiVersion": "2016-10-01",
            "name": "[concat(parameters('keyVault_name'), '/', parameters('keyVault_secrets')[copyIndex()].secretName)]",
            "type": "Microsoft.KeyVault/vaults/secrets",
            "properties": {
                "attributes": {
                    "enabled": true
                },
                "contentType": "string",
                "value": "InvalidPassword"
            },
            "location": "[parameters('keyVault_location')]",
            "copy": {
                "name": "KeyVaultSecretCopy",
                "count": "[length(parameters('keyVault_secrets'))]"
            },
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVault_name'))]"
            ],
            "condition": "[parameters('keyVault_secrets')[copyIndex()].deployTemplate]"
        }
    ]
}

Despite adding the property, when I navigate to the portal, I see that Soft Delete is still disabled, along with Purge Protection.

I have a condition on the Key Vault that sets the Redeploy Key Vault instance to false. So with this in mind, I have two questions:

  1. Is the condition that is set on the parameter preventing the ARM template from updating the resource, and if so, if I remove this condition, won't that redeploy the Key Vault and potentially remove any keys/secrets/certs that were uploaded manually?
  2. If the condition property is not what's causing this, do I need to enable purge protection as well for the changes to take effect?

Upvotes: 0

Views: 667

Answers (1)

SreeKiran Nageli

Reputation: 21

I too faced the same issue some time back. I suggest you use the latest API version, as specified in the URL below:

https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?tabs=json

Upvotes: 1
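The following is an added example, not code from the question or the answer above. It is a small pre-deployment check that loads an ARM template, flags a Microsoft.KeyVault/vaults resource whose apiVersion predates softDeleteRetentionInDays, whose purge protection is off, or whose condition expression can skip the update entirely, and then emits a hardened copy of the resource. Two assumptions are baked in and marked in the code: that 2019-09-01 is the first vault API version that understands softDeleteRetentionInDays, and that the template is deployed in the default incremental mode. The embedded template is constructed to mirror the vault resource in the question, with the secrets resource omitted.

```python
"""Pre-deployment check for Key Vault soft-delete settings in an ARM template.

Added example (not from the original question or answer). Assumptions:
  * softDeleteRetentionInDays is only understood from apiVersion 2019-09-01 onward;
  * the template is deployed in incremental mode, so an updated vault keeps its
    existing child secrets.
"""
import copy
import json

VAULT_TYPE = "Microsoft.KeyVault/vaults"
MIN_API_FOR_RETENTION = "2019-09-01"  # assumption: first version exposing softDeleteRetentionInDays
TARGET_API = "2019-09-01"             # version the hardened copy is pinned to

# Constructed sample mirroring the vault resource from the question (secrets omitted).
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "apiVersion": "2016-10-01",
      "name": "[parameters('keyVault_name')]",
      "type": "Microsoft.KeyVault/vaults",
      "properties": {
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": "[parameters('softDeleteRetentionPeriodInDays')]",
        "tenantId": "[parameters('tenant')]",
        "accessPolicies": "[parameters('accessPolicies')]"
      },
      "condition": "[parameters('redeploy_keyVault_Instance')]"
    }
  ]
}
""")


def vault_resources(template):
    """All Microsoft.KeyVault/vaults resources in a parsed template."""
    return [r for r in template.get("resources", []) if r.get("type") == VAULT_TYPE]


def check_vault(resource):
    """Return human-readable findings for one Microsoft.KeyVault/vaults resource."""
    findings = []
    name = resource.get("name", "<unnamed>")
    api = resource.get("apiVersion", "")
    props = resource.get("properties", {})

    # apiVersion values are ISO dates, so plain string comparison orders them.
    if "softDeleteRetentionInDays" in props and api < MIN_API_FOR_RETENTION:
        findings.append(f"{name}: softDeleteRetentionInDays needs apiVersion >= "
                        f"{MIN_API_FOR_RETENTION}, template uses {api}")
    if props.get("enableSoftDelete") is not True:
        findings.append(f"{name}: enableSoftDelete is not true")
    if props.get("enablePurgeProtection") is not True:
        findings.append(f"{name}: enablePurgeProtection is not set, so a soft-deleted "
                        "vault or secret can still be purged within the retention window")
    cond = resource.get("condition")
    if cond is not None and cond is not True:
        findings.append(f"{name}: condition {cond!r} skips the resource when it evaluates "
                        "to false, leaving an existing vault with its current settings")
    return findings


def check_template(template):
    """Findings for every vault resource in the template (empty list means clean)."""
    findings = []
    for r in vault_resources(template):
        findings.extend(check_vault(r))
    return findings


def harden_vault(resource, retention_days=90):
    """Return a copy of the resource with soft delete and purge protection enforced."""
    if not 7 <= retention_days <= 90:
        raise ValueError("softDeleteRetentionInDays must be between 7 and 90")
    hardened = copy.deepcopy(resource)
    hardened["apiVersion"] = TARGET_API
    hardened.pop("condition", None)            # always deploy, so the update is applied
    props = hardened.setdefault("properties", {})
    props["enableSoftDelete"] = True
    props["softDeleteRetentionInDays"] = retention_days
    props["enablePurgeProtection"] = True      # cannot be switched off again once set
    return hardened


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
    fixed = {"resources": [harden_vault(r) for r in vault_resources(SAMPLE_TEMPLATE)]}
    print(json.dumps(fixed, indent=2))
    print("after hardening:", check_template(fixed))
```

Run against the sample, the check reports the old apiVersion, the missing purge protection and the condition expression; the hardened copy passes clean. Two things to keep in mind before deploying the hardened resource: enabling purge protection is irreversible, and the accessPolicies array in a vault resource replaces the vault's whole access-policy list on every deployment, so any policies added by hand in the portal must be included in the parameter or they are dropped.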
