diff --git a/.github/workflows/ci-go.yml b/.github/workflows/ci-go.yml
index f79b05cae..d55e55328 100644
--- a/.github/workflows/ci-go.yml
+++ b/.github/workflows/ci-go.yml
@@ -15,7 +15,7 @@ jobs:
   ci-from-docker:
     runs-on: ubuntu-latest
     container:
-      image: registry.access.redhat.com/ubi8/go-toolset:1.20.10
+      image: registry.access.redhat.com/ubi8/go-toolset:1.20.12-5
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -32,7 +32,7 @@ jobs:
   vendor-check:
     runs-on: ubuntu-latest
     container:
-      image: registry.access.redhat.com/ubi8/go-toolset:1.20.10
+      image: registry.access.redhat.com/ubi8/go-toolset:1.20.12-5
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -44,7 +44,7 @@ jobs:
   generate-check:
     runs-on: ubuntu-latest
     container:
-      image: registry.access.redhat.com/ubi8/go-toolset:1.20.10
+      image: registry.access.redhat.com/ubi8/go-toolset:1.20.12-5
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
diff --git a/.pipelines/ci.yml b/.pipelines/ci.yml
index 3564656b4..ecdda2eba 100644
--- a/.pipelines/ci.yml
+++ b/.pipelines/ci.yml
@@ -22,7 +22,7 @@ pr:
 resources:
   containers:
     - container: golang
-      image: registry.access.redhat.com/ubi8/go-toolset:1.20.10
+      image: registry.access.redhat.com/ubi8/go-toolset:1.20.12-5
       options: --user=0
     - container: python
       image: registry.access.redhat.com/ubi8/python-39:latest
diff --git a/.pipelines/onebranch/pipeline.buildrp.official.yml b/.pipelines/onebranch/pipeline.buildrp.official.yml
index b95d8ba98..6eed198f4 100644
--- a/.pipelines/onebranch/pipeline.buildrp.official.yml
+++ b/.pipelines/onebranch/pipeline.buildrp.official.yml
@@ -14,7 +14,7 @@ pr: none
 variables:
   Cdp_Definition_Build_Count: $[counter('', 0)] # needed for onebranch.pipeline.version task https://aka.ms/obpipelines/versioning
   ONEBRANCH_AME_ACR_LOGIN: cdpxb8e9ef87cd634085ab141c637806568c00.azurecr.io
-  LinuxContainerImage: $(ONEBRANCH_AME_ACR_LOGIN)/b8e9ef87-cd63-4085-ab14-1c637806568c/official/ubi8/go-toolset:1.20.10 # Docker image which is used to build the project https://aka.ms/obpipelines/containers
+  LinuxContainerImage: $(ONEBRANCH_AME_ACR_LOGIN)/b8e9ef87-cd63-4085-ab14-1c637806568c/official/ubi8/go-toolset:1.20.12-5 # Docker image which is used to build the project https://aka.ms/obpipelines/containers
   Debian_Frontend: noninteractive
 
 resources:
diff --git a/.pipelines/onebranch/pipeline.buildrp.pullrequest.yml b/.pipelines/onebranch/pipeline.buildrp.pullrequest.yml
index 62df20d5c..450c6cc99 100644
--- a/.pipelines/onebranch/pipeline.buildrp.pullrequest.yml
+++ b/.pipelines/onebranch/pipeline.buildrp.pullrequest.yml
@@ -14,7 +14,7 @@ pr: none
 variables:
   Cdp_Definition_Build_Count: $[counter('', 0)] # needed for onebranch.pipeline.version task https://aka.ms/obpipelines/versioning
   ONEBRANCH_AME_ACR_LOGIN: cdpxb8e9ef87cd634085ab141c637806568c00.azurecr.io
-  LinuxContainerImage: $(ONEBRANCH_AME_ACR_LOGIN)/b8e9ef87-cd63-4085-ab14-1c637806568c/official/ubi8/go-toolset:1.20.10 # Docker image which is used to build the project https://aka.ms/obpipelines/containers
+  LinuxContainerImage: $(ONEBRANCH_AME_ACR_LOGIN)/b8e9ef87-cd63-4085-ab14-1c637806568c/official/ubi8/go-toolset:1.20.12-5 # Docker image which is used to build the project https://aka.ms/obpipelines/containers
   Debian_Frontend: noninteractive
 
 resources:
diff --git a/Dockerfile.aro-e2e b/Dockerfile.aro-e2e
index 23b575fe1..da17fb2db 100644
--- a/Dockerfile.aro-e2e
+++ b/Dockerfile.aro-e2e
@@ -1,7 +1,7 @@
 # Uses a multi-stage container build to build the RP & E2E components.
 #
 ARG REGISTRY
-FROM ${REGISTRY}/ubi8/go-toolset:1.20.10 AS builder
+FROM ${REGISTRY}/ubi8/go-toolset:1.20.12-5 AS builder
 
 USER root
 ENV GOPATH=/root/go
diff --git a/Dockerfile.aro-multistage b/Dockerfile.aro-multistage
index 148f32ad4..3edac6cdb 100644
--- a/Dockerfile.aro-multistage
+++ b/Dockerfile.aro-multistage
@@ -1,7 +1,7 @@
 # Uses a multi-stage container build to build the RP.
 #
 ARG REGISTRY
-FROM ${REGISTRY}/ubi8/go-toolset:1.20.10 AS builder
+FROM ${REGISTRY}/ubi8/go-toolset:1.20.12-5 AS builder
 
 USER root
 ENV GOPATH=/root/go
diff --git a/Dockerfile.gatekeeper b/Dockerfile.gatekeeper
index a7f3fae3c..8b781e8e3 100644
--- a/Dockerfile.gatekeeper
+++ b/Dockerfile.gatekeeper
@@ -1,5 +1,5 @@
 ARG REGISTRY
-FROM ${REGISTRY}/ubi8/go-toolset:1.20.10-1 AS builder
+FROM ${REGISTRY}/ubi8/go-toolset:1.20.12-5 AS builder
 ARG GATEKEEPER_VERSION
 ENV DOWNLOAD_URL=https://github.com/open-policy-agent/gatekeeper/archive/${GATEKEEPER_VERSION}.tar.gz
 
diff --git a/Dockerfile.proxy b/Dockerfile.proxy
index df4355866..87643f947 100644
--- a/Dockerfile.proxy
+++ b/Dockerfile.proxy
@@ -1,7 +1,7 @@
 # Uses a multi-stage container build to build the proxy
 #
 ARG REGISTRY
-FROM ${REGISTRY}/ubi8/go-toolset:1.20.10 AS builder
+FROM ${REGISTRY}/ubi8/go-toolset:1.20.12-5 AS builder
 USER root
 ENV GOPATH=/root/go
 RUN mkdir -p /app
diff --git a/Makefile b/Makefile
index e04d4aaa0..3dbbbbff4 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,7 @@ NO_CACHE ?= true
 export GOFLAGS=$(GO_FLAGS)
 
 # fluentbit version must also be updated in RP code, see pkg/util/version/const.go
-MARINER_VERSION = 20230321
+MARINER_VERSION = 20240301
 FLUENTBIT_VERSION = 1.9.10
 FLUENTBIT_IMAGE ?= ${RP_IMAGE_ACR}.azurecr.io/fluentbit:$(FLUENTBIT_VERSION)-cm$(MARINER_VERSION)
 AUTOREST_VERSION = 3.6.3
@@ -114,7 +114,8 @@ generate-kiota:
 	go run ./hack/licenses -dirs ./pkg/util/graph/graphsdk
 
 init-contrib:
-	cp -R hack/git/hooks/* .git/hooks/
+	install -v hack/git/hooks/* .git/hooks/
+	
 
 image-aro-multistage:
 	docker build --platform=linux/amd64 --network=host --no-cache -f Dockerfile.aro-multistage -t $(ARO_IMAGE) --build-arg REGISTRY=$(REGISTRY) .
diff --git a/docs/deploy-development-rp.md b/docs/deploy-development-rp.md
index aa0f4ed0f..b3c48b1e3 100644
--- a/docs/deploy-development-rp.md
+++ b/docs/deploy-development-rp.md
@@ -9,24 +9,10 @@
 1. Build the development `az aro` extension:
 
    ```bash
+   . ./env
    make az
    ```
 
-1. Verify that the ARO extension path is in your `az` configuration:
-
-   ```bash
-   grep -q 'dev_sources' ~/.azure/config || cat >>~/.azure/config <<EOF
-   [extension]
-   dev_sources = $PWD/python
-   EOF
-   ```
-
-   > Alternatively, if you do not want to configure the Azure CLI to utilize
-   > this extension globally, you can set the `AZURE_EXTENSION_DEV_SOURCES`
-   > environment variable to the `./python/` subfolder of this repository, e.g.
-   > in your ./env environment file, when you want to use the extension, and
-   > unset it when you do not.
-
 1. Verify the ARO extension is registered:
 
    ```bash
@@ -41,7 +27,10 @@
    ```
 
    Note: you will be able to update your development `az aro` extension in the
-   future by simply running `git pull`.
+   future by simply running `git pull`. If you need to use the "prod" extension,
+   what is bundled in `az` natively rather than your `./python`, you can
+   `unset AZURE_EXTENSION_DEV_SOURCES` (found in your `./env` file).
+
 
 
 ## Prepare your environment
diff --git a/docs/deploy-full-rp-service-in-dev.md b/docs/deploy-full-rp-service-in-dev.md
index 1503996bc..0d06d4cf5 100644
--- a/docs/deploy-full-rp-service-in-dev.md
+++ b/docs/deploy-full-rp-service-in-dev.md
@@ -267,7 +267,7 @@
         --nsg-name rp-nsg \
         --access Allow \
         --priority 500 \
-        --source-address-prefixes "$(curl --silent ipecho.net/plain)/32" \
+        --source-address-prefixes "$(curl --silent -4 ipecho.net/plain)/32" \
         --protocol Tcp \
         --destination-port-ranges 22
     ```
@@ -290,7 +290,7 @@
         --nsg-name gateway-nsg \
         --access Allow \
         --priority 500 \
-        --source-address-prefixes "$(curl --silent ipecho.net/plain)/32" \
+        --source-address-prefixes "$(curl --silent -4 ipecho.net/plain)/32" \
         --protocol Tcp \
         --destination-port-ranges 22
     ```
@@ -315,7 +315,7 @@
         --nsg-name rp-nsg \
         --access Allow \
         --priority 499 \
-        --source-address-prefixes "$(curl --silent ipecho.net/plain)/32" \
+        --source-address-prefixes "$(curl --silent -4 ipecho.net/plain)/32" \
         --protocol Tcp \
         --destination-port-ranges 443
     ```
diff --git a/docs/feature-flags.md b/docs/feature-flags.md
index 30fff4084..467ebf113 100644
--- a/docs/feature-flags.md
+++ b/docs/feature-flags.md
@@ -20,10 +20,6 @@ Subscription feature flags used by ARO-RP include:
   graduating features to production such that they only apply on our Red Hat
   engineering subscription.
 
-* Microsoft.RedHatOpenShift/SaveAROTestConfig: used on our test subscriptions to
-  cause the pkg/billing to copy billing data to a storage account so that it can
-  be validated by the billing E2E tests.
-
 Subscription feature flags are also used for API preview, INT and region
 rollout. See the RP ARM manifest for more details.
 
diff --git a/docs/prepare-your-dev-environment.md b/docs/prepare-your-dev-environment.md
index cba63ee6d..f252b2d09 100644
--- a/docs/prepare-your-dev-environment.md
+++ b/docs/prepare-your-dev-environment.md
@@ -139,8 +139,10 @@ Make sure that `PKG_CONFIG_PATH` contains the pkgconfig files of the above packa
     cd ${GOPATH:-$HOME/go}/src/github.com/Azure/ARO-RP
     ```
 
-1. Add standard git hooks
+1. Configure local git
 
     ```bash
     make init-contrib
+    git config --global github.user <<user_name>>
     ```
+
diff --git a/env-int.example b/env-int.example
index 08e0d574c..ea40b6053 100644
--- a/env-int.example
+++ b/env-int.example
@@ -5,5 +5,6 @@ export RESOURCEGROUP=$USER-aro-$LOCATION
 export DATABASE_ACCOUNT_NAME=$USER-aro-$LOCATION
 export DATABASE_NAME=ARO
 export KEYVAULT_PREFIX=$USER-aro-$LOCATION
+export KEYVAULT_PREFIX=${KEYVAULT_PREFIX::20}
 export ARO_IMAGE=${USER}aro.azurecr.io/aro:$(git rev-parse --short=7 HEAD)$([[ $(git status --porcelain) = "" ]] || echo -dirty)
-export FLUENTBIT_IMAGE=${USER}aro.azurecr.io/fluentbit:latest
\ No newline at end of file
+export FLUENTBIT_IMAGE=${USER}aro.azurecr.io/fluentbit:latest
diff --git a/env.example b/env.example
index 7cea448a1..a265550d1 100644
--- a/env.example
+++ b/env.example
@@ -1,5 +1,6 @@
 export LOCATION=eastus
 export ARO_IMAGE=arointsvc.azurecr.io/aro:latest
 export NO_CACHE=false
+export AZURE_EXTENSION_DEV_SOURCES="$(pwd)/python"
 
 . secrets/env
diff --git a/go.mod b/go.mod
index c3e384f47..b3ad73aa3 100644
--- a/go.mod
+++ b/go.mod
@@ -5,8 +5,9 @@ go 1.20
 require (
 	github.com/Azure/azure-sdk-for-go v63.1.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2 v2.5.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2 v2.2.1
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/Azure/go-autorest/autorest/adal v0.9.23
diff --git a/go.sum b/go.sum
index 1da030279..b84beb0f9 100644
--- a/go.sum
+++ b/go.sum
@@ -5,13 +5,16 @@ github.com/Azure/azure-sdk-for-go v63.1.0+incompatible h1:yNC7qlSUWVF8p0TzxdmWW1
 github.com/Azure/azure-sdk-for-go v63.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 h1:lGlwhPtrX6EVml1hO0ivjkUxsSyl4dsiw9qcA1k/3IQ=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1/go.mod h1:RKUqNu35KJYcVG/fqTRqmuXJZYNhYkBrnC/hX7yGbTA=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 h1:LNHhpdK7hzUcx/k1LIcuh5k7k1LGIWLQfCjaneSj7Fc=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 h1:6oNBlSdi1QqM1PNW7FPA6xOGA5UNsXnkaYZz9vdPGhA=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2 v2.5.0 h1:FTNvxTFH/08JBmhcbL5lmLaGYVXokZM6Ni92Mqr+gSg=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2 v2.5.0/go.mod h1:T0ryqIz5h5qg4HOBni+VeRn24alSqOx1Se1IAwUByOk=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.1.2 h1:mLY+pNLjCUeKhgnAJWAKhEUQM+RJQo2H1fuGSw1Ky1E=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0 h1:HlZMUZW8S4P9oob1nCHxCCKrytxyLc+24nUJGssoEto=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0/go.mod h1:StGsLbuJh06Bd8IBfnAlIFV3fLb+gkczONWf15hpX2E=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2 v2.2.1 h1:bWh0Z2rOEDfB/ywv/l0iHN1JgyazE6kW/aIA89+CEK0=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2 v2.2.1/go.mod h1:Bzf34hhAE9NSxailk8xVeLEZbUjOXcC+GnU1mMKdhLw=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.1.1 h1:7CBQ+Ei8SP2c6ydQTGCCrS35bDxgTMfoP2miAwK++OU=
diff --git a/pkg/api/admin/platformworkloadidentityroleset.go b/pkg/api/admin/platformworkloadidentityroleset.go
new file mode 100644
index 000000000..9ed4680bc
--- /dev/null
+++ b/pkg/api/admin/platformworkloadidentityroleset.go
@@ -0,0 +1,46 @@
+package admin
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+// PlatformWorkloadIdentityRoleSetList represents a List of role sets.
+type PlatformWorkloadIdentityRoleSetList struct {
+	// The list of role sets.
+	PlatformWorkloadIdentityRoleSets []*PlatformWorkloadIdentityRoleSet `json:"value"`
+}
+
+// PlatformWorkloadIdentityRoleSet represents a mapping from the names of OCP operators to the built-in roles that should be assigned to those operator's corresponding managed identities for a particular OCP version.
+type PlatformWorkloadIdentityRoleSet struct {
+	// The ID for the resource.
+	ID string `json:"id,omitempty" mutable:"case"`
+
+	// Name of the resource.
+	Name string `json:"name,omitempty" mutable:"case"`
+
+	// The properties for the PlatformWorkloadIdentityRoleSet resource.
+	Properties PlatformWorkloadIdentityRoleSetProperties `json:"properties,omitempty"`
+}
+
+// PlatformWorkloadIdentityRoleSetProperties represents the properties of a PlatformWorkloadIdentityRoleSet resource.
+type PlatformWorkloadIdentityRoleSetProperties struct {
+	// OpenShiftVersion represents the version associated with this set of roles.
+	OpenShiftVersion string `json:"openShiftVersion,omitempty"`
+
+	// PlatformWorkloadIdentityRoles represents the set of roles associated with this version.
+	PlatformWorkloadIdentityRoles []PlatformWorkloadIdentityRole `json:"platformWorkloadIdentityRoles,omitempty" mutable:"true"`
+}
+
+// PlatformWorkloadIdentityRole represents a mapping from a particular OCP operator to the built-in role that should be assigned to that operator's corresponding managed identity.
+type PlatformWorkloadIdentityRole struct {
+	// OperatorName represents the name of the operator that this role is for.
+	OperatorName string `json:"operatorName,omitempty" mutable:"true"`
+
+	// RoleDefinitionName represents the name of the role.
+	RoleDefinitionName string `json:"roleDefinitionName,omitempty" mutable:"true"`
+
+	// RoleDefinitionID represents the resource ID of the role definition.
+	RoleDefinitionID string `json:"roleDefinitionId,omitempty" mutable:"true"`
+
+	// ServiceAccounts represents the set of service accounts associated with the given operator, since each service account needs its own federated credential.
+	ServiceAccounts []string `json:"serviceAccounts,omitempty" mutable:"true"`
+}
diff --git a/pkg/api/admin/platformworkloadidentityroleset_convert.go b/pkg/api/admin/platformworkloadidentityroleset_convert.go
new file mode 100644
index 000000000..b1caa21cb
--- /dev/null
+++ b/pkg/api/admin/platformworkloadidentityroleset_convert.go
@@ -0,0 +1,67 @@
+package admin
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+/*
+TODO: Uncomment once API endpoints have been implemented and this code is being used.
+
+type platformWorkloadIdentityRoleSetConverter struct{}
+
+// platformWorkloadIdentityRoleSetConverter.ToExternal returns a new external representation
+// of the internal object, reading from the subset of the internal object's
+// fields that appear in the external representation.  ToExternal does not
+// modify its argument; there is no pointer aliasing between the passed and
+// returned objects.
+func (c platformWorkloadIdentityRoleSetConverter) ToExternal(s *api.PlatformWorkloadIdentityRoleSet) interface{} {
+	out := &PlatformWorkloadIdentityRoleSet{
+		Properties: PlatformWorkloadIdentityRoleSetProperties{
+			OpenShiftVersion:              s.Properties.OpenShiftVersion,
+			PlatformWorkloadIdentityRoles: make([]PlatformWorkloadIdentityRole, 0, len(s.Properties.PlatformWorkloadIdentityRoles)),
+		},
+	}
+
+	for i, r := range s.Properties.PlatformWorkloadIdentityRoles {
+		out.Properties.PlatformWorkloadIdentityRoles[i].OperatorName = r.OperatorName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionName = r.RoleDefinitionName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionID = r.RoleDefinitionID
+		out.Properties.PlatformWorkloadIdentityRoles[i].ServiceAccounts = make([]string, 0, len(r.ServiceAccounts))
+		out.Properties.PlatformWorkloadIdentityRoles[i].ServiceAccounts = append(out.Properties.PlatformWorkloadIdentityRoles[i].ServiceAccounts, r.ServiceAccounts...)
+	}
+
+	return out
+}
+
+// ToExternalList returns a slice of external representations of the internal
+// objects
+func (c platformWorkloadIdentityRoleSetConverter) ToExternalList(sets []*api.PlatformWorkloadIdentityRoleSet) interface{} {
+	l := &PlatformWorkloadIdentityRoleSetList{
+		PlatformWorkloadIdentityRoleSets: make([]*PlatformWorkloadIdentityRoleSet, 0, len(sets)),
+	}
+
+	for _, set := range sets {
+		l.PlatformWorkloadIdentityRoleSets = append(l.PlatformWorkloadIdentityRoleSets, c.ToExternal(set).(*PlatformWorkloadIdentityRoleSet))
+	}
+
+	return l
+}
+
+// ToInternal overwrites in place a pre-existing internal object, setting (only)
+// all mapped fields from the external representation. ToInternal modifies its
+// argument; there is no pointer aliasing between the passed and returned
+// objects
+func (c platformWorkloadIdentityRoleSetConverter) ToInternal(_new interface{}, out *api.PlatformWorkloadIdentityRoleSet) {
+	new := _new.(*PlatformWorkloadIdentityRoleSet)
+
+	out.Properties.OpenShiftVersion = new.Properties.OpenShiftVersion
+	out.Properties.PlatformWorkloadIdentityRoles = make([]api.PlatformWorkloadIdentityRole, 0, len(new.Properties.PlatformWorkloadIdentityRoles))
+
+	for i, r := range new.Properties.PlatformWorkloadIdentityRoles {
+		out.Properties.PlatformWorkloadIdentityRoles[i].OperatorName = r.OperatorName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionName = r.RoleDefinitionName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionID = r.RoleDefinitionID
+		out.Properties.PlatformWorkloadIdentityRoles[i].ServiceAccounts = make([]string, 0, len(r.ServiceAccounts))
+		out.Properties.PlatformWorkloadIdentityRoles[i].ServiceAccounts = append(out.Properties.PlatformWorkloadIdentityRoles[i].ServiceAccounts, r.ServiceAccounts...)
+	}
+}
+*/
diff --git a/pkg/api/admin/platformworkloadidentityroleset_validatestatic.go b/pkg/api/admin/platformworkloadidentityroleset_validatestatic.go
new file mode 100644
index 000000000..e70bffc05
--- /dev/null
+++ b/pkg/api/admin/platformworkloadidentityroleset_validatestatic.go
@@ -0,0 +1,71 @@
+package admin
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+/*
+TODO: Uncomment once API endpoints have been implemented and this code is being used.
+
+type platformWorkloadIdentityRoleSetStaticValidator struct{}
+
+func (sv platformWorkloadIdentityRoleSetStaticValidator) Static(_new interface{}, _current *api.PlatformWorkloadIdentityRoleSet) error {
+	new := _new.(*PlatformWorkloadIdentityRoleSet)
+
+	var current *PlatformWorkloadIdentityRoleSet
+	if _current != nil {
+		current = (&platformWorkloadIdentityRoleSetConverter{}).ToExternal(_current).(*PlatformWorkloadIdentityRoleSet)
+	}
+
+	err := sv.validate(new, current == nil)
+	if err != nil {
+		return err
+	}
+
+	if current == nil {
+		return nil
+	}
+
+	return sv.validateDelta(new, current)
+}
+
+func (sv platformWorkloadIdentityRoleSetStaticValidator) validate(new *PlatformWorkloadIdentityRoleSet, isCreate bool) error {
+	if new.Properties.OpenShiftVersion == "" {
+		return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, "properties.openShiftVersion", "Must be provided")
+	}
+
+	if new.Properties.PlatformWorkloadIdentityRoles == nil || len(new.Properties.PlatformWorkloadIdentityRoles) == 0 {
+		return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, "properties.platformWorkloadIdentityRoles", "Must be provided and must be non-empty")
+	}
+
+	errs := []error{}
+
+	for i, r := range new.Properties.PlatformWorkloadIdentityRoles {
+		if r.OperatorName == "" {
+			errs = append(errs, api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, fmt.Sprintf("properties.platformWorkloadIdentityRoles[%d].operatorName", i), "Must be provided"))
+		}
+
+		if r.RoleDefinitionName == "" {
+			errs = append(errs, api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, fmt.Sprintf("properties.platformWorkloadIdentityRoles[%d].roleDefinitionName", i), "Must be provided"))
+		}
+
+		if r.RoleDefinitionID == "" {
+			errs = append(errs, api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, fmt.Sprintf("properties.platformWorkloadIdentityRoles[%d].roleDefinitionId", i), "Must be provided"))
+		}
+
+		if r.ServiceAccounts == nil || len(r.ServiceAccounts) == 0 {
+			errs = append(errs, api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, fmt.Sprintf("properties.platformWorkloadIdentityRoles[%d].serviceAccounts", i), "Must be provided and must be non-empty"))
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
+func (sv platformWorkloadIdentityRoleSetStaticValidator) validateDelta(new, current *PlatformWorkloadIdentityRoleSet) error {
+	err := immutable.Validate("", new, current)
+	if err != nil {
+		err := err.(*immutable.ValidationError)
+		return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodePropertyChangeNotAllowed, err.Target, err.Message)
+	}
+	return nil
+}
+*/
diff --git a/pkg/api/featureflags.go b/pkg/api/featureflags.go
index 31ef71f1f..2f3ad77f1 100644
--- a/pkg/api/featureflags.go
+++ b/pkg/api/featureflags.go
@@ -4,11 +4,6 @@ package api
 // Licensed under the Apache License 2.0.
 
