I have an ARM template that I use to create a keyvault.
For a very specific reason, I need to manually set access policies on my keyvault once it's created.
If I run my ARM template again (to change some settings), the access policies I manually set are deleted.
What function or trick can I use to have an ARM template that combines access policies in the ARM template with the access policies that were set manually?
It is not possible; if you are using access policies, then you must specify them as you deploy the Microsoft.KeyVault/vaults resource.
The ARM reference says:
"access policies are required"
There is a workaround, but it is not simple. Instead of using access policies, you need to use the RBAC model to define access to your key vault. That is what is recommended by Microsoft in response to a feature request "ARM Template for KeyVault to have AccessPolicies non-mandatory":
For anyone who opens this feedback item:
- Use RBAC permission model: https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-migration