I have discovered lately that when you deploy an Azure ML instance from the ARM template, the MSI will override the purge protection settings of the Key Vault. It will enable purge protection on the Key Vault. This is not the behavior that I am looking for, because when trying to deploy it again, the template will fail, saying that a Key Vault with that name already exists and it can't be deleted before the retention period. This was my conclusion after doing several tests. Is my assumption correct?
If you deploy the Azure ML instance manually and select the Key Vault, it will keep the disabled purge settings. Any ideas how we can keep purge disabled here?
The Azure ML properties that we used are mentioned below:
```json
{
  "type": "Microsoft.MachineLearningServices/workspaces",
  "apiVersion": "2020-09-01-preview",
  "name": "[variables('machineLearningWorkspaceName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "[parameters('amlManagedIdentityOption')]"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
    "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]",
    "[resourceId('Microsoft.ContainerRegistry/registries', variables('containerRegistryName'))]"
  ],
  "tags": "[parameters('resourceTags')]",
  "properties": {
    "friendlyName": "[variables('machineLearningWorkspaceName')]",
    "storageAccount": "[variables('storageAccount')]",
    "keyVault": "[variables('keyVault')]",
    "applicationInsights": "[variables('applicationInsights')]",
    "containerRegistry": "[variables('containerRegistry')]",
    "adbWorkspace": "[variables('adbWorkSpace')]",
    "hbiWorkspace": "[parameters('confidential_data')]",
    "allowPublicAccessWhenBehindVnet": "[parameters('allowPublicAccessWhenBehindVnet')]"
  }
}
```
On the Key Vault, also created via ARM, we have:
```json
"properties": {
  "enabledForDeployment": "[parameters('enabledForDeployment')]",
  "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
  "enabledForVolumeEncryption": "[parameters('enableVaultForVolumeEncryption')]",
  "softDeleteRetentionInDays": 7,
  "tenantId": "[subscription().tenantId]",
  "copy": [
    {
      "name": "accessPolicies",
      "count": "[length(parameters('userObjectId'))]",
      "input": {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[parameters('userObjectId')[copyIndex('accessPolicies')].Id]",
        "permissions": "[parameters('userObjectId')[copyIndex('accessPolicies')].Permissions]"
      }
    }
  ]
}
```
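The following is an added example, not code from the question's author or from Azure. It is a small pre-deploy lint that reads an ARM template and flags the combination the question describes: a `Microsoft.KeyVault/vaults` resource that does not set `enablePurgeProtection` explicitly, plus a `Microsoft.MachineLearningServices/workspaces` resource that references a vault through `properties.keyVault`. The second function classifies the `properties` block of an `az keyvault show` result so you know before redeploying whether the vault name can be freed by a purge or only by recovering the soft-deleted vault. The template and the `show` output below are constructed for the example; the claim that the workspace deployment turns purge protection on is the observation from the question, and the point that purge protection cannot be turned off once enabled is documented Azure behaviour. Treating a missing `enableSoftDelete` as on is an assumption made here.

```python
import json

# Constructed sample template (not the poster's full template). The vault sets no
# explicit enablePurgeProtection flag and the workspace references it, which is
# the combination the question describes.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "[variables('keyVaultName')]",
            "properties": {
                "softDeleteRetentionInDays": 7,
                "tenantId": "[subscription().tenantId]",
            },
        },
        {
            "type": "Microsoft.MachineLearningServices/workspaces",
            "name": "[variables('machineLearningWorkspaceName')]",
            "properties": {"keyVault": "[variables('keyVault')]"},
        },
    ]
})

KV_TYPE = "Microsoft.KeyVault/vaults"
AML_TYPE = "Microsoft.MachineLearningServices/workspaces"


def lint_key_vault_purge_settings(template_text):
    """Return (code, message) findings about purge-protection drift in an ARM template."""
    template = json.loads(template_text)
    findings = []
    for res in template.get("resources", []):
        props = res.get("properties") or {}
        if res.get("type") == KV_TYPE:
            if "enablePurgeProtection" not in props:
                # Unset means the platform (or another deployment) decides; once it is
                # turned on it cannot be turned off again.
                findings.append((
                    "KV_PURGE_PROTECTION_UNSET",
                    f"{res.get('name')}: enablePurgeProtection is not set explicitly; "
                    "a later deployment can flip it on and that change is irreversible",
                ))
            elif props["enablePurgeProtection"] is True:
                findings.append((
                    "KV_PURGE_PROTECTION_ON",
                    f"{res.get('name')}: purge protection is on; after deletion the name "
                    "stays reserved for softDeleteRetentionInDays and cannot be purged",
                ))
        elif res.get("type") == AML_TYPE and props.get("keyVault"):
            # Per the question's observation, deploying the workspace enables purge
            # protection on the vault it references.
            findings.append((
                "AML_REFERENCES_KV",
                f"{res.get('name')}: workspace references {props['keyVault']}; "
                "the workspace deployment is reported to enable purge protection on it",
            ))
    return findings


def classify_vault_state(show_output):
    """Classify the JSON of `az keyvault show` (constructed here) for redeploy planning.

    Returns 'purge-protected', 'soft-delete-only' or 'no-soft-delete'.
    """
    props = show_output.get("properties") or {}
    if props.get("enablePurgeProtection"):
        return "purge-protected"
    # Assumption in this example: an absent enableSoftDelete means soft delete is on.
    if props.get("enableSoftDelete", True):
        return "soft-delete-only"
    return "no-soft-delete"


if __name__ == "__main__":
    for code, msg in lint_key_vault_purge_settings(SAMPLE_TEMPLATE):
        print(f"{code}: {msg}")
    # Constructed `az keyvault show` fragment for a vault that has already been flipped.
    print(classify_vault_state({"properties": {"enablePurgeProtection": True}}))
```

Run the lint against the template before every deployment rather than after a failed one. If `classify_vault_state` reports `purge-protected` for a vault that has since been deleted, a redeploy that creates a vault of the same name will keep failing until the retention period passes; the options are to recover the soft-deleted vault (`az keyvault recover`) and deploy against it, or to give the new vault a different name. Only a vault without purge protection can be freed with `az keyvault purge`.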