diff --git a/schemas/2015-06-01/Microsoft.KeyVault.json b/schemas/2015-06-01/Microsoft.KeyVault.json index cfd4854c34..af969a96c9 100644 --- a/schemas/2015-06-01/Microsoft.KeyVault.json +++ b/schemas/2015-06-01/Microsoft.KeyVault.json @@ -4,147 +4,68 @@ "title": "Microsoft.KeyVault", "description": "Microsoft KeyVault Resource Types", "resourceDefinitions": { - "secrets": { + "vaults": { "type": "object", "properties": { - "type": { - "enum": [ - "Microsoft.KeyVault/vaults/secrets" - ] - }, "apiVersion": { + "type": "string", "enum": [ - "2014-12-19-preview", "2015-06-01" ] }, - "properties": { - "type": "object", - "properties": { - "value": { - "type": "string", - "description": "Secret value" - } - }, - "required": [ - "value" - ] - } - }, - "required": [ - "apiVersion", - "properties", - "type" - ], - "description": "Microsoft.KeyVault/vaults/secrets" - }, - "secretsChild": { - "type": "object", - "properties": { - "type": { - "enum": [ - "secrets" - ] - }, - "apiVersion": { - "enum": [ - "2014-12-19-preview", - "2015-06-01" - ] + "location": { + "type": "string", + "description": "The supported Azure location where the key vault should be created." }, - "properties": { - "type": "object", - "properties": { - "value": { + "name": { + "oneOf": [ + { "type": "string", - "description": "Secret value" + "pattern": "^[a-zA-Z0-9-]{3,24}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - }, - "required": [ - "value" - ] - } - }, - "required": [ - "apiVersion", - "properties", - "type" - ], - "description": "Microsoft.KeyVault/vaults/secretsChild" - }, - "vaults": { - "type": "object", - "properties": { - "type": { - "enum": [ - "Microsoft.KeyVault/vaults" - ] - }, - "apiVersion": { - "enum": [ - "2014-12-19-preview", - "2015-06-01" - ] + ], + "description": "Name of the vault" }, "properties": { - "type": "object", - "properties": { - "sku": { - "oneOf": [ - { "$ref": "#/definitions/sku" }, - { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - ], - "description": "Microsoft.KeyVault/vaults: Sku" - }, - "tenantId": { - "oneOf": [ - { - "type": "string", - "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" - }, - { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - ], - "description": "Microsoft.KeyVault/vaults: The tenant ID of the Azure Active Directory Tenant to use for authorization." + "oneOf": [ + { + "$ref": "#/definitions/VaultProperties" }, - "accessPolicies": { - "oneOf": [ - { - "type": "array", - "items": { - "$ref": "#/definitions/accessPolicy" - } - }, - { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - ], - "description": "Microsoft.KeyVault/vaults: Access policies" + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} }, - "enabledForDeployment": { - "oneOf": [ - { "type": "boolean" }, - { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - ], - "description": "Microsoft.KeyVault/vaults: Enabled for deployment" + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - }, - "required": [ - "tenantId", - "sku", - "accessPolicies" - ] + ], + "description": "The tags that will be assigned to the key vault. " }, - "resources": { - "type": "array", - "items": { - "allOf": [ - { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/resourceBase" }, - { "$ref": "#/resourceDefinitions/secretsChild" } - ] - }, - "description": "Microsoft.KeyVault/vaults: Child resources" + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults" + ] } }, "required": [ "apiVersion", + "location", + "name", "properties", "type" ], @@ -152,140 +73,285 @@ } }, "definitions": { - "accessPolicy": { + "AccessPolicyEntry": { "type": "object", "properties": { - "tenantId": { + "applicationId": { "oneOf": [ - { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" }, { "type": "string", "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Microsoft.KeyVault/vaults: The tenant ID of the Azure Active Directory Tenant containing the objectId in this access policy." + "description": " Application ID of the client making request on behalf of a principal" }, "objectId": { + "type": "string", + "description": "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies." + }, + "permissions": { + "oneOf": [ + { + "$ref": "#/definitions/Permissions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions the identity has for keys, secrets and certificates." + }, + "tenantId": { "oneOf": [ - { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" }, { "type": "string", "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Microsoft.KeyVault/vaults: The object ID of the Azure Active Directory object to apply this access policy to. For example, the object ID of a Service Principal, or of a User Principal." - }, - "permissions": { - "$ref": "#/definitions/permissions" + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." } }, "required": [ - "tenantId", "objectId", - "permissions" - ] + "permissions", + "tenantId" + ], + "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." }, - "permissions": { + "Permissions": { "type": "object", "properties": { - "keys": { + "certificates": { "oneOf": [ { "type": "array", "items": { + "type": "string", "enum": [ "all", - "backup", - "create", - "decrypt", + "get", + "list", "delete", + "create", + "import", + "update", + "managecontacts", + "getissuers", + "listissuers", + "setissuers", + "deleteissuers", + "manageissuers", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to certificates" + }, + "keys": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "all", "encrypt", + "decrypt", + "wrapKey", + "unwrapKey", + "sign", + "verify", "get", - "import", "list", - "restore", - "sign", - "unwrapKey", + "create", "update", - "verify", - "wrapKey" + "import", + "delete", + "backup", + "restore", + "recover", + "purge" ] - }, - "minItems": 1 + } }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Microsoft.KeyVault/vaults: The permissions granted on keys in this vault to this Active Directory object." + "description": "Permissions to keys" }, "secrets": { "oneOf": [ { "type": "array", "items": { + "type": "string", "enum": [ "all", - "delete", "get", "list", - "set" + "set", + "delete", + "backup", + "restore", + "recover", + "purge" ] - }, - "minItems": 1 + } }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Microsoft.KeyVault/vaults: The permissions granted on secrets in this vault to this Active Directory object." + "description": "Permissions to secrets" } }, - "anyOf": [ - { - "required": [ "secrets" ] - }, - { - "required": [ "keys" ] - } - ], - "description": "Microsoft.KeyVault/vaults: The permissions granted on this vault to this Active Directory object." + "description": "Permissions the identity has for keys, secrets and certificates." }, - "sku": { + "Sku": { "type": "object", "properties": { - "name": { + "family": { "oneOf": [ { + "type": "string", "enum": [ - "standard", - "premium" + "A" ] }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Microsoft.KeyVault/vaults: The service tier of KeyVault to use. Standard supports secrets and software-protected keys. Premium adds support for HSM-protected keys." + "description": "SKU family name" }, - "family": { + "name": { "oneOf": [ { + "type": "string", "enum": [ - "A" + "standard", + "premium" ] }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Microsoft.KeyVault/vaults: The SKU family to use." + "description": "SKU name to specify whether the key vault is a standard vault or a premium vault." } }, "required": [ "family", "name" - ] + ], + "description": "SKU details" + }, + "VaultProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + }, + "enabledForDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." + }, + "enabledForDiskEncryption": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." + }, + "enabledForTemplateDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." + }, + "enableSoftDelete": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault." + }, + "sku": { + "oneOf": [ + { + "$ref": "#/definitions/Sku" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU details" + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + }, + "vaultUri": { + "type": "string", + "description": "The URI of the vault for performing operations on keys and secrets." + } + }, + "required": [ + "accessPolicies", + "sku", + "tenantId" + ], + "description": "Properties of the vault" } } } diff --git a/schemas/2016-10-01/Microsoft.KeyVault.json b/schemas/2016-10-01/Microsoft.KeyVault.json index 55fde71a3f..2562054401 100644 --- a/schemas/2016-10-01/Microsoft.KeyVault.json +++ b/schemas/2016-10-01/Microsoft.KeyVault.json @@ -7,15 +7,6 @@ "vaults": { "type": "object", "properties": { - "name": { - "type": "string" - }, - "type": { - "type": "string", - "enum": [ - "Microsoft.KeyVault/vaults" - ] - }, "apiVersion": { "type": "string", "enum": [ @@ -26,19 +17,17 @@ "type": "string", "description": "The supported Azure location where the key vault should be created." }, - "tags": { + "name": { "oneOf": [ { - "type": "object", - "additionalProperties": { - "type": "string" - } + "type": "string", + "pattern": "^[a-zA-Z0-9-]{3,24}$" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "The tags that will be assigned to the key vault." + "description": "Name of the vault" }, "properties": { "oneOf": [ @@ -56,27 +45,54 @@ "items": { "oneOf": [ { - "$ref": "#/definitions/vaults_secrets_childResource" + "$ref": "#/definitions/vaults_accessPolicies_childResource" }, { - "$ref": "#/definitions/vaults_accessPolicies_childResource" + "$ref": "#/definitions/vaults_secrets_childResource" } ] } + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the key vault." