Open headconnect opened 3 years ago
Our problem is that ARM API has no support for KeyVault Certificates, currently. We'd have to implement a custom resource using the data plane SDK.
Hello @mikhailshilkov, the Azure SDK for Go has Certificate APIs (https://github.com/Azure/azure-sdk-for-go/blob/main/services/keyvault/v7.1/keyvault/keyvaultapi/interfaces.go). Do you think it would be possible to add them to the provider using the SDK?
@matteocalabro-tomtom We could, however we'd have to define both the schema (the shape of resources) and the CRUD operations manually, with a unique way to authenticate, version etc. So, it's quite a departure from the current model of relying on ARM Open API specifications. But it is possible - we did something like that for Storage Blobs.
Given this:
it's quite a departure from the current model of relying on ARM Open API specifications
would you accept a PR for it, in case?
I have some experience integrating the Azure SDK for Go in my Pulumi Go code, I could take the time to produce the schema. The CRUD operations should be trivial as they are already supported by the SDK.
Yes, we are happy to take a contribution. This is the closest to what it may look like: https://github.com/pulumi/pulumi-azure-native/blob/master/provider/pkg/resources/custom_storage.go
Hello,
We also want to be able to take advantage of 'keyvault.certificate' with Pulumi Azure Native provider (SDK nodejs).
I'd like to understand "ARM API has no support for KeyVault".
Is 'ARM API' something different from 'Rest API' ?
I have found this documentation: https://docs.microsoft.com/en-us/rest/api/keyvault/#certificate-operations
Thanks
Is 'ARM API' something different from 'Rest API' ?
ARM API is a subset of REST API. ARM stands for Azure Resource Manager and represents a unified API model for all resources of the Azure control plane. The docs that you linked are to KeyVault's specific data plane API; you can see this based on URLs like `POST {vaultBaseUrl}/certificates/{certificate-name}/create?api-version=7.2` as opposed to something like `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/keys/{keyName}` in ARM.
I understand, thanks @mikhailshilkov !
This is over a year old now. Any updates on a reasonable implementation? Having only a subset of the key vault implementation is not really acceptable.
It's really great that azure-native has keyvault.Key and Secret! But we're missing .Certificate to have complete control ;)
For me, it would be nice to be able to pre-load a certificate into the keyvaults of environments that I create so that it can be taken into full use without any further manual intervention.
Personally, I prefer to synchronize certificates from a keyvault to the various resources (including kubernetes secrets) that would need them. The alternative would be that the certificates are only on various resources directly and need to be managed more carefully (instead of in a single place), or that I manually add the certificate(s) to the keyvault during an environment provisioning.
Affected feature
keyvault resource
extending: https://github.com/pulumi/pulumi-azure-native/pull/354