Add a custom resource for Key Vault access policies

examples/examples_nodejs_test.go

@@ -6,10 +6,12 @@ package examples
 import (
 	"encoding/json"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestAccAppServiceTs(t *testing.T) {
@@ -195,6 +197,84 @@ func TestStorageAccountNetworkRule(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
+func TestAccKeyVaultAccessPoliciesTs(t *testing.T) {
+	skipIfShort(t)
+	test := getJSBaseOptions(t).
+		With(integration.ProgramTestOptions{
+			ExpectRefreshChanges: false,
+			Dir:                  filepath.Join(getCwd(t), "keyvault-accesspolicies"),
+			EditDirs: []integration.EditDir{
+				{
+					Dir:      filepath.Join("keyvault-accesspolicies", "2-update-keyvault"),
+					Additive: true,
+					// Check that the stand-alone AccessPolicies are still there, not deleted by the Vault update.
+					ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
+						require.NotNil(t, stackInfo.Deployment)
+						require.NotNil(t, stackInfo.Deployment.Resources)
+
+						accessPolicies := 0
+						for _, resource := range stackInfo.Deployment.Resources {
+							if resource.Type == "azure-native:keyvault:AccessPolicy" {
+								accessPolicies++
+							}
+						}
+						assert.Equal(t, 2, accessPolicies)
+
+						// check the number of policies as returned by Azure directly via invoke
+						numberOfAPs, ok := stackInfo.Outputs["numberOfAPs"].(float64)
+						require.True(t, ok)
+						assert.Equal(t, 2.0, numberOfAPs)
+					},
+				},
+				{
+					Dir:      filepath.Join("keyvault-accesspolicies", "3-update-accesspolicies"),
+					Additive: true,
+					// Check that the stand-alone AccessPolicies were updated resp. deleted.
+					ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
+						require.NotNil(t, stackInfo.Deployment)
+						require.NotNil(t, stackInfo.Deployment.Resources)
+
+						ap1Found := false
+						for _, resource := range stackInfo.Deployment.Resources {
+							urn := string(resource.URN)
+							if strings.HasSuffix(urn, "keyvault:AccessPolicy::ap1") {
+								ap1Found = true
+								accessPolicy, ok := resource.Outputs["policy"]
+								require.True(t, ok, "Property 'policy' not found")
+								accessPolicyObj, ok := accessPolicy.(map[string]interface{})
+								require.True(t, ok, "Property 'policy' is not an object")
+
+								permissions, ok := accessPolicyObj["permissions"]
+								require.True(t, ok, "Property 'policy.permissions' not found")
+								permissionsObj, ok := permissions.(map[string]interface{})
+								require.True(t, ok, "Property 'policy.permissions' is not an object")
+
+								keyPermissions, ok := permissionsObj["keys"]
+								require.True(t, ok, "Property 'policy.permissions.keys' not found")
+								keyPermissionsArray, ok := keyPermissions.([]any)
+								require.True(t, ok, "Property 'policy.permissions.keys' is not an array")
+
+								require.Equal(t, 1, len(keyPermissionsArray))
+								assert.Equal(t, "get", keyPermissionsArray[0].(string))
+							} else if strings.HasSuffix(urn, "keyvault:AccessPolicy::ap2") {
+								t.Errorf("AccessPolicy ap2 should have been deleted")
+							}
+						}
+						assert.True(t, ap1Found, "AccessPolicy ap1 not found")
+
+						// Check the number of policies as returned by Azure directly via invoke.
+						// This doesn't work here because we have no way of waiting for the deletion of ap2.
+						// numberOfAPs, ok := stackInfo.Outputs["numberOfAPs"].(float64)
+						// assert.True(t, ok)
+						// assert.Equal(t, 1.0, numberOfAPs)
+					},
+				},
+			},
+		})
+
+	integration.ProgramTest(t, &test)
+}
+
 func getJSBaseOptions(t *testing.T) integration.ProgramTestOptions {
 	base := getBaseOptions(t)
 	baseJS := base.With(integration.ProgramTestOptions{

