pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

Ability to manage Firewall Rules for a Key Vault that is not a part of the stack #3435

Open bosh-3shape opened 1 month ago

bosh-3shape commented 1 month ago

Hello!

Issue details

Right now, it's possible to manage the Key Vault's network ACLs when creating the Key Vault resource, e.g.:

using Pulumi.AzureNative.KeyVault;
using Pulumi.AzureNative.KeyVault.Inputs;

// Key Vault with a deny-by-default firewall that only admits traffic from one subnet
var kv = new Vault(
    "key-vault",
    new VaultArgs
    {
        Properties = new VaultPropertiesArgs
        {
            NetworkAcls = new NetworkRuleSetArgs
            {
                Bypass = NetworkRuleBypassOptions.None,   // no trusted-services bypass
                DefaultAction = NetworkRuleAction.Deny,   // anything not listed below is denied
                VirtualNetworkRules = new[]
                {
                    new VirtualNetworkRuleArgs
                    {
                        Id = subnetId,                           // subnet resource ID defined elsewhere
                        IgnoreMissingVnetServiceEndpoint = false, // fail if the subnet lacks the Key Vault service endpoint
                    },
                },
            },
        },
    });

However, it's not possible to manage these ACLs (VNET Rules, to be more specific) as independent resources. This would be useful in certain scenarios, e.g. when a VNET that needs to be added to the KV's ACL is not in the same stack as the KV.

There exists a separate resource for Access Policies (AccessPolicy), so it seems reasonable to have this ability for the ACLs as well.

thomas11 commented 1 month ago

Hi @bosh-3shape, just to clarify: you'd like the ability to manage firewall rules as stand-alone resources. Based on the issue title, are you also hitting any trouble with updating the firewall rules of an existing vault, editing them as part of the Vault? Or is that working ok? You should be able to add and remove rules from an existing vault and pulumi up should update the vault accordingly.

The reason we have access policies as an independent resource was that that was the only way to support them properly, since their API works in a non-standard way. As we don't have this problem here, it's unlikely we'll implement firewall rules as a stand-alone resource, but we can certainly look into it.

bosh-3shape commented 1 month ago

Hi @thomas11, apologies for a somewhat misleading title. I have updated it to better reflect the intent here.

I am not hitting any issues with updating the firewall rules for an existing KV - that works just fine. However, it's not possible to manage the firewall rules for a KV that is not a part of the "current" stack, since the FW rules are not a separate resource type but just a property on the KV resource itself. For example, it is possible to do so for the Access Policies, as they're represented as a separate resource, meaning I can simply manage the access policies from a different stack, not the one where the KV is managed originally.

Having the ability to update the FW rules independently of the KV would be helpful, e.g. if I am creating a new stack that contains a VNET, and I need to give access to an already existing KV from some other stack from that VNET. Today, it's not possible to do so purely via Pulumi, and the existing workarounds are sub-par as well.
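The cross-stack scenario above, as an added example that is not part of the issue or of the provider's own code: here the direction is reversed, so the stack that owns the Key Vault reads subnet IDs exported by a VNET stack via a StackReference and builds its deny-by-default ACL from them. The config keys `vnetStack` and `resourceGroupName`, and the `subnetIds` stack output, are assumptions for the example.

```csharp
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using Pulumi;
using Pulumi.AzureNative.Authorization;
using Pulumi.AzureNative.KeyVault;
using Pulumi.AzureNative.KeyVault.Inputs;

return await Deployment.RunAsync(() =>
{
    var config = new Config();
    // Assumed config values (not from the issue): the VNET stack to read from and the KV's resource group.
    var vnetStack = new StackReference(config.Require("vnetStack"));
    var resourceGroupName = config.Require("resourceGroupName");

    // Assumption: the VNET stack exports "subnetIds", an array of subnet resource IDs
    // that have the Microsoft.KeyVault service endpoint enabled.
    var subnetIds = vnetStack.RequireOutput("subnetIds")
        .Apply(o => ((ImmutableArray<object>)o).Select(x => (string)x).ToImmutableArray());

    // One VNET rule per exported subnet. IgnoreMissingVnetServiceEndpoint=false turns a
    // subnet without the service endpoint into a deployment error instead of a useless rule.
    var vnetRules = subnetIds.Apply(ids => ids
        .Select(id => new VirtualNetworkRuleArgs { Id = id, IgnoreMissingVnetServiceEndpoint = false })
        .ToArray());

    // Tenant of the credentials running pulumi up
    var tenantId = GetClientConfig.Invoke().Apply(c => c.TenantId);

    var kv = new Vault("key-vault", new VaultArgs
    {
        ResourceGroupName = resourceGroupName,
        Properties = new VaultPropertiesArgs
        {
            TenantId = tenantId,
            Sku = new SkuArgs { Family = SkuFamily.A, Name = SkuName.Standard },
            NetworkAcls = new NetworkRuleSetArgs
            {
                Bypass = NetworkRuleBypassOptions.None, // no trusted-services bypass
                DefaultAction = NetworkRuleAction.Deny, // deny everything not listed in the rules
                VirtualNetworkRules = vnetRules,
            },
        },
    });

    return new Dictionary<string, object?> { ["vaultUri"] = kv.Properties.Apply(p => p.VaultUri) };
});
```

Adding a subnet then means exporting it from the VNET stack and running `pulumi up` on the Key Vault stack, which updates the vault in place as thomas11 describes.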

thomas11 commented 1 month ago

Thank you for the clarification! We'll look into this idea.