{ "description": "Generator information:\n- Generated from: /keyvault/resource-manager/Microsoft.KeyVault/preview/2021-04-01-preview/keyvault.json\n- ARM URI: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "properties": { "azureName": { "description": "AzureName: The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it\ndoesn't have to be.", "pattern": "^[a-zA-Z0-9-]{3,24}$", "type": "string" }, "location": { "description": "Location: The supported Azure location where the key vault should be created.", "type": "string" }, "operatorSpec": { "description": "OperatorSpec: The specification for configuring operator behavior. This field is interpreted by the operator and not\npassed directly to Azure", "properties": { "configMapExpressions": { "description": "ConfigMapExpressions: configures where to place operator written dynamic ConfigMaps (created with CEL expressions).", "items": { "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.", "properties": { "key": { "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.", "type": "string" }, "value": { "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" }, "secretExpressions": { "description": "SecretExpressions: configures where to place operator written dynamic secrets (created with CEL expressions).", "items": { "description": "DestinationExpression is a CEL expression and a destination to store the result in. The destination may\nbe a secret or a configmap. The value of the expression is stored at the specified location in\nthe destination.", "properties": { "key": { "description": "Key is the key in the ConfigMap or Secret being written to. If the CEL expression in Value returns a string\nthis is required to identify what key to write to. If the CEL expression in Value returns a map[string]string\nKey must not be set, instead the keys written will be determined dynamically based on the keys of the resulting\nmap[string]string.", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap or secret to write to.\nThe configmap or secret will be created in the same namespace as the resource.", "type": "string" }, "value": { "description": "Value is a CEL expression. The CEL expression may return a string or a map[string]string. For more information\non CEL in ASO see https://azure.github.io/azure-service-operator/guide/expressions/", "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "owner": { "description": "Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also\ncontrols the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a\nreference to a resources.azure.com/ResourceGroup resource", "properties": { "armId": { "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)", "type": "string" }, "name": { "description": "This is the name of the Kubernetes resource to reference.", "type": "string" } }, "type": "object", "additionalProperties": false }, "properties": { "description": "Properties: Properties of the vault", "properties": { "accessPolicies": { "description": "AccessPolicies: An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use\nthe same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not\nrequired. Otherwise, access policies are required.", "items": { "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key\nvault's tenant ID.", "properties": { "applicationId": { "description": "ApplicationId: Application ID of the client making request on behalf of a principal", "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", "type": "string" }, "applicationIdFromConfig": { "description": "ApplicationIdFromConfig: Application ID of the client making request on behalf of a principal", "properties": { "key": { "description": "Key is the key in the Kubernetes configmap being referenced", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap being referenced.\nThe configmap must be in the same namespace as the resource", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false }, "objectId": { "description": "ObjectId: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the\nvault. The object ID must be unique for the list of access policies.", "type": "string" }, "objectIdFromConfig": { "description": "ObjectIdFromConfig: The object ID of a user, service principal or security group in the Azure Active Directory tenant\nfor the vault. The object ID must be unique for the list of access policies.", "properties": { "key": { "description": "Key is the key in the Kubernetes configmap being referenced", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap being referenced.\nThe configmap must be in the same namespace as the resource", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false }, "permissions": { "description": "Permissions: Permissions the identity has for keys, secrets and certificates.", "properties": { "certificates": { "description": "Certificates: Permissions to certificates", "items": { "enum": [ "backup", "create", "delete", "deleteissuers", "get", "getissuers", "import", "list", "listissuers", "managecontacts", "manageissuers", "purge", "recover", "restore", "setissuers", "update" ], "type": "string" }, "type": "array" }, "keys": { "description": "Keys: Permissions to keys", "items": { "enum": [ "backup", "create", "decrypt", "delete", "encrypt", "get", "import", "list", "purge", "recover", "release", "restore", "sign", "unwrapKey", "update", "verify", "wrapKey" ], "type": "string" }, "type": "array" }, "secrets": { "description": "Secrets: Permissions to secrets", "items": { "enum": [ "backup", "delete", "get", "list", "purge", "recover", "restore", "set" ], "type": "string" }, "type": "array" }, "storage": { "description": "Storage: Permissions to storage accounts", "items": { "enum": [ "backup", "delete", "deletesas", "get", "getsas", "list", "listsas", "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update" ], "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "tenantId": { "description": "TenantId: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.", "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", "type": "string" }, "tenantIdFromConfig": { "description": "TenantIdFromConfig: The Azure Active Directory tenant ID that should be used for authenticating requests to the key\nvault.", "properties": { "key": { "description": "Key is the key in the Kubernetes configmap being referenced", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap being referenced.