examples/go.mod

@@ -1,6 +1,6 @@
 module github.com/pulumi/pulumi-azure-native/examples
 
-go 1.19
+go 1.21
 
 require (
 	github.com/pulumi/pulumi/pkg/v3 v3.91.1

examples/go.sum

@@ -158,6 +158,7 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/GoogleCloudPlatform/cloudsql-proxy v1.31.2/go.mod h1:qR6jVnZTKDCW3j+fC9mOEPHm++1nKDMkqbbkD6KNsfo=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
+github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
@@ -212,6 +213,7 @@ github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8V
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
 github.com/alexflint/go-filemutex v1.1.0/go.mod h1:7P4iRhttt/nUvUOrYIhcpMzv2G6CY9UnI16Z+UJqRyk=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
@@ -271,6 +273,7 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.16/go.mod h1:CYmI+7x03jjJih8kBEEF
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6 h1:3L8pcjvgaSOs0zzZcMKzxDSkYKEpwJ2dNVDdxm68jAY=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.6/go.mod h1:O7Oc4peGZDEKlddivslfYFvAbgzvl/GH3J8j3JIGBXc=
 github.com/aws/aws-sdk-go-v2/service/iam v1.19.0 h1:9vCynoqC+dgxZKrsjvAniyIopsv3RZFsZ6wkQ+yxtj8=
+github.com/aws/aws-sdk-go-v2/service/iam v1.19.0/go.mod h1:OyAuvpFeSVNppcSsp1hFOVQcaTRc1LE24YIR7pMbbAA=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3 h1:4n4KCtv5SUoT5Er5XV41huuzrCqepxlW3SDI9qHQebc=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.3/go.mod h1:gkb2qADY+OHaGLKNTYxMaQNacfeyQpZ4csDTQMeFmcw=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.10 h1:7LJcuRalaLw+GYQTMGmVUl4opg2HrDZkvn/L3KvIQfw=
@@ -555,6 +558,7 @@ github.com/edsrzf/mmap-go v1.1.0 h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ=
 github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -610,12 +614,14 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
 github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U=
 github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
+github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
 github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
 github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
 github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -683,6 +689,7 @@ github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
+github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-zookeeper/zk v1.0.2/go.mod h1:nOB03cncLtlp4t+UAkGSV+9beXP/akpekBwL+UX1Qcw=
 github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
 github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
@@ -1111,6 +1118,7 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
@@ -1294,6 +1302,7 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
 github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -2562,6 +2571,7 @@ lukechampine.com/frand v1.4.2 h1:RzFIpOvkMXuPMBb9maa4ND4wjBn71E1Jpf8BzJHMaVw=
 lukechampine.com/frand v1.4.2/go.mod h1:4S/TM2ZgrKejMcKMbeLjISpJMO+/eZ1zu3vYX9dtj3s=
 nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 pgregory.net/rapid v0.6.1 h1:4eyrDxyht86tT4Ztm+kvlyNBLIk071gR+ZQdhphc9dQ=
+pgregory.net/rapid v0.6.1/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

examples/keyvault-accesspolicies/2-update-keyvault/index.ts

@@ -0,0 +1,77 @@
+// Copyright 2021, Pulumi Corporation.  All rights reserved.
+
+import * as pulumi from "@pulumi/pulumi";
+import * as authorization from "@pulumi/azure-native/authorization";
+import * as keyvault from "@pulumi/azure-native/keyvault";
+import * as resources from "@pulumi/azure-native/resources";
+
+const resourceGroup = new resources.ResourceGroup("rg");
+
+const config = pulumi.output(authorization.getClientConfig());
+
+// enabledForDeployment (randomly picked) changed to true
+const vault = new keyvault.Vault("vault", {
+    resourceGroupName: resourceGroup.name,
+    location: resourceGroup.location,
+    properties: {
+        sku: {
+            family: keyvault.SkuFamily.A,
+            name: keyvault.SkuName.Standard,
+        },
+        tenantId: config.tenantId,
+        enabledForDeployment: true,
+    },
+});
+
+const ap1 = new keyvault.AccessPolicy("ap1", {
+    resourceGroupName: resourceGroup.name,
+    vaultName: vault.name,
+    policy: {
+        objectId: config.objectId,
+        permissions: {
+            keys: [
+                keyvault.KeyPermissions.Get,
+                keyvault.KeyPermissions.Create,
+                keyvault.KeyPermissions.Delete,
+                keyvault.KeyPermissions.List,
+            ],
+            secrets: [
+                keyvault.SecretPermissions.Get,
+                keyvault.SecretPermissions.List,
+                keyvault.SecretPermissions.Set,
+                keyvault.SecretPermissions.Delete,
+            ],
+        },
+        tenantId: config.tenantId,
+    }
+});
+
+const ap2 = new keyvault.AccessPolicy("ap2", {
+    resourceGroupName: resourceGroup.name,
+    vaultName: vault.name,
+    policy: {
+        objectId: "00000000-0000-0000-0000-000000000000",
+        permissions: {
+            keys: [
+                keyvault.KeyPermissions.Get,
+            ]
+        },
+        tenantId: config.tenantId,
+    }
+});
+
+export const rgName = resourceGroup.name;
+export const kvName = vault.name;
+
+// Read the Vault's state directly from Azure. We export it so the test can use it to make
+// additional assertions that Pulumi's view of the world matches Azure's.
+// We use `apply` here as a barrier, ensuring the invoke runs after the vault is updated.
+const newVaultState = vault.properties?.apply(_ => {
+    return keyvault.getVaultOutput({
+        resourceGroupName: resourceGroup.name,
+        vaultName: vault.name,
+    });
+})
+
+export const numberOfAPs = newVaultState.properties.accessPolicies?.apply(aps => aps?.length || 0 );
+export const aps = newVaultState.properties.accessPolicies;

