azure-service-operator
Feature: Additional KeyVault resources
Requesting the following additional resources from Microsoft.KeyVault:
Looks like AccessPolicy is not supported as a resource in the API specs. However, I did try to update and delete the KeyVault resource's AccessPoliciesEntries with a new AccessPolicy, which works fine.
Also, PrivateEndpointConnection is not a resource. To create a PrivateEndpoint to a KeyVault, the user must create a PrivateEndpoint resource (which we support) and specify the KeyVault in privateLinkReference, as we do for StorageAccount here. The PrivateEndpointConnection resource you mentioned looks more like a PrivateEndpointConnection approval/denial template.
Moving to v2.2.0 - possibly we just close this if there's nothing to do. @super-harsh
It might also make sense to support the sorts of secrets AKV generates
A specific customer request is for AccessPolicy as a separate resource so it can be managed with a different lifecycle - and by a different team.
It looks like AccessPolicies is there, but it's a bit weirdly shaped
We should double-check the KV RBAC vs KV AccessPolicies discussion too - which is now recommended, or do they both serve different purposes?
edit: It looks like we need to do some research into KV AccessPolicies vs RBAC and understand what the difference is -- possibly we can talk to somebody on the KV team after reading their docs more carefully.
No change from above.
No change from above still - not seeing a lot of user complaints about this missing capability at the moment.