\nThe configmap must be in the same namespace as the resource", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false } }, "required": [ "permissions" ], "type": "object", "additionalProperties": false }, "type": "array" }, "createMode": { "description": "CreateMode: The vault's create mode to indicate whether the vault need to be recovered or not.", "enum": [ "createOrRecover", "default", "purgeThenCreate", "recover" ], "type": "string" }, "enablePurgeProtection": { "description": "EnablePurgeProtection: Property specifying whether protection against purge is enabled for this vault. Setting this\nproperty to true activates protection against purge for this vault and its content - only the Key Vault service may\ninitiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this\nfunctionality is irreversible - that is, the property does not accept false as its value.", "type": "boolean" }, "enableRbacAuthorization": { "description": "EnableRbacAuthorization: Property that controls how data actions are authorized. When true, the key vault will use Role\nBased Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties\nwill be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy\nstored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value\nof false. Note that management actions are always authorized with RBAC.", "type": "boolean" }, "enableSoftDelete": { "description": "EnableSoftDelete: Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not\nset to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it\ncannot be reverted to false.", "type": "boolean" }, "enabledForDeployment": { "description": "EnabledForDeployment: Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored\nas secrets from the key vault.", "type": "boolean" }, "enabledForDiskEncryption": { "description": "EnabledForDiskEncryption: Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the\nvault and unwrap keys.", "type": "boolean" }, "enabledForTemplateDeployment": { "description": "EnabledForTemplateDeployment: Property to specify whether Azure Resource Manager is permitted to retrieve secrets from\nthe key vault.", "type": "boolean" }, "networkAcls": { "description": "NetworkAcls: Rules governing the accessibility of the key vault from specific network locations.", "properties": { "bypass": { "description": "Bypass: Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the\ndefault is 'AzureServices'.", "enum": [ "AzureServices", "None" ], "type": "string" }, "defaultAction": { "description": "DefaultAction: The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after\nthe bypass property has been evaluated.", "enum": [ "Allow", "Deny" ], "type": "string" }, "ipRules": { "description": "IpRules: The list of IP address rules.", "items": { "description": "A rule governing the accessibility of a vault from a specific ip address or ip range.", "properties": { "value": { "description": "Value: An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all\naddresses that start with 124.56.78).", "type": "string" } }, "required": [ "value" ], "type": "object", "additionalProperties": false }, "type": "array" }, "virtualNetworkRules": { "description": "VirtualNetworkRules: The list of virtual network rules.", "items": { "description": "A rule governing the accessibility of a vault from a specific virtual network.", "properties": { "ignoreMissingVnetServiceEndpoint": { "description": "IgnoreMissingVnetServiceEndpoint: Property to specify whether NRP will ignore the check if parent subnet has\nserviceEndpoints configured.", "type": "boolean" }, "reference": { "description": "Reference: Full resource id of a vnet subnet, such as\n'/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.", "properties": { "armId": { "description": "ARMID is a string of the form /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}.\nThe /resourcegroups/{resourceGroupName} bit is optional as some resources are scoped at the subscription level\nARMID is mutually exclusive with Group, Kind, Namespace and Name.", "pattern": "(?i)(^(/subscriptions/([^/]+)(/resourcegroups/([^/]+))?)?/providers/([^/]+)/([^/]+/[^/]+)(/([^/]+/[^/]+))*$|^/subscriptions/([^/]+)(/resourcegroups/([^/]+))?$)", "type": "string" }, "group": { "description": "Group is the Kubernetes group of the resource.", "type": "string" }, "kind": { "description": "Kind is the Kubernetes kind of the resource.", "type": "string" }, "name": { "description": "Name is the Kubernetes name of the resource.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "reference" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "provisioningState": { "description": "ProvisioningState: Provisioning state of the vault.", "enum": [ "RegisteringDns", "Succeeded" ], "type": "string" }, "sku": { "description": "Sku: SKU details", "properties": { "family": { "description": "Family: SKU family name", "enum": [ "A" ], "type": "string" }, "name": { "description": "Name: SKU name to specify whether the key vault is a standard vault or a premium vault.", "enum": [ "premium", "standard" ], "type": "string" } }, "required": [ "family", "name" ], "type": "object", "additionalProperties": false }, "softDeleteRetentionInDays": { "description": "SoftDeleteRetentionInDays: softDelete data retention days. It accepts >=7 and <=90.", "type": "integer" }, "tenantId": { "description": "TenantId: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.", "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", "type": "string" }, "tenantIdFromConfig": { "description": "TenantIdFromConfig: The Azure Active Directory tenant ID that should be used for authenticating requests to the key\nvault.", "properties": { "key": { "description": "Key is the key in the Kubernetes configmap being referenced", "type": "string" }, "name": { "description": "Name is the name of the Kubernetes configmap being referenced.