 const (
-	// FeatureFlagSaveAROTestConfig is the feature in the subscription that is used
-	// to indicate if we need to save ARO cluster config into the E2E
-	// StorageAccount
-	FeatureFlagSaveAROTestConfig = "Microsoft.RedHatOpenShift/SaveAROTestConfig"
-
 	// FeatureFlagMTU3900 is the feature in the subscription that causes new
 	// OpenShift cluster nodes to use the largest available Maximum Transmission
 	// Unit (MTU) on Azure virtual networks, which as of late 2021 is 3900 bytes.
diff --git a/pkg/api/platformworkloadidentityroleset.go b/pkg/api/platformworkloadidentityroleset.go
new file mode 100644
index 000000000..372eab1c8
--- /dev/null
+++ b/pkg/api/platformworkloadidentityroleset.go
@@ -0,0 +1,30 @@
+package api
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+// PlatformWorkloadIdentityRoleSet represents a mapping from the names of OCP operators to the built-in roles that should be assigned to those operator's corresponding managed identities for a particular OCP version.
+type PlatformWorkloadIdentityRoleSet struct {
+	MissingFields
+
+	ID       string `json:"id,omitempty"`
+	Name     string `json:"name,omitempty"`
+	Type     string `json:"type,omitempty"`
+	Deleting bool   `json:"deleting,omitempty"` // https://docs.microsoft.com/en-us/azure/cosmos-db/change-feed-design-patterns#deletes
+
+	Properties PlatformWorkloadIdentityRoleSetProperties `json:"properties,omitempty"`
+}
+
+// PlatformWorkloadIdentityRoleSetProperties represents the properties of a PlatformWorkloadIdentityRoleSet resource.
+type PlatformWorkloadIdentityRoleSetProperties struct {
+	OpenShiftVersion              string                         `json:"openShiftVersion,omitempty"`
+	PlatformWorkloadIdentityRoles []PlatformWorkloadIdentityRole `json:"platformWorkloadIdentityRoles,omitempty"`
+}
+
+// PlatformWorkloadIdentityRole represents a mapping from a particular OCP operator to the built-in role that should be assigned to that operator's corresponding managed identity.
+type PlatformWorkloadIdentityRole struct {
+	OperatorName       string   `json:"operatorName,omitempty"`
+	RoleDefinitionName string   `json:"roleDefinitionName,omitempty"`
+	RoleDefinitionID   string   `json:"roleDefinitionId,omitempty"`
+	ServiceAccounts    []string `json:"serviceAccounts,omitempty"`
+}
diff --git a/pkg/api/platformworkloadidentityrolesetdocument.go b/pkg/api/platformworkloadidentityrolesetdocument.go
new file mode 100644
index 000000000..f9eee2d8b
--- /dev/null
+++ b/pkg/api/platformworkloadidentityrolesetdocument.go
@@ -0,0 +1,38 @@
+package api
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+// PlatformWorkloadIdentityRoleSetDocuments represents a set of PlatformWorkloadIdentityRoleSetDocuments.
+// pkg/database/cosmosdb requires its definition.
+type PlatformWorkloadIdentityRoleSetDocuments struct {
+	Count                                    int                                        `json:"_count,omitempty"`
+	ResourceID                               string                                     `json:"_rid,omitempty"`
+	PlatformWorkloadIdentityRoleSetDocuments []*PlatformWorkloadIdentityRoleSetDocument `json:"Documents,omitempty"`
+}
+
+func (c *PlatformWorkloadIdentityRoleSetDocuments) String() string {
+	return encodeJSON(c)
+}
+
+// PlatformWorkloadIdentityRoleSetDocument represents a document specifying a mapping from the names of OCP operators to the built-in roles that should be assigned to those operator's corresponding managed identities for a particular OCP version.
+// pkg/database/cosmosdb requires its definition.
+type PlatformWorkloadIdentityRoleSetDocument struct {
+	MissingFields
+
+	ID          string                 `json:"id,omitempty"`
+	ResourceID  string                 `json:"_rid,omitempty"`
+	Timestamp   int                    `json:"_ts,omitempty"`
+	Self        string                 `json:"_self,omitempty"`
+	ETag        string                 `json:"_etag,omitempty" deep:"-"`
+	Attachments string                 `json:"_attachments,omitempty"`
+	TTL         int                    `json:"ttl,omitempty"`
+	LSN         int                    `json:"_lsn,omitempty"`
+	Metadata    map[string]interface{} `json:"_metadata,omitempty"`
+
+	PlatformWorkloadIdentityRoleSet *PlatformWorkloadIdentityRoleSet `json:"platformWorkloadIdentityRoleSet,omitempty"`
+}
+
+func (c *PlatformWorkloadIdentityRoleSetDocument) String() string {
+	return encodeJSON(c)
+}
diff --git a/pkg/api/platformworkloadidentityrolesetdocument_example.go b/pkg/api/platformworkloadidentityrolesetdocument_example.go
new file mode 100644
index 000000000..12fd32f23
--- /dev/null
+++ b/pkg/api/platformworkloadidentityrolesetdocument_example.go
@@ -0,0 +1,29 @@
+package api
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+func ExamplePlatformWorkloadIdentityRoleSetDocument() *PlatformWorkloadIdentityRoleSetDocument {
+	return &PlatformWorkloadIdentityRoleSetDocument{
+		MissingFields: MissingFields{},
+		ID:            "00000000-0000-0000-0000-000000000000",
+		PlatformWorkloadIdentityRoleSet: &PlatformWorkloadIdentityRoleSet{
+			ID:   "00000000-0000-0000-0000-000000000000",
+			Name: "4.14",
+			Type: "Microsoft.RedHatOpenShift/PlatformWorkloadIdentityRoleSet",
+			Properties: PlatformWorkloadIdentityRoleSetProperties{
+				OpenShiftVersion: "4.14",
+				PlatformWorkloadIdentityRoles: []PlatformWorkloadIdentityRole{
+					{
+						OperatorName:       "ServiceOperator",
+						RoleDefinitionName: "AzureRedHatOpenShiftServiceOperator",
+						RoleDefinitionID:   "/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000",
+						ServiceAccounts: []string{
+							"aro-operator-master",
+						},
+					},
+				},
+			},
+		},
+	}
+}
diff --git a/pkg/api/pretty.go b/pkg/api/pretty.go
index de3b07a8c..7d0bbcc06 100644
--- a/pkg/api/pretty.go
+++ b/pkg/api/pretty.go
@@ -15,13 +15,7 @@ import (
 var secretPreservingJSONHandle *codec.JsonHandle
 
 func init() {
-	secretPreservingJSONHandle = &codec.JsonHandle{
-		BasicHandle: codec.BasicHandle{
-			DecodeOptions: codec.DecodeOptions{
-				ErrorIfNoField: true,
-			},
-		},
-	}
+	secretPreservingJSONHandle = &codec.JsonHandle{}
 
 	err := secretPreservingJSONHandle.SetInterfaceExt(reflect.TypeOf(SecureBytes{}), 1, secureHidingExt{})
 	if err != nil {
diff --git a/pkg/api/v20231122/openshiftcluster_convert.go b/pkg/api/v20231122/openshiftcluster_convert.go
index ab633f4d5..f4f107665 100644
--- a/pkg/api/v20231122/openshiftcluster_convert.go
+++ b/pkg/api/v20231122/openshiftcluster_convert.go
@@ -277,4 +277,11 @@ func (c openShiftClusterConverter) ExternalNoReadOnly(_oc interface{}) {
 	if oc.Properties.NetworkProfile.LoadBalancerProfile != nil {
 		oc.Properties.NetworkProfile.LoadBalancerProfile.EffectiveOutboundIPs = nil
 	}
+	oc.SystemData = nil
+	oc.Properties.ConsoleProfile.URL = ""
+	oc.Properties.APIServerProfile.URL = ""
+	oc.Properties.APIServerProfile.IP = ""
+	for i := range oc.Properties.IngressProfiles {
+		oc.Properties.IngressProfiles[i].IP = ""
+	}
 }
diff --git a/pkg/api/v20240812preview/openshiftcluster_convert.go b/pkg/api/v20240812preview/openshiftcluster_convert.go
index 45c82a7bf..295c77c07 100644
--- a/pkg/api/v20240812preview/openshiftcluster_convert.go
+++ b/pkg/api/v20240812preview/openshiftcluster_convert.go
@@ -326,4 +326,15 @@ func (c openShiftClusterConverter) ExternalNoReadOnly(_oc interface{}) {
 	if oc.Properties.NetworkProfile.LoadBalancerProfile != nil {
 		oc.Properties.NetworkProfile.LoadBalancerProfile.EffectiveOutboundIPs = nil
 	}
+	oc.SystemData = nil
+	oc.Properties.ConsoleProfile.URL = ""
+	oc.Properties.APIServerProfile.URL = ""
+	oc.Properties.APIServerProfile.IP = ""
+	for i := range oc.Properties.IngressProfiles {
+		oc.Properties.IngressProfiles[i].IP = ""
+	}
+	for i := range oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities {
+		oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ClientID = ""
+		oc.Properties.PlatformWorkloadIdentityProfile.PlatformWorkloadIdentities[i].ObjectID = ""
+	}
 }
diff --git a/pkg/api/v20240812preview/platformworkloadidentityroleset.go b/pkg/api/v20240812preview/platformworkloadidentityroleset.go
new file mode 100644
index 000000000..b944b9675
--- /dev/null
+++ b/pkg/api/v20240812preview/platformworkloadidentityroleset.go
@@ -0,0 +1,51 @@
+package v20240812preview
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+// PlatformWorkloadIdentityRoleSetList represents a List of role sets.
+type PlatformWorkloadIdentityRoleSetList struct {
+	// The list of role sets.
+	PlatformWorkloadIdentityRoleSets []*PlatformWorkloadIdentityRoleSet `json:"value"`
+
+	// Next Link to next operation.
+	NextLink string `json:"nextLink,omitempty"`
+}
+
+// PlatformWorkloadIdentityRoleSet represents a mapping from the names of OCP operators to the built-in roles that should be assigned to those operator's corresponding managed identities for a particular OCP version.
+type PlatformWorkloadIdentityRoleSet struct {
+	proxyResource bool
+
+	// The ID for the resource.
+	ID string `json:"id,omitempty" mutable:"case"`
+
+	// Name of the resource.
+	Name string `json:"name,omitempty" mutable:"case"`
+
+	// The resource type.
+	Type string `json:"type,omitempty" mutable:"case"`
+
+	// The properties for the PlatformWorkloadIdentityRoleSet resource.
+	Properties PlatformWorkloadIdentityRoleSetProperties `json:"properties,omitempty"`
+}
+
+// PlatformWorkloadIdentityRoleSetProperties represents the properties of a PlatformWorkloadIdentityRoleSet resource.
+type PlatformWorkloadIdentityRoleSetProperties struct {
+	// OpenShiftVersion represents the version associated with this set of roles.
+	OpenShiftVersion string `json:"openShiftVersion,omitempty"`
+
+	// PlatformWorkloadIdentityRoles represents the set of roles associated with this version.
+	PlatformWorkloadIdentityRoles []PlatformWorkloadIdentityRole `json:"platformWorkloadIdentityRoles,omitempty"`
+}
+
+// PlatformWorkloadIdentityRole represents a mapping from a particular OCP operator to the built-in role that should be assigned to that operator's corresponding managed identity.
+type PlatformWorkloadIdentityRole struct {
+	// OperatorName represents the name of the operator that this role is for.
+	OperatorName string `json:"operatorName,omitempty"`
+
+	// RoleDefinitionName represents the name of the role.
+	RoleDefinitionName string `json:"roleDefinitionName,omitempty"`
+
+	// RoleDefinitionID represents the resource ID of the role definition.
+	RoleDefinitionID string `json:"roleDefinitionId,omitempty"`
+}
diff --git a/pkg/api/v20240812preview/platformworkloadidentityroleset_convert.go b/pkg/api/v20240812preview/platformworkloadidentityroleset_convert.go
new file mode 100644
index 000000000..a651229c1
--- /dev/null
+++ b/pkg/api/v20240812preview/platformworkloadidentityroleset_convert.go
@@ -0,0 +1,65 @@
+package v20240812preview
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"github.com/Azure/ARO-RP/pkg/api"
+)
+
+type platformWorkloadIdentityRoleSetConverter struct{}
+
+// platformWorkloadIdentityRoleSetConverter.ToExternal returns a new external representation
+// of the internal object, reading from the subset of the internal object's
+// fields that appear in the external representation.  ToExternal does not
+// modify its argument; there is no pointer aliasing between the passed and
+// returned objects.
+func (c platformWorkloadIdentityRoleSetConverter) ToExternal(s *api.PlatformWorkloadIdentityRoleSet) interface{} {
+	out := &PlatformWorkloadIdentityRoleSet{
+		ID:            s.ID,
+		proxyResource: true,
+		Properties: PlatformWorkloadIdentityRoleSetProperties{
+			OpenShiftVersion:              s.Properties.OpenShiftVersion,
+			PlatformWorkloadIdentityRoles: make([]PlatformWorkloadIdentityRole, 0, len(s.Properties.PlatformWorkloadIdentityRoles)),
+		},
+	}
+
+	for i, r := range s.Properties.PlatformWorkloadIdentityRoles {
+		out.Properties.PlatformWorkloadIdentityRoles[i].OperatorName = r.OperatorName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionName = r.RoleDefinitionName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionID = r.RoleDefinitionID
+	}
+
+	return out
+}
+
+// ToExternalList returns a slice of external representations of the internal
+// objects
+func (c platformWorkloadIdentityRoleSetConverter) ToExternalList(sets []*api.PlatformWorkloadIdentityRoleSet) interface{} {
+	l := &PlatformWorkloadIdentityRoleSetList{
+		PlatformWorkloadIdentityRoleSets: make([]*PlatformWorkloadIdentityRoleSet, 0, len(sets)),
+	}
+
+	for _, set := range sets {
+		l.PlatformWorkloadIdentityRoleSets = append(l.PlatformWorkloadIdentityRoleSets, c.ToExternal(set).(*PlatformWorkloadIdentityRoleSet))
+	}
+
+	return l
+}
+
+// ToInternal overwrites in place a pre-existing internal object, setting (only)
+// all mapped fields from the external representation. ToInternal modifies its
+// argument; there is no pointer aliasing between the passed and returned
+// objects
+func (c platformWorkloadIdentityRoleSetConverter) ToInternal(_new interface{}, out *api.PlatformWorkloadIdentityRoleSet) {
+	new := _new.(*PlatformWorkloadIdentityRoleSet)
+
+	out.Properties.OpenShiftVersion = new.Properties.OpenShiftVersion
+	out.Properties.PlatformWorkloadIdentityRoles = make([]api.PlatformWorkloadIdentityRole, 0, len(new.Properties.PlatformWorkloadIdentityRoles))
+
+	for i, r := range new.Properties.PlatformWorkloadIdentityRoles {
+		out.Properties.PlatformWorkloadIdentityRoles[i].OperatorName = r.OperatorName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionName = r.RoleDefinitionName
+		out.Properties.PlatformWorkloadIdentityRoles[i].RoleDefinitionID = r.RoleDefinitionID
+	}
+}
diff --git a/pkg/api/v20240812preview/platformworkloadidentityroleset_example.go b/pkg/api/v20240812preview/platformworkloadidentityroleset_example.go
new file mode 100644
index 000000000..6cf6a1d09
--- /dev/null
+++ b/pkg/api/v20240812preview/platformworkloadidentityroleset_example.go
@@ -0,0 +1,24 @@
+package v20240812preview
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import "github.com/Azure/ARO-RP/pkg/api"
+
+func examplePlatformWorkloadIdentityRoleSet() *PlatformWorkloadIdentityRoleSet {
+	doc := api.ExamplePlatformWorkloadIdentityRoleSetDocument()
+	ext := (&platformWorkloadIdentityRoleSetConverter{}).ToExternal(doc.PlatformWorkloadIdentityRoleSet)
+	return ext.(*PlatformWorkloadIdentityRoleSet)
+}
+
+func ExamplePlatformWorkloadIdentityRoleSetResponse() interface{} {
+	return examplePlatformWorkloadIdentityRoleSet()
+}
+
+func ExamplePlatformWorkloadIdentityRoleSetListResponse() interface{} {
+	return &PlatformWorkloadIdentityRoleSetList{
+		PlatformWorkloadIdentityRoleSets: []*PlatformWorkloadIdentityRoleSet{
+			ExamplePlatformWorkloadIdentityRoleSetResponse().(*PlatformWorkloadIdentityRoleSet),
+		},
+	}
+}
diff --git a/pkg/containerinstall/install_test.go b/pkg/containerinstall/install_test.go
index 620a7e62f..12a075ab5 100644
--- a/pkg/containerinstall/install_test.go
+++ b/pkg/containerinstall/install_test.go
@@ -27,7 +27,7 @@ import (
 	testlog "github.com/Azure/ARO-RP/test/util/log"
 )
 
-const TEST_PULLSPEC = "registry.access.redhat.com/ubi8/go-toolset:1.20.10"
+const TEST_PULLSPEC = "registry.access.redhat.com/ubi8/go-toolset:1.20.12-5"
 
 var _ = Describe("Podman", Ordered, func() {
 	var err error
diff --git a/pkg/database/database.go b/pkg/database/database.go
index 9c8c230c0..4e6ad73d7 100644
--- a/pkg/database/database.go
+++ b/pkg/database/database.go
@@ -78,13 +78,7 @@ func getDatabaseKey(keys sdkcosmos.DatabaseAccountsClientListKeysResponse, log *
 }
 
 func NewJSONHandle(aead encryption.AEAD) (*codec.JsonHandle, error) {
-	h := &codec.JsonHandle{
-		BasicHandle: codec.BasicHandle{
-			DecodeOptions: codec.DecodeOptions{
-				ErrorIfNoField: true,
-			},
-		},
-	}
+	h := &codec.JsonHandle{}
 