examples/keyvault-accesspolicies/3-update-accesspolicies/index.ts

@@ -0,0 +1,60 @@
+// Copyright 2021, Pulumi Corporation.  All rights reserved.
+
+import * as pulumi from "@pulumi/pulumi";
+import * as authorization from "@pulumi/azure-native/authorization";
+import * as keyvault from "@pulumi/azure-native/keyvault";
+import * as resources from "@pulumi/azure-native/resources";
+
+const resourceGroup = new resources.ResourceGroup("rg");
+
+const config = pulumi.output(authorization.getClientConfig());
+
+// enabledForDeployment changed back to false
+const vault = new keyvault.Vault("vault", {
+    resourceGroupName: resourceGroup.name,
+    location: resourceGroup.location,
+    properties: {
+        sku: {
+            family: keyvault.SkuFamily.A,
+            name: keyvault.SkuName.Standard,
+        },
+        tenantId: config.tenantId,
+        enabledForDeployment: false,
+    },
+});
+
+// ap1 has different permissions
+const ap1 = new keyvault.AccessPolicy("ap1", {
+    resourceGroupName: resourceGroup.name,
+    vaultName: vault.name,
+    policy: {
+        objectId: config.objectId,
+        permissions: {
+            keys: [
+                keyvault.KeyPermissions.Get,
+            ],
+            secrets: [
+                keyvault.SecretPermissions.Get,
+            ]
+        },
+        tenantId: config.tenantId,
+    }
+});
+
+// ap2 is deleted
+
+export const rgName = resourceGroup.name;
+export const kvName = vault.name;
+
+// Read the Vault's state directly from Azure. We export it so the test can use it to make
+// additional assertions that Pulumi's view of the world matches Azure's.
+// We use `apply` here as a barrier, ensuring the invoke runs after the vault is updated.
+const newVaultState = vault.properties?.apply(_ => {
+    return keyvault.getVaultOutput({
+        resourceGroupName: resourceGroup.name,
+        vaultName: vault.name,
+    });
+})
+
+export const numberOfAPs = newVaultState.properties.accessPolicies?.apply(aps => aps?.length || 0 );
+export const aps = newVaultState.properties.accessPolicies;

examples/keyvault-accesspolicies/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: keyvault-accesspolicies
+runtime: nodejs
+description: KeyVault resources

examples/keyvault-accesspolicies/index.ts

@@ -0,0 +1,63 @@
+// Copyright 2021, Pulumi Corporation.  All rights reserved.
+
+import * as pulumi from "@pulumi/pulumi";
+import * as authorization from "@pulumi/azure-native/authorization";
+import * as keyvault from "@pulumi/azure-native/keyvault";
+import * as resources from "@pulumi/azure-native/resources";
+
+const resourceGroup = new resources.ResourceGroup("rg");
+
+const config = pulumi.output(authorization.getClientConfig());
+
+const vault = new keyvault.Vault("vault", {
+    resourceGroupName: resourceGroup.name,
+    location: resourceGroup.location,
+    properties: {
+        sku: {
+            family: keyvault.SkuFamily.A,
+            name: keyvault.SkuName.Standard,
+        },
+        tenantId: config.tenantId,
+        enabledForDeployment: false,
+    },
+});
+
+const ap1 = new keyvault.AccessPolicy("ap1", {
+    resourceGroupName: resourceGroup.name,
+    vaultName: vault.name,
+    policy: {
+        objectId: config.objectId,
+        permissions: {
+            keys: [
+                keyvault.KeyPermissions.Get,
+                keyvault.KeyPermissions.Create,
+                keyvault.KeyPermissions.Delete,
+                keyvault.KeyPermissions.List,
+            ],
+            secrets: [
+                keyvault.SecretPermissions.Get,
+                keyvault.SecretPermissions.List,
+                keyvault.SecretPermissions.Set,
+                keyvault.SecretPermissions.Delete,
+            ],
+        },
+        tenantId: config.tenantId,
+    }
+});
+
+const ap2 = new keyvault.AccessPolicy("ap2", {
+    resourceGroupName: resourceGroup.name,
+    vaultName: vault.name,
+    policy: {
+        objectId: "00000000-0000-0000-0000-000000000000",
+        permissions: {
+            keys: [
+                keyvault.KeyPermissions.Get,
+            ]
+        },
+        tenantId: config.tenantId,
+    }
+}, {dependsOn: [ap1]});
+
+export const rgName = resourceGroup.name;
+export const kvName = vault.name;