\nThe configmap must be in the same namespace as the resource", "type": "string" } }, "required": [ "key", "name" ], "type": "object", "additionalProperties": false }, "vaultUri": { "description": "VaultUri: The URI of the vault for performing operations on keys and secrets.", "type": "string" } }, "required": [ "sku" ], "type": "object", "additionalProperties": false }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags: The tags that will be assigned to the key vault.", "type": "object" }, "additionalProperties": false }, "required": [ "location", "owner", "properties" ], "type": "object", "additionalProperties": false }, "status": { "description": "Resource information with extended details.", "properties": { "conditions": { "description": "Conditions: The observed state of the resource", "items": { "description": "Condition defines an extension to status (an observation) of a resource", "properties": { "lastTransitionTime": { "description": "LastTransitionTime is the last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "Message is a human readable message indicating details about the transition. This field may be empty.", "type": "string" }, "observedGeneration": { "description": "ObservedGeneration is the .metadata.generation that the condition was set based upon. For instance, if\n.metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "type": "integer" }, "reason": { "description": "Reason for the condition's last transition.\nReasons are upper CamelCase (PascalCase) with no spaces. A reason is always provided, this field will not be empty.", "type": "string" }, "severity": { "description": "Severity with which to treat failures of this type of condition.\nFor conditions which have positive polarity (Status == True is their normal/healthy state), this will be omitted when Status == True\nFor conditions which have negative polarity (Status == False is their normal/healthy state), this will be omitted when Status == False.\nThis is omitted in all cases when Status == Unknown", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, or Unknown.", "type": "string" }, "type": { "description": "Type of condition.", "type": "string" } }, "required": [ "lastTransitionTime", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "id": { "description": "Id: Fully qualified identifier of the key vault resource.", "type": "string" }, "location": { "description": "Location: Azure location of the key vault resource.", "type": "string" }, "name": { "description": "Name: Name of the key vault resource.", "type": "string" }, "properties": { "description": "Properties: Properties of the vault", "properties": { "accessPolicies": { "description": "AccessPolicies: An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use\nthe same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not\nrequired. Otherwise, access policies are required.", "items": { "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key\nvault's tenant ID.", "properties": { "applicationId": { "description": "ApplicationId: Application ID of the client making request on behalf of a principal", "type": "string" }, "objectId": { "description": "ObjectId: The object ID of a user, service principal or security group in the Azure Active Directory tenant for the\nvault. The object ID must be unique for the list of access policies.", "type": "string" }, "permissions": { "description": "Permissions: Permissions the identity has for keys, secrets and certificates.", "properties": { "certificates": { "description": "Certificates: Permissions to certificates", "items": { "type": "string" }, "type": "array" }, "keys": { "description": "Keys: Permissions to keys", "items": { "type": "string" }, "type": "array" }, "secrets": { "description": "Secrets: Permissions to secrets", "items": { "type": "string" }, "type": "array" }, "storage": { "description": "Storage: Permissions to storage accounts", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "tenantId": { "description": "TenantId: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "createMode": { "description": "CreateMode: The vault's create mode to indicate whether the vault need to be recovered or not.", "type": "string" }, "enablePurgeProtection": { "description": "EnablePurgeProtection: Property specifying whether protection against purge is enabled for this vault. Setting this\nproperty to true activates protection against purge for this vault and its content - only the Key Vault service may\ninitiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this\nfunctionality is irreversible - that is, the property does not accept false as its value.", "type": "boolean" }, "enableRbacAuthorization": { "description": "EnableRbacAuthorization: Property that controls how data actions are authorized. When true, the key vault will use Role\nBased Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties\nwill be ignored. When false, the key vault will use the access policies specified in vault properties, and any policy\nstored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value\nof false. Note that management actions are always authorized with RBAC.", "type": "boolean" }, "enableSoftDelete": { "description": "EnableSoftDelete: Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not\nset to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it\ncannot