Share via


Microsoft.KeyVault vaults 2023-02-01

Choose a deployment language

Bicep resource definition

The vaults resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on using key vaults for secure values, see Manage secrets by using Bicep.

For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.

For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.

Resource format

To create a Microsoft.KeyVault/vaults resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  properties: {
    accessPolicies: [
      {
        applicationId: 'string'
        objectId: 'string'
        permissions: {
          certificates: [
            'string'
          ]
          keys: [
            'string'
          ]
          secrets: [
            'string'
          ]
          storage: [
            'string'
          ]
        }
        tenantId: 'string'
      }
    ]
    createMode: 'string'
    enabledForDeployment: bool
    enabledForDiskEncryption: bool
    enabledForTemplateDeployment: bool
    enablePurgeProtection: bool
    enableRbacAuthorization: bool
    enableSoftDelete: bool
    networkAcls: {
      bypass: 'string'
      defaultAction: 'string'
      ipRules: [
        {
          value: 'string'
        }
      ]
      virtualNetworkRules: [
        {
          id: 'string'
          ignoreMissingVnetServiceEndpoint: bool
        }
      ]
    }
    provisioningState: 'string'
    publicNetworkAccess: 'string'
    sku: {
      family: 'A'
      name: 'string'
    }
    softDeleteRetentionInDays: int
    tenantId: 'string'
    vaultUri: 'string'
  }
}

Property values

vaults

Name Description Value
name The resource name string (required)

Character limit: 3-24

Valid characters:
Alphanumerics and hyphens.

Start with letter. End with letter or digit. Can't contain consecutive hyphens.

Resource name must be unique across Azure.
location The supported Azure location where the key vault should be created. string (required)
tags The tags that will be assigned to the key vault. Dictionary of tag names and values. See Tags in templates
properties Properties of the vault VaultProperties (required)

VaultProperties

Name Description Value
accessPolicies An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. AccessPolicyEntry[]
createMode The vault's create mode to indicate whether the vault need to be recovered or not. 'default'
'recover'
enabledForDeployment Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. bool
enabledForDiskEncryption Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool
enabledForTemplateDeployment Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. bool
enablePurgeProtection Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. bool
enableRbacAuthorization Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. bool
networkAcls Rules governing the accessibility of the key vault from specific network locations. NetworkRuleSet
provisioningState Provisioning state of the vault. 'RegisteringDns'
'Succeeded'
publicNetworkAccess Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. string
sku SKU details Sku (required)
softDeleteRetentionInDays softDelete data retention days. It accepts >=7 and <=90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
vaultUri The URI of the vault for performing operations on keys and secrets. string

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'getrotationpolicy'
'import'
'list'
'purge'
'recover'
'release'
'restore'
'rotate'
'setrotationpolicy'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

NetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. 'AzureServices'
'None'
defaultAction The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. 'Allow'
'Deny'
ipRules The list of IP address rules. IPRule[]
virtualNetworkRules The list of virtual network rules. VirtualNetworkRule[]

IPRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

VirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)
ignoreMissingVnetServiceEndpoint Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. bool

Sku

Name Description Value
family SKU family name 'A' (required)
name SKU name to specify whether the key vault is a standard vault or a premium vault. 'premium'
'standard' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
Deploy the Sports Analytics on Azure Architecture

Deploy to Azure
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role.
Azure Machine Learning Workspace

Deploy to Azure
This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging
Create a KeyVault

Deploy to Azure
This module creates a KeyVault resource with apiVersion 2019-09-01.
Create an API Management service with SSL from KeyVault

Deploy to Azure
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Creates a Dapr pub-sub servicebus app using Container Apps

Deploy to Azure
Create a Dapr pub-sub servicebus app using Container Apps.
creates an Azure Stack HCI 23H2 cluster

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
creates an Azure Stack HCI 23H2 cluster

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP
creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
Create a new encrypted windows vm from gallery image

Deploy to Azure
This template creates a new encrypted windows vm using the server 2k12 gallery image.
Create new encrypted managed disks win-vm from gallery image

