ARM Template for KeyVault to have AccessPolicies non-mandatory
It would be better for idempotency and the ability to create Keyvault first, with additional incrementally run ARM templates to have AccessPolicies as non-mandatory.
It is already possible to incrementally add AccessPolicies once you have a KeyVault, but it is not possible to create or update a Keyvault via ARM without specifying the AccessPolicies... which is a problem for update - you need to know all the existing AccessPolicies before you do the update or it will get reverted to whatever you specify.
ARM deployments is possible when using CreateMode (Recovery) and separate access policies.
Access policy - Add , replace and move
Lyndon Rumpel commented
I understand the motivation on wanting the requested ability. However, from a governance and security perspective, some kind of information security and/or auditor role will always have to receive some kind of minimal access. So just implement that purpose with the initial creation, which makes it compliant from the beginning.
McCraw, David commented
This makes it really hard to have zero-downtime deployments in any significant architecture where there are clients of a vault managed in separate repos/ARM templates. So far I have a fragile and elaborate powershell around this, but I really want the ARM deployment for vaults to respect 'incremental'.
+1. I don't understand why it is a requirement to include access policies.
It certainly complicated ARM template deployments for existing Key Vaults, since providing an empty access policies list just wipes out everything that is there.
Chris Neale commented
Support this suggestion vehemently!
Filip Scherwin Lindboe commented
I agree. I have a fully automated deployment using Azure DevOps. Here i have some access policies that needs to be assigned more dynamically according to context, so i am setting these through a script. Other access policies are static and is set using ARM template. But the fact that the access policies are being overwritten when deploying the ARM template has caused me some grief.
Toby Meyer commented
This breaks incremental deployments in a fundamental way. I use other deployment actions to manipulate KV permissions programmatically & this makes it substantially more complex.