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults" + ] } }, "required": [ - "name", - "type", "apiVersion", "location", - "properties" + "name", + "properties", + "type" ], "description": "Microsoft.KeyVault/vaults" }, "vaults_accessPolicies": { "type": "object", "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2016-10-01" + ] + }, "name": { "oneOf": [ { @@ -90,19 +106,8 @@ { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - ] - }, - "type": { - "type": "string", - "enum": [ - "Microsoft.KeyVault/vaults/accessPolicies" - ] - }, - "apiVersion": { - "type": "string", - "enum": [ - "2016-10-01" - ] + ], + "description": "Name of the operation." }, "properties": { "oneOf": [ @@ -113,48 +118,43 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Properties of the access policy" + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/accessPolicies" + ] } }, "required": [ - "name", - "type", "apiVersion", - "properties" + "name", + "properties", + "type" ], "description": "Microsoft.KeyVault/vaults/accessPolicies" }, "vaults_secrets": { "type": "object", "properties": { - "name": { - "type": "string" - }, - "type": { - "type": "string", - "enum": [ - "Microsoft.KeyVault/vaults/secrets" - ] - }, "apiVersion": { "type": "string", "enum": [ "2016-10-01" ] }, - "tags": { + "name": { "oneOf": [ { - "type": "object", - "additionalProperties": { - "type": "string" - } + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "The tags that will be assigned to the secret. " + "description": "Name of the secret" }, "properties": { "oneOf": [ @@ -166,13 +166,34 @@ } ], "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/secrets" + ] } }, "required": [ - "name", - "type", "apiVersion", - "properties" + "name", + "properties", + "type" ], "description": "Microsoft.KeyVault/vaults/secrets" } @@ -181,7 +202,7 @@ "AccessPolicyEntry": { "type": "object", "properties": { - "tenantId": { + "applicationId": { "oneOf": [ { "type": "string", @@ -191,67 +212,65 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + "description": " Application ID of the client making request on behalf of a principal" }, "objectId": { "type": "string", "description": "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies." }, - "applicationId": { + "permissions": { "oneOf": [ { - "type": "string", - "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + "$ref": "#/definitions/Permissions" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": " Application ID of the client making request on behalf of a principal" + "description": "Permissions the identity has for keys, secrets, certificates and storage." }, - "permissions": { + "tenantId": { "oneOf": [ { - "$ref": "#/definitions/Permissions" + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Permissions the identity has for keys, secrets and certificates." + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." } }, "required": [ - "tenantId", "objectId", - "permissions" + "permissions", + "tenantId" ], "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." }, "Permissions": { "type": "object", "properties": { - "keys": { + "certificates": { "oneOf": [ { "type": "array", "items": { "type": "string", "enum": [ - "encrypt", - "decrypt", - "wrapKey", - "unwrapKey", - "sign", - "verify", "get", "list", + "delete", "create", - "update", "import", - "delete", - "backup", - "restore", + "update", + "managecontacts", + "getissuers", + "listissuers", + "setissuers", + "deleteissuers", + "manageissuers", "recover", "purge" ] @@ -261,18 +280,26 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Permissions to keys" + "description": "Permissions to certificates" }, - "secrets": { + "keys": { "oneOf": [ { "type": "array", "items": { "type": "string", "enum": [ + "encrypt", + "decrypt", + "wrapKey", + "unwrapKey", + "sign", + "verify", "get", "list", - "set", + "create", + "update", + "import", "delete", "backup", "restore", @@ -285,9 +312,9 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Permissions to secrets" + "description": "Permissions to keys" }, - "certificates": { + "secrets": { "oneOf": [ { "type": "array", @@ -296,16 +323,10 @@ "enum": [ "get", "list", + "set", "delete", - "create", - "import", - "update", - "managecontacts", - "getissuers", - "listissuers", - "setissuers", - "deleteissuers", - "manageissuers", + "backup", + "restore", "recover", "purge" ] @@ -315,7 +336,7 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Permissions to certificates" + "description": "Permissions to secrets" }, "storage": { "oneOf": [ @@ -330,6 +351,10 @@ "set", "update", "regeneratekey", + "recover", + "purge", + "backup", + "restore", "setsas", "listsas", "getsas", @@ -360,7 +385,7 @@ ], "description": "Determines whether the object is enabled." }, - "nbf": { + "exp": { "oneOf": [ { "type": "integer" @@ -369,9 +394,9 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Not before date in UTC expressed as a unix time integer.." + "description": "Expiry date in seconds since 1970-01-01T00:00:00Z." }, - "exp": { + "nbf": { "oneOf": [ { "type": "integer" @@ -380,7 +405,7 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Expiry date in UTC expressed as a unix time integer.." + "description": "Not before date in seconds since 1970-01-01T00:00:00Z." } }, "description": "The secret management attributes." @@ -388,14 +413,6 @@ "SecretProperties": { "type": "object", "properties": { - "value": { - "type": "string", - "description": "The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets." - }, - "contentType": { - "type": "string", - "description": "The content type of the secret." - }, "attributes": { "oneOf": [ { @@ -405,7 +422,15 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "The attributes of the secret." + "description": "The secret management attributes." + }, + "contentType": { + "type": "string", + "description": "The content type of the secret." + }, + "value": { + "type": "string", + "description": "The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets." } }, "description": "Properties of the secret" @@ -475,44 +500,47 @@ "VaultProperties": { "type": "object", "properties": { - "tenantId": { + "accessPolicies": { "oneOf": [ { - "type": "string", - "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not required. Otherwise, access policies are required." }, - "sku": { + "createMode": { "oneOf": [ { - "$ref": "#/definitions/Sku" + "type": "string", + "enum": [ + "recover", + "default" + ] }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "SKU details" + "description": "The vault's create mode to indicate whether the vault need to be recovered or not." }, - "accessPolicies": { + "enabledForDeployment": { "oneOf": [ { - "type": "array", - "items": { - "$ref": "#/definitions/AccessPolicyEntry" - } + "type": "boolean" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." }, - "enabledForDeployment": { + "enabledForDiskEncryption": { "oneOf": [ { "type": "boolean" @@ -521,9 +549,9 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." + "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." }, - "enabledForDiskEncryption": { + "enabledForTemplateDeployment": { "oneOf": [ { "type": "boolean" @@ -532,9 +560,9 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." + "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." }, - "enabledForTemplateDeployment": { + "enablePurgeProtection": { "oneOf": [ { "type": "boolean" @@ -543,7 +571,7 