Deploy to Azure
This template creates a new encrypted managed disks windows vm using the server 2k12 gallery image.
This template encrypts a running Windows VMSS

Deploy to Azure
This template enables encryption on a running Windows VM Scale Set
Enable encryption on a running Windows VM

Deploy to Azure
This template enables encryption on a running windows vm.
Create and encrypt a new Windows VMSS with jumpbox

Deploy to Azure
This template allows you to deploy a simple VM Scale Set of Windows VMs using the lastest patched version of serveral Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses.This template enables encryption on the VM Scale Set of Windows VMs.
Create an Azure Key Vault and a secret

Deploy to Azure
This template creates an Azure Key Vault and a secret.
Create an Azure Key Vault with RBAC and a secret

Deploy to Azure
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets
Create key vault, managed identity, and role assignment

Deploy to Azure
This template creates a key vault, managed identity, and role assignment.
Connect to a Key Vault via private endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Create a Key Vault and a list of secrets

Deploy to Azure
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters
Create Key Vault with logging enabled

Deploy to Azure
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio with Microsoft Entra ID Authentication

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage.
Create AML workspace with multiple Datasets & Datastores

Deploy to Azure
This template creates Azure Machine Learning workspace with multiple datasets & datastores.
Azure Machine Learning end-to-end secure setup

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create an AKS compute target with a Private IP address

Deploy to Azure
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address.
Create an Azure Machine Learning service workspace

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys.
Create an Azure Machine Learning service workspace (vnet)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (legacy)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Create an Application Gateway V2 with Key Vault

Deploy to Azure
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway.
Testing environment for Azure Firewall Premium

Deploy to Azure
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Creates a Cross-tenant Private Endpoint resource

Deploy to Azure
This template allows you to create Priavate Endpoint resource within the same or cross-tenant environment and add dns zone configuration.
Create Application Gateway with Certificates

Deploy to Azure
This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway.
Azure Storage Account Encryption with customer-managed key

Deploy to Azure
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.
App Service Environment with Azure SQL backend

Deploy to Azure
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment.
Azure Function app and an HTTP-triggered function

Deploy to Azure
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key.
Application Gateway with internal API Management and Web App

Deploy to Azure
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.

ARM template resource definition

The vaults resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Remarks

For guidance on using key vaults for secure values, see Manage secrets by using Bicep.

For a quickstart on creating a secret, see Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template.

For a quickstart on creating a key, see Quickstart: Create an Azure key vault and a key by using ARM template.

Resource format

To create a Microsoft.KeyVault/vaults resource, add the following JSON to your template.

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-02-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "properties": {
    "accessPolicies": [
      {
        "applicationId": "string",
        "objectId": "string",
        "permissions": {
          "certificates": [ "string" ],
          "keys": [ "string" ],
          "secrets": [ "string" ],
          "storage": [ "string" ]
        },
        "tenantId": "string"
      }
    ],
    "createMode": "string",
    "enabledForDeployment": "bool",
    "enabledForDiskEncryption": "bool",
    "enabledForTemplateDeployment": "bool",
    "enablePurgeProtection": "bool",
    "enableRbacAuthorization": "bool",
    "enableSoftDelete": "bool",
    "networkAcls": {
      "bypass": "string",
      "defaultAction": "string",
      "ipRules": [
        {
          "value": "string"
        }
      ],
      "virtualNetworkRules": [
        {
          "id": "string",
          "ignoreMissingVnetServiceEndpoint": "bool"
        }
      ]
    },
    "provisioningState": "string",
    "publicNetworkAccess": "string",
    "sku": {
      "family": "A",
      "name": "string"
    },
    "softDeleteRetentionInDays": "int",
    "tenantId": "string",
    "vaultUri": "string"
  }
}

Property values

vaults

Name Description Value
type The resource type 'Microsoft.KeyVault/vaults'
apiVersion The resource api version '2023-02-01'
name The resource name string (required)

Character limit: 3-24

Valid characters:
Alphanumerics and hyphens.

Start with letter. End with letter or digit. Can't contain consecutive hyphens.

