
Key Vault - Feature request #415

Closed
JasonNguyenTX opened this issue Oct 11, 2017 · 6 comments

@JasonNguyenTX

azurerm_key_vault needs to be updated to include the following permissions:
for Key permission: Recover
for Secret permission: Recover, Backup, Restore

It also needs to allow multiple assignments of object_id; right now, only a single object_id can be assigned to an access policy.

It would be nice as well to be able to copy key vault access configuration from a template.

@tombuildsstuff
Contributor

Hey @JasonNguyenTX

Thanks for opening this issue :)

> azurerm_key_vault needs to be updated to include the following permissions:
> for Key permission: Recover
> for Secret permission: Recover, Backup, Restore

I've included this work in #367, which we'll look into progressing with in the near future.

> It also needs to allow multiple assignments of object_id; right now, only a single object_id can be assigned to an access policy.

Unfortunately we're limited by Azure here in that the Azure API only allows for submitting a single Object ID per Access Policy. However, it's possible to specify multiple Access Policies per key vault, so it should be possible to achieve this like so:

resource "azurerm_key_vault" "test" {
  # ...

  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${var.first_object_id}"

    key_permissions = [
      "all",
    ]

    secret_permissions = [
      "all",
    ]
  }

  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${var.second_object_id}"

    key_permissions = [
      "all",
    ]

    secret_permissions = [
      "all",
    ]
  }
}

> It would be nice as well to be able to copy key vault access configuration from a template.

Would it be possible to give some more context here? Are you referring to the drop-down available in the Portal?

Thanks!

@JasonNguyenTX
Author

Thanks @tombuildsstuff for the quick update. I'm referring to the drop-down in the portal where existing sets of templates for access policies can be used instead of selecting each set of permissions.

For assigning multiple policies, how would you assign them if you don't have a fixed number of object_ids? For example, when building multiple key vaults, one might have 2 object_ids and another might have 4; is there something similar to "count" that can be used to set up this policy?

@rcarun rcarun added this to the M1 milestone Oct 11, 2017
@tombuildsstuff
Contributor

@JasonNguyenTX

> I'm referring to the drop-down in the portal where existing sets of templates for access policies can be used instead of selecting each set of permissions.

🤔 this may make sense as a Data Source to expose the default values - we'll take a look into what we can do here.

> For assigning multiple policies, how would you assign them if you don't have a fixed number of object_ids? For example, when building multiple key vaults, one might have 2 object_ids and another might have 4; is there something similar to "count" that can be used to set up this policy?

Unfortunately, due to the way the API is designed (it's all one large body containing one Object ID per Access Policy), that's not possible at this time, and after some thought I don't believe a Data Source would solve this sufficiently either.

Instead, my suggestion for this would be to file a feature request on the REST API Specs repository, where the KeyVault team could investigate supporting multiple Object IDs per Access Policy (which would allow Terraform, ARM Templates and the Azure Portal to support multiple Object IDs per access policy).

Thanks!
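Later Terraform releases (0.12 and newer) added `dynamic` blocks, which address the variable-count question above without any change to the Azure API. The configuration below is an added example, not code from this thread or from the provider's documentation; it assumes Terraform >= 0.12 and a 2.x-era azurerm provider, and the variable names, vault name, location and resource group are constructed placeholders. It expands a list of object IDs into one access_policy block per principal, giving each group only the permissions it needs (including the Recover, Backup and Restore permissions the issue asks for) rather than "all".

```hcl
# Added example, not code from the thread. Assumes Terraform >= 0.12
# (dynamic blocks) and a 2.x-era azurerm provider; variable names and
# resource values below are constructed for illustration.

variable "reader_object_ids" {
  description = "Principals that only need to read secrets"
  type        = list(string)
  default     = []
}

variable "operator_object_ids" {
  description = "Principals that manage keys and secrets, incl. soft-delete recovery"
  type        = list(string)
  default     = []
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "example" {
  name                = "example-kv"
  location            = "westeurope"
  resource_group_name = "example-rg"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # The API accepts one object_id per access policy, so a variable-length
  # list is expanded into one block per principal instead of one shared
  # policy. Each group gets only the permissions it needs.
  dynamic "access_policy" {
    for_each = toset(var.reader_object_ids)
    content {
      tenant_id          = data.azurerm_client_config.current.tenant_id
      object_id          = access_policy.value
      secret_permissions = ["Get", "List"]
    }
  }

  dynamic "access_policy" {
    for_each = toset(var.operator_object_ids)
    content {
      tenant_id          = data.azurerm_client_config.current.tenant_id
      object_id          = access_policy.value
      key_permissions    = ["Get", "List", "Create", "Recover", "Backup", "Restore"]
      secret_permissions = ["Get", "List", "Set", "Recover", "Backup", "Restore"]
    }
  }
}
```

Two `dynamic` blocks with the same label are concatenated, so readers and operators can be sized independently per vault; `terraform plan` shows one access_policy per object ID.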

@mbfrahry
Member

The access policies will have a data source in #423

@tombuildsstuff
Contributor

Fixed via #423

@ghost

ghost commented Apr 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 1, 2020