 	if aead == nil {
 		return h, nil
diff --git a/pkg/deploy/assets/databases-development.json b/pkg/deploy/assets/databases-development.json
index 0216939f1..d0c7aabfa 100644
--- a/pkg/deploy/assets/databases-development.json
+++ b/pkg/deploy/assets/databases-development.json
@@ -11,160 +11,167 @@
     },
     "resources": [
         {
+            "apiVersion": "2023-04-15",
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'))]",
             "properties": {
-                "resource": {
-                    "id": "[parameters('databaseName')]"
-                },
                 "options": {
                     "autoscaleSettings": {
                         "maxThroughput": 1000
                     }
+                },
+                "resource": {
+                    "id": "[parameters('databaseName')]"
                 }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'))]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15"
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/AsyncOperations')]",
             "properties": {
+                "options": {},
                 "resource": {
+                    "defaultTtl": 604800,
                     "id": "AsyncOperations",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": 604800
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/AsyncOperations')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/OpenShiftVersions')]",
             "properties": {
+                "options": {},
                 "resource": {
+                    "defaultTtl": -1,
                     "id": "OpenShiftVersions",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/OpenShiftVersions')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/ClusterManagerConfigurations')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "ClusterManagerConfigurations",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/partitionKey"
-                        ],
-                        "kind": "Hash"
+                        ]
                     }
-                },
-                "options": {}
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/ClusterManagerConfigurations')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Billing')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "Billing",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
+                        ]
                     }
-                },
-                "options": {}
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Billing')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Gateway')]",
             "properties": {
+                "options": {},
                 "resource": {
+                    "defaultTtl": -1,
                     "id": "Gateway",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Gateway')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Monitors')]",
             "properties": {
+                "options": {},
                 "resource": {
+                    "defaultTtl": -1,
                     "id": "Monitors",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Monitors')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/OpenShiftClusters')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "OpenShiftClusters",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/partitionKey"
-                        ],
-                        "kind": "Hash"
+                        ]
                     },
                     "uniqueKeyPolicy": {
                         "uniqueKeys": [
@@ -185,59 +192,52 @@
                             }
                         ]
                     }
-                },
-                "options": {}
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/OpenShiftClusters')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Portal')]",
             "properties": {
+                "options": {},
                 "resource": {
+                    "defaultTtl": -1,
                     "id": "Portal",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Portal')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Subscriptions')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "Subscriptions",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
+                        ]
                     }
-                },
-                "options": {}
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', parameters('databaseName'), '/Subscriptions')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), parameters('databaseName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         }
     ]
 }
diff --git a/pkg/deploy/assets/env-development.json b/pkg/deploy/assets/env-development.json
index 10057c045..4328b7592 100644
--- a/pkg/deploy/assets/env-development.json
+++ b/pkg/deploy/assets/env-development.json
@@ -224,7 +224,7 @@
             },
             "properties": {
                 "upgradePolicy": {
-                    "mode": "Manual"
+                    "mode": "Rolling"
                 },
                 "virtualMachineProfile": {
                     "osProfile": {
@@ -296,7 +296,7 @@
                                     "autoUpgradeMinorVersion": true,
                                     "settings": {},
                                     "protectedSettings": {
-                                        "script": "[base64(concat(base64ToString('c2V0IC1leAoK'),'PROXYIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('proxyImage')),''')\n','PROXYIMAGEAUTH=$(base64 -d \u003c\u003c\u003c''',base64(parameters('proxyImageAuth')),''')\n','PROXYCERT=''',parameters('proxyCert'),'''\n','PROXYCLIENTCERT=''',parameters('proxyClientCert'),'''\n','PROXYKEY=''',parameters('proxyKey'),'''\n','\n',base64ToString('I0FkZGluZyByZXRyeSBsb2dpYyB0byB5dW0gY29tbWFuZHMgaW4gb3JkZXIgdG8gYXZvaWQgc3RhbGxpbmcgb3V0IG9uIHJlc291cmNlIGxvY2tzCmVjaG8gInJ1bm5pbmcgUkhVSSBmaXgiCmZvciBhdHRlbXB0IGluIHsxLi41fTsgZG8KICB5dW0gdXBkYXRlIC15IC0tZGlzYWJsZXJlcG89JyonIC0tZW5hYmxlcmVwbz0ncmh1aS1taWNyb3NvZnQtYXp1cmUqJyAmJiBicmVhawogIGlmIFtbICR7YXR0ZW1wdH0gLWx0IDUgXV07IHRoZW4gc2xlZXAgMTA7IGVsc2UgZXhpdCAxOyBmaQpkb25lCgplY2hvICJydW5uaW5nIHl1bSB1cGRhdGUiCmZvciBhdHRlbXB0IGluIHsxLi41fTsgZG8KICB5dW0gLXkgLXggV0FMaW51eEFnZW50IC14IFdBTGludXhBZ2VudC11ZGV2IHVwZGF0ZSAtLWFsbG93ZXJhc2luZyAmJiBicmVhawogIGlmIFtbICR7YXR0ZW1wdH0gLWx0IDUgXV07IHRoZW4gc2xlZXAgMTA7IGVsc2UgZXhpdCAxOyBmaQpkb25lCgplY2hvICJpbnN0YWxsaW5nIHBvZG1hbi1kb2NrZXIiCmZvciBhdHRlbXB0IGluIHsxLi41fTsgZG8KICB5dW0gLXkgaW5zdGFsbCBwb2RtYW4tZG9ja2VyICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmZpcmV3YWxsLWNtZCAtLWFkZC1wb3J0PTQ0My90Y3AgLS1wZXJtYW5lbnQKCm1rZGlyIC9yb290Ly5kb2NrZXIKY2F0ID4vcm9vdC8uZG9ja2VyL2NvbmZpZy5qc29uIDw8RU9GCnsKCSJhdXRocyI6IHsKCQkiJHtQUk9YWUlNQUdFJSUvKn0iOiB7CgkJCSJhdXRoIjogIiRQUk9YWUlNQUdFQVVUSCIKCQl9Cgl9Cn0KRU9GCgpta2RpciAtcCAvZXRjL2NvbnRhaW5lcnMvCnRvdWNoIC9ldGMvY29udGFpbmVycy9ub2RvY2tlcgoKZG9ja2VyIHB1bGwgIiRQUk9YWUlNQUdFIgoKbWtkaXIgL2V0Yy9wcm94eQpiYXNlNjQgLWQgPDw8IiRQUk9YWUNFUlQiID4vZXRjL3Byb3h5L3Byb3h5LmNydApiYXNlNjQgLWQgPDw8IiRQUk9YWUtFWSIgPi9ldGMvcHJveHkvcHJveHkua2V5CmJhc2U2NCAtZCA8PDwiJFBST1hZQ0xJRU5UQ0VSVCIgPi9ldGMvcHJveHkvcHJveHktY2xpZW50LmNydApjaG93biAtUiAxMDAwOjEwMDAgL2V0Yy9wcm94eQpjaG1vZCAwNjAwIC9ldGMvcHJveHkvcHJveHkua2V5CgpjYXQgPi9ldGMvc3lzY29uZmlnL3Byb3h5IDw8RU9GClBST1hZX0lNQUdFPSckUFJPWFlJTUFHRScKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vcHJveHkuc2VydmljZSA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL3Byb3h5CkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVuCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIC0tcm0gLS1uYW1lICVuIC1wIDQ0Mzo4NDQzIC12IC9ldGMvcHJveHk6L3NlY3JldHMgJFBST1hZX0lNQUdFCkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wICVuClJlc3RhcnQ9YWx3YXlzClJlc3RhcnRTZWM9MQpTdGFydExpbWl0SW50ZXJ2YWw9MAoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKc3lzdGVtY3RsIGVuYWJsZSBwcm94eS5zZXJ2aWNlCgpjYXQgPi9ldGMvY3Jvbi53ZWVrbHkvcHVsbC1pbWFnZSA8PCdFT0YnCiMhL2Jpbi9iYXNoCgpkb2NrZXIgcHVsbCAkUFJPWFlJTUFHRQpzeXN0ZW1jdGwgcmVzdGFydCBwcm94eS5zZXJ2aWNlCkVPRgpjaG1vZCAreCAvZXRjL2Nyb24ud2Vla2x5L3B1bGwtaW1hZ2UKCmNhdCA+L2V0Yy9jcm9uLndlZWtseS95dW11cGRhdGUgPDwnRU9GJwojIS9iaW4vYmFzaAoKeXVtIHVwZGF0ZSAteQpFT0YKY2htb2QgK3ggL2V0Yy9jcm9uLndlZWtseS95dW11cGRhdGUKCmNhdCA+L2V0Yy9jcm9uLmRhaWx5L3Jlc3RhcnQtcHJveHkgPDwnRU9GJwojIS9iaW4vYmFzaAoKc3lzdGVtY3RsIHJlc3RhcnQgcHJveHkuc2VydmljZQpFT0YKY2htb2QgK3ggL2V0Yy9jcm9uLmRhaWx5L3Jlc3RhcnQtcHJveHkKCigKCXNsZWVwIDMwCglyZWJvb3QKKSAmCg==')))]"
+                                        "script": "[base64(concat(base64ToString('c2V0IC1leAoK'),'PROXYIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('proxyImage')),''')\n','PROXYIMAGEAUTH=$(base64 -d \u003c\u003c\u003c''',base64(parameters('proxyImageAuth')),''')\n','PROXYCERT=''',parameters('proxyCert'),'''\n','PROXYCLIENTCERT=''',parameters('proxyClientCert'),'''\n','PROXYKEY=''',parameters('proxyKey'),'''\n','\n',base64ToString('I0FkZGluZyByZXRyeSBsb2dpYyB0byB5dW0gY29tbWFuZHMgaW4gb3JkZXIgdG8gYXZvaWQgc3RhbGxpbmcgb3V0IG9uIHJlc291cmNlIGxvY2tzCmVjaG8gInJ1bm5pbmcgUkhVSSBmaXgiCmZvciBhdHRlbXB0IGluIHsxLi42MH07IGRvCiAgeXVtIHVwZGF0ZSAteSAtLWRpc2FibGVyZXBvPScqJyAtLWVuYWJsZXJlcG89J3JodWktbWljcm9zb2Z0LWF6dXJlKicgJiYgYnJlYWsKICBpZiBbWyAke2F0dGVtcHR9IC1sdCA2MCBdXTsgdGhlbiBzbGVlcCAzMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gInJ1bm5pbmcgeXVtIHVwZGF0ZSIKZm9yIGF0dGVtcHQgaW4gezEuLjYwfTsgZG8KICB5dW0gLXkgLXggV0FMaW51eEFnZW50IC14IFdBTGludXhBZ2VudC11ZGV2IHVwZGF0ZSAtLWFsbG93ZXJhc2luZyAmJiBicmVhawogIGlmIFtbICR7YXR0ZW1wdH0gLWx0IDYwIF1dOyB0aGVuIHNsZWVwIDMwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKZWNobyAiaW5zdGFsbGluZyBwb2RtYW4tZG9ja2VyIgpmb3IgYXR0ZW1wdCBpbiB7MS4uNjB9OyBkbwogIHl1bSAteSBpbnN0YWxsIHBvZG1hbi1kb2NrZXIgJiYgYnJlYWsKICBpZiBbWyAke2F0dGVtcHR9IC1sdCA2MCBdXTsgdGhlbiBzbGVlcCAzMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmZpcmV3YWxsLWNtZCAtLWFkZC1wb3J0PTQ0My90Y3AgLS1wZXJtYW5lbnQKCm1rZGlyIC9yb290Ly5kb2NrZXIKY2F0ID4vcm9vdC8uZG9ja2VyL2NvbmZpZy5qc29uIDw8RU9GCnsKCSJhdXRocyI6IHsKCQkiJHtQUk9YWUlNQUdFJSUvKn0iOiB7CgkJCSJhdXRoIjogIiRQUk9YWUlNQUdFQVVUSCIKCQl9Cgl9Cn0KRU9GCgpta2RpciAtcCAvZXRjL2NvbnRhaW5lcnMvCnRvdWNoIC9ldGMvY29udGFpbmVycy9ub2RvY2tlcgoKZG9ja2VyIHB1bGwgIiRQUk9YWUlNQUdFIgoKbWtkaXIgL2V0Yy9wcm94eQpiYXNlNjQgLWQgPDw8IiRQUk9YWUNFUlQiID4vZXRjL3Byb3h5L3Byb3h5LmNydApiYXNlNjQgLWQgPDw8IiRQUk9YWUtFWSIgPi9ldGMvcHJveHkvcHJveHkua2V5CmJhc2U2NCAtZCA8PDwiJFBST1hZQ0xJRU5UQ0VSVCIgPi9ldGMvcHJveHkvcHJveHktY2xpZW50LmNydApjaG93biAtUiAxMDAwOjEwMDAgL2V0Yy9wcm94eQpjaG1vZCAwNjAwIC9ldGMvcHJveHkvcHJveHkua2V5CgpjYXQgPi9ldGMvc3lzY29uZmlnL3Byb3h5IDw8RU9GClBST1hZX0lNQUdFPSckUFJPWFlJTUFHRScKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vcHJveHkuc2VydmljZSA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL3Byb3h5CkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVuCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIC0tcm0gLS1uYW1lICVuIC1wIDQ0Mzo4NDQzIC12IC9ldGMvcHJveHk6L3NlY3JldHMgJFBST1hZX0lNQUdFCkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wICVuClJlc3RhcnQ9YWx3YXlzClJlc3RhcnRTZWM9MQpTdGFydExpbWl0SW50ZXJ2YWw9MAoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKc3lzdGVtY3RsIGVuYWJsZSBwcm94eS5zZXJ2aWNlCgpjYXQgPi9ldGMvY3Jvbi53ZWVrbHkvcHVsbC1pbWFnZSA8PCdFT0YnCiMhL2Jpbi9iYXNoCgpkb2NrZXIgcHVsbCAkUFJPWFlJTUFHRQpzeXN0ZW1jdGwgcmVzdGFydCBwcm94eS5zZXJ2aWNlCkVPRgpjaG1vZCAreCAvZXRjL2Nyb24ud2Vla2x5L3B1bGwtaW1hZ2UKCmNhdCA+L2V0Yy9jcm9uLndlZWtseS95dW11cGRhdGUgPDwnRU9GJwojIS9iaW4vYmFzaAoKeXVtIHVwZGF0ZSAteQpFT0YKY2htb2QgK3ggL2V0Yy9jcm9uLndlZWtseS95dW11cGRhdGUKCmNhdCA+L2V0Yy9jcm9uLmRhaWx5L3Jlc3RhcnQtcHJveHkgPDwnRU9GJwojIS9iaW4vYmFzaAoKc3lzdGVtY3RsIHJlc3RhcnQgcHJveHkuc2VydmljZQpFT0YKY2htb2QgK3ggL2V0Yy9jcm9uLmRhaWx5L3Jlc3RhcnQtcHJveHkKCigKCXNsZWVwIDMwCglyZWJvb3QKKSAmCg==')))]"
                                     },
                                     "provisionAfterExtensions": [
                                         "Microsoft.Azure.Monitor.AzureMonitorLinuxAgent",
diff --git a/pkg/deploy/assets/gateway-production.json b/pkg/deploy/assets/gateway-production.json
index 1a3296cd8..19f123da7 100644
--- a/pkg/deploy/assets/gateway-production.json
+++ b/pkg/deploy/assets/gateway-production.json
@@ -226,7 +226,7 @@
             },
             "properties": {
                 "upgradePolicy": {
-                    "mode": "Manual"
+                    "mode": "Rolling"
                 },
                 "virtualMachineProfile": {
                     "osProfile": {
@@ -309,7 +309,7 @@
                                     "autoUpgradeMinorVersion": true,
                                     "settings": {},
                                     "protectedSettings": {
-                                        "script": "[base64(concat(base64ToString('c2V0IC1leAoK'),'ACRRESOURCEID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('acrResourceId')),''')\n','AZURECLOUDNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureCloudName')),''')\n','AZURESECPACKQUALYSURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackQualysUrl')),''')\n','AZURESECPACKVSATENANTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackVSATenantId')),''')\n','DATABASEACCOUNTNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('databaseAccountName')),''')\n','DBTOKENCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('dbtokenClientId')),''')\n','DBTOKENURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('dbtokenUrl')),''')\n','MDMFRONTENDURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdmFrontendUrl')),''')\n','MDSDENVIRONMENT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdsdEnvironment')),''')\n','FLUENTBITIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fluentbitImage')),''')\n','GATEWAYMDSDCONFIGVERSION=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayMdsdConfigVersion')),''')\n','GATEWAYDOMAINS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayDomains')),''')\n','GATEWAYFEATURES=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayFeatures')),''')\n','KEYVAULTDNSSUFFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultDNSSuffix')),''')\n','KEYVAULTPREFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultPrefix')),''')\n','RPIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpImage')),''')\n','RPMDMACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdmAccount')),''')\n','RPMDSDACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdAccount')),''')\n','RPMDSDNAMESPACE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdNamespace')),''')\n','MDMIMAGE=''/genevamdm:2.2024.328.1744-c5fb79-20240328t1935''\n','LOCATION=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().location),''')\n','SUBSCRIPTIONID=$(base64 -d \u003c\u003c\u003c''',base64(subscription().subscriptionId),''')\n','RESOURCEGROUPNAME=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().name),''')\n','\n',base64ToString('IyEvYmluL2Jhc2gKCmVjaG8gInNldHRpbmcgc3NoIHBhc3N3b3JkIGF1dGhlbnRpY2F0aW9uIgojIFdlIG5lZWQgdG8gbWFudWFsbHkgc2V0IFBhc3N3b3JkQXV0aGVudGljYXRpb24gdG8gdHJ1ZSBpbiBvcmRlciBmb3IgdGhlIFZNU1MgQWNjZXNzIEpJVCB0byB3b3JrCnNlZCAtaSAncy9QYXNzd29yZEF1dGhlbnRpY2F0aW9uIG5vL1Bhc3N3b3JkQXV0aGVudGljYXRpb24geWVzL2cnIC9ldGMvc3NoL3NzaGRfY29uZmlnCnN5c3RlbWN0bCByZWxvYWQgc3NoZC5zZXJ2aWNlCgojQWRkaW5nIHJldHJ5IGxvZ2ljIHRvIHl1bSBjb21tYW5kcyBpbiBvcmRlciB0byBhdm9pZCBzdGFsbGluZyBvdXQgb24gcmVzb3VyY2UgbG9ja3MKZWNobyAicnVubmluZyBSSFVJIGZpeCIKZm9yIGF0dGVtcHQgaW4gezEuLjV9OyBkbwogIHl1bSB1cGRhdGUgLXkgLS1kaXNhYmxlcmVwbz0nKicgLS1lbmFibGVyZXBvPSdyaHVpLW1pY3Jvc29mdC1henVyZSonICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gInJ1bm5pbmcgeXVtIHVwZGF0ZSIKZm9yIGF0dGVtcHQgaW4gezEuLjV9OyBkbwogIHl1bSAteSAteCBXQUxpbnV4QWdlbnQgLXggV0FMaW51eEFnZW50LXVkZXYgdXBkYXRlIC0tYWxsb3dlcmFzaW5nICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gImV4dGVuZGluZyBwYXJ0aXRpb24gdGFibGUiCiMgTGludXggYmxvY2sgZGV2aWNlcyBhcmUgaW5jb25zaXN0ZW50bHkgbmFtZWQKIyBpdCdzIGRpZmZpY3VsdCB0byB0aWUgdGhlIGx2bSBwdiB0byB0aGUgcGh5c2ljYWwgZGlzayB1c2luZyAvZGV2L2Rpc2sgZmlsZXMsIHdoaWNoIGlzIHdoeSBsdnMgaXMgdXNlZCBoZXJlCnBoeXNpY2FsX2Rpc2s9IiQobHZzIC1vIGRldmljZXMgLWEgfCBoZWFkIC1uMiB8IHRhaWwgLW4xIHwgY3V0IC1kICcgJyAtZiAzIHwgY3V0IC1kIFwoIC1mIDEgfCB0ciAtZCAnWzpkaWdpdDpdJykiCmdyb3dwYXJ0ICIkcGh5c2ljYWxfZGlzayIgMgoKZWNobyAiZXh0ZW5kaW5nIGZpbGVzeXN0ZW1zIgpsdmV4dGVuZCAtbCArMjAlRlJFRSAvZGV2L3Jvb3R2Zy9yb290bHYKeGZzX2dyb3dmcyAvCgpsdmV4dGVuZCAtbCArMTAwJUZSRUUgL2Rldi9yb290dmcvdmFybHYKeGZzX2dyb3dmcyAvdmFyCgpycG0gLS1pbXBvcnQgaHR0cHM6Ly9kbC5mZWRvcmFwcm9qZWN0Lm9yZy9wdWIvZXBlbC9SUE0tR1BHLUtFWS1FUEVMLTgKcnBtIC0taW1wb3J0IGh0dHBzOi8vcGFja2FnZXMubWljcm9zb2Z0LmNvbS9rZXlzL21pY3Jvc29mdC5hc2MKCmZvciBhdHRlbXB0IGluIHsxLi41fTsgZG8KICB5dW0gLXkgaW5zdGFsbCBodHRwczovL2RsLmZlZG9yYXByb2plY3Qub3JnL3B1Yi9lcGVsL2VwZWwtcmVsZWFzZS1sYXRlc3QtOC5ub2FyY2gucnBtICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gImNvbmZpZ3VyaW5nIGxvZ3JvdGF0ZSIKCiMgZ2F0ZXdheV9sb2dkaXIgaXMgYSByZWFkb25seSB2YXJpYWJsZSB0aGF0IHNwZWNpZmllcyB0aGUgaG9zdCBwYXRoIG1vdW50IHBvaW50IGZvciB0aGUgZ2F0ZXdheSBjb250YWluZXIgbG9nIGZpbGUKIyBmb3IgdGhlIHB1cnBvc2Ugb2Ygcm90YXRpbmcgdGhlIGdhdGV3YXkgbG9ncwpkZWNsYXJlIC1yIGdhdGV3YXlfbG9nZGlyPScvdmFyL2xvZy9hcm8tZ2F0ZXdheScKCmNhdCA+L2V0Yy9sb2dyb3RhdGUuY29uZiA8PEVPRgojIHNlZSAibWFuIGxvZ3JvdGF0ZSIgZm9yIGRldGFpbHMKIyByb3RhdGUgbG9nIGZpbGVzIHdlZWtseQp3ZWVrbHkKCiMga2VlcCAyIHdlZWtzIHdvcnRoIG9mIGJhY2tsb2dzCnJvdGF0ZSAyCgojIGNyZWF0ZSBuZXcgKGVtcHR5KSBsb2cgZmlsZXMgYWZ0ZXIgcm90YXRpbmcgb2xkIG9uZXMKY3JlYXRlCgojIHVzZSBkYXRlIGFzIGEgc3VmZml4IG9mIHRoZSByb3RhdGVkIGZpbGUKZGF0ZWV4dAoKIyB1bmNvbW1lbnQgdGhpcyBpZiB5b3Ugd2FudCB5b3VyIGxvZyBmaWxlcyBjb21wcmVzc2VkCmNvbXByZXNzCgojIFJQTSBwYWNrYWdlcyBkcm9wIGxvZyByb3RhdGlvbiBpbmZvcm1hdGlvbiBpbnRvIHRoaXMgZGlyZWN0b3J5CmluY2x1ZGUgL2V0Yy9sb2dyb3RhdGUuZAoKIyBubyBwYWNrYWdlcyBvd24gd3RtcCBhbmQgYnRtcCAtLSB3ZSdsbCByb3RhdGUgdGhlbSBoZXJlCi92YXIvbG9nL3d0bXAgewogICAgbW9udGhseQogICAgY3JlYXRlIDA2NjQgcm9vdCB1dG1wCiAgICAgICAgbWluc2l6ZSAxTQogICAgcm90YXRlIDEKfQoKL3Zhci9sb2cvYnRtcCB7CiAgICBtaXNzaW5nb2sKICAgIG1vbnRobHkKICAgIGNyZWF0ZSAwNjAwIHJvb3QgdXRtcAogICAgcm90YXRlIDEKfQoKIyBNYXhpbXVtIGxvZyBkaXJlY3Rvcnkgc2l6ZSBpcyAxMDBHIHdpdGggdGhpcyBjb25maWd1cmF0aW9uCiMgU2V0dGluZyBsaW1pdCB0byAxMDBHIHRvIGFsbG93IHNwYWNlIGZvciBvdGhlciBsb2dnaW5nIHNlcnZpY2VzCiMgY29weXRydW5jYXRlIGlzIGEgY3JpdGljYWwgb3B0aW9uIHVzZWQgdG8gcHJldmVudCBsb2dzIGZyb20gYmVpbmcgc2hpcHBlZCB0d2ljZQoke2dhdGV3YXlfbG9nZGlyfSB7CiAgICBzaXplIDIwRwogICAgcm90YXRlIDUKICAgIGNyZWF0ZSAwNjAwIHJvb3Qgcm9vdAogICAgY29weXRydW5jYXRlCiAgICBub29sZGRpcgogICAgY29tcHJlc3MKfQpFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIHl1bSByZXBvc2l0b3J5IGFuZCBydW5uaW5nIHl1bSB1cGRhdGUiCmNhdCA+L2V0Yy95dW0ucmVwb3MuZC9henVyZS5yZXBvIDw8J0VPRicKW2F6dXJlLWNsaV0KbmFtZT1henVyZS1jbGkKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmUtY2xpCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPXllcwoKW2F6dXJlY29yZV0KbmFtZT1henVyZWNvcmUKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmVjb3JlCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPW5vCkVPRgoKc2VtYW5hZ2UgZmNvbnRleHQgLWEgLXQgdmFyX2xvZ190ICIvdmFyL2xvZy9qb3VybmFsKC8uKik/Igpta2RpciAtcCAvdmFyL2xvZy9qb3VybmFsCgpmb3IgYXR0ZW1wdCBpbiB7MS4uNX07IGRvCiAgeXVtIC15IGluc3RhbGwgY2xhbWF2IGF6c2VjLWNsYW1hdiBhenNlYy1tb25pdG9yIGF6dXJlLWNsaSBhenVyZS1tZHNkIGF6dXJlLXNlY3VyaXR5IHBvZG1hbi1kb2NrZXIgb3BlbnNzbC1wZXJsIHB5dGhvbjMgJiYgYnJlYWsKICAjIGhhY2sgLSB3ZSBhcmUgaW5zdGFsbGluZyBweXRob24zIG9uIGhvc3RzIGR1ZSB0byBhbiBpc3N1ZSB3aXRoIEF6dXJlIExpbnV4IEV4dGVuc2lvbnMgaHR0cHM6Ly9naXRodWIuY29tL0F6dXJlL2F6dXJlLWxpbnV4LWV4dGVuc2lvbnMvcHVsbC8xNTA1CiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gImFwcGx5aW5nIGZpcmV3YWxsIHJ1bGVzIgojIGh0dHBzOi8vYWNjZXNzLnJlZGhhdC5jb20vc2VjdXJpdHkvY3ZlL2N2ZS0yMDIwLTEzNDAxCmNhdCA+L2V0Yy9zeXNjdGwuZC8wMi1kaXNhYmxlLWFjY2VwdC1yYS5jb25mIDw8J0VPRicKbmV0LmlwdjYuY29uZi5hbGwuYWNjZXB0X3JhPTAKRU9GCgpjYXQgPi9ldGMvc3lzY3RsLmQvMDEtZGlzYWJsZS1jb3JlLmNvbmYgPDwnRU9GJwprZXJuZWwuY29yZV9wYXR0ZXJuID0gfC9iaW4vdHJ1ZQpFT0YKc3lzY3RsIC0tc3lzdGVtCgpmaXJld2FsbC1jbWQgLS1hZGQtcG9ydD04MC90Y3AgLS1wZXJtYW5lbnQKZmlyZXdhbGwtY21kIC0tYWRkLXBvcnQ9ODA4MS90Y3AgLS1wZXJtYW5lbnQKZmlyZXdhbGwtY21kIC0tYWRkLXBvcnQ9NDQzL3RjcCAtLXBlcm1hbmVudAoKZWNobyAibG9nZ2luZyBpbnRvIHByb2QgYWNyIgpleHBvcnQgQVpVUkVfQ0xPVURfTkFNRT0kQVpVUkVDTE9VRE5BTUUKYXogbG9naW4gLWkgLS1hbGxvdy1uby1zdWJzY3JpcHRpb25zCgojIFRoZSBtYW5hZ2VkIGlkZW50aXR5IHRoYXQgdGhlIFZNIHJ1bnMgYXMgb25seSBoYXMgYSBzaW5nbGUgcm9sZWFzc2lnbm1lbnQuCiMgVGhpcyByb2xlIGFzc2lnbm1lbnQgaXMgQUNSUHVsbCB3aGljaCBpcyBub3QgbmVjZXNzYXJpbHkgcHJlc2VudCBpbiB0aGUKIyBzdWJzY3JpcHRpb24gd2UncmUgZGVwbG95aW5nIGludG8uICBJZiB0aGUgaWRlbnRpdHkgZG9lcyBub3QgaGF2ZSBhbnkKIyByb2xlIGFzc2lnbm1lbnRzIHNjb3BlZCBvbiB0aGUgc3Vic2NyaXB0aW9uIHdlJ3JlIGRlcGxveWluZyBpbnRvLCBpdCB3aWxsCiMgbm90IHNob3cgb24gYXogbG9naW4gLWksIHdoaWNoIGlzIHdoeSB0aGUgYmVsb3cgbGluZSBpcyBjb21tZW50ZWQuCiMgYXogYWNjb3VudCBzZXQgLXMgIiRTVUJTQ1JJUFRJT05JRCIKCiMgU3VwcHJlc3MgZW11bGF0aW9uIG91dHB1dCBmb3IgcG9kbWFuIGluc3RlYWQgb2YgZG9ja2VyIGZvciBheiBhY3IgY29tcGF0YWJpbGl0eQpta2RpciAtcCAvZXRjL2NvbnRhaW5lcnMvCnRvdWNoIC9ldGMvY29udGFpbmVycy9ub2RvY2tlcgoKbWtkaXIgLXAgL3Jvb3QvLmRvY2tlcgpSRUdJU1RSWV9BVVRIX0ZJTEU9L3Jvb3QvLmRvY2tlci9jb25maWcuanNvbiBheiBhY3IgbG9naW4gLS1uYW1lICIkKHNlZCAtZSAnc3wuKi98fCcgPDw8IiRBQ1JSRVNPVVJDRUlEIikiCgpNRE1JTUFHRT0iJHtSUElNQUdFJSUvKn0vJHtNRE1JTUFHRSMjKi99Igpkb2NrZXIgcHVsbCAiJE1ETUlNQUdFIgpkb2NrZXIgcHVsbCAiJFJQSU1BR0UiCmRvY2tlciBwdWxsICIkRkxVRU5UQklUSU1BR0UiCgpheiBsb2dvdXQKCmVjaG8gImNvbmZpZ3VyaW5nIGZsdWVudGJpdCBzZXJ2aWNlIgpta2RpciAtcCAvZXRjL2ZsdWVudGJpdC8KbWtkaXIgLXAgL3Zhci9saWIvZmx1ZW50CgpjYXQgPi9ldGMvZmx1ZW50Yml0L2ZsdWVudGJpdC5jb25mIDw8J0VPRicKW0lOUFVUXQoJTmFtZSBzeXN0ZW1kCglUYWcgam91cm5hbGQKCVN5c3RlbWRfRmlsdGVyIF9DT01NPWFybwoJREIgL3Zhci9saWIvZmx1ZW50L2pvdXJuYWxkYgoKW0ZJTFRFUl0KCU5hbWUgbW9kaWZ5CglNYXRjaCBqb3VybmFsZAoJUmVtb3ZlX3dpbGRjYXJkIF8KCVJlbW92ZSBUSU1FU1RBTVAKCltPVVRQVVRdCglOYW1lIGZvcndhcmQKCU1hdGNoICoKCVBvcnQgMjkyMzAKRU9GCgplY2hvICJGTFVFTlRCSVRJTUFHRT0kRkxVRU5UQklUSU1BR0UiID4vZXRjL3N5c2NvbmZpZy9mbHVlbnRiaXQKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9mbHVlbnRiaXQuc2VydmljZSA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0ClN0YXJ0TGltaXRJbnRlcnZhbFNlYz0wCgpbU2VydmljZV0KUmVzdGFydFNlYz0xcwpFbnZpcm9ubWVudEZpbGU9L2V0Yy9zeXNjb25maWcvZmx1ZW50Yml0CkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVOCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIFwKICAtLXNlY3VyaXR5LW9wdCBsYWJlbD1kaXNhYmxlIFwKICAtLWVudHJ5cG9pbnQgL29wdC90ZC1hZ2VudC1iaXQvYmluL3RkLWFnZW50LWJpdCBcCiAgLS1uZXQ9aG9zdCBcCiAgLS1ob3N0bmFtZSAlSCBcCiAgLS1uYW1lICVOIFwKICAtLXJtIFwKICAtLWNhcC1kcm9wIG5ldF9yYXcgXAogIC12IC9ldGMvZmx1ZW50Yml0L2ZsdWVudGJpdC5jb25mOi9ldGMvZmx1ZW50Yml0L2ZsdWVudGJpdC5jb25mIFwKICAtdiAvdmFyL2xpYi9mbHVlbnQ6L3Zhci9saWIvZmx1ZW50OnogXAogIC12IC92YXIvbG9nL2pvdXJuYWw6L3Zhci9sb2cvam91cm5hbDpybyBcCiAgLXYgL2V0Yy9tYWNoaW5lLWlkOi9ldGMvbWFjaGluZS1pZDpybyBcCiAgJEZMVUVOVEJJVElNQUdFIFwKICAtYyAvZXRjL2ZsdWVudGJpdC9mbHVlbnRiaXQuY29uZgoKRXhlY1N0b3A9L3Vzci9iaW4vZG9ja2VyIHN0b3AgJU4KUmVzdGFydD1hbHdheXMKUmVzdGFydFNlYz01ClN0YXJ0TGltaXRJbnRlcnZhbD0wCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgplY2hvICJjb25maWd1cmluZyBtZG0gc2VydmljZSIKY2F0ID4vZXRjL3N5c2NvbmZpZy9tZG0gPDxFT0YKTURNRlJPTlRFTkRVUkw9JyRNRE1GUk9OVEVORFVSTCcKTURNSU1BR0U9JyRNRE1JTUFHRScKTURNU09VUkNFRU5WSVJPTk1FTlQ9JyRMT0NBVElPTicKTURNU09VUkNFUk9MRT1nYXRld2F5Ck1ETVNPVVJDRVJPTEVJTlNUQU5DRT0nJChob3N0bmFtZSknCkVPRgoKbWtkaXIgL3Zhci9ldHcKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL21kbS5zZXJ2aWNlIDw8J0VPRicKW1VuaXRdCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApXYW50cz1uZXR3b3JrLW9ubGluZS50YXJnZXQKCltTZXJ2aWNlXQpFbnZpcm9ubWVudEZpbGU9L2V0Yy9zeXNjb25maWcvbWRtCkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVOCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIFwKICAtLWVudHJ5cG9pbnQgL3Vzci9zYmluL01ldHJpY3NFeHRlbnNpb24gXAogIC0taG9zdG5hbWUgJUggXAogIC0tbmFtZSAlTiBcCiAgLS1ybSBcCiAgLS1jYXAtZHJvcCBuZXRfcmF3IFwKICAtbSAyZyBcCiAgLXYgL2V0Yy9tZG0ucGVtOi9ldGMvbWRtLnBlbSBcCiAgLXYgL3Zhci9ldHc6L3Zhci9ldHc6eiBcCiAgJE1ETUlNQUdFIFwKICAtQ2VydEZpbGUgL2V0Yy9tZG0ucGVtIFwKICAtRnJvbnRFbmRVcmwgJE1ETUZST05URU5EVVJMIFwKICAtTG9nZ2VyIENvbnNvbGUgXAogIC1Mb2dMZXZlbCBXYXJuaW5nIFwKICAtUHJpdmF0ZUtleUZpbGUgL2V0Yy9tZG0ucGVtIFwKICAtU291cmNlRW52aXJvbm1lbnQgJE1ETVNPVVJDRUVOVklST05NRU5UIFwKICAtU291cmNlUm9sZSAkTURNU09VUkNFUk9MRSBcCiAgLVNvdXJjZVJvbGVJbnN0YW5jZSAkTURNU09VUkNFUk9MRUlOU1RBTkNFCkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wICVOClJlc3RhcnQ9YWx3YXlzClJlc3RhcnRTZWM9MQpTdGFydExpbWl0SW50ZXJ2YWw9MAoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKZWNobyAiY29uZmlndXJpbmcgYXJvLWdhdGV3YXkgc2VydmljZSIKY2F0ID4vZXRjL3N5c2NvbmZpZy9hcm8tZ2F0ZXdheSA8PEVPRgpBQ1JfUkVTT1VSQ0VfSUQ9JyRBQ1JSRVNPVVJDRUlEJwpEQVRBQkFTRV9BQ0NPVU5UX05BTUU9JyREQVRBQkFTRUFDQ09VTlROQU1FJwpBWlVSRV9EQlRPS0VOX0NMSUVOVF9JRD0nJERCVE9LRU5DTElFTlRJRCcKREJUT0tFTl9VUkw9JyREQlRPS0VOVVJMJwpNRE1fQUNDT1VOVD0iJFJQTURNQUNDT1VOVCIKTURNX05BTUVTUEFDRT1HYXRld2F5CkdBVEVXQVlfRE9NQUlOUz0nJEdBVEVXQVlET01BSU5TJwpHQVRFV0FZX0ZFQVRVUkVTPSckR0FURVdBWUZFQVRVUkVTJwpSUElNQUdFPSckUlBJTUFHRScKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vYXJvLWdhdGV3YXkuc2VydmljZSA8PEVPRgpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldAoKW1NlcnZpY2VdCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9hcm8tZ2F0ZXdheQpFeGVjU3RhcnRQcmU9LS91c3IvYmluL2RvY2tlciBybSAtZiAlTgpFeGVjU3RhcnRQcmU9L3Vzci9iaW4vbWtkaXIgLXAgJHtnYXRld2F5X2xvZ2Rpcn0KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0taG9zdG5hbWUgJUggXAogIC0tbmFtZSAlTiBcCiAgLS1ybSBcCiAgLS1jYXAtZHJvcCBuZXRfcmF3IFwKICAtZSBBQ1JfUkVTT1VSQ0VfSUQgXAogIC1lIERBVEFCQVNFX0FDQ09VTlRfTkFNRSBcCiAgLWUgQVpVUkVfREJUT0tFTl9DTElFTlRfSUQgXAogIC1lIERCVE9LRU5fVVJMIFwKICAtZSBHQVRFV0FZX0RPTUFJTlMgXAogIC1lIEdBVEVXQVlfRkVBVFVSRVMgXAogIC1lIE1ETV9BQ0NPVU5UIFwKICAtZSBNRE1fTkFNRVNQQUNFIFwKICAtbSAyZyBcCiAgLXAgODA6ODA4MCBcCiAgLXAgODA4MTo4MDgxIFwKICAtcCA0NDM6ODQ0MyBcCiAgLXYgL3J1bi9zeXN0ZW1kL2pvdXJuYWw6L3J1bi9zeXN0ZW1kL2pvdXJuYWwgXAogIC12IC92YXIvZXR3Oi92YXIvZXR3OnogXAogIC12ICR7Z2F0ZXdheV9sb2dkaXJ9Oi9jdHIubG9nOnogXAogIFwkUlBJTUFHRSBcCiAgZ2F0ZXdheQpFeGVjU3RvcD0vdXNyL2Jpbi9kb2NrZXIgc3RvcCAtdCAzNjAwICVOClRpbWVvdXRTdG9wU2VjPTM2MDAKUmVzdGFydD1hbHdheXMKUmVzdGFydFNlYz0xClN0YXJ0TGltaXRJbnRlcnZhbD0wCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgpjaGNvbiAtUiBzeXN0ZW1fdTpvYmplY3Rfcjp2YXJfbG9nX3Q6czAgL3Zhci9vcHQvbWljcm9zb2Z0L2xpbnV4bW9uYWdlbnQKCm1rZGlyIC1wIC92YXIvbGliL3dhYWdlbnQvTWljcm9zb2Z0LkF6dXJlLktleVZhdWx0LlN0b3JlCgplY2hvICJjb25maWd1cmluZyBtZHNkIGFuZCBtZG0gc2VydmljZXMiCmZvciB2YXIgaW4gIm1kc2QiICJtZG0iOyBkbwpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vZG93bmxvYWQtJHZhci1jcmVkZW50aWFscy5zZXJ2aWNlIDw8RU9GCltVbml0XQpEZXNjcmlwdGlvbj1QZXJpb2RpYyAkdmFyIGNyZWRlbnRpYWxzIHJlZnJlc2gKCltTZXJ2aWNlXQpUeXBlPW9uZXNob3QKRXhlY1N0YXJ0PS91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoICR2YXIKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vZG93bmxvYWQtJHZhci1jcmVkZW50aWFscy50aW1lciA8PEVPRgpbVW5pdF0KRGVzY3JpcHRpb249UGVyaW9kaWMgJHZhciBjcmVkZW50aWFscyByZWZyZXNoCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApXYW50cz1uZXR3b3JrLW9ubGluZS50YXJnZXQKCltUaW1lcl0KT25Cb290U2VjPTBtaW4KT25DYWxlbmRhcj0wLzEyOjAwOjAwCkFjY3VyYWN5U2VjPTVzCgpbSW5zdGFsbF0KV2FudGVkQnk9dGltZXJzLnRhcmdldApFT0YKZG9uZQoKY2F0ID4vdXNyL2xvY2FsL2Jpbi9kb3dubG9hZC1jcmVkZW50aWFscy5zaCA8PEVPRgojIS9iaW4vYmFzaApzZXQgLWV1CgpDT01QT05FTlQ9IlwkMSIKZWNobyAiRG93bmxvYWQgXCRDT01QT05FTlQgY3JlZGVudGlhbHMiCgpURU1QX0RJUj1cJChta3RlbXAgLWQpCmV4cG9ydCBBWlVSRV9DT05GSUdfRElSPVwkKG1rdGVtcCAtZCkKCmVjaG8gIkxvZ2dpbmcgaW50byBBenVyZS4uLiIKUkVUUklFUz0zCndoaWxlIFsgIlwkUkVUUklFUyIgLWd0IDAgXTsgZG8KICAgIGlmIGF6IGxvZ2luIC1pIC0tYWxsb3ctbm8tc3Vic2NyaXB0aW9ucwogICAgdGhlbgogICAgICAgIGVjaG8gImF6IGxvZ2luIHN1Y2Nlc3NmdWwiCiAgICAgICAgYnJlYWsKICAgIGVsc2UKICAgICAgICBlY2hvICJheiBsb2dpbiBmYWlsZWQuIFJldHJ5aW5nLi4uIgogICAgICAgIGxldCBSRVRSSUVTLT0xCiAgICAgICAgc2xlZXAgNQogICAgZmkKZG9uZQoKdHJhcCAiY2xlYW51cCIgRVhJVAoKY2xlYW51cCgpIHsKICBheiBsb2dvdXQKICBbWyAiXCRURU1QX0RJUiIgPX4gL3RtcC8uKyBdXSAmJiBybSAtcmYgXCRURU1QX0RJUgogIFtbICJcJEFaVVJFX0NPTkZJR19ESVIiID1+IC90bXAvLisgXV0gJiYgcm0gLXJmIFwkQVpVUkVfQ09ORklHX0RJUgp9CgppZiBbICJcJENPTVBPTkVOVCIgPSAibWRtIiBdOyB0aGVuCiAgQ1VSUkVOVF9DRVJUX0ZJTEU9Ii9ldGMvbWRtLnBlbSIKZWxpZiBbICJcJENPTVBPTkVOVCIgPSAibWRzZCIgXTsgdGhlbgogIENVUlJFTlRfQ0VSVF9GSUxFPSIvdmFyL2xpYi93YWFnZW50L01pY3Jvc29mdC5BenVyZS5LZXlWYXVsdC5TdG9yZS9tZHNkLnBlbSIKZWxzZQogIGVjaG8gSW52YWxpZCB1c2FnZSAmJiBleGl0IDEKZmkKClNFQ1JFVF9OQU1FPSJnd3ktXCR7Q09NUE9ORU5UfSIKTkVXX0NFUlRfRklMRT0iXCRURU1QX0RJUi9cJENPTVBPTkVOVC5wZW0iCmZvciBhdHRlbXB0IGluIHsxLi41fTsgZG8KICBheiBrZXl2YXVsdCBzZWNyZXQgZG93bmxvYWQgLS1maWxlIFwkTkVXX0NFUlRfRklMRSAtLWlkICJodHRwczovLyRLRVlWQVVMVFBSRUZJWC1nd3kuJEtFWVZBVUxURE5TU1VGRklYL3NlY3JldHMvXCRTRUNSRVRfTkFNRSIgJiYgYnJlYWsKICBpZiBbWyBcJGF0dGVtcHQgLWx0IDUgXV07IHRoZW4gc2xlZXAgMTA7IGVsc2UgZXhpdCAxOyBmaQpkb25lCgppZiBbIC1mIFwkTkVXX0NFUlRfRklMRSBdOyB0aGVuCiAgaWYgWyAiXCRDT01QT05FTlQiID0gIm1kc2QiIF07IHRoZW4KICAgIGNob3duIHN5c2xvZzpzeXNsb2cgXCRORVdfQ0VSVF9GSUxFCiAgZWxzZQogICAgc2VkIC1pIC1uZSAnMSwvRU5EIENFUlRJRklDQVRFLyBwJyBcJE5FV19DRVJUX0ZJTEUKICBmaQoKICBuZXdfY2VydF9zbj0iXCQob3BlbnNzbCB4NTA5IC1pbiAiXCRORVdfQ0VSVF9GSUxFIiAtbm9vdXQgLXNlcmlhbCB8IGF3ayAtRj0gJ3twcmludCBcJDJ9JykiCiAgY3VycmVudF9jZXJ0X3NuPSJcJChvcGVuc3NsIHg1MDkgLWluICJcJENVUlJFTlRfQ0VSVF9GSUxFIiAtbm9vdXQgLXNlcmlhbCB8IGF3ayAtRj0gJ3twcmludCBcJDJ9JykiCiAgaWYgW1sgISAteiBcJG5ld19jZXJ0X3NuIF1dICYmIFtbIFwkbmV3X2NlcnRfc24gIT0gIlwkY3VycmVudF9jZXJ0X3NuIiBdXTsgdGhlbgogICAgZWNobyB1cGRhdGluZyBjZXJ0aWZpY2F0ZSBmb3IgXCRDT01QT05FTlQKICAgIGNobW9kIDA2MDAgXCRORVdfQ0VSVF9GSUxFCiAgICBtdiBcJE5FV19DRVJUX0ZJTEUgXCRDVVJSRU5UX0NFUlRfRklMRQogIGZpCmVsc2UKICBlY2hvIEZhaWxlZCB0byByZWZyZXNoIGNlcnRpZmljYXRlIGZvciBcJENPTVBPTkVOVCAmJiBleGl0IDEKZmkKRU9GCgpjaG1vZCB1K3ggL3Vzci9sb2NhbC9iaW4vZG93bmxvYWQtY3JlZGVudGlhbHMuc2gKCnN5c3RlbWN0bCBlbmFibGUgZG93bmxvYWQtbWRzZC1jcmVkZW50aWFscy50aW1lcgpzeXN0ZW1jdGwgZW5hYmxlIGRvd25sb2FkLW1kbS1jcmVkZW50aWFscy50aW1lcgoKL3Vzci9sb2NhbC9iaW4vZG93bmxvYWQtY3JlZGVudGlhbHMuc2ggbWRzZAovdXNyL2xvY2FsL2Jpbi9kb3dubG9hZC1jcmVkZW50aWFscy5zaCBtZG0KTURTRENFUlRJRklDQVRFU0FOPSQob3BlbnNzbCB4NTA5IC1pbiAvdmFyL2xpYi93YWFnZW50L01pY3Jvc29mdC5BenVyZS5LZXlWYXVsdC5TdG9yZS9tZHNkLnBlbSAtbm9vdXQgLXN1YmplY3QgfCBzZWQgLWUgJ3MvLipDTiA9IC8vJykKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS93YXRjaC1tZG0tY3JlZGVudGlhbHMuc2VydmljZSA8PEVPRgpbVW5pdF0KRGVzY3JpcHRpb249V2F0Y2ggZm9yIGNoYW5nZXMgaW4gbWRtLnBlbSBhbmQgcmVzdGFydHMgdGhlIG1kbSBzZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1vbmVzaG90CkV4ZWNTdGFydD0vdXNyL2Jpbi9zeXN0ZW1jdGwgcmVzdGFydCBtZG0uc2VydmljZQoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL3dhdGNoLW1kbS1jcmVkZW50aWFscy5wYXRoIDw8RU9GCltQYXRoXQpQYXRoTW9kaWZpZWQ9L2V0Yy9tZG0ucGVtCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgpzeXN0ZW1jdGwgZW5hYmxlIHdhdGNoLW1kbS1jcmVkZW50aWFscy5wYXRoCnN5c3RlbWN0bCBzdGFydCB3YXRjaC1tZG0tY3JlZGVudGlhbHMucGF0aAoKbWtkaXIgL2V0Yy9zeXN0ZW1kL3N5c3RlbS9tZHNkLnNlcnZpY2UuZApjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vbWRzZC5zZXJ2aWNlLmQvb3ZlcnJpZGUuY29uZiA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKRU9GCgpjYXQgPi9ldGMvZGVmYXVsdC9tZHNkIDw8RU9GCk1EU0RfUk9MRV9QUkVGSVg9L3Zhci9ydW4vbWRzZC9kZWZhdWx0Ck1EU0RfT1BUSU9OUz0iLUEgLWQgLXIgXCRNRFNEX1JPTEVfUFJFRklYIgoKZXhwb3J0IE1PTklUT1JJTkdfR0NTX0VOVklST05NRU5UPSckTURTREVOVklST05NRU5UJwpleHBvcnQgTU9OSVRPUklOR19HQ1NfQUNDT1VOVD0nJFJQTURTREFDQ09VTlQnCmV4cG9ydCBNT05JVE9SSU5HX0dDU19SRUdJT049JyRMT0NBVElPTicKZXhwb3J0IE1PTklUT1JJTkdfR0NTX0FVVEhfSURfVFlQRT1BdXRoS2V5VmF1bHQKZXhwb3J0IE1PTklUT1JJTkdfR0NTX0FVVEhfSUQ9JyRNRFNEQ0VSVElGSUNBVEVTQU4nCmV4cG9ydCBNT05JVE9SSU5HX0dDU19OQU1FU1BBQ0U9JyRSUE1EU0ROQU1FU1BBQ0UnCmV4cG9ydCBNT05JVE9SSU5HX0NPTkZJR19WRVJTSU9OPSckR0FURVdBWU1EU0RDT05GSUdWRVJTSU9OJwpleHBvcnQgTU9OSVRPUklOR19VU0VfR0VORVZBX0NPTkZJR19TRVJWSUNFPXRydWUKCmV4cG9ydCBNT05JVE9SSU5HX1RFTkFOVD0nJExPQ0FUSU9OJwpleHBvcnQgTU9OSVRPUklOR19ST0xFPWdhdGV3YXkKZXhwb3J0IE1PTklUT1JJTkdfUk9MRV9JTlNUQU5DRT0nJChob3N0bmFtZSknCgpleHBvcnQgTURTRF9NU0dQQUNLX1NPUlRfQ09MVU1OUz0xCkVPRgoKIyBzZXR0aW5nIE1PTklUT1JJTkdfR0NTX0FVVEhfSURfVFlQRT1BdXRoS2V5VmF1bHQgc2VlbXMgdG8gaGF2ZSBjYXVzZWQgbWRzZCBub3QKIyB0byBob25vdXIgU1NMX0NFUlRfRklMRSBhbnkgbW9yZSwgaGVhdmVuIG9ubHkga25vd3Mgd2h5Lgpta2RpciAtcCAvdXNyL2xpYi9zc2wvY2VydHMKY3NwbGl0IC1mIC91c3IvbGliL3NzbC9jZXJ0cy9jZXJ0LSAtYiAlMDNkLnBlbSAvZXRjL3BraS90bHMvY2VydHMvY2EtYnVuZGxlLmNydCAvXiQvMSB7Kn0gPi9kZXYvbnVsbApjX3JlaGFzaCAvdXNyL2xpYi9zc2wvY2VydHMKCiMgd2UgbGVhdmUgY2xpZW50SWQgYmxhbmsgYXMgbG9uZyBhcyBvbmx5IDEgbWFuYWdlZCBpZGVudGl0eSBhc3NpZ25lZCB0byB2bXNzCiMgaWYgd2UgaGF2ZSBtb3JlIHRoYW4gMSwgd2Ugd2lsbCBuZWVkIHRvIHBvcHVsYXRlIHdpdGggY2xpZW50SWQgdXNlZCBmb3Igb2ZmLW5vZGUgc2Nhbm5pbmcKY2F0ID4vZXRjL2RlZmF1bHQvdnNhLW5vZGVzY2FuLWFnZW50LmNvbmZpZyA8PEVPRgp7CiAgICAiTmljZSI6IDE5LAogICAgIlRpbWVvdXQiOiAxMDgwMCwKICAgICJDbGllbnRJZCI6ICIiLAogICAgIlRlbmFudElkIjogIiRBWlVSRVNFQ1BBQ0tWU0FURU5BTlRJRCIsCiAgICAiUXVhbHlzU3RvcmVCYXNlVXJsIjogIiRBWlVSRVNFQ1BBQ0tRVUFMWVNVUkwiLAogICAgIlByb2Nlc3NUaW1lb3V0IjogMzAwLAogICAgIkNvbW1hbmREZWxheSI6IDAKICB9CkVPRgoKZWNobyAiZW5hYmxpbmcgYXJvIHNlcnZpY2VzIgpmb3Igc2VydmljZSBpbiBhcm8tZ2F0ZXdheSBhdW9tcyBhenNlY2QgYXpzZWNtb25kIG1kc2QgbWRtIGNocm9ueWQgZmx1ZW50Yml0OyBkbwogIHN5c3RlbWN0bCBlbmFibGUgJHNlcnZpY2Uuc2VydmljZQpkb25lCgpmb3Igc2NhbiBpbiBiYXNlbGluZSBjbGFtYXYgc29mdHdhcmU7IGRvCiAgL3Vzci9sb2NhbC9iaW4vYXpzZWNkIGNvbmZpZyAtcyAkc2NhbiAtZCBQMUQKZG9uZQoKZWNobyAicmVib290aW5nIgpyZXN0b3JlY29uIC1SRiAvdmFyL2xvZy8qCihzbGVlcCAzMDsgcmVib290KSAmCg==')))]"
