Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Key Vault property enablePurgeProtection does not allow false value #18106

Open jlichwa opened 2 years ago

jlichwa commented 2 years ago

Service call:

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}?api-version=2021-10-01

{
  "location": "westus",
  "properties": {
    "tenantId": "{tenantId}",
    "sku": {
      "family": "A",
      "name": "standard"
    },
    "accessPolicies": [
      {
      }
    ],
    "enabledForDeployment": true,
    "enabledForDiskEncryption": true,
    "enabledForTemplateDeployment": true,
    "enablePurgeProtection": false,
    "publicNetworkAccess": "Enabled"
  }
}

Result: "message": "The property \"enablePurgeProtection\" cannot be set to false. Enabling the purge protection for a vault is an irreversible action."

Related issues: https://github.com/Azure/ResourceModules/issues/1038 https://github.com/Azure/azure-cli/issues/13006

ghost commented 2 years ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @RandalliLama, @schaabs, @jlichwa.

Issue Details
Author: jlichwa
Assignees: -
Labels: `KeyVault`, `Service Attention`
Milestone: -

dgancho commented 2 years ago

Can we expect a resolution in the foreseeable future?

coolhome commented 2 years ago

A workaround was provided in the Bicep project - https://github.com/Azure/bicep/issues/5223 - I personally just ran into this issue. It is confusing and I'm not sure if I fully understand. From an API standpoint the validator makes no sense and is very misleading.

In bicep we have to do something like this now:

@allowed([
  'pre-production'
  'production'
])
param workloadType string = 'production'

// Declared so the snippet deploys stand-alone; the original omitted them.
param name string
param location string = resourceGroup().location

resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: name
  location: location
  properties: {
    // ....
    // null drops the property from the request body instead of sending
    // false, which the service rejects.
    enablePurgeProtection: workloadType == 'production' ? true : null
    // ....
  }
}

Instead of:

    enablePurgeProtection: workloadType == 'production'

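The same "omit rather than send false" rule, applied outside Bicep. This is an added example, not code from the issue thread or from the azure-rest-api-specs repository: it builds the `properties` object of the vault PUT shown in the issue, never emits `enablePurgeProtection: false`, and refuses to deploy when the vault being updated already has purge protection on but the desired state says off (the irreversibility the error message warns about). `build_vault_properties` and `validate_like_service` are hypothetical helper names; the validator is a constructed stand-in that reproduces only the one rule quoted in the issue, not the real ARM service.

```python
"""Added example (not from the issue or the Azure repo).

Build a Microsoft.KeyVault/vaults PUT body that cannot trip the
"enablePurgeProtection cannot be set to false" validator, and catch the
irreversible case client-side before the request is sent.
"""
from typing import Any, Dict, Optional, Tuple

# Error text as quoted in the issue; used by the constructed validator below.
PURGE_PROTECTION_ERROR = (
    'The property "enablePurgeProtection" cannot be set to false. '
    "Enabling the purge protection for a vault is an irreversible action."
)


def build_vault_properties(
    tenant_id: str,
    purge_protection: bool,
    existing_properties: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Return the `properties` object for the vault PUT (hypothetical helper).

    purge_protection=True  -> emits "enablePurgeProtection": true
    purge_protection=False -> omits the property entirely, which is what the
                              Bicep `? true : null` workaround does.
    existing_properties is the `properties` object from a GET of the vault
    being updated, if it already exists.  Purge protection cannot be turned
    off once on, so a desired-off state against an enabled vault is drift
    the template cannot express; fail loudly instead of deploying.
    """
    if not purge_protection and existing_properties is not None:
        if existing_properties.get("enablePurgeProtection") is True:
            raise ValueError(
                "purge protection is already enabled on this vault and is "
                "irreversible; update the desired state instead of deploying"
            )

    # Field set taken from the PUT body in the issue (accessPolicies left empty).
    props: Dict[str, Any] = {
        "tenantId": tenant_id,
        "sku": {"family": "A", "name": "standard"},
        "accessPolicies": [],
        "enabledForDeployment": True,
        "enabledForDiskEncryption": True,
        "enabledForTemplateDeployment": True,
        "publicNetworkAccess": "Enabled",
    }
    if purge_protection:
        props["enablePurgeProtection"] = True
    return props


def validate_like_service(properties: Dict[str, Any]) -> Tuple[bool, str]:
    """Constructed stand-in for the ARM validator's purge-protection rule.

    Returns (accepted, message).  Only the rule quoted in the issue is
    modelled: an explicit false is rejected; true or absent is accepted.
    """
    if properties.get("enablePurgeProtection") is False:
        return False, PURGE_PROTECTION_ERROR
    return True, ""


if __name__ == "__main__":
    # Naive body: sends false and is rejected, as in the issue.
    naive = build_vault_properties("00000000-0000-0000-0000-000000000000", True)
    naive["enablePurgeProtection"] = False
    print(validate_like_service(naive))

    # Workaround: property omitted for non-production, accepted.
    ok = build_vault_properties("00000000-0000-0000-0000-000000000000", False)
    print("enablePurgeProtection" in ok, validate_like_service(ok))

    # Drift: vault already protected, desired state says off -> refused locally.
    try:
        build_vault_properties("t", False, {"enablePurgeProtection": True})
    except ValueError as exc:
        print("refused:", exc)
```

The pre-flight check matters more than the validator shim: a template that quietly omits the property will deploy cleanly against a vault that already has purge protection on, and the deployment log will say nothing about the mismatch.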
flavienbwk commented 3 months ago

I ran into the same problem; the solution is indeed to set it to either true or null.