Resource name must be unique across Azure.
location The supported Azure location where the key vault should be created. string (required)
tags The tags that will be assigned to the key vault. Dictionary of tag names and values. See Tags in templates
properties Properties of the vault VaultProperties (required)

VaultProperties

Name Description Value
accessPolicies An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. AccessPolicyEntry[]
createMode The vault's create mode to indicate whether the vault need to be recovered or not. 'default'
'recover'
enabledForDeployment Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. bool
enabledForDiskEncryption Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool
enabledForTemplateDeployment Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. bool
enablePurgeProtection Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. bool
enableRbacAuthorization Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. bool
networkAcls Rules governing the accessibility of the key vault from specific network locations. NetworkRuleSet
provisioningState Provisioning state of the vault. 'RegisteringDns'
'Succeeded'
publicNetworkAccess Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. string
sku SKU details Sku (required)
softDeleteRetentionInDays softDelete data retention days. It accepts >=7 and <=90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
vaultUri The URI of the vault for performing operations on keys and secrets. string

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
'all'
'backup'
'create'
'delete'
'deleteissuers'
'get'
'getissuers'
'import'
'list'
'listissuers'
'managecontacts'
'manageissuers'
'purge'
'recover'
'restore'
'setissuers'
'update'
keys Permissions to keys String array containing any of:
'all'
'backup'
'create'
'decrypt'
'delete'
'encrypt'
'get'
'getrotationpolicy'
'import'
'list'
'purge'
'recover'
'release'
'restore'
'rotate'
'setrotationpolicy'
'sign'
'unwrapKey'
'update'
'verify'
'wrapKey'
secrets Permissions to secrets String array containing any of:
'all'
'backup'
'delete'
'get'
'list'
'purge'
'recover'
'restore'
'set'
storage Permissions to storage accounts String array containing any of:
'all'
'backup'
'delete'
'deletesas'
'get'
'getsas'
'list'
'listsas'
'purge'
'recover'
'regeneratekey'
'restore'
'set'
'setsas'
'update'

NetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. 'AzureServices'
'None'
defaultAction The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. 'Allow'
'Deny'
ipRules The list of IP address rules. IPRule[]
virtualNetworkRules The list of virtual network rules. VirtualNetworkRule[]

IPRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

VirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)
ignoreMissingVnetServiceEndpoint Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. bool

Sku

Name Description Value
family SKU family name 'A' (required)
name SKU name to specify whether the key vault is a standard vault or a premium vault. 'premium'
'standard' (required)

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
Deploy the Sports Analytics on Azure Architecture

Deploy to Azure
Creates an Azure storage account with ADLS Gen 2 enabled, an Azure Data Factory instance with linked services for the storage account (an the Azure SQL Database if deployed), and an Azure Databricks instance. The AAD identity for the user deploying the template and the managed identity for the ADF instance will be granted the Storage Blob Data Contributor role on the storage account. There are also options to deploy an Azure Key Vault instance, an Azure SQL Database, and an Azure Event Hub (for streaming use cases). When an Azure Key Vault is deployed, the data factory managed identity and the AAD identity for the user deploying the template will be granted the Key Vault Secrets User role.
Azure Machine Learning Workspace

Deploy to Azure
This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging
Create a KeyVault

Deploy to Azure
This module creates a KeyVault resource with apiVersion 2019-09-01.
Create an API Management service with SSL from KeyVault

Deploy to Azure
This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours.
Creates a Dapr pub-sub servicebus app using Container Apps

Deploy to Azure
Create a Dapr pub-sub servicebus app using Container Apps.
creates an Azure Stack HCI 23H2 cluster

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
creates an Azure Stack HCI 23H2 cluster

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template, using custom storage IP
creates an Azure Stack HCI 23H2 cluster in Switchless-Dual-link Networking mode

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
creates an Azure Stack HCI 23H2 cluster in Switchless-SingleLink networking mode

Deploy to Azure
This template creates an Azure Stack HCI 23H2 cluster using an ARM template.
Create a new encrypted windows vm from gallery image

