1. Create Azure Keyvault with full access for AD group using native provider


    First, we'll need to use the azure-native.keyvault.Vault and azuread.Group resources.

    The azure-native.keyvault.Vault resource is used to create the Azure KeyVault in the specific location with the defined properties such as tenantId, sku, and policies. In accessPolicies we attach the AD group to the Vault.

    The azuread.Group resource is used to create an Active Directory (AD) Group which consists of the users that will have full access to the Key Vault.

    Below is the program:

    import * as azure from "@pulumi/azure-native"; import * as azuread from "@pulumi/azuread"; const resourceGroup = new azure.resources.ResourceGroup("resourceGroup", { location: "WestUS", }); // Create an AD group const adGroup = new azuread.Group("adGroup", { displayName: "KeyVaultAccessGroup", owners: ["<Insert ObjectIDs of the owners>"], // add user ObjectIDs }); // Assign permissions to the AD group const permissions = { keys: ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"], secrets: ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore", "Purge"], certificates: ["Get", "List", "Delete", "Create", "Import", "Update", "ManageContacts", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers", "ManageIssuers", "Recover", "Backup", "Restore", "Purge"], }; // Azure Key Vault const vault = new azure.keyvault.Vault("keyvault", { resourceGroupName: resourceGroup.name, location: resourceGroup.location, properties: { sku: { family: "A", name: "standard", }, tenantId: "<Your Azure AD Tenant ID>", // Replace with your Tenant ID accessPolicies: [ { tenantId: "<Your Azure AD Tenant ID>", // Replace with your Tenant ID objectId: adGroup.objectId, permissions: permissions, } ], } }); export const keyVaultUri = vault.properties.vaultUri; export const adGroupId = adGroup.objectId;

    Replace "<Your Azure AD Tenant ID>" with your Azure Active Directory Tenant ID and "<Insert ObjectIDs of the owners>" with the Object IDs of the owners.

    This program creates an Azure Resource Group, a new AD group, and an Azure KeyVault in the specified resource group. It also assigns full access permissions to the AD group on the created Azure KeyVault.

    Access permissions are defined for keys, secrets, and certificates and these are attached to the accessPolicies of the Keyvault.

    After running the program, you can check the outputs keyVaultUri and adGroupId to check the created resources.

    The Azure Key Vault documentation can be found here and the Azure AD group documentation can be found here.