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." + "description": "Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value." }, "enableSoftDelete": { "oneOf": [ @@ -554,33 +582,51 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. It does not accept false value." + "description": "Property specifying whether recoverable deletion is enabled for this key vault. Setting this property to true activates the soft delete feature, whereby vaults or vault entities can be recovered after deletion. Enabling this functionality is irreversible - that is, the property does not accept false as its value." }, - "createMode": { + "sku": { + "oneOf": [ + { + "$ref": "#/definitions/Sku" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU details" + }, + "tenantId": { "oneOf": [ { "type": "string", - "enum": [ - "recover", - "default" - ] + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "The vault's create mode to indicate whether the vault need to be recovered or not." + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + }, + "vaultUri": { + "type": "string", + "description": "The URI of the vault for performing operations on keys and secrets." } }, "required": [ - "tenantId", - "sku" + "sku", + "tenantId" ], "description": "Properties of the vault" }, "vaults_accessPolicies_childResource": { "type": "object", "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2016-10-01" + ] + }, "name": { "oneOf": [ { @@ -594,19 +640,8 @@ { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } - ] - }, - "type": { - "type": "string", - "enum": [ - "accessPolicies" - ] - }, - "apiVersion": { - "type": "string", - "enum": [ - "2016-10-01" - ] + ], + "description": "Name of the operation." }, "properties": { "oneOf": [ @@ -617,48 +652,43 @@ "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "Properties of the access policy" + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "accessPolicies" + ] } }, "required": [ - "name", - "type", "apiVersion", - "properties" + "name", + "properties", + "type" ], "description": "Microsoft.KeyVault/vaults/accessPolicies" }, "vaults_secrets_childResource": { "type": "object", "properties": { - "name": { - "type": "string" - }, - "type": { - "type": "string", - "enum": [ - "secrets" - ] - }, "apiVersion": { "type": "string", "enum": [ "2016-10-01" ] }, - "tags": { + "name": { "oneOf": [ { - "type": "object", - "additionalProperties": { - "type": "string" - } + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" }, { "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" } ], - "description": "The tags that will be assigned to the secret. " + "description": "Name of the secret" }, "properties": { "oneOf": [ @@ -670,13 +700,34 @@ } ], "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "secrets" + ] } }, "required": [ - "name", - "type", "apiVersion", - "properties" + "name", + "properties", + "type" ], "description": "Microsoft.KeyVault/vaults/secrets" } diff --git a/schemas/2018-02-14-preview/Microsoft.KeyVault.json b/schemas/2018-02-14-preview/Microsoft.KeyVault.json new file mode 100644 index 0000000000..071d48056b --- /dev/null +++ b/schemas/2018-02-14-preview/Microsoft.KeyVault.json @@ -0,0 +1,838 @@ +{ + "id": "https://schema.management.azure.com/schemas/2018-02-14-preview/Microsoft.KeyVault.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.KeyVault", + "description": "Microsoft KeyVault Resource Types", + "resourceDefinitions": { + "vaults": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14-preview" + ] + }, + "location": { + "type": "string", + "description": "The supported Azure location where the key vault should be created." + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{3,24}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the vault" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/vaults_accessPolicies_childResource" + }, + { + "$ref": "#/definitions/vaults_secrets_childResource" + } + ] + } + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the key vault." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults" + ] + } + }, + "required": [ + "apiVersion", + "location", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults" + }, + "vaults_accessPolicies": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_secrets": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + } + }, + "definitions": { + "AccessPolicyEntry": { + "type": "object", + "properties": { + "applicationId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": " Application ID of the client making request on behalf of a principal" + }, + "objectId": { + "type": "string", + "description": "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies." + }, + "permissions": { + "oneOf": [ + { + "$ref": "#/definitions/Permissions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + } + }, + "required": [ + "objectId", + "permissions", + "tenantId" + ], + "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + }, + "IPRule": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78)." + } + }, + "required": [ + "value" + ], + "description": "A rule governing the accessibility of a vault from a specific ip address or ip range." + }, + "NetworkRuleSet": { + "type": "object", + "properties": { + "bypass": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AzureServices", + "None" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'." + }, + "defaultAction": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Allow", + "Deny" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated." + }, + "ipRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IPRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of IP address rules." + }, + "virtualNetworkRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/VirtualNetworkRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of virtual network rules." + } + }, + "description": "A set of rules governing the network accessibility of a vault." + }, + "Permissions": { + "type": "object", + "properties": { + "certificates": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "delete", + "create", + "import", + "update", + "managecontacts", + "getissuers", + "listissuers", + "setissuers", + "deleteissuers", + "manageissuers", + "recover", + "purge", + "backup", + "restore" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to certificates" + }, + "keys": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "encrypt", + "decrypt", + "wrapKey", + "unwrapKey", + "sign", + "verify", + "get", + "list", + "create", + "update", + "import", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to keys" + }, + "secrets": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "set", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to secrets" + }, + "storage": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "delete", + "set", + "update", + "regeneratekey", + "recover", + "purge", + "backup", + "restore", + "setsas", + "listsas", + "getsas", + "deletesas" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to storage accounts" + } + }, + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "SecretAttributes": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the object is enabled." + }, + "exp": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Expiry date in seconds since 1970-01-01T00:00:00Z." + }, + "nbf": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Not before date in seconds since 1970-01-01T00:00:00Z." + } + }, + "description": "The secret management attributes." + }, + "SecretProperties": { + "type": "object", + "properties": { + "attributes": { + "oneOf": [ + { + "$ref": "#/definitions/SecretAttributes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The secret management attributes." + }, + "contentType": { + "type": "string", + "description": "The content type of the secret." + }, + "value": { + "type": "string", + "description": "The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets." + } + }, + "description": "Properties of the secret" + }, + "Sku": { + "type": "object", + "properties": { + "family": { + "oneOf": [ + { + "type": "string", + "enum": [ + "A" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU family name" + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "standard", + "premium" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU name to specify whether the key vault is a standard vault or a premium vault." + } + }, + "required": [ + "family", + "name" + ], + "description": "SKU details" + }, + "VaultAccessPolicyProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + } + }, + "required": [ + "accessPolicies" + ], + "description": "Properties of the vault access policy" + }, + "VaultProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + }, + "createMode": { + "oneOf": [ + { + "type": "string", + "enum": [ + "recover", + "default" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The vault's create mode to indicate whether the vault need to be recovered or not." + }, + "enabledForDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." + }, + "enabledForDiskEncryption": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." + }, + "enabledForTemplateDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." + }, + "enablePurgeProtection": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value." + }, + "enableSoftDelete": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. It does not accept false value." + }, + "networkAcls": { + "oneOf": [ + { + "$ref": "#/definitions/NetworkRuleSet" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A set of rules governing the network accessibility of a vault." + }, + "sku": { + "oneOf": [ + { + "$ref": "#/definitions/Sku" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU details" + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + }, + "vaultUri": { + "type": "string", + "description": "The URI of the vault for performing operations on keys and secrets." + } + }, + "required": [ + "sku", + "tenantId" + ], + "description": "Properties of the vault" + }, + "vaults_accessPolicies_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_secrets_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + }, + "VirtualNetworkRule": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'." + } + }, + "required": [ + "id" + ], + "description": "A rule governing the accessibility of a vault from a specific virtual network." + } + } +} diff --git a/schemas/2018-02-14/Microsoft.KeyVault.json b/schemas/2018-02-14/Microsoft.KeyVault.json new file mode 100644 index 0000000000..11cb96ac91 --- /dev/null +++ b/schemas/2018-02-14/Microsoft.KeyVault.json @@ -0,0 +1,1002 @@ +{ + "id": "https://schema.management.azure.com/schemas/2018-02-14/Microsoft.KeyVault.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.KeyVault", + "description": "Microsoft KeyVault Resource Types", + "resourceDefinitions": { + "vaults": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14" + ] + }, + "location": { + "type": "string", + "description": "The supported Azure location where the key vault should be created." + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{3,24}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the vault" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/vaults_accessPolicies_childResource" + }, + { + "$ref": "#/definitions/vaults_privateEndpointConnections_childResource" + }, + { + "$ref": "#/definitions/vaults_secrets_childResource" + } + ] + } + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the key vault." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults" + ] + } + }, + "required": [ + "apiVersion", + "location", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults" + }, + "vaults_accessPolicies": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_privateEndpointConnections": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14" + ] + }, + "name": { + "type": "string", + "description": "Name of the private endpoint connection associated with the key vault." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpointConnectionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the private endpoint connection resource." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/privateEndpointConnections" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/privateEndpointConnections" + }, + "vaults_secrets": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + } + }, + "definitions": { + "AccessPolicyEntry": { + "type": "object", + "properties": { + "applicationId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": " Application ID of the client making request on behalf of a principal" + }, + "objectId": { + "type": "string", + "description": "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies." + }, + "permissions": { + "oneOf": [ + { + "$ref": "#/definitions/Permissions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + } + }, + "required": [ + "objectId", + "permissions", + "tenantId" + ], + "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + }, + "IPRule": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78)." + } + }, + "required": [ + "value" + ], + "description": "A rule governing the accessibility of a vault from a specific ip address or ip range." + }, + "NetworkRuleSet": { + "type": "object", + "properties": { + "bypass": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AzureServices", + "None" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'." + }, + "defaultAction": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Allow", + "Deny" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated." + }, + "ipRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IPRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of IP address rules." + }, + "virtualNetworkRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/VirtualNetworkRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of virtual network rules." + } + }, + "description": "A set of rules governing the network accessibility of a vault." + }, + "Permissions": { + "type": "object", + "properties": { + "certificates": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "delete", + "create", + "import", + "update", + "managecontacts", + "getissuers", + "listissuers", + "setissuers", + "deleteissuers", + "manageissuers", + "recover", + "purge", + "backup", + "restore" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to certificates" + }, + "keys": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "encrypt", + "decrypt", + "wrapKey", + "unwrapKey", + "sign", + "verify", + "get", + "list", + "create", + "update", + "import", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to keys" + }, + "secrets": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "set", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to secrets" + }, + "storage": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "delete", + "set", + "update", + "regeneratekey", + "recover", + "purge", + "backup", + "restore", + "setsas", + "listsas", + "getsas", + "deletesas" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to storage accounts" + } + }, + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "PrivateEndpoint": { + "type": "object", + "properties": {}, + "description": "Private endpoint object properties." + }, + "PrivateEndpointConnectionProperties": { + "type": "object", + "properties": { + "privateEndpoint": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpoint" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Private endpoint object properties." + }, + "privateLinkServiceConnectionState": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateLinkServiceConnectionState" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An object that represents the approval state of the private link connection." + }, + "provisioningState": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Succeeded", + "Creating", + "Updating", + "Deleting", + "Failed", + "Disconnected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Provisioning state of the private endpoint connection." + } + }, + "description": "Properties of the private endpoint connection resource." + }, + "PrivateLinkServiceConnectionState": { + "type": "object", + "properties": { + "actionRequired": { + "type": "string", + "description": "A message indicating if changes on the service provider require any updates on the consumer." + }, + "description": { + "type": "string", + "description": "The reason for approval or rejection." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Pending", + "Approved", + "Rejected", + "Disconnected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Indicates whether the connection has been approved, rejected or removed by the key vault owner." + } + }, + "description": "An object that represents the approval state of the private link connection." + }, + "SecretAttributes": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the object is enabled." + }, + "exp": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Expiry date in seconds since 1970-01-01T00:00:00Z." + }, + "nbf": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Not before date in seconds since 1970-01-01T00:00:00Z." + } + }, + "description": "The secret management attributes." + }, + "SecretProperties": { + "type": "object", + "properties": { + "attributes": { + "oneOf": [ + { + "$ref": "#/definitions/SecretAttributes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The secret management attributes." + }, + "contentType": { + "type": "string", + "description": "The content type of the secret." + }, + "value": { + "type": "string", + "description": "The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets." + } + }, + "description": "Properties of the secret" + }, + "Sku": { + "type": "object", + "properties": { + "family": { + "oneOf": [ + { + "type": "string", + "enum": [ + "A" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU family name" + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "standard", + "premium" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU name to specify whether the key vault is a standard vault or a premium vault." + } + }, + "required": [ + "family", + "name" + ], + "description": "SKU details" + }, + "VaultAccessPolicyProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + } + }, + "required": [ + "accessPolicies" + ], + "description": "Properties of the vault access policy" + }, + "VaultProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not required. Otherwise, access policies are required." + }, + "createMode": { + "oneOf": [ + { + "type": "string", + "enum": [ + "recover", + "default" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The vault's create mode to indicate whether the vault need to be recovered or not." + }, + "enabledForDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." + }, + "enabledForDiskEncryption": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." + }, + "enabledForTemplateDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." + }, + "enablePurgeProtection": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value." + }, + "enableSoftDelete": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. It does not accept false value." + }, + "networkAcls": { + "oneOf": [ + { + "$ref": "#/definitions/NetworkRuleSet" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A set of rules governing the network accessibility of a vault." + }, + "sku": { + "oneOf": [ + { + "$ref": "#/definitions/Sku" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU details" + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + }, + "vaultUri": { + "type": "string", + "description": "The URI of the vault for performing operations on keys and secrets." + } + }, + "required": [ + "sku", + "tenantId" + ], + "description": "Properties of the vault" + }, + "vaults_accessPolicies_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_privateEndpointConnections_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14" + ] + }, + "name": { + "type": "string", + "description": "Name of the private endpoint connection associated with the key vault." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpointConnectionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the private endpoint connection resource." + }, + "type": { + "type": "string", + "enum": [ + "privateEndpointConnections" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/privateEndpointConnections" + }, + "vaults_secrets_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2018-02-14" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + }, + "VirtualNetworkRule": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'." + } + }, + "required": [ + "id" + ], + "description": "A rule governing the accessibility of a vault from a specific virtual network." + } + } +} diff --git a/schemas/2019-09-01/Microsoft.KeyVault.json b/schemas/2019-09-01/Microsoft.KeyVault.json new file mode 100644 index 0000000000..4d30f2548f --- /dev/null +++ b/schemas/2019-09-01/Microsoft.KeyVault.json @@ -0,0 +1,1315 @@ +{ + "id": "https://schema.management.azure.com/schemas/2019-09-01/Microsoft.KeyVault.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.KeyVault", + "description": "Microsoft KeyVault Resource Types", + "resourceDefinitions": { + "vaults": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "location": { + "type": "string", + "description": "The supported Azure location where the key vault should be created." + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{3,24}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the vault" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/vaults_accessPolicies_childResource" + }, + { + "$ref": "#/definitions/vaults_privateEndpointConnections_childResource" + }, + { + "$ref": "#/definitions/vaults_keys_childResource" + }, + { + "$ref": "#/definitions/vaults_secrets_childResource" + } + ] + } + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the key vault." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults" + ] + } + }, + "required": [ + "apiVersion", + "location", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults" + }, + "vaults_accessPolicies": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_keys": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The name of the key to be created." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/KeyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The properties of the key." + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the key." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/keys" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/keys" + }, + "vaults_privateEndpointConnections": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "etag": { + "type": "string", + "description": "Modified whenever there is a change in the state of private endpoint connection." + }, + "name": { + "type": "string", + "description": "Name of the private endpoint connection associated with the key vault." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpointConnectionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the private endpoint connection resource." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/privateEndpointConnections" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/privateEndpointConnections" + }, + "vaults_secrets": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + } + }, + "definitions": { + "AccessPolicyEntry": { + "type": "object", + "properties": { + "applicationId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": " Application ID of the client making request on behalf of a principal" + }, + "objectId": { + "type": "string", + "description": "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies." + }, + "permissions": { + "oneOf": [ + { + "$ref": "#/definitions/Permissions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + } + }, + "required": [ + "objectId", + "permissions", + "tenantId" + ], + "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + }, + "IPRule": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78)." + } + }, + "required": [ + "value" + ], + "description": "A rule governing the accessibility of a vault from a specific ip address or ip range." + }, + "KeyAttributes": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether or not the object is enabled." + }, + "exp": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Expiry date in seconds since 1970-01-01T00:00:00Z." + }, + "nbf": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Not before date in seconds since 1970-01-01T00:00:00Z." + } + }, + "description": "The attributes of the key." + }, + "KeyProperties": { + "type": "object", + "properties": { + "attributes": { + "oneOf": [ + { + "$ref": "#/definitions/KeyAttributes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The attributes of the key." + }, + "curveName": { + "oneOf": [ + { + "type": "string", + "enum": [ + "P-256", + "P-384", + "P-521", + "P-256K" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The elliptic curve name. For valid values, see JsonWebKeyCurveName." + }, + "keyOps": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "encrypt", + "decrypt", + "sign", + "verify", + "wrapKey", + "unwrapKey", + "import" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ] + }, + "keySize": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The key size in bits. For example: 2048, 3072, or 4096 for RSA." + }, + "kty": { + "oneOf": [ + { + "type": "string", + "enum": [ + "EC", + "EC-HSM", + "RSA", + "RSA-HSM" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The type of the key. For valid values, see JsonWebKeyType." + } + }, + "description": "The