be reverted to false.", "type": "boolean" }, "enabledForDeployment": { "description": "EnabledForDeployment: Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored\nas secrets from the key vault.", "type": "boolean" }, "enabledForDiskEncryption": { "description": "EnabledForDiskEncryption: Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the\nvault and unwrap keys.", "type": "boolean" }, "enabledForTemplateDeployment": { "description": "EnabledForTemplateDeployment: Property to specify whether Azure Resource Manager is permitted to retrieve secrets from\nthe key vault.", "type": "boolean" }, "hsmPoolResourceId": { "description": "HsmPoolResourceId: The resource id of HSM Pool.", "type": "string" }, "networkAcls": { "description": "NetworkAcls: Rules governing the accessibility of the key vault from specific network locations.", "properties": { "bypass": { "description": "Bypass: Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the\ndefault is 'AzureServices'.", "type": "string" }, "defaultAction": { "description": "DefaultAction: The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after\nthe bypass property has been evaluated.", "type": "string" }, "ipRules": { "description": "IpRules: The list of IP address rules.", "items": { "description": "A rule governing the accessibility of a vault from a specific ip address or ip range.", "properties": { "value": { "description": "Value: An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all\naddresses that start with 124.56.78).", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "virtualNetworkRules": { "description": "VirtualNetworkRules: The list of virtual network rules.", "items": { "description": "A rule governing the accessibility of a vault from a specific virtual network.", "properties": { "id": { "description": "Id: Full resource id of a vnet subnet, such as\n'/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.", "type": "string" }, "ignoreMissingVnetServiceEndpoint": { "description": "IgnoreMissingVnetServiceEndpoint: Property to specify whether NRP will ignore the check if parent subnet has\nserviceEndpoints configured.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "privateEndpointConnections": { "description": "PrivateEndpointConnections: List of private endpoint connections associated with the key vault.", "items": { "description": "Private endpoint connection item.", "properties": { "etag": { "description": "Etag: Modified whenever there is a change in the state of private endpoint connection.", "type": "string" }, "id": { "description": "Id: Id of private endpoint connection.", "type": "string" }, "privateEndpoint": { "description": "PrivateEndpoint: Properties of the private endpoint object.", "properties": { "id": { "description": "Id: Full identifier of the private endpoint resource.", "type": "string" } }, "type": "object", "additionalProperties": false }, "privateLinkServiceConnectionState": { "description": "PrivateLinkServiceConnectionState: Approval state of the private link connection.", "properties": { "actionsRequired": { "description": "ActionsRequired: A message indicating if changes on the service provider require any updates on the consumer.", "type": "string" }, "description": { "description": "Description: The reason for approval or rejection.", "type": "string" }, "status": { "description": "Status: Indicates whether the connection has been approved, rejected or removed by the key vault owner.", "type": "string" } }, "type": "object", "additionalProperties": false }, "provisioningState": { "description": "ProvisioningState: Provisioning state of the private endpoint connection.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "provisioningState": { "description": "ProvisioningState: Provisioning state of the vault.", "type": "string" }, "sku": { "description": "Sku: SKU details", "properties": { "family": { "description": "Family: SKU family name", "type": "string" }, "name": { "description": "Name: SKU name to specify whether the key vault is a standard vault or a premium vault.", "type": "string" } }, "type": "object", "additionalProperties": false }, "softDeleteRetentionInDays": { "description": "SoftDeleteRetentionInDays: softDelete data retention days. It accepts >=7 and <=90.", "type": "integer" }, "tenantId": { "description": "TenantId: The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.", "type": "string" }, "vaultUri": { "description": "VaultUri: The URI of the vault for performing operations on keys and secrets.", "type": "string" } }, "type": "object", "additionalProperties": false }, "systemData": { "description": "SystemData: System metadata for the key vault.", "properties": { "createdAt": { "description": "CreatedAt: The timestamp of the key vault resource creation (UTC).", "type": "string" }, "createdBy": { "description": "CreatedBy: The identity that created the key vault resource.", "type": "string" }, "createdByType": { "description": "CreatedByType: The type of identity that created the key vault resource.", "type": "string" }, "lastModifiedAt": { "description": "LastModifiedAt: The timestamp of the key vault resource last modification (UTC).", "type": "string" }, "lastModifiedBy": { "description": "LastModifiedBy: The identity that last modified the key vault resource.", "type": "string" }, "lastModifiedByType": { "description": "LastModifiedByType: The type of identity that last modified the key vault resource.", "type": "string" } }, "type": "object", "additionalProperties": false }, "tags": { "additionalProperties": { "type": "string" }, "description": "Tags: Tags assigned to the key vault resource.", "type": "object" }, "type": { "description": "Type: Resource type of the key vault resource.", "type": "string" }, "additionalProperties": false }, "type": "object", "additionalProperties": false } }, "type": "object" }