Create Azure Keyvault with full access for AD group using native provider

Question

Pulumi · Accepted Answer

First, we'll need to use the `azure-native.keyvault.Vault` and `azuread.Group` resources. The `azure-native.keyvault.Vault` resource is used to create the Azure KeyVault in the specific location with the defined properties such as tenantId, sku, and policies. In accessPolicies we attach the AD group to the Vault. The `azuread.Group` resource is used to create an Active Directory (AD) Group which consists of the users that will have full access to the Key Vault. Below is the program: ```typescript import * as azure from "@pulumi/azure-native"; import * as azuread from "@pulumi/azuread"; const resourceGroup = new azure.resources.ResourceGroup("resourceGroup", { location: "WestUS", }); // Create an AD group const adGroup = new azuread.Group("adGroup", { displayName: "KeyVaultAccessGroup", owners: [""], // add user ObjectIDs }); // Assign permissions to the AD group const permissions = { keys: ["Get", "List", "Update", "Create", "Import", "Delete", "Recover", "Backup", "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify", "Sign", "Purge"], secrets: ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore", "Purge"], certificates: ["Get", "List", "Delete", "Create", "Import", "Update", "ManageContacts", "GetIssuers", "ListIssuers", "SetIssuers", "DeleteIssuers", "ManageIssuers", "Recover", "Backup", "Restore", "Purge"], }; // Azure Key Vault const vault = new azure.keyvault.Vault("keyvault", { resourceGroupName: resourceGroup.name, location: resourceGroup.location, properties: { sku: { family: "A", name: "standard", }, tenantId: "", // Replace with your Tenant ID accessPolicies: [ { tenantId: "", // Replace with your Tenant ID objectId: adGroup.objectId, permissions: permissions, } ], } }); export const keyVaultUri = vault.properties.vaultUri; export const adGroupId = adGroup.objectId; ``` Replace `""` with your Azure Active Directory Tenant ID and `""` with the Object IDs of the owners. This program creates an Azure Resource Group, a new AD group, and an Azure KeyVault in the specified resource group. It also assigns full access permissions to the AD group on the created Azure KeyVault. Access permissions are defined for keys, secrets, and certificates and these are attached to the accessPolicies of the Keyvault. After running the program, you can check the outputs `keyVaultUri` and `adGroupId` to check the created resources. The Azure Key Vault documentation can be found [here](https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/) and the Azure AD group documentation can be found [here](https://www.pulumi.com/registry/packages/azuread/api-docs/group/).