properties of the key." + }, + "NetworkRuleSet": { + "type": "object", + "properties": { + "bypass": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AzureServices", + "None" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'." + }, + "defaultAction": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Allow", + "Deny" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated." + }, + "ipRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IPRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of IP address rules." + }, + "virtualNetworkRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/VirtualNetworkRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of virtual network rules." + } + }, + "description": "A set of rules governing the network accessibility of a vault." + }, + "Permissions": { + "type": "object", + "properties": { + "certificates": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "all", + "get", + "list", + "delete", + "create", + "import", + "update", + "managecontacts", + "getissuers", + "listissuers", + "setissuers", + "deleteissuers", + "manageissuers", + "recover", + "purge", + "backup", + "restore" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to certificates" + }, + "keys": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "all", + "encrypt", + "decrypt", + "wrapKey", + "unwrapKey", + "sign", + "verify", + "get", + "list", + "create", + "update", + "import", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to keys" + }, + "secrets": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "all", + "get", + "list", + "set", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to secrets" + }, + "storage": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "all", + "get", + "list", + "delete", + "set", + "update", + "regeneratekey", + "recover", + "purge", + "backup", + "restore", + "setsas", + "listsas", + "getsas", + "deletesas" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to storage accounts" + } + }, + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "PrivateEndpoint": { + "type": "object", + "properties": {}, + "description": "Private endpoint object properties." + }, + "PrivateEndpointConnectionProperties": { + "type": "object", + "properties": { + "privateEndpoint": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpoint" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Private endpoint object properties." + }, + "privateLinkServiceConnectionState": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateLinkServiceConnectionState" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An object that represents the approval state of the private link connection." + }, + "provisioningState": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Succeeded", + "Creating", + "Updating", + "Deleting", + "Failed", + "Disconnected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Provisioning state of the private endpoint connection." + } + }, + "description": "Properties of the private endpoint connection resource." + }, + "PrivateLinkServiceConnectionState": { + "type": "object", + "properties": { + "actionsRequired": { + "type": "string", + "description": "A message indicating if changes on the service provider require any updates on the consumer." + }, + "description": { + "type": "string", + "description": "The reason for approval or rejection." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Pending", + "Approved", + "Rejected", + "Disconnected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Indicates whether the connection has been approved, rejected or removed by the key vault owner." + } + }, + "description": "An object that represents the approval state of the private link connection." + }, + "SecretAttributes": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the object is enabled." + }, + "exp": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Expiry date in seconds since 1970-01-01T00:00:00Z." + }, + "nbf": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Not before date in seconds since 1970-01-01T00:00:00Z." + } + }, + "description": "The secret management attributes." + }, + "SecretProperties": { + "type": "object", + "properties": { + "attributes": { + "oneOf": [ + { + "$ref": "#/definitions/SecretAttributes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The secret management attributes." + }, + "contentType": { + "type": "string", + "description": "The content type of the secret." + }, + "value": { + "type": "string", + "description": "The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets." + } + }, + "description": "Properties of the secret" + }, + "Sku": { + "type": "object", + "properties": { + "family": { + "oneOf": [ + { + "type": "string", + "enum": [ + "A" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU family name" + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "standard", + "premium" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU name to specify whether the key vault is a standard vault or a premium vault." + } + }, + "required": [ + "family", + "name" + ], + "description": "SKU details" + }, + "VaultAccessPolicyProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + } + }, + "required": [ + "accessPolicies" + ], + "description": "Properties of the vault access policy" + }, + "VaultProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not required. Otherwise, access policies are required." + }, + "createMode": { + "oneOf": [ + { + "type": "string", + "enum": [ + "recover", + "default" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The vault's create mode to indicate whether the vault need to be recovered or not." + }, + "enabledForDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." + }, + "enabledForDiskEncryption": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." + }, + "enabledForTemplateDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." + }, + "enablePurgeProtection": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value." + }, + "enableRbacAuthorization": { + "oneOf": [ + { + "type": "boolean", + "default": false + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC." + }, + "enableSoftDelete": { + "oneOf": [ + { + "type": "boolean", + "default": true + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false." + }, + "networkAcls": { + "oneOf": [ + { + "$ref": "#/definitions/NetworkRuleSet" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A set of rules governing the network accessibility of a vault." + }, + "provisioningState": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Succeeded", + "RegisteringDns" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Provisioning state of the vault." + }, + "sku": { + "oneOf": [ + { + "$ref": "#/definitions/Sku" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU details" + }, + "softDeleteRetentionInDays": { + "oneOf": [ + { + "type": "integer", + "default": "90" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "softDelete data retention days. It accepts >=7 and <=90." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + }, + "vaultUri": { + "type": "string", + "description": "The URI of the vault for performing operations on keys and secrets. This property is readonly" + } + }, + "required": [ + "sku", + "tenantId" + ], + "description": "Properties of the vault" + }, + "vaults_accessPolicies_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_keys_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The name of the key to be created." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/KeyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The properties of the key." + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the key." + }, + "type": { + "type": "string", + "enum": [ + "keys" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/keys" + }, + "vaults_privateEndpointConnections_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "etag": { + "type": "string", + "description": "Modified whenever there is a change in the state of private endpoint connection." + }, + "name": { + "type": "string", + "description": "Name of the private endpoint connection associated with the key vault." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpointConnectionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the private endpoint connection resource." + }, + "type": { + "type": "string", + "enum": [ + "privateEndpointConnections" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/privateEndpointConnections" + }, + "vaults_secrets_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2019-09-01" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + }, + "VirtualNetworkRule": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'." + }, + "ignoreMissingVnetServiceEndpoint": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured." + } + }, + "required": [ + "id" + ], + "description": "A rule governing the accessibility of a vault from a specific virtual network." + } + } +} diff --git a/schemas/2020-04-01-preview/Microsoft.KeyVault.json b/schemas/2020-04-01-preview/Microsoft.KeyVault.json new file mode 100644 index 0000000000..fd4842bd02 --- /dev/null +++ b/schemas/2020-04-01-preview/Microsoft.KeyVault.json @@ -0,0 +1,1262 @@ +{ + "id": "https://schema.management.azure.com/schemas/2020-04-01-preview/Microsoft.KeyVault.json#", + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Microsoft.KeyVault", + "description": "Microsoft KeyVault Resource Types", + "resourceDefinitions": { + "managedHSMs": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "location": { + "type": "string", + "description": "The supported Azure location where the managed HSM Pool should be created." + }, + "name": { + "type": "string", + "description": "Name of the managed HSM Pool" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/ManagedHsmProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the managed HSM Pool" + }, + "sku": { + "oneOf": [ + { + "$ref": "#/definitions/ManagedHsmSku" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU details" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Resource tags" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/managedHSMs" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/managedHSMs" + }, + "vaults": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "location": { + "type": "string", + "description": "The supported Azure location where the key vault should be created." + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{3,24}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the vault" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault" + }, + "resources": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/definitions/vaults_accessPolicies_childResource" + }, + { + "$ref": "#/definitions/vaults_privateEndpointConnections_childResource" + }, + { + "$ref": "#/definitions/vaults_secrets_childResource" + } + ] + } + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the key vault." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults" + ] + } + }, + "required": [ + "apiVersion", + "location", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults" + }, + "vaults_accessPolicies": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_privateEndpointConnections": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Modified whenever there is a change in the state of private endpoint connection." + }, + "name": { + "type": "string", + "description": "Name of the private endpoint connection associated with the key vault." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpointConnectionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the private endpoint connection resource." + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/privateEndpointConnections" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/privateEndpointConnections" + }, + "vaults_secrets": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "Microsoft.KeyVault/vaults/secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + } + }, + "definitions": { + "AccessPolicyEntry": { + "type": "object", + "properties": { + "applicationId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": " Application ID of the client making request on behalf of a principal" + }, + "objectId": { + "type": "string", + "description": "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies." + }, + "permissions": { + "oneOf": [ + { + "$ref": "#/definitions/Permissions" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + } + }, + "required": [ + "objectId", + "permissions", + "tenantId" + ], + "description": "An identity that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + }, + "IPRule": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78)." + } + }, + "required": [ + "value" + ], + "description": "A rule governing the accessibility of a vault from a specific ip address or ip range." + }, + "ManagedHsmProperties": { + "type": "object", + "properties": { + "createMode": { + "oneOf": [ + { + "type": "string", + "enum": [ + "recover", + "default" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The create mode to indicate whether the resource is being created or is being recovered from a deleted resource." + }, + "enablePurgeProtection": { + "oneOf": [ + { + "type": "boolean", + "default": true + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible." + }, + "enableSoftDelete": { + "oneOf": [ + { + "type": "boolean", + "default": true + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. If it's not set to any value(true or false) when creating new managed HSM pool, it will be set to true by default. Once set to true, it cannot be reverted to false." + }, + "initialAdminObjectIds": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Array of initial administrators object ids for this managed hsm pool." + }, + "softDeleteRetentionInDays": { + "oneOf": [ + { + "type": "integer", + "default": "90" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "softDelete data retention days. It accepts >=7 and <=90." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool." + } + }, + "description": "Properties of the managed HSM Pool" + }, + "ManagedHsmSku": { + "type": "object", + "properties": { + "family": { + "oneOf": [ + { + "type": "string", + "enum": [ + "B" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU Family of the managed HSM Pool" + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Standard_B1", + "Custom_B32" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU of the managed HSM Pool." + } + }, + "required": [ + "family", + "name" + ], + "description": "SKU details" + }, + "NetworkRuleSet": { + "type": "object", + "properties": { + "bypass": { + "oneOf": [ + { + "type": "string", + "enum": [ + "AzureServices", + "None" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'." + }, + "defaultAction": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Allow", + "Deny" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated." + }, + "ipRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/IPRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of IP address rules." + }, + "virtualNetworkRules": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/VirtualNetworkRule" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The list of virtual network rules." + } + }, + "description": "A set of rules governing the network accessibility of a vault." + }, + "Permissions": { + "type": "object", + "properties": { + "certificates": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "delete", + "create", + "import", + "update", + "managecontacts", + "getissuers", + "listissuers", + "setissuers", + "deleteissuers", + "manageissuers", + "recover", + "purge", + "backup", + "restore" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to certificates" + }, + "keys": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "encrypt", + "decrypt", + "wrapKey", + "unwrapKey", + "sign", + "verify", + "get", + "list", + "create", + "update", + "import", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to keys" + }, + "secrets": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "set", + "delete", + "backup", + "restore", + "recover", + "purge" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to secrets" + }, + "storage": { + "oneOf": [ + { + "type": "array", + "items": { + "type": "string", + "enum": [ + "get", + "list", + "delete", + "set", + "update", + "regeneratekey", + "recover", + "purge", + "backup", + "restore", + "setsas", + "listsas", + "getsas", + "deletesas" + ] + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Permissions to storage accounts" + } + }, + "description": "Permissions the identity has for keys, secrets, certificates and storage." + }, + "PrivateEndpoint": { + "type": "object", + "properties": {}, + "description": "Private endpoint object properties." + }, + "PrivateEndpointConnectionProperties": { + "type": "object", + "properties": { + "privateEndpoint": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpoint" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Private