
Add key-vault-certificate-create template #14707

Merged
alex-frankel merged 7 commits into Azure:master from msmbaldwin:akv-key-vault-certificate-create on May 6, 2026

Conversation

@msmbaldwin (Contributor)

New RBAC-enabled template for creating a key vault and self-signed certificate.

Template details

  • Creates a key vault with enableRbacAuthorization: true
  • Creates a self-signed certificate with configurable subject name and validity period
  • API version: 2023-07-01
  • Includes: bicep, ARM JSON, parameters, metadata, README

This template is referenced by the Key Vault certificates ARM quickstart.

Part of a series to modernize Key Vault quickstart templates to RBAC.

New RBAC-enabled template for creating a key vault and self-signed certificate:
- enableRbacAuthorization: true, enableSoftDelete, API version 2023-07-01
- Self-signed certificate with configurable subject and validity
- Full template directory: bicep, JSON, params, metadata, README

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
azure-quickstarts added the labels "remove azuredeploy.json" (bicep sample, remove json from PR), "metadata violations" (metadata violations during PR) and "bicep warnings" on Apr 10, 2026

@azure-quickstarts (Collaborator)

@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.]

…cep warning

The certificates resource type does not have bicep type definitions at
any API version. Suppress BCP081 with #disable-next-line.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
azure-quickstarts removed the labels "remove azuredeploy.json" (bicep sample, remove json from PR), "metadata violations" (metadata violations during PR) and "bicep warnings" on Apr 10, 2026

@azure-quickstarts (Collaborator)

@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.]

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
azure-quickstarts added the label "metadata violations" (metadata violations during PR) on Apr 24, 2026

@azure-quickstarts (Collaborator)

@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.]

ARM doesn't have a Microsoft.KeyVault/vaults/certificates resource type, so
the previous template failed at deployment time with BadRequest after the
vault was created. Switch to the public Bicep registry module
br/public:deployment-scripts/create-kv-certificate:3.4.2, which provisions
a user-assigned managed identity, grants it Key Vault Certificate Officer
on the vault, and runs az keyvault certificate create via deploymentScript.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@msmbaldwin (Contributor, Author)

Pushed a fix in 82c5c94. The MAC pipeline failure was a deployment failure: Microsoft.KeyVault/vaults/certificates is not a valid ARM resource type (Bicep was warning BCP081, which I had suppressed). The vault deployed but the certificate sub-resource returned BadRequest.

Replaced the inline certificate resource with the public Bicep registry module br/public:deployment-scripts/create-kv-certificate:3.4.2, which provisions a user-assigned managed identity, grants it Key Vault Certificate Officer on the vault, and runs az keyvault certificate create via a deployment script. Same approach as deployment-script-azcli-agw-certificates.

Re-running CI now.

azure-quickstarts removed the label "metadata violations" (metadata violations during PR) on May 1, 2026

@azure-quickstarts (Collaborator)

@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.]

@azure-quickstarts (Collaborator)

@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.]

@msmbaldwin (Contributor, Author)

MAC fix landed in b2a99de. The deployment-script module wraps each output in createArray(), so I needed [0][0] (not [0]) to get the string out of the array-of-arrays for certificateSecretIds and certificateThumbprintHexs. Build 186903 passed.

The remaining "Validate" Action failure is the GH Actions / MAC schema conflict that's already biting other recent PRs (#14717, #14719 merged with the same red Validate check) — Validate requires testResult in metadata.json, but the MAC schema rejects it.
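The shape the template converges on after the two fixes above, written out as an added example (this is not the PR's own bicep file): an RBAC-enabled vault, the public registry module that provisions the user-assigned identity, grants it a role scoped to that vault only and runs `az keyvault certificate create` from a deploymentScript, and the `[0][0]` unwrap of the module's array-of-arrays outputs. The module parameter names (`akvName`, `certificateNames`, `certificateCommonNames`, `validity`, `initialScriptDelay`), the purge-protection setting and the `contoso.example` subject are assumptions of this example, not something the PR states; check the parameter names against the module's README for version 3.4.2 before deploying.

```bicep
// Added example, not the PR's template. Assumed: the module's parameter
// names and output names as listed in the lead-in above.

@description('Name of the key vault (globally unique, 3-24 chars, letters, digits, hyphens).')
param vaultName string = 'kv-${uniqueString(resourceGroup().id)}'

@description('Azure region for all resources.')
param location string = resourceGroup().location

@description('Name of the certificate object inside the vault.')
param certificateName string = 'example-cert'

@description('Subject common name for the self-signed certificate (assumed value).')
param certificateCommonName string = 'contoso.example'

@description('Validity period of the certificate in months.')
@minValue(1)
@maxValue(36)
param validityInMonths int = 12

@description('Purge protection cannot be disabled once enabled; leave on outside throwaway CI vaults.')
param enablePurgeProtection bool = true

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // RBAC instead of access policies: the deployment script's identity is
    // granted a role on this vault only, nothing subscription-wide.
    enableRbacAuthorization: true
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: enablePurgeProtection
    // The deploymentScript container reaches the vault over the data plane,
    // so the vault must be reachable from it.
    publicNetworkAccess: 'Enabled'
  }
}

// Microsoft.KeyVault/vaults/certificates is not an ARM resource type, so an
// inline resource fails with BadRequest after the vault is created. The
// certificate has to be created on the data plane: the module provisions a
// user-assigned managed identity, assigns it Key Vault Certificates Officer
// on the vault, waits initialScriptDelay seconds for the RBAC assignment to
// propagate, then runs `az keyvault certificate create` in a deploymentScript.
module kvCert 'br/public:deployment-scripts/create-kv-certificate:3.4.2' = {
  name: 'create-kv-certificate'
  params: {
    akvName: keyVault.name
    location: location
    certificateNames: [
      certificateName
    ]
    certificateCommonNames: [
      certificateCommonName
    ]
    validity: validityInMonths
    initialScriptDelay: '30'
  }
}

// The module wraps each output element in createArray(), so every output is
// an array of single-element arrays: outputs[i] == [value]. Index [0][0]
// to get the string for the first (here the only) certificate.
output keyVaultName string = keyVault.name
output certificateSecretId string = kvCert.outputs.certificateSecretIds[0][0]
output certificateThumbprint string = kvCert.outputs.certificateThumbprintHexs[0][0]
```

The thumbprint output is the thing to hand to whatever consumes the certificate (an Application Gateway or App Service binding, for instance); the secret id is a versioned URI into the vault, and resolving it at runtime still requires the consumer's own identity to hold a Key Vault role on this vault, since the Certificates Officer assignment above belongs only to the script's identity.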

@msmbaldwin (Contributor, Author)

#sign-off

MAC is green. The red "Validate" check is the known testResult schema conflict — Validate requires the field, the MAC schema rejects it. Same situation under which #14717 and #14719 were recently merged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@azure-quickstarts (Collaborator)

@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.]

@alex-frankel (Contributor) left a review comment:

Old-rules compliant; AzQuickStarts-MAC passed. Net-new key-vault-certificate-create sample (Bicep + README + metadata, +133/-0).

@alex-frankel alex-frankel merged commit 124cea4 into Azure:master May 6, 2026
3 of 5 checks passed