Deploy to Azure
This template creates a new encrypted windows vm using the server 2k12 gallery image.
Create new encrypted managed disks win-vm from gallery image

Deploy to Azure
This template creates a new encrypted managed disks windows vm using the server 2k12 gallery image.
This template encrypts a running Windows VMSS

Deploy to Azure
This template enables encryption on a running Windows VM Scale Set
Enable encryption on a running Windows VM

Deploy to Azure
This template enables encryption on a running windows vm.
Create and encrypt a new Windows VMSS with jumpbox

Deploy to Azure
This template allows you to deploy a simple VM Scale Set of Windows VMs using the lastest patched version of serveral Windows versions. This template also deploys a jumpbox with a public IP address in the same virtual network. You can connect to the jumpbox via this public IP address, then connect from there to VMs in the scale set via private IP addresses.This template enables encryption on the VM Scale Set of Windows VMs.
Create an Azure Key Vault and a secret

Deploy to Azure
This template creates an Azure Key Vault and a secret.
Create an Azure Key Vault with RBAC and a secret

Deploy to Azure
This template creates an Azure Key Vault and a secret. Instead of relying on access policies, it leverages Azure RBAC to manage authorization on secrets
Create key vault, managed identity, and role assignment

Deploy to Azure
This template creates a key vault, managed identity, and role assignment.
Connect to a Key Vault via private endpoint

Deploy to Azure
This sample shows how to use configure a virtual network and private DNS zone to access Key Vault via private endpoint.
Create a Key Vault and a list of secrets

Deploy to Azure
This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters
Create Key Vault with logging enabled

Deploy to Azure
This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources.
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio basic setup

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource.
Azure AI Studio with Microsoft Entra ID Authentication

Deploy to Azure
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage.
Create AML workspace with multiple Datasets & Datastores

Deploy to Azure
This template creates Azure Machine Learning workspace with multiple datasets & datastores.
Azure Machine Learning end-to-end secure setup

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create an AKS compute target with a Private IP address

Deploy to Azure
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address.
Create an Azure Machine Learning service workspace

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key.
Create an Azure Machine Learning service workspace (CMK)

Deploy to Azure
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys.
Create an Azure Machine Learning service workspace (vnet)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
Create an Azure Machine Learning service workspace (legacy)

Deploy to Azure
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Create an Application Gateway V2 with Key Vault

Deploy to Azure
This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway.
Testing environment for Azure Firewall Premium

Deploy to Azure
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Creates a Cross-tenant Private Endpoint resource

Deploy to Azure
This template allows you to create Priavate Endpoint resource within the same or cross-tenant environment and add dns zone configuration.
Create Application Gateway with Certificates

Deploy to Azure
This template shows how to generate Key Vault self-signed certificates, then reference from Application Gateway.
Azure Storage Account Encryption with customer-managed key

Deploy to Azure
This template deploys a Storage Account with a customer-managed key for encryption that's generated and placed inside a Key Vault.
App Service Environment with Azure SQL backend

Deploy to Azure
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment.
Azure Function app and an HTTP-triggered function

Deploy to Azure
This example deploys an Azure Function app and an HTTP-triggered function inline in the template. It also deploys a Key Vault and populates a secret with the function app's host key.
Application Gateway with internal API Management and Web App

Deploy to Azure
Application Gateway routing Internet traffic to a virtual network (internal mode) API Management instance which services a web API hosted in an Azure Web App.

Terraform (AzAPI provider) resource definition

The vaults resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.KeyVault/vaults resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.KeyVault/vaults@2023-02-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      accessPolicies = [
        {
          applicationId = "string"
          objectId = "string"
          permissions = {
            certificates = [
              "string"
            ]
            keys = [
              "string"
            ]
            secrets = [
              "string"
            ]
            storage = [
              "string"
            ]
          }
          tenantId = "string"
        }
      ]
      createMode = "string"
      enabledForDeployment = bool
      enabledForDiskEncryption = bool
      enabledForTemplateDeployment = bool
      enablePurgeProtection = bool
      enableRbacAuthorization = bool
      enableSoftDelete = bool
      networkAcls = {
        bypass = "string"
        defaultAction = "string"
        ipRules = [
          {
            value = "string"
          }
        ]
        virtualNetworkRules = [
          {
            id = "string"
            ignoreMissingVnetServiceEndpoint = bool
          }
        ]
      }
      provisioningState = "string"
      publicNetworkAccess = "string"
      sku = {
        family = "A"
        name = "string"
      }
      softDeleteRetentionInDays = int
      tenantId = "string"
      vaultUri = "string"
    }
  })
}

