Closed Alfonso-Rey closed 1 year ago
Hi @Alfonso-Rey, I checked the log; the command did set soft delete retention days to 90:
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.KeyVault/vaults/ps-keyvault01?api-version=2022-07-01
Headers:
x-ms-client-request-id : 01d6eb7d-e6c3-47ec-9693-573cc584520c
accept-language : en-US
Body:
{
  "location": "uksouth",
  "properties": {
    "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "sku": {
      "name": "standard",
      "family": "A"
    },
    "accessPolicies": [
      {
        "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "objectId": "505cdc4c-3e0c-4ebf-91f6-c479c0b7769e",
        "permissions": {
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "certificates": [
            "all"
          ],
          "storage": [
            "all"
          ]
        }
      }
    ],
    "vaultUri": "",
    "softDeleteRetentionInDays": 90, <-------------- here
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Allow"
    }
  }
}
Could you double check the detail of the policy?
Hi Yeming, good day.
Thanks for the prompt reply. This is the condition of the policy:
"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.KeyVault/vaults"
    },
    {
      "anyOf": [
        {
          "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
          "exists": "false"
        },
        {
          "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
          "equals": "false"
        },
        {
          "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
          "less": 90
        }
      ]
    }
  ]
},
"then": {
  "effect": "deny"
}
With AZ CLI (Shell): if I force the policy to kick in by setting a lower number of retention days, it works as expected. [screenshot] If I set 90 days, it creates the keyvault with no issues. [screenshot]
Looking forward to your comments.
Thanks
Alfonso Rey
From: Yeming Liu
Sent: Friday, March 17, 2023 11:28 AM
To: Azure/azure-powershell
Cc: Alfonso Rey Pardinas; Mention
Subject: Re: [Azure/azure-powershell] SoftDeleteRetentionInDays parameter value not being passed to ARM (Issue #21231)
Hi Alfonso, it's this part of the policy that blocked the creation:
{
"field": "Microsoft.KeyVault/vaults/enableSoftDelete",
"exists": "false"
},
Truth is, since 2020, newly created key vaults have soft delete turned on by default. So it doesn't make sense to check "exists": "false".
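To see why a vault created with a 90-day retention still hit the deny, here is a small added example (not code from the azure-powershell project or from Azure Policy) that evaluates the posted condition against the shape of the request body New-AzKeyVault sent in the debug log above. It models only the five operators the condition uses, assumes the alias-to-body mapping in ALIASES, and goes one step beyond the thread by also running the condition with the "exists": "false" clause removed, on both a 90-day and a 30-day request.

```python
# Added example (not azure-powershell/Azure Policy code): minimal evaluator for the deny condition in this thread, operators allOf/anyOf/exists/equals/less only.
# Alias -> path inside the PUT request body that policy evaluates at deploy time (assumed mapping).
ALIASES = {
    "type": ("type",),
    "Microsoft.KeyVault/vaults/enableSoftDelete": ("properties", "enableSoftDelete"),
    "Microsoft.KeyVault/vaults/softDeleteRetentionInDays": ("properties", "softDeleteRetentionInDays"),
}
MISSING = object()  # sentinel: alias path not present in the request body

def read_alias(resource, alias):
    for key in ALIASES[alias]:
        if not isinstance(resource, dict) or key not in resource:
            return MISSING
        resource = resource[key]
    return resource

def matches(condition, resource):
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    value = read_alias(resource, condition["field"])
    if "exists" in condition:  # "exists": "false" is satisfied by an ABSENT field
        return (value is not MISSING) == (str(condition["exists"]).lower() == "true")
    if value is MISSING:       # equals / less never match a missing field
        return False
    if "equals" in condition:
        return str(value).lower() == str(condition["equals"]).lower()
    return value < condition["less"]

POLICY_AS_POSTED = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    {"anyOf": [{"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false"},
               {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false"},
               {"field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays", "less": 90}]},
]}, "then": {"effect": "deny"}}
# Same policy minus the "exists": "false" clause Yeming points at.
POLICY_FIXED = {"if": {"allOf": [POLICY_AS_POSTED["if"]["allOf"][0],
    {"anyOf": POLICY_AS_POSTED["if"]["allOf"][1]["anyOf"][1:]}]}, "then": {"effect": "deny"}}
# Shape of the body New-AzKeyVault sent (debug log above): retention 90, no enableSoftDelete key.
REQUEST_BODY = {"type": "Microsoft.KeyVault/vaults",  # "type" comes from the URI, not the body
                "location": "uksouth", "properties": {"softDeleteRetentionInDays": 90}}

def denied(policy, resource):
    return policy["then"]["effect"] == "deny" and matches(policy["if"], resource)

def outcomes():
    short = {**REQUEST_BODY, "properties": {"softDeleteRetentionInDays": 30}}
    return {"posted_denies_90d": denied(POLICY_AS_POSTED, REQUEST_BODY),  # True
            "fixed_denies_90d": denied(POLICY_FIXED, REQUEST_BODY),       # False
            "fixed_denies_30d": denied(POLICY_FIXED, short)}              # True
```

The posted policy denies the 90-day request purely because the body carries no enableSoftDelete key, while the fixed policy still denies a 30-day request and an explicit "enableSoftDelete": false.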
Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
Description
When we deploy KeyVaults via PS on Windows or Azure Shell:
New-AzKeyVault -Name "ps-keyvault01" -ResourceGroupName "terrformKeyvault" -Location "uksouth" -SoftDeleteRetentionInDays 90
Issue script & Debug output
Environment data
Module versions
Error output