endpoint object properties." + }, + "privateLinkServiceConnectionState": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateLinkServiceConnectionState" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An object that represents the approval state of the private link connection." + }, + "provisioningState": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Succeeded", + "Creating", + "Updating", + "Deleting", + "Failed", + "Disconnected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Provisioning state of the private endpoint connection." + } + }, + "description": "Properties of the private endpoint connection resource." + }, + "PrivateLinkServiceConnectionState": { + "type": "object", + "properties": { + "actionsRequired": { + "oneOf": [ + { + "type": "string", + "enum": [ + "None" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A message indicating if changes on the service provider require any updates on the consumer." + }, + "description": { + "type": "string", + "description": "The reason for approval or rejection." + }, + "status": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Pending", + "Approved", + "Rejected", + "Disconnected" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Indicates whether the connection has been approved, rejected or removed by the key vault owner." + } + }, + "description": "An object that represents the approval state of the private link connection." + }, + "SecretAttributes": { + "type": "object", + "properties": { + "enabled": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Determines whether the object is enabled." + }, + "exp": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Expiry date in seconds since 1970-01-01T00:00:00Z." + }, + "nbf": { + "oneOf": [ + { + "type": "integer" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Not before date in seconds since 1970-01-01T00:00:00Z." + } + }, + "description": "The secret management attributes." + }, + "SecretProperties": { + "type": "object", + "properties": { + "attributes": { + "oneOf": [ + { + "$ref": "#/definitions/SecretAttributes" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The secret management attributes." + }, + "contentType": { + "type": "string", + "description": "The content type of the secret." + }, + "value": { + "type": "string", + "description": "The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended for internal use in ARM deployments. Users should use the data-plane REST service for interaction with vault secrets." + } + }, + "description": "Properties of the secret" + }, + "Sku": { + "type": "object", + "properties": { + "family": { + "oneOf": [ + { + "type": "string", + "enum": [ + "A" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU family name" + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "standard", + "premium" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU name to specify whether the key vault is a standard vault or a premium vault." + } + }, + "required": [ + "family", + "name" + ], + "description": "SKU details" + }, + "VaultAccessPolicyProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID." + } + }, + "required": [ + "accessPolicies" + ], + "description": "Properties of the vault access policy" + }, + "VaultProperties": { + "type": "object", + "properties": { + "accessPolicies": { + "oneOf": [ + { + "type": "array", + "items": { + "$ref": "#/definitions/AccessPolicyEntry" + } + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. When `createMode` is set to `recover`, access policies are not required. Otherwise, access policies are required." + }, + "createMode": { + "oneOf": [ + { + "type": "string", + "enum": [ + "recover", + "default" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The vault's create mode to indicate whether the vault need to be recovered or not." + }, + "enabledForDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault." + }, + "enabledForDiskEncryption": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys." + }, + "enabledForTemplateDeployment": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault." + }, + "enablePurgeProtection": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates protection against purge for this vault and its content - only the Key Vault service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible - that is, the property does not accept false as its value." + }, + "enableRbacAuthorization": { + "oneOf": [ + { + "type": "boolean", + "default": false + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC." + }, + "enableSoftDelete": { + "oneOf": [ + { + "type": "boolean", + "default": true + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true or false) when creating new key vault, it will be set to true by default. Once set to true, it cannot be reverted to false." + }, + "networkAcls": { + "oneOf": [ + { + "$ref": "#/definitions/NetworkRuleSet" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "A set of rules governing the network accessibility of a vault." + }, + "provisioningState": { + "oneOf": [ + { + "type": "string", + "enum": [ + "Succeeded", + "RegisteringDns" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Provisioning state of the vault." + }, + "sku": { + "oneOf": [ + { + "$ref": "#/definitions/Sku" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "SKU details" + }, + "softDeleteRetentionInDays": { + "oneOf": [ + { + "type": "integer", + "default": "90" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "softDelete data retention days. It accepts >=7 and <=90." + }, + "tenantId": { + "oneOf": [ + { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." + }, + "vaultUri": { + "type": "string", + "description": "The URI of the vault for performing operations on keys and secrets." + } + }, + "required": [ + "sku", + "tenantId" + ], + "description": "Properties of the vault" + }, + "vaults_accessPolicies_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "enum": [ + "add", + "replace", + "remove" + ] + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the operation." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/VaultAccessPolicyProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the vault access policy" + }, + "type": { + "type": "string", + "enum": [ + "accessPolicies" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/accessPolicies" + }, + "vaults_privateEndpointConnections_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "etag": { + "type": "string", + "description": "Modified whenever there is a change in the state of private endpoint connection." + }, + "name": { + "type": "string", + "description": "Name of the private endpoint connection associated with the key vault." + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/PrivateEndpointConnectionProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the private endpoint connection resource." + }, + "type": { + "type": "string", + "enum": [ + "privateEndpointConnections" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/privateEndpointConnections" + }, + "vaults_secrets_childResource": { + "type": "object", + "properties": { + "apiVersion": { + "type": "string", + "enum": [ + "2020-04-01-preview" + ] + }, + "name": { + "oneOf": [ + { + "type": "string", + "pattern": "^[a-zA-Z0-9-]{1,127}$" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Name of the secret" + }, + "properties": { + "oneOf": [ + { + "$ref": "#/definitions/SecretProperties" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Properties of the secret" + }, + "tags": { + "oneOf": [ + { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "properties": {} + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "The tags that will be assigned to the secret. " + }, + "type": { + "type": "string", + "enum": [ + "secrets" + ] + } + }, + "required": [ + "apiVersion", + "name", + "properties", + "type" + ], + "description": "Microsoft.KeyVault/vaults/secrets" + }, + "VirtualNetworkRule": { + "type": "object", + "properties": { + "id": { + "type": "string", + "description": "Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'." + }, + "ignoreMissingVnetServiceEndpoint": { + "oneOf": [ + { + "type": "boolean" + }, + { + "$ref": "https://schema.management.azure.com/schemas/common/definitions.json#/definitions/expression" + } + ], + "description": "Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured." + } + }, + "required": [ + "id" + ], + "description": "A rule governing the accessibility of a vault from a specific virtual network." + } + } +}