Cribber

Reputation: 2913

Azure ARM deployment of a keyVault with multiple accessPolicies in a copy-block

I'm trying to deploy an Azure KeyVault with multiple accessPolicies based on objectIds in an array. I want to use the copy block, as there might be some more Ids added in future and I do not want to copy the entire block multiple times in the template but pass them as a list of params.

I cannot add the copy-block of accessPolicies inside the KeyVault/vaults resource as it would expect multiple keyVaults and not multiple accessPolicies. That's why I put the KeyVault/vaults/accessPolicies as a top-level resource with its own copy-block - following this documentation.

However, now I have the problem of naming the accessPolicies-block: according to this documentation I need to name the accessPolicies-block after the parent-keyVault-resource with the extension /add - but ARM also complains that I cannot have multiple resources with the same name.

I tried changing the name of the accessPolicies-block to:

I'm running out of ideas of how I can use the copy block in combination with the accessPolicies as a top-level resource. Any ideas how to solve this?

The JSON:

"parameters": {
  "objectIdList": {
    "type": "array"
  }
},

"variables": {
  "keyVaultName": "[....]"
},

"resources": [
  {
    "type": "Microsoft.KeyVault/vaults",
    "name": "[variables('keyVaultName')]",
    "location": "[resourceGroup().location]",
    "apiVersion": "2019-09-01",
    "properties": {
      "sku": {
        "family": "A",
        "name": "standard"
      },
      "tenantId": "[subscription().tenantId]",
      "enableRbacAuthorization": false,
      "accessPolicies": [
      ],
      "publicNetworkAccess": "Enabled",
      "networkAcls": {
        "defaultAction": "Allow",
        "bypass": "AzureServices"
      }
    }
  },
  {
    "type": "Microsoft.KeyVault/vaults/accessPolicies",
    "apiVersion": "2019-09-01",
    "name": "[concat(variables('keyVaultName'), '/add')]",
    "properties": {
      "accessPolicies": [
        {
          "objectId": "[parameters('objectIdList')[copyIndex()]]",
          "permissions": {
            "certificates": [ "all" ],
            "keys": [ "all" ],
            "secrets": [ "all" ],
            "storage": [ "all" ]
          },
          "tenantId": "[subscription().tenantId]"
        }
      ]
    },
    "copy": {
      "name": "accessPolicies",
      "count": "[length(parameters('objectIdList'))]"
    },
    "dependsOn": [
      "[variables('keyVaultName')]"
    ]
  }
]

Upvotes: 1

Views: 485

Answers (1)

Cribber

Reputation: 2913

Found the solution literally 15 minutes later... there is another syntax of the copy-block which can be used here.

I only have to /add one top-level accessPolicies resource with multiple policies inside and use a copy-block with accessPolicies as a name inside the properties block to iterate over my array.

JSON solution:

{
  "type": "Microsoft.KeyVault/vaults/accessPolicies",
  "apiVersion": "2019-09-01",
  "name": "[concat(variables('keyVaultName'), '/add')]",
  "properties": {
    "copy": [
      {
        "name": "accessPolicies",
        "count": "[length(parameters('objectIdList'))]",
        "input": {
          "objectId": "[parameters('objectIdList')[copyIndex('accessPolicies')]]",
          "permissions": {
            "certificates": [ "all", "purge" ],
            "keys": [ "all", "purge" ],
            "secrets": [ "all", "purge" ],
            "storage": [ "all" ]
          },
          "tenantId": "[subscription().tenantId]"
        }
      }
    ]
  },
  "dependsOn": [
    "[variables('keyVaultName')]"
  ]
}

Upvotes: 3
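To make the difference between the two copy forms concrete, here is an added example (not code from the question or the answer, and not an Azure tool): a small Python expander that unrolls the question's resource-level copy and the answer's properties-level copy the way ARM does, then checks the result for duplicate resource names. The objectIdList GUIDs, the keyVaultName value "kv-example" and the tenantId value are constructed placeholders, and the expression evaluator only understands the handful of template expression forms that appear in these two resources; anything else is an assumption of this script, not of ARM.

```python
import json
import re

# Constructed inputs (not from the page): placeholder GUIDs for objectIdList and
# assumed values for the template's variables and subscription context.
PARAMETERS = {
    "objectIdList": [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
        "33333333-3333-3333-3333-333333333333",
    ]
}
CONTEXT = {
    "variables('keyVaultName')": "kv-example",
    "subscription().tenantId": "tenant-id-placeholder",
}
PERMISSIONS = {
    "certificates": ["all", "purge"], "keys": ["all", "purge"],
    "secrets": ["all", "purge"], "storage": ["all"],
}

# The answer's shape: one vaults/accessPolicies resource, copy loop inside properties.
PROPERTY_COPY_RESOURCE = {
    "type": "Microsoft.KeyVault/vaults/accessPolicies",
    "apiVersion": "2019-09-01",
    "name": "[concat(variables('keyVaultName'), '/add')]",
    "properties": {
        "copy": [{
            "name": "accessPolicies",
            "count": "[length(parameters('objectIdList'))]",
            "input": {
                "objectId": "[parameters('objectIdList')[copyIndex('accessPolicies')]]",
                "permissions": PERMISSIONS,
                "tenantId": "[subscription().tenantId]",
            },
        }]
    },
    "dependsOn": ["[variables('keyVaultName')]"],
}

# The question's shape: a resource-level copy emitting one resource per objectId.
RESOURCE_COPY_RESOURCE = {
    "type": "Microsoft.KeyVault/vaults/accessPolicies",
    "apiVersion": "2019-09-01",
    "name": "[concat(variables('keyVaultName'), '/add')]",
    "properties": {
        "accessPolicies": [{
            "objectId": "[parameters('objectIdList')[copyIndex()]]",
            "permissions": PERMISSIONS,
            "tenantId": "[subscription().tenantId]",
        }]
    },
    "copy": {"name": "accessPolicies", "count": "[length(parameters('objectIdList'))]"},
    "dependsOn": ["[variables('keyVaultName')]"],
}

_INDEXED_PARAM = re.compile(r"^parameters\('(\w+)'\)\[copyIndex\((?:'(\w+)')?\)\]$")
_LENGTH = re.compile(r"^length\(parameters\('(\w+)'\)\)$")
_CONCAT_VAR = re.compile(r"^concat\(variables\('(\w+)'\),\s*'([^']*)'\)$")


def eval_expr(value, loop_index):
    """Evaluate the few ARM expression forms these resources use. loop_index maps a
    copy-loop name (None for the unnamed copyIndex()) to the current iteration.
    Strings that are not a recognised expression are returned unchanged."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1]
    if expr in CONTEXT:
        return CONTEXT[expr]
    if m := _INDEXED_PARAM.match(expr):
        return PARAMETERS[m.group(1)][loop_index[m.group(2)]]
    if m := _LENGTH.match(expr):
        return len(PARAMETERS[m.group(1)])
    if m := _CONCAT_VAR.match(expr):
        return CONTEXT[f"variables('{m.group(1)}')"] + m.group(2)
    return value


def expand_node(node, loop_index):
    """Walk a resource body, evaluating expressions and unrolling a properties-level
    copy (the list form) into the array property named by each loop."""
    if isinstance(node, dict):
        out = {}
        for key, val in node.items():
            if key == "copy" and isinstance(val, list):
                for loop in val:
                    count = eval_expr(loop["count"], loop_index)
                    out[loop["name"]] = [
                        expand_node(loop["input"], {**loop_index, loop["name"]: i})
                        for i in range(count)
                    ]
            else:
                out[key] = expand_node(val, loop_index)
        return out
    if isinstance(node, list):
        return [expand_node(item, loop_index) for item in node]
    return eval_expr(node, loop_index)


def expand_resource(resource):
    """Concrete resources a template resource produces: one per iteration for a
    resource-level copy (the object form), otherwise exactly one."""
    loop = resource.get("copy")
    if isinstance(loop, dict):
        body = {k: v for k, v in resource.items() if k != "copy"}
        count = eval_expr(loop["count"], {})
        return [expand_node(body, {None: i, loop["name"]: i}) for i in range(count)]
    return [expand_node(resource, {})]


def duplicate_names(resources):
    """(type, name) pairs occurring more than once; ARM rejects such a template."""
    seen, dupes = set(), []
    for r in resources:
        key = (r["type"], r["name"])
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def policy_object_ids(resource):
    return [p["objectId"] for p in resource["properties"]["accessPolicies"]]


if __name__ == "__main__":
    for label, tpl in (("resource-level copy", RESOURCE_COPY_RESOURCE),
                       ("properties-level copy", PROPERTY_COPY_RESOURCE)):
        expanded = expand_resource(tpl)
        print(f"{label}: {len(expanded)} resource(s); duplicates: {duplicate_names(expanded)}")
        print(json.dumps(expanded, indent=2))
```

Running it shows the two outcomes side by side: the resource-level copy expands to three resources all named kv-example/add, which duplicate_names flags, while the properties-level copy yields a single kv-example/add resource whose accessPolicies array carries one entry per objectId. The same expansion is a convenient place to review what each objectId is actually being granted (here "all" plus "purge" on certificates, keys and secrets, as in the answer) before the template is deployed.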