Property values

vaults

Name Description Value
type The resource type "Microsoft.KeyVault/vaults@2023-02-01"
name The resource name string (required)

Character limit: 3-24

Valid characters:
Alphanumerics and hyphens.

Start with letter. End with letter or digit. Can't contain consecutive hyphens.

Resource name must be unique across Azure.
location The supported Azure location where the key vault should be created. string (required)
parent_id To deploy to a resource group, use the ID of that resource group. string (required)
tags The tags that will be assigned to the key vault. Dictionary of tag names and values.
properties Properties of the vault VaultProperties (required)

VaultProperties

Name Description Value
accessPolicies An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When createMode is set to recover, access policies are not required. Otherwise, access policies are required. AccessPolicyEntry[]
createMode The vault's create mode to indicate whether the vault need to be recovered or not. "default"
"recover"
enabledForDeployment Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. bool
enabledForDiskEncryption Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. bool
enabledForTemplateDeployment Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. bool
enablePurgeProtection Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value. bool
enableRbacAuthorization Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. bool
enableSoftDelete Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false. bool
networkAcls Rules governing the accessibility of the key vault from specific network locations. NetworkRuleSet
provisioningState Provisioning state of the vault. "RegisteringDns"
"Succeeded"
publicNetworkAccess Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor the rules. string
sku SKU details Sku (required)
softDeleteRetentionInDays softDelete data retention days. It accepts >=7 and <=90. int
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
vaultUri The URI of the vault for performing operations on keys and secrets. string

AccessPolicyEntry

Name Description Value
applicationId Application ID of the client making request on behalf of a principal string

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$
objectId The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. string (required)
permissions Permissions the identity has for keys, secrets and certificates. Permissions (required)
tenantId The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. string (required)

Constraints:
Min length = 36
Max length = 36
Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$

Permissions

Name Description Value
certificates Permissions to certificates String array containing any of:
"all"
"backup"
"create"
"delete"
"deleteissuers"
"get"
"getissuers"
"import"
"list"
"listissuers"
"managecontacts"
"manageissuers"
"purge"
"recover"
"restore"
"setissuers"
"update"
keys Permissions to keys String array containing any of:
"all"
"backup"
"create"
"decrypt"
"delete"
"encrypt"
"get"
"getrotationpolicy"
"import"
"list"
"purge"
"recover"
"release"
"restore"
"rotate"
"setrotationpolicy"
"sign"
"unwrapKey"
"update"
"verify"
"wrapKey"
secrets Permissions to secrets String array containing any of:
"all"
"backup"
"delete"
"get"
"list"
"purge"
"recover"
"restore"
"set"
storage Permissions to storage accounts String array containing any of:
"all"
"backup"
"delete"
"deletesas"
"get"
"getsas"
"list"
"listsas"
"purge"
"recover"
"regeneratekey"
"restore"
"set"
"setsas"
"update"

NetworkRuleSet

Name Description Value
bypass Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'. "AzureServices"
"None"
defaultAction The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. "Allow"
"Deny"
ipRules The list of IP address rules. IPRule[]
virtualNetworkRules The list of virtual network rules. VirtualNetworkRule[]

IPRule

Name Description Value
value An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). string (required)

VirtualNetworkRule

Name Description Value
id Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'. string (required)
ignoreMissingVnetServiceEndpoint Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured. bool

Sku

Name Description Value
family SKU family name "A" (required)
name SKU name to specify whether the key vault is a standard vault or a premium vault. "premium"
"standard" (required)