Support more than 16 access policies

azurerm/resource_arm_key_vault.go

@@ -84,7 +84,7 @@ func resourceArmKeyVault() *schema.Resource {
 				Type:     schema.TypeList,
 				Optional: true,
 				Computed: true,
-				MaxItems: 16,
+				MaxItems: 1024,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"tenant_id": {

azurerm/resource_arm_key_vault_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/hashicorp/terraform/helper/acctest"
 	"github.com/hashicorp/terraform/helper/resource"
 	"github.com/hashicorp/terraform/terraform"
 	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response"
@@ -161,6 +162,29 @@ func TestAccAzureRMKeyVault_networkAcls(t *testing.T) {
 	})
 }
 
+func TestAccAzureRMKeyVault_accessPolicyUpperLimit(t *testing.T) {
+	resourceName := "azurerm_key_vault.test"
+	ri := tf.AccRandTimeInt()
+	rs := acctest.RandString(10)
+	config := testAccAzureRMKeyVault_accessPolicyUpperLimit(ri, testLocation(), rs)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testCheckAzureRMKeyVaultDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					testCheckAzureRMKeyVaultExists(resourceName),
+					testCheckAzureRMKeyVaultDisappears(resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
 func TestAccAzureRMKeyVault_disappears(t *testing.T) {
 	resourceName := "azurerm_key_vault.test"
 	ri := tf.AccRandTimeInt()
@@ -648,3 +672,69 @@ resource "azurerm_key_vault" "test" {
 }
 `, rInt, location, rInt)
 }
+
+func testAccAzureRMKeyVault_accessPolicyUpperLimit(rInt int, location string, rs string) string {
+
+	var storageAccountConfigs string
+	var accessPoliciesConfigs string
+
+	for i := 1; i <= 20; i++ {
+		storageAccountConfigs += testAccAzureRMKeyVault_generateStorageAccountConfigs(i, rs)
+		accessPoliciesConfigs += testAccAzureRMKeyVault_generateAccessPolicyConfigs(i)
+	}
+
+	return fmt.Sprintf(`
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_key_vault" "test" {
+  name                = "vault%d"
+  location            = "${azurerm_resource_group.test.location}"
+  resource_group_name = "${azurerm_resource_group.test.name}"
+  tenant_id           = "${data.azurerm_client_config.current.tenant_id}"
+
+  sku {
+    name = "premium"
+  }
+%s
+}
+
+%s
+`, rInt, location, rInt, accessPoliciesConfigs, storageAccountConfigs)
+}
+
+func testAccAzureRMKeyVault_generateStorageAccountConfigs(accountNum int, rs string) string {
+	return fmt.Sprintf(`
+resource "azurerm_storage_account" "testsa%d" {
+    name                      = "testsa%d%s"
+    resource_group_name       = "${azurerm_resource_group.test.name}"
+    location                  = "${azurerm_resource_group.test.location}"
+    account_tier              = "Standard"
+    account_replication_type  = "GRS"
+
+    identity {
+      type = "SystemAssigned"
+    }
+
+    tags {
+      environment = "testing"
+    }
+}
+`, accountNum, accountNum, rs)
+}
+
+func testAccAzureRMKeyVault_generateAccessPolicyConfigs(accountNum int) string {
+	return fmt.Sprintf(`
+  access_policy {
+    tenant_id          = "${data.azurerm_client_config.current.tenant_id}"
+    object_id          = "${azurerm_storage_account.testsa%d.identity.0.principal_id}"
+
+    key_permissions    = ["get","create","delete","list","restore","recover","unwrapkey","wrapkey","purge","encrypt","decrypt","sign","verify"]
+    secret_permissions = ["get"]
+  }
+`, accountNum)
+}

website/docs/r/key_vault_access_policy.html.markdown

@@ -12,7 +12,7 @@ Manages a Key Vault Access Policy.
 
 ~> **NOTE:** It's possible to define Key Vault Access Policies both within [the `azurerm_key_vault` resource](key_vault.html) via the `access_policy` block and by using [the `azurerm_key_vault_access_policy` resource](key_vault_access_policy.html). However it's not possible to use both methods to manage Access Policies within a KeyVault, since there'll be conflicts.
 
--> **NOTE:** Azure permits a maximum of 16 Access Policies per Key Vault - [more information can be found in this document](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#data-plane-access-control).
+-> **NOTE:** Azure permits a maximum of 1024 Access Policies per Key Vault - [more information can be found in this document](https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#data-plane-access-control).
 
 ## Example Usage