+                                        "script": "[base64(concat(base64ToString('c2V0IC1leAoK'),'ACRRESOURCEID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('acrResourceId')),''')\n','AZURECLOUDNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureCloudName')),''')\n','AZURESECPACKQUALYSURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackQualysUrl')),''')\n','AZURESECPACKVSATENANTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackVSATenantId')),''')\n','DATABASEACCOUNTNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('databaseAccountName')),''')\n','DBTOKENCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('dbtokenClientId')),''')\n','DBTOKENURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('dbtokenUrl')),''')\n','MDMFRONTENDURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdmFrontendUrl')),''')\n','MDSDENVIRONMENT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdsdEnvironment')),''')\n','FLUENTBITIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fluentbitImage')),''')\n','GATEWAYMDSDCONFIGVERSION=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayMdsdConfigVersion')),''')\n','GATEWAYDOMAINS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayDomains')),''')\n','GATEWAYFEATURES=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayFeatures')),''')\n','KEYVAULTDNSSUFFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultDNSSuffix')),''')\n','KEYVAULTPREFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultPrefix')),''')\n','RPIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpImage')),''')\n','RPMDMACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdmAccount')),''')\n','RPMDSDACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdAccount')),''')\n','RPMDSDNAMESPACE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdNamespace')),''')\n','MDMIMAGE=''/genevamdm:2.2024.328.1744-c5fb79-20240328t1935''\n','LOCATION=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().location),''')\n','SUBSCRIPTIONID=$(base64 -d \u003c\u003c\u003c''',base64(subscription().subscriptionId),''')\n','RESOURCEGROUPNAME=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().name),''')\n','\n',base64ToString('IyEvYmluL2Jhc2gKCmVjaG8gInNldHRpbmcgc3NoIHBhc3N3b3JkIGF1dGhlbnRpY2F0aW9uIgojIFdlIG5lZWQgdG8gbWFudWFsbHkgc2V0IFBhc3N3b3JkQXV0aGVudGljYXRpb24gdG8gdHJ1ZSBpbiBvcmRlciBmb3IgdGhlIFZNU1MgQWNjZXNzIEpJVCB0byB3b3JrCnNlZCAtaSAncy9QYXNzd29yZEF1dGhlbnRpY2F0aW9uIG5vL1Bhc3N3b3JkQXV0aGVudGljYXRpb24geWVzL2cnIC9ldGMvc3NoL3NzaGRfY29uZmlnCnN5c3RlbWN0bCByZWxvYWQgc3NoZC5zZXJ2aWNlCgojQWRkaW5nIHJldHJ5IGxvZ2ljIHRvIHl1bSBjb21tYW5kcyBpbiBvcmRlciB0byBhdm9pZCBzdGFsbGluZyBvdXQgb24gcmVzb3VyY2UgbG9ja3MKZWNobyAicnVubmluZyBSSFVJIGZpeCIKZm9yIGF0dGVtcHQgaW4gezEuLjYwfTsgZG8KICB5dW0gdXBkYXRlIC15IC0tZGlzYWJsZXJlcG89JyonIC0tZW5hYmxlcmVwbz0ncmh1aS1taWNyb3NvZnQtYXp1cmUqJyAmJiBicmVhawogIGlmIFtbICR7YXR0ZW1wdH0gLWx0IDYwIF1dOyB0aGVuIHNsZWVwIDMwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKZWNobyAicnVubmluZyB5dW0gdXBkYXRlIgpmb3IgYXR0ZW1wdCBpbiB7MS4uNjB9OyBkbwogIHl1bSAteSAteCBXQUxpbnV4QWdlbnQgLXggV0FMaW51eEFnZW50LXVkZXYgdXBkYXRlIC0tYWxsb3dlcmFzaW5nICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNjAgXV07IHRoZW4gc2xlZXAgMzA7IGVsc2UgZXhpdCAxOyBmaQpkb25lCgplY2hvICJleHRlbmRpbmcgcGFydGl0aW9uIHRhYmxlIgojIExpbnV4IGJsb2NrIGRldmljZXMgYXJlIGluY29uc2lzdGVudGx5IG5hbWVkCiMgaXQncyBkaWZmaWN1bHQgdG8gdGllIHRoZSBsdm0gcHYgdG8gdGhlIHBoeXNpY2FsIGRpc2sgdXNpbmcgL2Rldi9kaXNrIGZpbGVzLCB3aGljaCBpcyB3aHkgbHZzIGlzIHVzZWQgaGVyZQpwaHlzaWNhbF9kaXNrPSIkKGx2cyAtbyBkZXZpY2VzIC1hIHwgaGVhZCAtbjIgfCB0YWlsIC1uMSB8IGN1dCAtZCAnICcgLWYgMyB8IGN1dCAtZCBcKCAtZiAxIHwgdHIgLWQgJ1s6ZGlnaXQ6XScpIgpncm93cGFydCAiJHBoeXNpY2FsX2Rpc2siIDIKCmVjaG8gImV4dGVuZGluZyBmaWxlc3lzdGVtcyIKbHZleHRlbmQgLWwgKzIwJUZSRUUgL2Rldi9yb290dmcvcm9vdGx2Cnhmc19ncm93ZnMgLwoKbHZleHRlbmQgLWwgKzEwMCVGUkVFIC9kZXYvcm9vdHZnL3Zhcmx2Cnhmc19ncm93ZnMgL3ZhcgoKcnBtIC0taW1wb3J0IGh0dHBzOi8vZGwuZmVkb3JhcHJvamVjdC5vcmcvcHViL2VwZWwvUlBNLUdQRy1LRVktRVBFTC04CnJwbSAtLWltcG9ydCBodHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20va2V5cy9taWNyb3NvZnQuYXNjCgpmb3IgYXR0ZW1wdCBpbiB7MS4uNjB9OyBkbwogIHl1bSAteSBpbnN0YWxsIGh0dHBzOi8vZGwuZmVkb3JhcHJvamVjdC5vcmcvcHViL2VwZWwvZXBlbC1yZWxlYXNlLWxhdGVzdC04Lm5vYXJjaC5ycG0gJiYgYnJlYWsKICBpZiBbWyAke2F0dGVtcHR9IC1sdCA2MCBdXTsgdGhlbiBzbGVlcCAzMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gImNvbmZpZ3VyaW5nIGxvZ3JvdGF0ZSIKCiMgZ2F0ZXdheV9sb2dkaXIgaXMgYSByZWFkb25seSB2YXJpYWJsZSB0aGF0IHNwZWNpZmllcyB0aGUgaG9zdCBwYXRoIG1vdW50IHBvaW50IGZvciB0aGUgZ2F0ZXdheSBjb250YWluZXIgbG9nIGZpbGUKIyBmb3IgdGhlIHB1cnBvc2Ugb2Ygcm90YXRpbmcgdGhlIGdhdGV3YXkgbG9ncwpkZWNsYXJlIC1yIGdhdGV3YXlfbG9nZGlyPScvdmFyL2xvZy9hcm8tZ2F0ZXdheScKCmNhdCA+L2V0Yy9sb2dyb3RhdGUuY29uZiA8PEVPRgojIHNlZSAibWFuIGxvZ3JvdGF0ZSIgZm9yIGRldGFpbHMKIyByb3RhdGUgbG9nIGZpbGVzIHdlZWtseQp3ZWVrbHkKCiMga2VlcCAyIHdlZWtzIHdvcnRoIG9mIGJhY2tsb2dzCnJvdGF0ZSAyCgojIGNyZWF0ZSBuZXcgKGVtcHR5KSBsb2cgZmlsZXMgYWZ0ZXIgcm90YXRpbmcgb2xkIG9uZXMKY3JlYXRlCgojIHVzZSBkYXRlIGFzIGEgc3VmZml4IG9mIHRoZSByb3RhdGVkIGZpbGUKZGF0ZWV4dAoKIyB1bmNvbW1lbnQgdGhpcyBpZiB5b3Ugd2FudCB5b3VyIGxvZyBmaWxlcyBjb21wcmVzc2VkCmNvbXByZXNzCgojIFJQTSBwYWNrYWdlcyBkcm9wIGxvZyByb3RhdGlvbiBpbmZvcm1hdGlvbiBpbnRvIHRoaXMgZGlyZWN0b3J5CmluY2x1ZGUgL2V0Yy9sb2dyb3RhdGUuZAoKIyBubyBwYWNrYWdlcyBvd24gd3RtcCBhbmQgYnRtcCAtLSB3ZSdsbCByb3RhdGUgdGhlbSBoZXJlCi92YXIvbG9nL3d0bXAgewogICAgbW9udGhseQogICAgY3JlYXRlIDA2NjQgcm9vdCB1dG1wCiAgICAgICAgbWluc2l6ZSAxTQogICAgcm90YXRlIDEKfQoKL3Zhci9sb2cvYnRtcCB7CiAgICBtaXNzaW5nb2sKICAgIG1vbnRobHkKICAgIGNyZWF0ZSAwNjAwIHJvb3QgdXRtcAogICAgcm90YXRlIDEKfQoKIyBNYXhpbXVtIGxvZyBkaXJlY3Rvcnkgc2l6ZSBpcyAxMDBHIHdpdGggdGhpcyBjb25maWd1cmF0aW9uCiMgU2V0dGluZyBsaW1pdCB0byAxMDBHIHRvIGFsbG93IHNwYWNlIGZvciBvdGhlciBsb2dnaW5nIHNlcnZpY2VzCiMgY29weXRydW5jYXRlIGlzIGEgY3JpdGljYWwgb3B0aW9uIHVzZWQgdG8gcHJldmVudCBsb2dzIGZyb20gYmVpbmcgc2hpcHBlZCB0d2ljZQoke2dhdGV3YXlfbG9nZGlyfSB7CiAgICBzaXplIDIwRwogICAgcm90YXRlIDUKICAgIGNyZWF0ZSAwNjAwIHJvb3Qgcm9vdAogICAgY29weXRydW5jYXRlCiAgICBub29sZGRpcgogICAgY29tcHJlc3MKfQpFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIHl1bSByZXBvc2l0b3J5IGFuZCBydW5uaW5nIHl1bSB1cGRhdGUiCmNhdCA+L2V0Yy95dW0ucmVwb3MuZC9henVyZS5yZXBvIDw8J0VPRicKW2F6dXJlLWNsaV0KbmFtZT1henVyZS1jbGkKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmUtY2xpCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPXllcwoKW2F6dXJlY29yZV0KbmFtZT1henVyZWNvcmUKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmVjb3JlCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPW5vCkVPRgoKc2VtYW5hZ2UgZmNvbnRleHQgLWEgLXQgdmFyX2xvZ190ICIvdmFyL2xvZy9qb3VybmFsKC8uKik/Igpta2RpciAtcCAvdmFyL2xvZy9qb3VybmFsCgpmb3IgYXR0ZW1wdCBpbiB7MS4uNjB9OyBkbwogIHl1bSAteSBpbnN0YWxsIGNsYW1hdiBhenNlYy1jbGFtYXYgYXpzZWMtbW9uaXRvciBhenVyZS1jbGkgYXp1cmUtbWRzZCBhenVyZS1zZWN1cml0eSBwb2RtYW4tZG9ja2VyIG9wZW5zc2wtcGVybCBweXRob24zICYmIGJyZWFrCiAgIyBoYWNrIC0gd2UgYXJlIGluc3RhbGxpbmcgcHl0aG9uMyBvbiBob3N0cyBkdWUgdG8gYW4gaXNzdWUgd2l0aCBBenVyZSBMaW51eCBFeHRlbnNpb25zIGh0dHBzOi8vZ2l0aHViLmNvbS9BenVyZS9henVyZS1saW51eC1leHRlbnNpb25zL3B1bGwvMTUwNQogIGlmIFtbICR7YXR0ZW1wdH0gLWx0IDYwIF1dOyB0aGVuIHNsZWVwIDMwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKZWNobyAiYXBwbHlpbmcgZmlyZXdhbGwgcnVsZXMiCiMgaHR0cHM6Ly9hY2Nlc3MucmVkaGF0LmNvbS9zZWN1cml0eS9jdmUvY3ZlLTIwMjAtMTM0MDEKY2F0ID4vZXRjL3N5c2N0bC5kLzAyLWRpc2FibGUtYWNjZXB0LXJhLmNvbmYgPDwnRU9GJwpuZXQuaXB2Ni5jb25mLmFsbC5hY2NlcHRfcmE9MApFT0YKCmNhdCA+L2V0Yy9zeXNjdGwuZC8wMS1kaXNhYmxlLWNvcmUuY29uZiA8PCdFT0YnCmtlcm5lbC5jb3JlX3BhdHRlcm4gPSB8L2Jpbi90cnVlCkVPRgpzeXNjdGwgLS1zeXN0ZW0KCmZpcmV3YWxsLWNtZCAtLWFkZC1wb3J0PTgwL3RjcCAtLXBlcm1hbmVudApmaXJld2FsbC1jbWQgLS1hZGQtcG9ydD04MDgxL3RjcCAtLXBlcm1hbmVudApmaXJld2FsbC1jbWQgLS1hZGQtcG9ydD00NDMvdGNwIC0tcGVybWFuZW50CgplY2hvICJsb2dnaW5nIGludG8gcHJvZCBhY3IiCmV4cG9ydCBBWlVSRV9DTE9VRF9OQU1FPSRBWlVSRUNMT1VETkFNRQpheiBsb2dpbiAtaSAtLWFsbG93LW5vLXN1YnNjcmlwdGlvbnMKCiMgVGhlIG1hbmFnZWQgaWRlbnRpdHkgdGhhdCB0aGUgVk0gcnVucyBhcyBvbmx5IGhhcyBhIHNpbmdsZSByb2xlYXNzaWdubWVudC4KIyBUaGlzIHJvbGUgYXNzaWdubWVudCBpcyBBQ1JQdWxsIHdoaWNoIGlzIG5vdCBuZWNlc3NhcmlseSBwcmVzZW50IGluIHRoZQojIHN1YnNjcmlwdGlvbiB3ZSdyZSBkZXBsb3lpbmcgaW50by4gIElmIHRoZSBpZGVudGl0eSBkb2VzIG5vdCBoYXZlIGFueQojIHJvbGUgYXNzaWdubWVudHMgc2NvcGVkIG9uIHRoZSBzdWJzY3JpcHRpb24gd2UncmUgZGVwbG95aW5nIGludG8sIGl0IHdpbGwKIyBub3Qgc2hvdyBvbiBheiBsb2dpbiAtaSwgd2hpY2ggaXMgd2h5IHRoZSBiZWxvdyBsaW5lIGlzIGNvbW1lbnRlZC4KIyBheiBhY2NvdW50IHNldCAtcyAiJFNVQlNDUklQVElPTklEIgoKIyBTdXBwcmVzcyBlbXVsYXRpb24gb3V0cHV0IGZvciBwb2RtYW4gaW5zdGVhZCBvZiBkb2NrZXIgZm9yIGF6IGFjciBjb21wYXRhYmlsaXR5Cm1rZGlyIC1wIC9ldGMvY29udGFpbmVycy8KdG91Y2ggL2V0Yy9jb250YWluZXJzL25vZG9ja2VyCgpta2RpciAtcCAvcm9vdC8uZG9ja2VyClJFR0lTVFJZX0FVVEhfRklMRT0vcm9vdC8uZG9ja2VyL2NvbmZpZy5qc29uIGF6IGFjciBsb2dpbiAtLW5hbWUgIiQoc2VkIC1lICdzfC4qL3x8JyA8PDwiJEFDUlJFU09VUkNFSUQiKSIKCk1ETUlNQUdFPSIke1JQSU1BR0UlJS8qfS8ke01ETUlNQUdFIyMqL30iCmRvY2tlciBwdWxsICIkTURNSU1BR0UiCmRvY2tlciBwdWxsICIkUlBJTUFHRSIKZG9ja2VyIHB1bGwgIiRGTFVFTlRCSVRJTUFHRSIKCmF6IGxvZ291dAoKZWNobyAiY29uZmlndXJpbmcgZmx1ZW50Yml0IHNlcnZpY2UiCm1rZGlyIC1wIC9ldGMvZmx1ZW50Yml0Lwpta2RpciAtcCAvdmFyL2xpYi9mbHVlbnQKCmNhdCA+L2V0Yy9mbHVlbnRiaXQvZmx1ZW50Yml0LmNvbmYgPDwnRU9GJwpbSU5QVVRdCglOYW1lIHN5c3RlbWQKCVRhZyBqb3VybmFsZAoJU3lzdGVtZF9GaWx0ZXIgX0NPTU09YXJvCglEQiAvdmFyL2xpYi9mbHVlbnQvam91cm5hbGRiCgpbRklMVEVSXQoJTmFtZSBtb2RpZnkKCU1hdGNoIGpvdXJuYWxkCglSZW1vdmVfd2lsZGNhcmQgXwoJUmVtb3ZlIFRJTUVTVEFNUAoKW09VVFBVVF0KCU5hbWUgZm9yd2FyZAoJTWF0Y2ggKgoJUG9ydCAyOTIzMApFT0YKCmVjaG8gIkZMVUVOVEJJVElNQUdFPSRGTFVFTlRCSVRJTUFHRSIgPi9ldGMvc3lzY29uZmlnL2ZsdWVudGJpdAoKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL2ZsdWVudGJpdC5zZXJ2aWNlIDw8J0VPRicKW1VuaXRdCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApXYW50cz1uZXR3b3JrLW9ubGluZS50YXJnZXQKU3RhcnRMaW1pdEludGVydmFsU2VjPTAKCltTZXJ2aWNlXQpSZXN0YXJ0U2VjPTFzCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9mbHVlbnRiaXQKRXhlY1N0YXJ0UHJlPS0vdXNyL2Jpbi9kb2NrZXIgcm0gLWYgJU4KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0tc2VjdXJpdHktb3B0IGxhYmVsPWRpc2FibGUgXAogIC0tZW50cnlwb2ludCAvb3B0L3RkLWFnZW50LWJpdC9iaW4vdGQtYWdlbnQtYml0IFwKICAtLW5ldD1ob3N0IFwKICAtLWhvc3RuYW1lICVIIFwKICAtLW5hbWUgJU4gXAogIC0tcm0gXAogIC0tY2FwLWRyb3AgbmV0X3JhdyBcCiAgLXYgL2V0Yy9mbHVlbnRiaXQvZmx1ZW50Yml0LmNvbmY6L2V0Yy9mbHVlbnRiaXQvZmx1ZW50Yml0LmNvbmYgXAogIC12IC92YXIvbGliL2ZsdWVudDovdmFyL2xpYi9mbHVlbnQ6eiBcCiAgLXYgL3Zhci9sb2cvam91cm5hbDovdmFyL2xvZy9qb3VybmFsOnJvIFwKICAtdiAvZXRjL21hY2hpbmUtaWQ6L2V0Yy9tYWNoaW5lLWlkOnJvIFwKICAkRkxVRU5UQklUSU1BR0UgXAogIC1jIC9ldGMvZmx1ZW50Yml0L2ZsdWVudGJpdC5jb25mCgpFeGVjU3RvcD0vdXNyL2Jpbi9kb2NrZXIgc3RvcCAlTgpSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKU3RhcnRMaW1pdEludGVydmFsPTAKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIG1kbSBzZXJ2aWNlIgpjYXQgPi9ldGMvc3lzY29uZmlnL21kbSA8PEVPRgpNRE1GUk9OVEVORFVSTD0nJE1ETUZST05URU5EVVJMJwpNRE1JTUFHRT0nJE1ETUlNQUdFJwpNRE1TT1VSQ0VFTlZJUk9OTUVOVD0nJExPQ0FUSU9OJwpNRE1TT1VSQ0VST0xFPWdhdGV3YXkKTURNU09VUkNFUk9MRUlOU1RBTkNFPSckKGhvc3RuYW1lKScKRU9GCgpta2RpciAvdmFyL2V0dwpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vbWRtLnNlcnZpY2UgPDwnRU9GJwpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldAoKW1NlcnZpY2VdCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9tZG0KRXhlY1N0YXJ0UHJlPS0vdXNyL2Jpbi9kb2NrZXIgcm0gLWYgJU4KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0tZW50cnlwb2ludCAvdXNyL3NiaW4vTWV0cmljc0V4dGVuc2lvbiBcCiAgLS1ob3N0bmFtZSAlSCBcCiAgLS1uYW1lICVOIFwKICAtLXJtIFwKICAtLWNhcC1kcm9wIG5ldF9yYXcgXAogIC1tIDJnIFwKICAtdiAvZXRjL21kbS5wZW06L2V0Yy9tZG0ucGVtIFwKICAtdiAvdmFyL2V0dzovdmFyL2V0dzp6IFwKICAkTURNSU1BR0UgXAogIC1DZXJ0RmlsZSAvZXRjL21kbS5wZW0gXAogIC1Gcm9udEVuZFVybCAkTURNRlJPTlRFTkRVUkwgXAogIC1Mb2dnZXIgQ29uc29sZSBcCiAgLUxvZ0xldmVsIFdhcm5pbmcgXAogIC1Qcml2YXRlS2V5RmlsZSAvZXRjL21kbS5wZW0gXAogIC1Tb3VyY2VFbnZpcm9ubWVudCAkTURNU09VUkNFRU5WSVJPTk1FTlQgXAogIC1Tb3VyY2VSb2xlICRNRE1TT1VSQ0VST0xFIFwKICAtU291cmNlUm9sZUluc3RhbmNlICRNRE1TT1VSQ0VST0xFSU5TVEFOQ0UKRXhlY1N0b3A9L3Vzci9iaW4vZG9ja2VyIHN0b3AgJU4KUmVzdGFydD1hbHdheXMKUmVzdGFydFNlYz0xClN0YXJ0TGltaXRJbnRlcnZhbD0wCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgplY2hvICJjb25maWd1cmluZyBhcm8tZ2F0ZXdheSBzZXJ2aWNlIgpjYXQgPi9ldGMvc3lzY29uZmlnL2Fyby1nYXRld2F5IDw8RU9GCkFDUl9SRVNPVVJDRV9JRD0nJEFDUlJFU09VUkNFSUQnCkRBVEFCQVNFX0FDQ09VTlRfTkFNRT0nJERBVEFCQVNFQUNDT1VOVE5BTUUnCkFaVVJFX0RCVE9LRU5fQ0xJRU5UX0lEPSckREJUT0tFTkNMSUVOVElEJwpEQlRPS0VOX1VSTD0nJERCVE9LRU5VUkwnCk1ETV9BQ0NPVU5UPSIkUlBNRE1BQ0NPVU5UIgpNRE1fTkFNRVNQQUNFPUdhdGV3YXkKR0FURVdBWV9ET01BSU5TPSckR0FURVdBWURPTUFJTlMnCkdBVEVXQVlfRkVBVFVSRVM9JyRHQVRFV0FZRkVBVFVSRVMnClJQSU1BR0U9JyRSUElNQUdFJwpFT0YKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9hcm8tZ2F0ZXdheS5zZXJ2aWNlIDw8RU9GCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL2Fyby1nYXRld2F5CkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVOCkV4ZWNTdGFydFByZT0vdXNyL2Jpbi9ta2RpciAtcCAke2dhdGV3YXlfbG9nZGlyfQpFeGVjU3RhcnQ9L3Vzci9iaW4vZG9ja2VyIHJ1biBcCiAgLS1ob3N0bmFtZSAlSCBcCiAgLS1uYW1lICVOIFwKICAtLXJtIFwKICAtLWNhcC1kcm9wIG5ldF9yYXcgXAogIC1lIEFDUl9SRVNPVVJDRV9JRCBcCiAgLWUgREFUQUJBU0VfQUNDT1VOVF9OQU1FIFwKICAtZSBBWlVSRV9EQlRPS0VOX0NMSUVOVF9JRCBcCiAgLWUgREJUT0tFTl9VUkwgXAogIC1lIEdBVEVXQVlfRE9NQUlOUyBcCiAgLWUgR0FURVdBWV9GRUFUVVJFUyBcCiAgLWUgTURNX0FDQ09VTlQgXAogIC1lIE1ETV9OQU1FU1BBQ0UgXAogIC1tIDJnIFwKICAtcCA4MDo4MDgwIFwKICAtcCA4MDgxOjgwODEgXAogIC1wIDQ0Mzo4NDQzIFwKICAtdiAvcnVuL3N5c3RlbWQvam91cm5hbDovcnVuL3N5c3RlbWQvam91cm5hbCBcCiAgLXYgL3Zhci9ldHc6L3Zhci9ldHc6eiBcCiAgLXYgJHtnYXRld2F5X2xvZ2Rpcn06L2N0ci5sb2c6eiBcCiAgXCRSUElNQUdFIFwKICBnYXRld2F5CkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wIC10IDM2MDAgJU4KVGltZW91dFN0b3BTZWM9MzYwMApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTEKU3RhcnRMaW1pdEludGVydmFsPTAKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCmNoY29uIC1SIHN5c3RlbV91Om9iamVjdF9yOnZhcl9sb2dfdDpzMCAvdmFyL29wdC9taWNyb3NvZnQvbGludXhtb25hZ2VudAoKbWtkaXIgLXAgL3Zhci9saWIvd2FhZ2VudC9NaWNyb3NvZnQuQXp1cmUuS2V5VmF1bHQuU3RvcmUKCmVjaG8gImNvbmZpZ3VyaW5nIG1kc2QgYW5kIG1kbSBzZXJ2aWNlcyIKZm9yIHZhciBpbiAibWRzZCIgIm1kbSI7IGRvCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9kb3dubG9hZC0kdmFyLWNyZWRlbnRpYWxzLnNlcnZpY2UgPDxFT0YKW1VuaXRdCkRlc2NyaXB0aW9uPVBlcmlvZGljICR2YXIgY3JlZGVudGlhbHMgcmVmcmVzaAoKW1NlcnZpY2VdClR5cGU9b25lc2hvdApFeGVjU3RhcnQ9L3Vzci9sb2NhbC9iaW4vZG93bmxvYWQtY3JlZGVudGlhbHMuc2ggJHZhcgpFT0YKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9kb3dubG9hZC0kdmFyLWNyZWRlbnRpYWxzLnRpbWVyIDw8RU9GCltVbml0XQpEZXNjcmlwdGlvbj1QZXJpb2RpYyAkdmFyIGNyZWRlbnRpYWxzIHJlZnJlc2gKQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldAoKW1RpbWVyXQpPbkJvb3RTZWM9MG1pbgpPbkNhbGVuZGFyPTAvMTI6MDA6MDAKQWNjdXJhY3lTZWM9NXMKCltJbnN0YWxsXQpXYW50ZWRCeT10aW1lcnMudGFyZ2V0CkVPRgpkb25lCgpjYXQgPi91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoIDw8RU9GCiMhL2Jpbi9iYXNoCnNldCAtZXUKCkNPTVBPTkVOVD0iXCQxIgplY2hvICJEb3dubG9hZCBcJENPTVBPTkVOVCBjcmVkZW50aWFscyIKClRFTVBfRElSPVwkKG1rdGVtcCAtZCkKZXhwb3J0IEFaVVJFX0NPTkZJR19ESVI9XCQobWt0ZW1wIC1kKQoKZWNobyAiTG9nZ2luZyBpbnRvIEF6dXJlLi4uIgpSRVRSSUVTPTMKd2hpbGUgWyAiXCRSRVRSSUVTIiAtZ3QgMCBdOyBkbwogICAgaWYgYXogbG9naW4gLWkgLS1hbGxvdy1uby1zdWJzY3JpcHRpb25zCiAgICB0aGVuCiAgICAgICAgZWNobyAiYXogbG9naW4gc3VjY2Vzc2Z1bCIKICAgICAgICBicmVhawogICAgZWxzZQogICAgICAgIGVjaG8gImF6IGxvZ2luIGZhaWxlZC4gUmV0cnlpbmcuLi4iCiAgICAgICAgbGV0IFJFVFJJRVMtPTEKICAgICAgICBzbGVlcCA1CiAgICBmaQpkb25lCgp0cmFwICJjbGVhbnVwIiBFWElUCgpjbGVhbnVwKCkgewogIGF6IGxvZ291dAogIFtbICJcJFRFTVBfRElSIiA9fiAvdG1wLy4rIF1dICYmIHJtIC1yZiBcJFRFTVBfRElSCiAgW1sgIlwkQVpVUkVfQ09ORklHX0RJUiIgPX4gL3RtcC8uKyBdXSAmJiBybSAtcmYgXCRBWlVSRV9DT05GSUdfRElSCn0KCmlmIFsgIlwkQ09NUE9ORU5UIiA9ICJtZG0iIF07IHRoZW4KICBDVVJSRU5UX0NFUlRfRklMRT0iL2V0Yy9tZG0ucGVtIgplbGlmIFsgIlwkQ09NUE9ORU5UIiA9ICJtZHNkIiBdOyB0aGVuCiAgQ1VSUkVOVF9DRVJUX0ZJTEU9Ii92YXIvbGliL3dhYWdlbnQvTWljcm9zb2Z0LkF6dXJlLktleVZhdWx0LlN0b3JlL21kc2QucGVtIgplbHNlCiAgZWNobyBJbnZhbGlkIHVzYWdlICYmIGV4aXQgMQpmaQoKU0VDUkVUX05BTUU9Imd3eS1cJHtDT01QT05FTlR9IgpORVdfQ0VSVF9GSUxFPSJcJFRFTVBfRElSL1wkQ09NUE9ORU5ULnBlbSIKZm9yIGF0dGVtcHQgaW4gezEuLjV9OyBkbwogIGF6IGtleXZhdWx0IHNlY3JldCBkb3dubG9hZCAtLWZpbGUgXCRORVdfQ0VSVF9GSUxFIC0taWQgImh0dHBzOi8vJEtFWVZBVUxUUFJFRklYLWd3eS4kS0VZVkFVTFRETlNTVUZGSVgvc2VjcmV0cy9cJFNFQ1JFVF9OQU1FIiAmJiBicmVhawogIGlmIFtbIFwkYXR0ZW1wdCAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmlmIFsgLWYgXCRORVdfQ0VSVF9GSUxFIF07IHRoZW4KICBpZiBbICJcJENPTVBPTkVOVCIgPSAibWRzZCIgXTsgdGhlbgogICAgY2hvd24gc3lzbG9nOnN5c2xvZyBcJE5FV19DRVJUX0ZJTEUKICBlbHNlCiAgICBzZWQgLWkgLW5lICcxLC9FTkQgQ0VSVElGSUNBVEUvIHAnIFwkTkVXX0NFUlRfRklMRQogIGZpCgogIG5ld19jZXJ0X3NuPSJcJChvcGVuc3NsIHg1MDkgLWluICJcJE5FV19DRVJUX0ZJTEUiIC1ub291dCAtc2VyaWFsIHwgYXdrIC1GPSAne3ByaW50IFwkMn0nKSIKICBjdXJyZW50X2NlcnRfc249IlwkKG9wZW5zc2wgeDUwOSAtaW4gIlwkQ1VSUkVOVF9DRVJUX0ZJTEUiIC1ub291dCAtc2VyaWFsIHwgYXdrIC1GPSAne3ByaW50IFwkMn0nKSIKICBpZiBbWyAhIC16IFwkbmV3X2NlcnRfc24gXV0gJiYgW1sgXCRuZXdfY2VydF9zbiAhPSAiXCRjdXJyZW50X2NlcnRfc24iIF1dOyB0aGVuCiAgICBlY2hvIHVwZGF0aW5nIGNlcnRpZmljYXRlIGZvciBcJENPTVBPTkVOVAogICAgY2htb2QgMDYwMCBcJE5FV19DRVJUX0ZJTEUKICAgIG12IFwkTkVXX0NFUlRfRklMRSBcJENVUlJFTlRfQ0VSVF9GSUxFCiAgZmkKZWxzZQogIGVjaG8gRmFpbGVkIHRvIHJlZnJlc2ggY2VydGlmaWNhdGUgZm9yIFwkQ09NUE9ORU5UICYmIGV4aXQgMQpmaQpFT0YKCmNobW9kIHUreCAvdXNyL2xvY2FsL2Jpbi9kb3dubG9hZC1jcmVkZW50aWFscy5zaAoKc3lzdGVtY3RsIGVuYWJsZSBkb3dubG9hZC1tZHNkLWNyZWRlbnRpYWxzLnRpbWVyCnN5c3RlbWN0bCBlbmFibGUgZG93bmxvYWQtbWRtLWNyZWRlbnRpYWxzLnRpbWVyCgovdXNyL2xvY2FsL2Jpbi9kb3dubG9hZC1jcmVkZW50aWFscy5zaCBtZHNkCi91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoIG1kbQpNRFNEQ0VSVElGSUNBVEVTQU49JChvcGVuc3NsIHg1MDkgLWluIC92YXIvbGliL3dhYWdlbnQvTWljcm9zb2Z0LkF6dXJlLktleVZhdWx0LlN0b3JlL21kc2QucGVtIC1ub291dCAtc3ViamVjdCB8IHNlZCAtZSAncy8uKkNOID0gLy8nKQoKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL3dhdGNoLW1kbS1jcmVkZW50aWFscy5zZXJ2aWNlIDw8RU9GCltVbml0XQpEZXNjcmlwdGlvbj1XYXRjaCBmb3IgY2hhbmdlcyBpbiBtZG0ucGVtIGFuZCByZXN0YXJ0cyB0aGUgbWRtIHNlcnZpY2UKCltTZXJ2aWNlXQpUeXBlPW9uZXNob3QKRXhlY1N0YXJ0PS91c3IvYmluL3N5c3RlbWN0bCByZXN0YXJ0IG1kbS5zZXJ2aWNlCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vd2F0Y2gtbWRtLWNyZWRlbnRpYWxzLnBhdGggPDxFT0YKW1BhdGhdClBhdGhNb2RpZmllZD0vZXRjL21kbS5wZW0KCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCnN5c3RlbWN0bCBlbmFibGUgd2F0Y2gtbWRtLWNyZWRlbnRpYWxzLnBhdGgKc3lzdGVtY3RsIHN0YXJ0IHdhdGNoLW1kbS1jcmVkZW50aWFscy5wYXRoCgpta2RpciAvZXRjL3N5c3RlbWQvc3lzdGVtL21kc2Quc2VydmljZS5kCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9tZHNkLnNlcnZpY2UuZC9vdmVycmlkZS5jb25mIDw8J0VPRicKW1VuaXRdCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApFT0YKCmNhdCA+L2V0Yy9kZWZhdWx0L21kc2QgPDxFT0YKTURTRF9ST0xFX1BSRUZJWD0vdmFyL3J1bi9tZHNkL2RlZmF1bHQKTURTRF9PUFRJT05TPSItQSAtZCAtciBcJE1EU0RfUk9MRV9QUkVGSVgiCgpleHBvcnQgTU9OSVRPUklOR19HQ1NfRU5WSVJPTk1FTlQ9JyRNRFNERU5WSVJPTk1FTlQnCmV4cG9ydCBNT05JVE9SSU5HX0dDU19BQ0NPVU5UPSckUlBNRFNEQUNDT1VOVCcKZXhwb3J0IE1PTklUT1JJTkdfR0NTX1JFR0lPTj0nJExPQ0FUSU9OJwpleHBvcnQgTU9OSVRPUklOR19HQ1NfQVVUSF9JRF9UWVBFPUF1dGhLZXlWYXVsdApleHBvcnQgTU9OSVRPUklOR19HQ1NfQVVUSF9JRD0nJE1EU0RDRVJUSUZJQ0FURVNBTicKZXhwb3J0IE1PTklUT1JJTkdfR0NTX05BTUVTUEFDRT0nJFJQTURTRE5BTUVTUEFDRScKZXhwb3J0IE1PTklUT1JJTkdfQ09ORklHX1ZFUlNJT049JyRHQVRFV0FZTURTRENPTkZJR1ZFUlNJT04nCmV4cG9ydCBNT05JVE9SSU5HX1VTRV9HRU5FVkFfQ09ORklHX1NFUlZJQ0U9dHJ1ZQoKZXhwb3J0IE1PTklUT1JJTkdfVEVOQU5UPSckTE9DQVRJT04nCmV4cG9ydCBNT05JVE9SSU5HX1JPTEU9Z2F0ZXdheQpleHBvcnQgTU9OSVRPUklOR19ST0xFX0lOU1RBTkNFPSckKGhvc3RuYW1lKScKCmV4cG9ydCBNRFNEX01TR1BBQ0tfU09SVF9DT0xVTU5TPTEKRU9GCgojIHNldHRpbmcgTU9OSVRPUklOR19HQ1NfQVVUSF9JRF9UWVBFPUF1dGhLZXlWYXVsdCBzZWVtcyB0byBoYXZlIGNhdXNlZCBtZHNkIG5vdAojIHRvIGhvbm91ciBTU0xfQ0VSVF9GSUxFIGFueSBtb3JlLCBoZWF2ZW4gb25seSBrbm93cyB3aHkuCm1rZGlyIC1wIC91c3IvbGliL3NzbC9jZXJ0cwpjc3BsaXQgLWYgL3Vzci9saWIvc3NsL2NlcnRzL2NlcnQtIC1iICUwM2QucGVtIC9ldGMvcGtpL3Rscy9jZXJ0cy9jYS1idW5kbGUuY3J0IC9eJC8xIHsqfSA+L2Rldi9udWxsCmNfcmVoYXNoIC91c3IvbGliL3NzbC9jZXJ0cwoKIyB3ZSBsZWF2ZSBjbGllbnRJZCBibGFuayBhcyBsb25nIGFzIG9ubHkgMSBtYW5hZ2VkIGlkZW50aXR5IGFzc2lnbmVkIHRvIHZtc3MKIyBpZiB3ZSBoYXZlIG1vcmUgdGhhbiAxLCB3ZSB3aWxsIG5lZWQgdG8gcG9wdWxhdGUgd2l0aCBjbGllbnRJZCB1c2VkIGZvciBvZmYtbm9kZSBzY2FubmluZwpjYXQgPi9ldGMvZGVmYXVsdC92c2Etbm9kZXNjYW4tYWdlbnQuY29uZmlnIDw8RU9GCnsKICAgICJOaWNlIjogMTksCiAgICAiVGltZW91dCI6IDEwODAwLAogICAgIkNsaWVudElkIjogIiIsCiAgICAiVGVuYW50SWQiOiAiJEFaVVJFU0VDUEFDS1ZTQVRFTkFOVElEIiwKICAgICJRdWFseXNTdG9yZUJhc2VVcmwiOiAiJEFaVVJFU0VDUEFDS1FVQUxZU1VSTCIsCiAgICAiUHJvY2Vzc1RpbWVvdXQiOiAzMDAsCiAgICAiQ29tbWFuZERlbGF5IjogMAogIH0KRU9GCgplY2hvICJlbmFibGluZyBhcm8gc2VydmljZXMiCmZvciBzZXJ2aWNlIGluIGFyby1nYXRld2F5IGF1b21zIGF6c2VjZCBhenNlY21vbmQgbWRzZCBtZG0gY2hyb255ZCBmbHVlbnRiaXQ7IGRvCiAgc3lzdGVtY3RsIGVuYWJsZSAkc2VydmljZS5zZXJ2aWNlCmRvbmUKCmZvciBzY2FuIGluIGJhc2VsaW5lIGNsYW1hdiBzb2Z0d2FyZTsgZG8KICAvdXNyL2xvY2FsL2Jpbi9henNlY2QgY29uZmlnIC1zICRzY2FuIC1kIFAxRApkb25lCgplY2hvICJyZWJvb3RpbmciCnJlc3RvcmVjb24gLVJGIC92YXIvbG9nLyoKKHNsZWVwIDMwOyByZWJvb3QpICYK')))]"
                                     }
                                 }
                             }
diff --git a/pkg/deploy/assets/rbac-development.json b/pkg/deploy/assets/rbac-development.json
index 0d52a98b0..57f08d08e 100644
--- a/pkg/deploy/assets/rbac-development.json
+++ b/pkg/deploy/assets/rbac-development.json
@@ -26,7 +26,8 @@
                     {
                         "actions": [
                             "Microsoft.Resources/subscriptions/resourceGroups/read",
-                            "Microsoft.Resources/subscriptions/resourceGroups/write"
+                            "Microsoft.Resources/subscriptions/resourceGroups/write",
+                            "Microsoft.Authorization/*/action"
                         ]
                     }
                 ],
diff --git a/pkg/deploy/assets/rp-development.json b/pkg/deploy/assets/rp-development.json
index 561d81a0f..b488666b9 100644
--- a/pkg/deploy/assets/rp-development.json
+++ b/pkg/deploy/assets/rp-development.json
@@ -54,32 +54,33 @@
             "location": "[resourceGroup().location]"
         },
         {
+            "apiVersion": "2023-04-15",
             "kind": "GlobalDocumentDB",
+            "location": "[resourceGroup().location]",
+            "name": "[parameters('databaseAccountName')]",
             "properties": {
-                "consistencyPolicy": {
-                    "defaultConsistencyLevel": "Strong"
-                },
-                "locations": [
-                    {
-                        "locationName": "[resourceGroup().location]"
-                    }
-                ],
-                "databaseAccountOfferType": "Standard",
                 "backupPolicy": {
                     "periodicModeProperties": {
                         "backupIntervalInMinutes": 240,
                         "backupRetentionIntervalInHours": 720
                     },
                     "type": "Periodic"
-                }
+                },
+                "consistencyPolicy": {
+                    "defaultConsistencyLevel": "Strong"
+                },
+                "databaseAccountOfferType": "Standard",
+                "locations": [
+                    {
+                        "locationName": "[resourceGroup().location]"
+                    }
+                ],
+                "minimalTlsVersion": "Tls12"
             },
-            "name": "[parameters('databaseAccountName')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts",
-            "location": "[resourceGroup().location]",
             "tags": {
                 "defaultExperience": "Core (SQL)"
             },
-            "apiVersion": "2021-01-15"
+            "type": "Microsoft.DocumentDB/databaseAccounts"
         },
         {
             "name": "[guid(resourceGroup().id, parameters('rpServicePrincipalId'), 'RP / Reader')]",
diff --git a/pkg/deploy/assets/rp-production-parameters.json b/pkg/deploy/assets/rp-production-parameters.json
index eb5855604..9e40f9398 100644
--- a/pkg/deploy/assets/rp-production-parameters.json
+++ b/pkg/deploy/assets/rp-production-parameters.json
@@ -29,12 +29,6 @@
         "azureSecPackVSATenantId": {
             "value": ""
         },
-        "billingE2EStorageAccountId": {
-            "value": ""
-        },
-        "billingServicePrincipalId": {
-            "value": ""
-        },
         "clusterDefaultInstallerPullspec": {
             "value": ""
         },
diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
index 7b80cdb22..2fd7a5ade 100644
--- a/pkg/deploy/assets/rp-production.json
+++ b/pkg/deploy/assets/rp-production.json
@@ -45,14 +45,6 @@
         "azureSecPackVSATenantId": {
             "type": "string"
         },
-        "billingE2EStorageAccountId": {
-            "type": "string",
-            "defaultValue": ""
-        },
-        "billingServicePrincipalId": {
-            "type": "string",
-            "defaultValue": ""
-        },
         "clusterDefaultInstallerPullspec": {
             "type": "string",
             "defaultValue": ""
@@ -431,7 +423,7 @@
             },
             "properties": {
                 "upgradePolicy": {
-                    "mode": "Manual"
+                    "mode": "Rolling"
                 },
                 "virtualMachineProfile": {
                     "osProfile": {
@@ -516,7 +508,7 @@
                                     "autoUpgradeMinorVersion": true,
                                     "settings": {},
                                     "protectedSettings": {
-                                        "script": "[base64(concat(base64ToString('c2V0IC1leAoK'),'ACRRESOURCEID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('acrResourceId')),''')\n','ADMINAPICLIENTCERTCOMMONNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('adminApiClientCertCommonName')),''')\n','ARMAPICLIENTCERTCOMMONNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('armApiClientCertCommonName')),''')\n','ARMCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('armClientId')),''')\n','AZURECLOUDNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureCloudName')),''')\n','AZURESECPACKQUALYSURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackQualysUrl')),''')\n','AZURESECPACKVSATENANTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackVSATenantId')),''')\n','BILLINGE2ESTORAGEACCOUNTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('billingE2EStorageAccountId')),''')\n','CLUSTERMDMACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdmAccount')),''')\n','CLUSTERMDSDACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdsdAccount')),''')\n','CLUSTERMDSDCONFIGVERSION=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdsdConfigVersion')),''')\n','CLUSTERMDSDNAMESPACE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdsdNamespace')),''')\n','CLUSTERPARENTDOMAINNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterParentDomainName')),''')\n','DATABASEACCOUNTNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('databaseAccountName')),''')\n','DBTOKENCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('dbtokenClientId')),''')\n','FLUENTBITIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fluentbitImage')),''')\n','FPCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fpClientId')),''')\n','FPSERVICEPRINCIPALID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fpServicePrincipalId')),''')\n','GATEWAYDOMAINS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayDomains')),''')\n','GATEWAYRESOURCEGROUPNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayResourceGroupName')),''')\n','GATEWAYSERVICEPRINCIPALID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayServicePrincipalId')),''')\n','KEYVAULTDNSSUFFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultDNSSuffix')),''')\n','KEYVAULTPREFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultPrefix')),''')\n','MDMFRONTENDURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdmFrontendUrl')),''')\n','MDSDENVIRONMENT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdsdEnvironment')),''')\n','PORTALACCESSGROUPIDS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('portalAccessGroupIds')),''')\n','PORTALCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('portalClientId')),''')\n','PORTALELEVATEDGROUPIDS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('portalElevatedGroupIds')),''')\n','RPFEATURES=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpFeatures')),''')\n','RPIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpImage')),''')\n','RPMDMACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdmAccount')),''')\n','RPMDSDACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdAccount')),''')\n','RPMDSDCONFIGVERSION=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdConfigVersion')),''')\n','RPMDSDNAMESPACE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdNamespace')),''')\n','RPPARENTDOMAINNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpParentDomainName')),''')\n','CLUSTERSINSTALLVIAHIVE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clustersInstallViaHive')),''')\n','CLUSTERSADOPTBYHIVE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clustersAdoptByHive')),''')\n','CLUSTERDEFAULTINSTALLERPULLSPEC=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterDefaultInstallerPullspec')),''')\n','USECHECKACCESS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('useCheckAccess')),''')\n','ADMINAPICABUNDLE=''',parameters('adminApiCaBundle'),'''\n','ARMAPICABUNDLE=''',parameters('armApiCaBundle'),'''\n','MDMIMAGE=''/genevamdm:2.2024.328.1744-c5fb79-20240328t1935''\n','LOCATION=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().location),''')\n','SUBSCRIPTIONID=$(base64 -d \u003c\u003c\u003c''',base64(subscription().subscriptionId),''')\n','RESOURCEGROUPNAME=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().name),''')\n','\n',base64ToString('IyEvYmluL2Jhc2gKCmVjaG8gInNldHRpbmcgc3NoIHBhc3N3b3JkIGF1dGhlbnRpY2F0aW9uIgojIFdlIG5lZWQgdG8gbWFudWFsbHkgc2V0IFBhc3N3b3JkQXV0aGVudGljYXRpb24gdG8gdHJ1ZSBpbiBvcmRlciBmb3IgdGhlIFZNU1MgQWNjZXNzIEpJVCB0byB3b3JrCnNlZCAtaSAncy9QYXNzd29yZEF1dGhlbnRpY2F0aW9uIG5vL1Bhc3N3b3JkQXV0aGVudGljYXRpb24geWVzL2cnIC9ldGMvc3NoL3NzaGRfY29uZmlnCnN5c3RlbWN0bCByZWxvYWQgc3NoZC5zZXJ2aWNlCgojQWRkaW5nIHJldHJ5IGxvZ2ljIHRvIHl1bSBjb21tYW5kcyBpbiBvcmRlciB0byBhdm9pZCBzdGFsbGluZyBvdXQgb24gcmVzb3VyY2UgbG9ja3MKZWNobyAicnVubmluZyBSSFVJIGZpeCIKZm9yIGF0dGVtcHQgaW4gezEuLjV9OyBkbwogIHl1bSB1cGRhdGUgLXkgLS1kaXNhYmxlcmVwbz0nKicgLS1lbmFibGVyZXBvPSdyaHVpLW1pY3Jvc29mdC1henVyZSonICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gInJ1bm5pbmcgeXVtIHVwZGF0ZSIKZm9yIGF0dGVtcHQgaW4gezEuLjV9OyBkbwogIHl1bSAteSAteCBXQUxpbnV4QWdlbnQgLXggV0FMaW51eEFnZW50LXVkZXYgdXBkYXRlIC0tYWxsb3dlcmFzaW5nICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmVjaG8gImV4dGVuZGluZyBwYXJ0aXRpb24gdGFibGUiCiMgTGludXggYmxvY2sgZGV2aWNlcyBhcmUgaW5jb25zaXN0ZW50bHkgbmFtZWQKIyBpdCdzIGRpZmZpY3VsdCB0byB0aWUgdGhlIGx2bSBwdiB0byB0aGUgcGh5c2ljYWwgZGlzayB1c2luZyAvZGV2L2Rpc2sgZmlsZXMsIHdoaWNoIGlzIHdoeSBsdnMgaXMgdXNlZCBoZXJlCnBoeXNpY2FsRGlzaz0iJChsdnMgLW8gZGV2aWNlcyAtYSB8IGhlYWQgLW4yIHwgdGFpbCAtbjEgfCBjdXQgLWQgJyAnIC1mIDMgfCBjdXQgLWQgXCggLWYgMSB8IHRyIC1kICdbOmRpZ2l0Ol0nKSIKZ3Jvd3BhcnQgIiRwaHlzaWNhbERpc2siIDIKCmVjaG8gImV4dGVuZGluZyBmaWxlc3lzdGVtcyIKbHZleHRlbmQgLWwgKzIwJUZSRUUgL2Rldi9yb290dmcvcm9vdGx2Cnhmc19ncm93ZnMgLwoKbHZleHRlbmQgLWwgKzEwMCVGUkVFIC9kZXYvcm9vdHZnL3Zhcmx2Cnhmc19ncm93ZnMgL3ZhcgoKZWNobyAiaW1wb3J0aW5nIHJwbSByZXBvc2l0b3JpZXMiCnJwbSAtLWltcG9ydCBodHRwczovL2RsLmZlZG9yYXByb2plY3Qub3JnL3B1Yi9lcGVsL1JQTS1HUEctS0VZLUVQRUwtOApycG0gLS1pbXBvcnQgaHR0cHM6Ly9wYWNrYWdlcy5taWNyb3NvZnQuY29tL2tleXMvbWljcm9zb2Z0LmFzYwoKZm9yIGF0dGVtcHQgaW4gezEuLjV9OyBkbwogIHl1bSAteSBpbnN0YWxsIGh0dHBzOi8vZGwuZmVkb3JhcHJvamVjdC5vcmcvcHViL2VwZWwvZXBlbC1yZWxlYXNlLWxhdGVzdC04Lm5vYXJjaC5ycG0gJiYgYnJlYWsKICBpZiBbWyAke2F0dGVtcHR9IC1sdCA1IF1dOyB0aGVuIHNsZWVwIDEwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKZWNobyAiY29uZmlndXJpbmcgbG9ncm90YXRlIgpjYXQgPi9ldGMvbG9ncm90YXRlLmNvbmYgPDwnRU9GJwojIHNlZSAibWFuIGxvZ3JvdGF0ZSIgZm9yIGRldGFpbHMKIyByb3RhdGUgbG9nIGZpbGVzIHdlZWtseQp3ZWVrbHkKCiMga2VlcCAyIHdlZWtzIHdvcnRoIG9mIGJhY2tsb2dzCnJvdGF0ZSAyCgojIGNyZWF0ZSBuZXcgKGVtcHR5KSBsb2cgZmlsZXMgYWZ0ZXIgcm90YXRpbmcgb2xkIG9uZXMKY3JlYXRlCgojIHVzZSBkYXRlIGFzIGEgc3VmZml4IG9mIHRoZSByb3RhdGVkIGZpbGUKZGF0ZWV4dAoKIyB1bmNvbW1lbnQgdGhpcyBpZiB5b3Ugd2FudCB5b3VyIGxvZyBmaWxlcyBjb21wcmVzc2VkCmNvbXByZXNzCgojIFJQTSBwYWNrYWdlcyBkcm9wIGxvZyByb3RhdGlvbiBpbmZvcm1hdGlvbiBpbnRvIHRoaXMgZGlyZWN0b3J5CmluY2x1ZGUgL2V0Yy9sb2dyb3RhdGUuZAoKIyBubyBwYWNrYWdlcyBvd24gd3RtcCBhbmQgYnRtcCAtLSB3ZSdsbCByb3RhdGUgdGhlbSBoZXJlCi92YXIvbG9nL3d0bXAgewogICAgbW9udGhseQogICAgY3JlYXRlIDA2NjQgcm9vdCB1dG1wCiAgICAgICAgbWluc2l6ZSAxTQogICAgcm90YXRlIDEKfQoKL3Zhci9sb2cvYnRtcCB7CiAgICBtaXNzaW5nb2sKICAgIG1vbnRobHkKICAgIGNyZWF0ZSAwNjAwIHJvb3QgdXRtcAogICAgcm90YXRlIDEKfQpFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIHl1bSByZXBvc2l0b3J5IGFuZCBydW5uaW5nIHl1bSB1cGRhdGUiCmNhdCA+L2V0Yy95dW0ucmVwb3MuZC9henVyZS5yZXBvIDw8J0VPRicKW2F6dXJlLWNsaV0KbmFtZT1henVyZS1jbGkKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmUtY2xpCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPXllcwoKW2F6dXJlY29yZV0KbmFtZT1henVyZWNvcmUKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmVjb3JlCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPW5vCkVPRgoKc2VtYW5hZ2UgZmNvbnRleHQgLWEgLXQgdmFyX2xvZ190ICIvdmFyL2xvZy9qb3VybmFsKC8uKik/Igpta2RpciAtcCAvdmFyL2xvZy9qb3VybmFsCgpmb3IgYXR0ZW1wdCBpbiB7MS4uNX07IGRvCnl1bSAteSBpbnN0YWxsIGNsYW1hdiBhenNlYy1jbGFtYXYgYXpzZWMtbW9uaXRvciBhenVyZS1jbGkgYXp1cmUtbWRzZCBhenVyZS1zZWN1cml0eSBwb2RtYW4gcG9kbWFuLWRvY2tlciBvcGVuc3NsLXBlcmwgcHl0aG9uMyAmJiBicmVhawogICMgaGFjayAtIHdlIGFyZSBpbnN0YWxsaW5nIHB5dGhvbjMgb24gaG9zdHMgZHVlIHRvIGFuIGlzc3VlIHdpdGggQXp1cmUgTGludXggRXh0ZW5zaW9ucyBodHRwczovL2dpdGh1Yi5jb20vQXp1cmUvYXp1cmUtbGludXgtZXh0ZW5zaW9ucy9wdWxsLzE1MDUKICBpZiBbWyAke2F0dGVtcHR9IC1sdCA1IF1dOyB0aGVuIHNsZWVwIDEwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKIyBodHRwczovL2FjY2Vzcy5yZWRoYXQuY29tL3NlY3VyaXR5L2N2ZS9jdmUtMjAyMC0xMzQwMQplY2hvICJhcHBseWluZyBmaXJld2FsbCBydWxlcyIKY2F0ID4vZXRjL3N5c2N0bC5kLzAyLWRpc2FibGUtYWNjZXB0LXJhLmNvbmYgPDwnRU9GJwpuZXQuaXB2Ni5jb25mLmFsbC5hY2NlcHRfcmE9MApFT0YKCmNhdCA+L2V0Yy9zeXNjdGwuZC8wMS1kaXNhYmxlLWNvcmUuY29uZiA8PCdFT0YnCmtlcm5lbC5jb3JlX3BhdHRlcm4gPSB8L2Jpbi90cnVlCkVPRgpzeXNjdGwgLS1zeXN0ZW0KCmZpcmV3YWxsLWNtZCAtLWFkZC1wb3J0PTQ0My90Y3AgLS1wZXJtYW5lbnQKZmlyZXdhbGwtY21kIC0tYWRkLXBvcnQ9NDQ0L3RjcCAtLXBlcm1hbmVudApmaXJld2FsbC1jbWQgLS1hZGQtcG9ydD00NDUvdGNwIC0tcGVybWFuZW50CmZpcmV3YWxsLWNtZCAtLWFkZC1wb3J0PTIyMjIvdGNwIC0tcGVybWFuZW50CgpleHBvcnQgQVpVUkVfQ0xPVURfTkFNRT0kQVpVUkVDTE9VRE5BTUUKCmVjaG8gImxvZ2dpbmcgaW50byBwcm9kIGFjciIKYXogbG9naW4gLWkgLS1hbGxvdy1uby1zdWJzY3JpcHRpb25zCgojIFN1cHByZXNzIGVtdWxhdGlvbiBvdXRwdXQgZm9yIHBvZG1hbiBpbnN0ZWFkIG9mIGRvY2tlciBmb3IgYXogYWNyIGNvbXBhdGFiaWxpdHkKbWtkaXIgLXAgL2V0Yy9jb250YWluZXJzLwp0b3VjaCAvZXRjL2NvbnRhaW5lcnMvbm9kb2NrZXIKCm1rZGlyIC1wIC9yb290Ly5kb2NrZXIKUkVHSVNUUllfQVVUSF9GSUxFPS9yb290Ly5kb2NrZXIvY29uZmlnLmpzb24gYXogYWNyIGxvZ2luIC0tbmFtZSAiJChzZWQgLWUgJ3N8LiovfHwnIDw8PCIkQUNSUkVTT1VSQ0VJRCIpIgoKTURNSU1BR0U9IiR7UlBJTUFHRSUlLyp9LyR7TURNSU1BR0UjIyovfSIKZG9ja2VyIHB1bGwgIiRNRE1JTUFHRSIKZG9ja2VyIHB1bGwgIiRSUElNQUdFIgpkb2NrZXIgcHVsbCAiJEZMVUVOVEJJVElNQUdFIgoKYXogbG9nb3V0CgplY2hvICJjb25maWd1cmluZyBmbHVlbnRiaXQgc2VydmljZSIKbWtkaXIgLXAgL2V0Yy9mbHVlbnRiaXQvCm1rZGlyIC1wIC92YXIvbGliL2ZsdWVudAoKY2F0ID4vZXRjL2ZsdWVudGJpdC9mbHVlbnRiaXQuY29uZiA8PCdFT0YnCltJTlBVVF0KCU5hbWUgc3lzdGVtZAoJVGFnIGpvdXJuYWxkCglTeXN0ZW1kX0ZpbHRlciBfQ09NTT1hcm8KCURCIC92YXIvbGliL2ZsdWVudC9qb3VybmFsZGIKCltGSUxURVJdCglOYW1lIG1vZGlmeQoJTWF0Y2ggam91cm5hbGQKCVJlbW92ZV93aWxkY2FyZCBfCglSZW1vdmUgVElNRVNUQU1QCgpbRklMVEVSXQoJTmFtZSByZXdyaXRlX3RhZwoJTWF0Y2ggam91cm5hbGQKCVJ1bGUgJExPR0tJTkQgYXN5bmNxb3MgYXN5bmNxb3MgdHJ1ZQoKW0ZJTFRFUl0KCU5hbWUgbW9kaWZ5CglNYXRjaCBhc3luY3FvcwoJUmVtb3ZlIENMSUVOVF9QUklOQ0lQQUxfTkFNRQoJUmVtb3ZlIEZJTEUKCVJlbW92ZSBDT01QT05FTlQKCltGSUxURVJdCglOYW1lIHJld3JpdGVfdGFnCglNYXRjaCBqb3VybmFsZAoJUnVsZSAkTE9HS0lORCBpZnhhdWRpdCBpZnhhdWRpdCBmYWxzZQoKW09VVFBVVF0KCU5hbWUgZm9yd2FyZAoJTWF0Y2ggKgoJUG9ydCAyOTIzMApFT0YKCmVjaG8gIkZMVUVOVEJJVElNQUdFPSRGTFVFTlRCSVRJTUFHRSIgPi9ldGMvc3lzY29uZmlnL2ZsdWVudGJpdAoKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL2ZsdWVudGJpdC5zZXJ2aWNlIDw8J0VPRicKW1VuaXRdCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApXYW50cz1uZXR3b3JrLW9ubGluZS50YXJnZXQKU3RhcnRMaW1pdEludGVydmFsU2VjPTAKCltTZXJ2aWNlXQpSZXN0YXJ0U2VjPTFzCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9mbHVlbnRiaXQKRXhlY1N0YXJ0UHJlPS0vdXNyL2Jpbi9kb2NrZXIgcm0gLWYgJU4KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0tc2VjdXJpdHktb3B0IGxhYmVsPWRpc2FibGUgXAogIC0tZW50cnlwb2ludCAvb3B0L3RkLWFnZW50LWJpdC9iaW4vdGQtYWdlbnQtYml0IFwKICAtLW5ldD1ob3N0IFwKICAtLWhvc3RuYW1lICVIIFwKICAtLW5hbWUgJU4gXAogIC0tcm0gXAogIC0tY2FwLWRyb3AgbmV0X3JhdyBcCiAgLXYgL2V0Yy9mbHVlbnRiaXQvZmx1ZW50Yml0LmNvbmY6L2V0Yy9mbHVlbnRiaXQvZmx1ZW50Yml0LmNvbmYgXAogIC12IC92YXIvbGliL2ZsdWVudDovdmFyL2xpYi9mbHVlbnQ6eiBcCiAgLXYgL3Zhci9sb2cvam91cm5hbDovdmFyL2xvZy9qb3VybmFsOnJvIFwKICAtdiAvZXRjL21hY2hpbmUtaWQ6L2V0Yy9tYWNoaW5lLWlkOnJvIFwKICAkRkxVRU5UQklUSU1BR0UgXAogIC1jIC9ldGMvZmx1ZW50Yml0L2ZsdWVudGJpdC5jb25mCgpFeGVjU3RvcD0vdXNyL2Jpbi9kb2NrZXIgc3RvcCAlTgpSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKU3RhcnRMaW1pdEludGVydmFsPTAKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCm1rZGlyIC9ldGMvYXJvLXJwCmJhc2U2NCAtZCA8PDwiJEFETUlOQVBJQ0FCVU5ETEUiID4vZXRjL2Fyby1ycC9hZG1pbi1jYS1idW5kbGUucGVtCmlmIFtbIC1uICIkQVJNQVBJQ0FCVU5ETEUiIF1dOyB0aGVuCiAgYmFzZTY0IC1kIDw8PCIkQVJNQVBJQ0FCVU5ETEUiID4vZXRjL2Fyby1ycC9hcm0tY2EtYnVuZGxlLnBlbQpmaQpjaG93biAtUiAxMDAwOjEwMDAgL2V0Yy9hcm8tcnAKCmVjaG8gImNvbmZpZ3VyaW5nIG1kbSBzZXJ2aWNlIgpjYXQgPi9ldGMvc3lzY29uZmlnL21kbSA8PEVPRgpNRE1GUk9OVEVORFVSTD0nJE1ETUZST05URU5EVVJMJwpNRE1JTUFHRT0nJE1ETUlNQUdFJwpNRE1TT1VSQ0VFTlZJUk9OTUVOVD0nJExPQ0FUSU9OJwpNRE1TT1VSQ0VST0xFPXJwCk1ETVNPVVJDRVJPTEVJTlNUQU5DRT0nJChob3N0bmFtZSknCkVPRgoKbWtkaXIgL3Zhci9ldHcKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL21kbS5zZXJ2aWNlIDw8J0VPRicKW1VuaXRdCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApXYW50cz1uZXR3b3JrLW9ubGluZS50YXJnZXQKCltTZXJ2aWNlXQpFbnZpcm9ubWVudEZpbGU9L2V0Yy9zeXNjb25maWcvbWRtCkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVOCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIFwKICAtLWVudHJ5cG9pbnQgL3Vzci9zYmluL01ldHJpY3NFeHRlbnNpb24gXAogIC0taG9zdG5hbWUgJUggXAogIC0tbmFtZSAlTiBcCiAgLS1ybSBcCiAgLS1jYXAtZHJvcCBuZXRfcmF3IFwKICAtbSAyZyBcCiAgLXYgL2V0Yy9tZG0ucGVtOi9ldGMvbWRtLnBlbSBcCiAgLXYgL3Zhci9ldHc6L3Zhci9ldHc6eiBcCiAgJE1ETUlNQUdFIFwKICAtQ2VydEZpbGUgL2V0Yy9tZG0ucGVtIFwKICAtRnJvbnRFbmRVcmwgJE1ETUZST05URU5EVVJMIFwKICAtTG9nZ2VyIENvbnNvbGUgXAogIC1Mb2dMZXZlbCBXYXJuaW5nIFwKICAtUHJpdmF0ZUtleUZpbGUgL2V0Yy9tZG0ucGVtIFwKICAtU291cmNlRW52aXJvbm1lbnQgJE1ETVNPVVJDRUVOVklST05NRU5UIFwKICAtU291cmNlUm9sZSAkTURNU09VUkNFUk9MRSBcCiAgLVNvdXJjZVJvbGVJbnN0YW5jZSAkTURNU09VUkNFUk9MRUlOU1RBTkNFCkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wICVOClJlc3RhcnQ9YWx3YXlzClJlc3RhcnRTZWM9MQpTdGFydExpbWl0SW50ZXJ2YWw9MAoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKZWNobyAiY29uZmlndXJpbmcgYXJvLXJwIHNlcnZpY2UiCmNhdCA+L2V0Yy9zeXNjb25maWcvYXJvLXJwIDw8RU9GCkFDUl9SRVNPVVJDRV9JRD0nJEFDUlJFU09VUkNFSUQnCkFETUlOX0FQSV9DTElFTlRfQ0VSVF9DT01NT05fTkFNRT0nJEFETUlOQVBJQ0xJRU5UQ0VSVENPTU1PTk5BTUUnCkFSTV9BUElfQ0xJRU5UX0NFUlRfQ09NTU9OX05BTUU9JyRBUk1BUElDTElFTlRDRVJUQ09NTU9OTkFNRScKQVpVUkVfQVJNX0NMSUVOVF9JRD0nJEFSTUNMSUVOVElEJwpBWlVSRV9GUF9DTElFTlRfSUQ9JyRGUENMSUVOVElEJwpBWlVSRV9GUF9TRVJWSUNFX1BSSU5DSVBBTF9JRD0nJEZQU0VSVklDRVBSSU5DSVBBTElEJwpCSUxMSU5HX0UyRV9TVE9SQUdFX0FDQ09VTlRfSUQ9JyRCSUxMSU5HRTJFU1RPUkFHRUFDQ09VTlRJRCcKQ0xVU1RFUl9NRE1fQUNDT1VOVD0nJENMVVNURVJNRE1BQ0NPVU5UJwpDTFVTVEVSX01ETV9OQU1FU1BBQ0U9UlAKQ0xVU1RFUl9NRFNEX0FDQ09VTlQ9JyRDTFVTVEVSTURTREFDQ09VTlQnCkNMVVNURVJfTURTRF9DT05GSUdfVkVSU0lPTj0nJENMVVNURVJNRFNEQ09ORklHVkVSU0lPTicKQ0xVU1RFUl9NRFNEX05BTUVTUEFDRT0nJENMVVNURVJNRFNETkFNRVNQQUNFJwpEQVRBQkFTRV9BQ0NPVU5UX05BTUU9JyREQVRBQkFTRUFDQ09VTlROQU1FJwpET01BSU5fTkFNRT0nJExPQ0FUSU9OLiRDTFVTVEVSUEFSRU5URE9NQUlOTkFNRScKR0FURVdBWV9ET01BSU5TPSckR0FURVdBWURPTUFJTlMnCkdBVEVXQVlfUkVTT1VSQ0VHUk9VUD0nJEdBVEVXQVlSRVNPVVJDRUdST1VQTkFNRScKS0VZVkFVTFRfUFJFRklYPSckS0VZVkFVTFRQUkVGSVgnCk1ETV9BQ0NPVU5UPSckUlBNRE1BQ0NPVU5UJwpNRE1fTkFNRVNQQUNFPVJQCk1EU0RfRU5WSVJPTk1FTlQ9JyRNRFNERU5WSVJPTk1FTlQnClJQX0ZFQVRVUkVTPSckUlBGRUFUVVJFUycKUlBJTUFHRT0nJFJQSU1BR0UnCkFST19JTlNUQUxMX1ZJQV9ISVZFPSckQ0xVU1RFUlNJTlNUQUxMVklBSElWRScKQVJPX0hJVkVfREVGQVVMVF9JTlNUQUxMRVJfUFVMTFNQRUM9JyRDTFVTVEVSREVGQVVMVElOU1RBTExFUlBVTExTUEVDJwpBUk9fQURPUFRfQllfSElWRT0nJENMVVNURVJTQURPUFRCWUhJVkUnClVTRV9DSEVDS0FDQ0VTUz0nJFVTRUNIRUNLQUNDRVNTJwpFT0YKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9hcm8tcnAuc2VydmljZSA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL2Fyby1ycApFeGVjU3RhcnRQcmU9LS91c3IvYmluL2RvY2tlciBybSAtZiAlTgpFeGVjU3RhcnQ9L3Vzci9iaW4vZG9ja2VyIHJ1biBcCiAgLS1ob3N0bmFtZSAlSCBcCiAgLS1uYW1lICVOIFwKICAtLXJtIFwKICAtLWNhcC1kcm9wIG5ldF9yYXcgXAogIC1lIEFDUl9SRVNPVVJDRV9JRCBcCiAgLWUgQURNSU5fQVBJX0NMSUVOVF9DRVJUX0NPTU1PTl9OQU1FIFwKICAtZSBBUk1fQVBJX0NMSUVOVF9DRVJUX0NPTU1PTl9OQU1FIFwKICAtZSBBWlVSRV9BUk1fQ0xJRU5UX0lEIFwKICAtZSBBWlVSRV9GUF9DTElFTlRfSUQgXAogIC1lIEJJTExJTkdfRTJFX1NUT1JBR0VfQUNDT1VOVF9JRCBcCiAgLWUgQ0xVU1RFUl9NRE1fQUNDT1VOVCBcCiAgLWUgQ0xVU1RFUl9NRE1fTkFNRVNQQUNFIFwKICAtZSBDTFVTVEVSX01EU0RfQUNDT1VOVCBcCiAgLWUgQ0xVU1RFUl9NRFNEX0NPTkZJR19WRVJTSU9OIFwKICAtZSBDTFVTVEVSX01EU0RfTkFNRVNQQUNFIFwKICAtZSBEQVRBQkFTRV9BQ0NPVU5UX05BTUUgXAogIC1lIERPTUFJTl9OQU1FIFwKICAtZSBHQVRFV0FZX0RPTUFJTlMgXAogIC1lIEdBVEVXQVlfUkVTT1VSQ0VHUk9VUCBcCiAgLWUgS0VZVkFVTFRfUFJFRklYIFwKICAtZSBNRE1fQUNDT1VOVCBcCiAgLWUgTURNX05BTUVTUEFDRSBcCiAgLWUgTURTRF9FTlZJUk9OTUVOVCBcCiAgLWUgUlBfRkVBVFVSRVMgXAogIC1lIEFST19JTlNUQUxMX1ZJQV9ISVZFIFwKICAtZSBBUk9fSElWRV9ERUZBVUxUX0lOU1RBTExFUl9QVUxMU1BFQyBcCiAgLWUgQVJPX0FET1BUX0JZX0hJVkUgXAogIC1lIFVTRV9DSEVDS0FDQ0VTUyBcCiAgLW0gMmcgXAogIC1wIDQ0Mzo4NDQzIFwKICAtdiAvZXRjL2Fyby1ycDovZXRjL2Fyby1ycCBcCiAgLXYgL3J1bi9zeXN0ZW1kL2pvdXJuYWw6L3J1bi9zeXN0ZW1kL2pvdXJuYWwgXAogIC12IC92YXIvZXR3Oi92YXIvZXR3OnogXAogICRSUElNQUdFIFwKICBycApFeGVjU3RvcD0vdXNyL2Jpbi9kb2NrZXIgc3RvcCAtdCAzNjAwICVOClRpbWVvdXRTdG9wU2VjPTM2MDAKUmVzdGFydD1hbHdheXMKUmVzdGFydFNlYz0xClN0YXJ0TGltaXRJbnRlcnZhbD0wCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgplY2hvICJjb25maWd1cmluZyBhcm8tZGJ0b2tlbiBzZXJ2aWNlIgpjYXQgPi9ldGMvc3lzY29uZmlnL2Fyby1kYnRva2VuIDw8RU9GCkRBVEFCQVNFX0FDQ09VTlRfTkFNRT0nJERBVEFCQVNFQUNDT1VOVE5BTUUnCkFaVVJFX0RCVE9LRU5fQ0xJRU5UX0lEPSckREJUT0tFTkNMSUVOVElEJwpBWlVSRV9HQVRFV0FZX1NFUlZJQ0VfUFJJTkNJUEFMX0lEPSckR0FURVdBWVNFUlZJQ0VQUklOQ0lQQUxJRCcKS0VZVkFVTFRfUFJFRklYPSckS0VZVkFVTFRQUkVGSVgnCk1ETV9BQ0NPVU5UPSckUlBNRE1BQ0NPVU5UJwpNRE1fTkFNRVNQQUNFPURCVG9rZW4KUlBJTUFHRT0nJFJQSU1BR0UnCkVPRgoKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL2Fyby1kYnRva2VuLnNlcnZpY2UgPDwnRU9GJwpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldAoKW1NlcnZpY2VdCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9hcm8tZGJ0b2tlbgpFeGVjU3RhcnRQcmU9LS91c3IvYmluL2RvY2tlciBybSAtZiAlTgpFeGVjU3RhcnQ9L3Vzci9iaW4vZG9ja2VyIHJ1biBcCiAgLS1ob3N0bmFtZSAlSCBcCiAgLS1uYW1lICVOIFwKICAtLXJtIFwKICAtLWNhcC1kcm9wIG5ldF9yYXcgXAogIC1lIEFaVVJFX0dBVEVXQVlfU0VSVklDRV9QUklOQ0lQQUxfSUQgXAogIC1lIERBVEFCQVNFX0FDQ09VTlRfTkFNRSBcCiAgLWUgQVpVUkVfREJUT0tFTl9DTElFTlRfSUQgXAogIC1lIEtFWVZBVUxUX1BSRUZJWCBcCiAgLWUgTURNX0FDQ09VTlQgXAogIC1lIE1ETV9OQU1FU1BBQ0UgXAogIC1tIDJnIFwKICAtcCA0NDU6ODQ0NSBcCiAgLXYgL3J1bi9zeXN0ZW1kL2pvdXJuYWw6L3J1bi9zeXN0ZW1kL2pvdXJuYWwgXAogIC12IC92YXIvZXR3Oi92YXIvZXR3OnogXAogICRSUElNQUdFIFwKICBkYnRva2VuCkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wIC10IDM2MDAgJU4KVGltZW91dFN0b3BTZWM9MzYwMApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTEKU3RhcnRMaW1pdEludGVydmFsPTAKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCiMgRE9NQUlOX05BTUUsIENMVVNURVJfTURTRF9BQ0NPVU5ULCBDTFVTVEVSX01EU0RfQ09ORklHX1ZFUlNJT04sIEdBVEVXQVlfRE9NQUlOUywgR0FURVdBWV9SRVNPVVJDRUdST1VQLCBNRFNEX0VOVklST05NRU5UIENMVVNURVJfTURTRF9OQU1FU1BBQ0UKIyBhcmUgbm90IHVzZWQsIGJ1dCBjYW4ndCBlYXNpbHkgYmUgcmVmYWN0b3JlZCBvdXQuIFNob3VsZCBiZSByZXZpc2l0ZWQgaW4gdGhlIGZ1dHVyZS4KZWNobyAiY29uZmlndXJpbmcgYXJvLW1vbml0b3Igc2VydmljZSIKY2F0ID4vZXRjL3N5c2NvbmZpZy9hcm8tbW9uaXRvciA8PEVPRgpBWlVSRV9GUF9DTElFTlRfSUQ9JyRGUENMSUVOVElEJwpET01BSU5fTkFNRT0nJExPQ0FUSU9OLiRDTFVTVEVSUEFSRU5URE9NQUlOTkFNRScKQ0xVU1RFUl9NRFNEX0FDQ09VTlQ9JyRDTFVTVEVSTURTREFDQ09VTlQnCkNMVVNURVJfTURTRF9DT05GSUdfVkVSU0lPTj0nJENMVVNURVJNRFNEQ09ORklHVkVSU0lPTicKR0FURVdBWV9ET01BSU5TPSckR0FURVdBWURPTUFJTlMnCkdBVEVXQVlfUkVTT1VSQ0VHUk9VUD0nJEdBVEVXQVlSRVNPVVJDRUdST1VQTkFNRScKTURTRF9FTlZJUk9OTUVOVD0nJE1EU0RFTlZJUk9OTUVOVCcKQ0xVU1RFUl9NRFNEX05BTUVTUEFDRT0nJENMVVNURVJNRFNETkFNRVNQQUNFJwpDTFVTVEVSX01ETV9BQ0NPVU5UPSckQ0xVU1RFUk1ETUFDQ09VTlQnCkNMVVNURVJfTURNX05BTUVTUEFDRT1CQk0KREFUQUJBU0VfQUNDT1VOVF9OQU1FPSckREFUQUJBU0VBQ0NPVU5UTkFNRScKS0VZVkFVTFRfUFJFRklYPSckS0VZVkFVTFRQUkVGSVgnCk1ETV9BQ0NPVU5UPSckUlBNRE1BQ0NPVU5UJwpNRE1fTkFNRVNQQUNFPUJCTQpSUElNQUdFPSckUlBJTUFHRScKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vYXJvLW1vbml0b3Iuc2VydmljZSA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL2Fyby1tb25pdG9yCkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVOCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIFwKICAtLWhvc3RuYW1lICVIIFwKICAtLW5hbWUgJU4gXAogIC0tcm0gXAogIC0tY2FwLWRyb3AgbmV0X3JhdyBcCiAgLWUgQVpVUkVfRlBfQ0xJRU5UX0lEIFwKICAtZSBET01BSU5fTkFNRSBcCiAgLWUgQ0xVU1RFUl9NRFNEX0FDQ09VTlQgXAogIC1lIENMVVNURVJfTURTRF9DT05GSUdfVkVSU0lPTiBcCiAgLWUgR0FURVdBWV9ET01BSU5TIFwKICAtZSBHQVRFV0FZX1JFU09VUkNFR1JPVVAgXAogIC1lIE1EU0RfRU5WSVJPTk1FTlQgXAogIC1lIENMVVNURVJfTURTRF9OQU1FU1BBQ0UgXAogIC1lIENMVVNURVJfTURNX0FDQ09VTlQgXAogIC1lIENMVVNURVJfTURNX05BTUVTUEFDRSBcCiAgLWUgREFUQUJBU0VfQUNDT1VOVF9OQU1FIFwKICAtZSBLRVlWQVVMVF9QUkVGSVggXAogIC1lIE1ETV9BQ0NPVU5UIFwKICAtZSBNRE1fTkFNRVNQQUNFIFwKICAtbSAyLjVnIFwKICAtdiAvcnVuL3N5c3RlbWQvam91cm5hbDovcnVuL3N5c3RlbWQvam91cm5hbCBcCiAgLXYgL3Zhci9ldHc6L3Zhci9ldHc6eiBcCiAgJFJQSU1BR0UgXAogIG1vbml0b3IKUmVzdGFydD1hbHdheXMKUmVzdGFydFNlYz0xClN0YXJ0TGltaXRJbnRlcnZhbD0wCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgplY2hvICJjb25maWd1cmluZyBhcm8tcG9ydGFsIHNlcnZpY2UiCmNhdCA+L2V0Yy9zeXNjb25maWcvYXJvLXBvcnRhbCA8PEVPRgpBWlVSRV9QT1JUQUxfQUNDRVNTX0dST1VQX0lEUz0nJFBPUlRBTEFDQ0VTU0dST1VQSURTJwpBWlVSRV9QT1JUQUxfQ0xJRU5UX0lEPSckUE9SVEFMQ0xJRU5USUQnCkFaVVJFX1BPUlRBTF9FTEVWQVRFRF9HUk9VUF9JRFM9JyRQT1JUQUxFTEVWQVRFREdST1VQSURTJwpEQVRBQkFTRV9BQ0NPVU5UX05BTUU9JyREQVRBQkFTRUFDQ09VTlROQU1FJwpLRVlWQVVMVF9QUkVGSVg9JyRLRVlWQVVMVFBSRUZJWCcKTURNX0FDQ09VTlQ9JyRSUE1ETUFDQ09VTlQnCk1ETV9OQU1FU1BBQ0U9UG9ydGFsClBPUlRBTF9IT1NUTkFNRT0nJExPQ0FUSU9OLmFkbWluLiRSUFBBUkVOVERPTUFJTk5BTUUnClJQSU1BR0U9JyRSUElNQUdFJwpFT0YKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9hcm8tcG9ydGFsLnNlcnZpY2UgPDwnRU9GJwpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldApTdGFydExpbWl0SW50ZXJ2YWw9MAoKW1NlcnZpY2VdCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9hcm8tcG9ydGFsCkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVOCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIFwKICAtLWhvc3RuYW1lICVIIFwKICAtLW5hbWUgJU4gXAogIC0tcm0gXAogIC0tY2FwLWRyb3AgbmV0X3JhdyBcCiAgLWUgQVpVUkVfUE9SVEFMX0FDQ0VTU19HUk9VUF9JRFMgXAogIC1lIEFaVVJFX1BPUlRBTF9DTElFTlRfSUQgXAogIC1lIEFaVVJFX1BPUlRBTF9FTEVWQVRFRF9HUk9VUF9JRFMgXAogIC1lIERBVEFCQVNFX0FDQ09VTlRfTkFNRSBcCiAgLWUgS0VZVkFVTFRfUFJFRklYIFwKICAtZSBNRE1fQUNDT1VOVCBcCiAgLWUgTURNX05BTUVTUEFDRSBcCiAgLWUgUE9SVEFMX0hPU1ROQU1FIFwKICAtbSAyZyBcCiAgLXAgNDQ0Ojg0NDQgXAogIC1wIDIyMjI6MjIyMiBcCiAgLXYgL3J1bi9zeXN0ZW1kL2pvdXJuYWw6L3J1bi9zeXN0ZW1kL2pvdXJuYWwgXAogIC12IC92YXIvZXR3Oi92YXIvZXR3OnogXAogICRSUElNQUdFIFwKICBwb3J0YWwKUmVzdGFydD1hbHdheXMKUmVzdGFydFNlYz0xCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgplY2hvICJjb25maWd1cmluZyBtZHNkIGFuZCBtZG0gc2VydmljZXMiCmNoY29uIC1SIHN5c3RlbV91Om9iamVjdF9yOnZhcl9sb2dfdDpzMCAvdmFyL29wdC9taWNyb3NvZnQvbGludXhtb25hZ2VudAoKbWtkaXIgLXAgL3Zhci9saWIvd2FhZ2VudC9NaWNyb3NvZnQuQXp1cmUuS2V5VmF1bHQuU3RvcmUKCmZvciB2YXIgaW4gIm1kc2QiICJtZG0iOyBkbwpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vZG93bmxvYWQtJHZhci1jcmVkZW50aWFscy5zZXJ2aWNlIDw8RU9GCltVbml0XQpEZXNjcmlwdGlvbj1QZXJpb2RpYyAkdmFyIGNyZWRlbnRpYWxzIHJlZnJlc2gKCltTZXJ2aWNlXQpUeXBlPW9uZXNob3QKRXhlY1N0YXJ0PS91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoICR2YXIKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vZG93bmxvYWQtJHZhci1jcmVkZW50aWFscy50aW1lciA8PEVPRgpbVW5pdF0KRGVzY3JpcHRpb249UGVyaW9kaWMgJHZhciBjcmVkZW50aWFscyByZWZyZXNoCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApXYW50cz1uZXR3b3JrLW9ubGluZS50YXJnZXQKCltUaW1lcl0KT25Cb290U2VjPTBtaW4KT25DYWxlbmRhcj0wLzEyOjAwOjAwCkFjY3VyYWN5U2VjPTVzCgpbSW5zdGFsbF0KV2FudGVkQnk9dGltZXJzLnRhcmdldApFT0YKZG9uZQoKY2F0ID4vdXNyL2xvY2FsL2Jpbi9kb3dubG9hZC1jcmVkZW50aWFscy5zaCA8PEVPRgojIS9iaW4vYmFzaApzZXQgLWV1CgpDT01QT05FTlQ9IlwkMSIKZWNobyAiRG93bmxvYWQgXCRDT01QT05FTlQgY3JlZGVudGlhbHMiCgpURU1QX0RJUj1cJChta3RlbXAgLWQpCmV4cG9ydCBBWlVSRV9DT05GSUdfRElSPVwkKG1rdGVtcCAtZCkKCmVjaG8gIkxvZ2dpbmcgaW50byBBenVyZS4uLiIKUkVUUklFUz0zCndoaWxlIFsgIlwkUkVUUklFUyIgLWd0IDAgXTsgZG8KICAgIGlmIGF6IGxvZ2luIC1pIC0tYWxsb3ctbm8tc3Vic2NyaXB0aW9ucwogICAgdGhlbgogICAgICAgIGVjaG8gImF6IGxvZ2luIHN1Y2Nlc3NmdWwiCiAgICAgICAgYnJlYWsKICAgIGVsc2UKICAgICAgICBlY2hvICJheiBsb2dpbiBmYWlsZWQuIFJldHJ5aW5nLi4uIgogICAgICAgIGxldCBSRVRSSUVTLT0xCiAgICAgICAgc2xlZXAgNQogICAgZmkKZG9uZQoKdHJhcCAiY2xlYW51cCIgRVhJVAoKY2xlYW51cCgpIHsKICBheiBsb2dvdXQKICBbWyAiXCRURU1QX0RJUiIgPX4gL3RtcC8uKyBdXSAmJiBybSAtcmYgXCRURU1QX0RJUgogIFtbICJcJEFaVVJFX0NPTkZJR19ESVIiID1+IC90bXAvLisgXV0gJiYgcm0gLXJmIFwkQVpVUkVfQ09ORklHX0RJUgp9CgppZiBbICJcJENPTVBPTkVOVCIgPSAibWRtIiBdOyB0aGVuCiAgQ1VSUkVOVF9DRVJUX0ZJTEU9Ii9ldGMvbWRtLnBlbSIKZWxpZiBbICJcJENPTVBPTkVOVCIgPSAibWRzZCIgXTsgdGhlbgogIENVUlJFTlRfQ0VSVF9GSUxFPSIvdmFyL2xpYi93YWFnZW50L01pY3Jvc29mdC5BenVyZS5LZXlWYXVsdC5TdG9yZS9tZHNkLnBlbSIKZWxzZQogIGVjaG8gSW52YWxpZCB1c2FnZSAmJiBleGl0IDEKZmkKClNFQ1JFVF9OQU1FPSJycC1cJHtDT01QT05FTlR9IgpORVdfQ0VSVF9GSUxFPSJcJFRFTVBfRElSL1wkQ09NUE9ORU5ULnBlbSIKZm9yIGF0dGVtcHQgaW4gezEuLjV9OyBkbwogIGF6IGtleXZhdWx0IHNlY3JldCBkb3dubG9hZCAtLWZpbGUgXCRORVdfQ0VSVF9GSUxFIC0taWQgImh0dHBzOi8vJEtFWVZBVUxUUFJFRklYLXN2Yy4kS0VZVkFVTFRETlNTVUZGSVgvc2VjcmV0cy9cJFNFQ1JFVF9OQU1FIiAmJiBicmVhawogIGlmIFtbIFwkYXR0ZW1wdCAtbHQgNSBdXTsgdGhlbiBzbGVlcCAxMDsgZWxzZSBleGl0IDE7IGZpCmRvbmUKCmlmIFsgLWYgXCRORVdfQ0VSVF9GSUxFIF07IHRoZW4KICBpZiBbICJcJENPTVBPTkVOVCIgPSAibWRzZCIgXTsgdGhlbgogICAgY2hvd24gc3lzbG9nOnN5c2xvZyBcJE5FV19DRVJUX0ZJTEUKICBlbHNlCiAgICBzZWQgLWkgLW5lICcxLC9FTkQgQ0VSVElGSUNBVEUvIHAnIFwkTkVXX0NFUlRfRklMRQogIGZpCgogIG5ld19jZXJ0X3NuPSJcJChvcGVuc3NsIHg1MDkgLWluICJcJE5FV19DRVJUX0ZJTEUiIC1ub291dCAtc2VyaWFsIHwgYXdrIC1GPSAne3ByaW50IFwkMn0nKSIKICBjdXJyZW50X2NlcnRfc249IlwkKG9wZW5zc2wgeDUwOSAtaW4gIlwkQ1VSUkVOVF9DRVJUX0ZJTEUiIC1ub291dCAtc2VyaWFsIHwgYXdrIC1GPSAne3ByaW50IFwkMn0nKSIKICBpZiBbWyAhIC16IFwkbmV3X2NlcnRfc24gXV0gJiYgW1sgXCRuZXdfY2VydF9zbiAhPSAiXCRjdXJyZW50X2NlcnRfc24iIF1dOyB0aGVuCiAgICBlY2hvIHVwZGF0aW5nIGNlcnRpZmljYXRlIGZvciBcJENPTVBPTkVOVAogICAgY2htb2QgMDYwMCBcJE5FV19DRVJUX0ZJTEUKICAgIG12IFwkTkVXX0NFUlRfRklMRSBcJENVUlJFTlRfQ0VSVF9GSUxFCiAgZmkKZWxzZQogIGVjaG8gRmFpbGVkIHRvIHJlZnJlc2ggY2VydGlmaWNhdGUgZm9yIFwkQ09NUE9ORU5UICYmIGV4aXQgMQpmaQpFT0YKCmNobW9kIHUreCAvdXNyL2xvY2FsL2Jpbi9kb3dubG9hZC1jcmVkZW50aWFscy5zaAoKc3lzdGVtY3RsIGVuYWJsZSBkb3dubG9hZC1tZHNkLWNyZWRlbnRpYWxzLnRpbWVyCnN5c3RlbWN0bCBlbmFibGUgZG93bmxvYWQtbWRtLWNyZWRlbnRpYWxzLnRpbWVyCgovdXNyL2xvY2FsL2Jpbi9kb3dubG9hZC1jcmVkZW50aWFscy5zaCBtZHNkCi91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoIG1kbQpNRFNEQ0VSVElGSUNBVEVTQU49JChvcGVuc3NsIHg1MDkgLWluIC92YXIvbGliL3dhYWdlbnQvTWljcm9zb2Z0LkF6dXJlLktleVZhdWx0LlN0b3JlL21kc2QucGVtIC1ub291dCAtc3ViamVjdCB8IHNlZCAtZSAncy8uKkNOID0gLy8nKQoKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL3dhdGNoLW1kbS1jcmVkZW50aWFscy5zZXJ2aWNlIDw8RU9GCltVbml0XQpEZXNjcmlwdGlvbj1XYXRjaCBmb3IgY2hhbmdlcyBpbiBtZG0ucGVtIGFuZCByZXN0YXJ0cyB0aGUgbWRtIHNlcnZpY2UKCltTZXJ2aWNlXQpUeXBlPW9uZXNob3QKRXhlY1N0YXJ0PS91c3IvYmluL3N5c3RlbWN0bCByZXN0YXJ0IG1kbS5zZXJ2aWNlCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vd2F0Y2gtbWRtLWNyZWRlbnRpYWxzLnBhdGggPDxFT0YKW1BhdGhdClBhdGhNb2RpZmllZD0vZXRjL21kbS5wZW0KCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCnN5c3RlbWN0bCBlbmFibGUgd2F0Y2gtbWRtLWNyZWRlbnRpYWxzLnBhdGgKc3lzdGVtY3RsIHN0YXJ0IHdhdGNoLW1kbS1jcmVkZW50aWFscy5wYXRoCgpta2RpciAvZXRjL3N5c3RlbWQvc3lzdGVtL21kc2Quc2VydmljZS5kCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9tZHNkLnNlcnZpY2UuZC9vdmVycmlkZS5jb25mIDw8J0VPRicKW1VuaXRdCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApFT0YKCmNhdCA+L2V0Yy9kZWZhdWx0L21kc2QgPDxFT0YKTURTRF9ST0xFX1BSRUZJWD0vdmFyL3J1bi9tZHNkL2RlZmF1bHQKTURTRF9PUFRJT05TPSItQSAtZCAtciBcJE1EU0RfUk9MRV9QUkVGSVgiCgpleHBvcnQgTU9OSVRPUklOR19HQ1NfRU5WSVJPTk1FTlQ9JyRNRFNERU5WSVJPTk1FTlQnCmV4cG9ydCBNT05JVE9SSU5HX0dDU19BQ0NPVU5UPSckUlBNRFNEQUNDT1VOVCcKZXhwb3J0IE1PTklUT1JJTkdfR0NTX1JFR0lPTj0nJExPQ0FUSU9OJwpleHBvcnQgTU9OSVRPUklOR19HQ1NfQVVUSF9JRF9UWVBFPUF1dGhLZXlWYXVsdApleHBvcnQgTU9OSVRPUklOR19HQ1NfQVVUSF9JRD0nJE1EU0RDRVJUSUZJQ0FURVNBTicKZXhwb3J0IE1PTklUT1JJTkdfR0NTX05BTUVTUEFDRT0nJFJQTURTRE5BTUVTUEFDRScKZXhwb3J0IE1PTklUT1JJTkdfQ09ORklHX1ZFUlNJT049JyRSUE1EU0RDT05GSUdWRVJTSU9OJwpleHBvcnQgTU9OSVRPUklOR19VU0VfR0VORVZBX0NPTkZJR19TRVJWSUNFPXRydWUKCmV4cG9ydCBNT05JVE9SSU5HX1RFTkFOVD0nJExPQ0FUSU9OJwpleHBvcnQgTU9OSVRPUklOR19ST0xFPXJwCmV4cG9ydCBNT05JVE9SSU5HX1JPTEVfSU5TVEFOQ0U9JyQoaG9zdG5hbWUpJwoKZXhwb3J0IE1EU0RfTVNHUEFDS19TT1JUX0NPTFVNTlM9MQpFT0YKCiMgc2V0dGluZyBNT05JVE9SSU5HX0dDU19BVVRIX0lEX1RZUEU9QXV0aEtleVZhdWx0IHNlZW1zIHRvIGhhdmUgY2F1c2VkIG1kc2Qgbm90CiMgdG8gaG9ub3VyIFNTTF9DRVJUX0ZJTEUgYW55IG1vcmUsIGhlYXZlbiBvbmx5IGtub3dzIHdoeS4KbWtkaXIgLXAgL3Vzci9saWIvc3NsL2NlcnRzCmNzcGxpdCAtZiAvdXNyL2xpYi9zc2wvY2VydHMvY2VydC0gLWIgJTAzZC5wZW0gL2V0Yy9wa2kvdGxzL2NlcnRzL2NhLWJ1bmRsZS5jcnQgL14kLzEgeyp9ID4vZGV2L251bGwKY19yZWhhc2ggL3Vzci9saWIvc3NsL2NlcnRzCgojIHdlIGxlYXZlIGNsaWVudElkIGJsYW5rIGFzIGxvbmcgYXMgb25seSAxIG1hbmFnZWQgaWRlbnRpdHkgYXNzaWduZWQgdG8gdm1zcwojIGlmIHdlIGhhdmUgbW9yZSB0aGFuIDEsIHdlIHdpbGwgbmVlZCB0byBwb3B1bGF0ZSB3aXRoIGNsaWVudElkIHVzZWQgZm9yIG9mZi1ub2RlIHNjYW5uaW5nCmNhdCA+L2V0Yy9kZWZhdWx0L3ZzYS1ub2Rlc2Nhbi1hZ2VudC5jb25maWcgPDxFT0YKewogICAgIk5pY2UiOiAxOSwKICAgICJUaW1lb3V0IjogMTA4MDAsCiAgICAiQ2xpZW50SWQiOiAiIiwKICAgICJUZW5hbnRJZCI6ICIkQVpVUkVTRUNQQUNLVlNBVEVOQU5USUQiLAogICAgIlF1YWx5c1N0b3JlQmFzZVVybCI6ICIkQVpVUkVTRUNQQUNLUVVBTFlTVVJMIiwKICAgICJQcm9jZXNzVGltZW91dCI6IDMwMCwKICAgICJDb21tYW5kRGVsYXkiOiAwCiAgfQpFT0YKCmVjaG8gImVuYWJsaW5nIGFybyBzZXJ2aWNlcyIKZm9yIHNlcnZpY2UgaW4gYXJvLWRidG9rZW4gYXJvLW1vbml0b3IgYXJvLXBvcnRhbCBhcm8tcnAgYXVvbXMgYXpzZWNkIGF6c2VjbW9uZCBtZHNkIG1kbSBjaHJvbnlkIGZsdWVudGJpdDsgZG8KICBzeXN0ZW1jdGwgZW5hYmxlICRzZXJ2aWNlLnNlcnZpY2UKZG9uZQoKZm9yIHNjYW4gaW4gYmFzZWxpbmUgY2xhbWF2IHNvZnR3YXJlOyBkbwogIC91c3IvbG9jYWwvYmluL2F6c2VjZCBjb25maWcgLXMgJHNjYW4gLWQgUDFECmRvbmUKCmVjaG8gInJlYm9vdGluZyIKcmVzdG9yZWNvbiAtUkYgL3Zhci9sb2cvKgooc2xlZXAgMzA7IHJlYm9vdCkgJgo=')))]"
+                                        "script": "[base64(concat(base64ToString('c2V0IC1leAoK'),'ACRRESOURCEID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('acrResourceId')),''')\n','ADMINAPICLIENTCERTCOMMONNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('adminApiClientCertCommonName')),''')\n','ARMAPICLIENTCERTCOMMONNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('armApiClientCertCommonName')),''')\n','ARMCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('armClientId')),''')\n','AZURECLOUDNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureCloudName')),''')\n','AZURESECPACKQUALYSURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackQualysUrl')),''')\n','AZURESECPACKVSATENANTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('azureSecPackVSATenantId')),''')\n','CLUSTERMDMACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdmAccount')),''')\n','CLUSTERMDSDACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdsdAccount')),''')\n','CLUSTERMDSDCONFIGVERSION=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdsdConfigVersion')),''')\n','CLUSTERMDSDNAMESPACE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterMdsdNamespace')),''')\n','CLUSTERPARENTDOMAINNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterParentDomainName')),''')\n','DATABASEACCOUNTNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('databaseAccountName')),''')\n','DBTOKENCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('dbtokenClientId')),''')\n','FLUENTBITIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fluentbitImage')),''')\n','FPCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fpClientId')),''')\n','FPSERVICEPRINCIPALID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('fpServicePrincipalId')),''')\n','GATEWAYDOMAINS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayDomains')),''')\n','GATEWAYRESOURCEGROUPNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayResourceGroupName')),''')\n','GATEWAYSERVICEPRINCIPALID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('gatewayServicePrincipalId')),''')\n','KEYVAULTDNSSUFFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultDNSSuffix')),''')\n','KEYVAULTPREFIX=$(base64 -d \u003c\u003c\u003c''',base64(parameters('keyvaultPrefix')),''')\n','MDMFRONTENDURL=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdmFrontendUrl')),''')\n','MDSDENVIRONMENT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('mdsdEnvironment')),''')\n','PORTALACCESSGROUPIDS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('portalAccessGroupIds')),''')\n','PORTALCLIENTID=$(base64 -d \u003c\u003c\u003c''',base64(parameters('portalClientId')),''')\n','PORTALELEVATEDGROUPIDS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('portalElevatedGroupIds')),''')\n','RPFEATURES=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpFeatures')),''')\n','RPIMAGE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpImage')),''')\n','RPMDMACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdmAccount')),''')\n','RPMDSDACCOUNT=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdAccount')),''')\n','RPMDSDCONFIGVERSION=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdConfigVersion')),''')\n','RPMDSDNAMESPACE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpMdsdNamespace')),''')\n','RPPARENTDOMAINNAME=$(base64 -d \u003c\u003c\u003c''',base64(parameters('rpParentDomainName')),''')\n','CLUSTERSINSTALLVIAHIVE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clustersInstallViaHive')),''')\n','CLUSTERSADOPTBYHIVE=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clustersAdoptByHive')),''')\n','CLUSTERDEFAULTINSTALLERPULLSPEC=$(base64 -d \u003c\u003c\u003c''',base64(parameters('clusterDefaultInstallerPullspec')),''')\n','USECHECKACCESS=$(base64 -d \u003c\u003c\u003c''',base64(parameters('useCheckAccess')),''')\n','ADMINAPICABUNDLE=''',parameters('adminApiCaBundle'),'''\n','ARMAPICABUNDLE=''',parameters('armApiCaBundle'),'''\n','MDMIMAGE=''/genevamdm:2.2024.328.1744-c5fb79-20240328t1935''\n','LOCATION=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().location),''')\n','SUBSCRIPTIONID=$(base64 -d \u003c\u003c\u003c''',base64(subscription().subscriptionId),''')\n','RESOURCEGROUPNAME=$(base64 -d \u003c\u003c\u003c''',base64(resourceGroup().name),''')\n','\n',base64ToString('IyEvYmluL2Jhc2gKCmVjaG8gInNldHRpbmcgc3NoIHBhc3N3b3JkIGF1dGhlbnRpY2F0aW9uIgojIFdlIG5lZWQgdG8gbWFudWFsbHkgc2V0IFBhc3N3b3JkQXV0aGVudGljYXRpb24gdG8gdHJ1ZSBpbiBvcmRlciBmb3IgdGhlIFZNU1MgQWNjZXNzIEpJVCB0byB3b3JrCnNlZCAtaSAncy9QYXNzd29yZEF1dGhlbnRpY2F0aW9uIG5vL1Bhc3N3b3JkQXV0aGVudGljYXRpb24geWVzL2cnIC9ldGMvc3NoL3NzaGRfY29uZmlnCnN5c3RlbWN0bCByZWxvYWQgc3NoZC5zZXJ2aWNlCgojQWRkaW5nIHJldHJ5IGxvZ2ljIHRvIHl1bSBjb21tYW5kcyBpbiBvcmRlciB0byBhdm9pZCBzdGFsbGluZyBvdXQgb24gcmVzb3VyY2UgbG9ja3MKZWNobyAicnVubmluZyBSSFVJIGZpeCIKZm9yIGF0dGVtcHQgaW4gezEuLjYwfTsgZG8KICB5dW0gdXBkYXRlIC15IC0tZGlzYWJsZXJlcG89JyonIC0tZW5hYmxlcmVwbz0ncmh1aS1taWNyb3NvZnQtYXp1cmUqJyAmJiBicmVhawogIGlmIFtbICR7YXR0ZW1wdH0gLWx0IDYwIF1dOyB0aGVuIHNsZWVwIDMwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKZWNobyAicnVubmluZyB5dW0gdXBkYXRlIgpmb3IgYXR0ZW1wdCBpbiB7MS4uNjB9OyBkbwogIHl1bSAteSAteCBXQUxpbnV4QWdlbnQgLXggV0FMaW51eEFnZW50LXVkZXYgdXBkYXRlIC0tYWxsb3dlcmFzaW5nICYmIGJyZWFrCiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNjAgXV07IHRoZW4gc2xlZXAgMzA7IGVsc2UgZXhpdCAxOyBmaQpkb25lCgplY2hvICJleHRlbmRpbmcgcGFydGl0aW9uIHRhYmxlIgojIExpbnV4IGJsb2NrIGRldmljZXMgYXJlIGluY29uc2lzdGVudGx5IG5hbWVkCiMgaXQncyBkaWZmaWN1bHQgdG8gdGllIHRoZSBsdm0gcHYgdG8gdGhlIHBoeXNpY2FsIGRpc2sgdXNpbmcgL2Rldi9kaXNrIGZpbGVzLCB3aGljaCBpcyB3aHkgbHZzIGlzIHVzZWQgaGVyZQpwaHlzaWNhbERpc2s9IiQobHZzIC1vIGRldmljZXMgLWEgfCBoZWFkIC1uMiB8IHRhaWwgLW4xIHwgY3V0IC1kICcgJyAtZiAzIHwgY3V0IC1kIFwoIC1mIDEgfCB0ciAtZCAnWzpkaWdpdDpdJykiCmdyb3dwYXJ0ICIkcGh5c2ljYWxEaXNrIiAyCgplY2hvICJleHRlbmRpbmcgZmlsZXN5c3RlbXMiCmx2ZXh0ZW5kIC1sICsyMCVGUkVFIC9kZXYvcm9vdHZnL3Jvb3Rsdgp4ZnNfZ3Jvd2ZzIC8KCmx2ZXh0ZW5kIC1sICsxMDAlRlJFRSAvZGV2L3Jvb3R2Zy92YXJsdgp4ZnNfZ3Jvd2ZzIC92YXIKCmVjaG8gImltcG9ydGluZyBycG0gcmVwb3NpdG9yaWVzIgpycG0gLS1pbXBvcnQgaHR0cHM6Ly9kbC5mZWRvcmFwcm9qZWN0Lm9yZy9wdWIvZXBlbC9SUE0tR1BHLUtFWS1FUEVMLTgKcnBtIC0taW1wb3J0IGh0dHBzOi8vcGFja2FnZXMubWljcm9zb2Z0LmNvbS9rZXlzL21pY3Jvc29mdC5hc2MKCmZvciBhdHRlbXB0IGluIHsxLi42MH07IGRvCiAgeXVtIC15IGluc3RhbGwgaHR0cHM6Ly9kbC5mZWRvcmFwcm9qZWN0Lm9yZy9wdWIvZXBlbC9lcGVsLXJlbGVhc2UtbGF0ZXN0LTgubm9hcmNoLnJwbSAmJiBicmVhawogIGlmIFtbICR7YXR0ZW1wdH0gLWx0IDYwIF1dOyB0aGVuIHNsZWVwIDMwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKZWNobyAiY29uZmlndXJpbmcgbG9ncm90YXRlIgpjYXQgPi9ldGMvbG9ncm90YXRlLmNvbmYgPDwnRU9GJwojIHNlZSAibWFuIGxvZ3JvdGF0ZSIgZm9yIGRldGFpbHMKIyByb3RhdGUgbG9nIGZpbGVzIHdlZWtseQp3ZWVrbHkKCiMga2VlcCAyIHdlZWtzIHdvcnRoIG9mIGJhY2tsb2dzCnJvdGF0ZSAyCgojIGNyZWF0ZSBuZXcgKGVtcHR5KSBsb2cgZmlsZXMgYWZ0ZXIgcm90YXRpbmcgb2xkIG9uZXMKY3JlYXRlCgojIHVzZSBkYXRlIGFzIGEgc3VmZml4IG9mIHRoZSByb3RhdGVkIGZpbGUKZGF0ZWV4dAoKIyB1bmNvbW1lbnQgdGhpcyBpZiB5b3Ugd2FudCB5b3VyIGxvZyBmaWxlcyBjb21wcmVzc2VkCmNvbXByZXNzCgojIFJQTSBwYWNrYWdlcyBkcm9wIGxvZyByb3RhdGlvbiBpbmZvcm1hdGlvbiBpbnRvIHRoaXMgZGlyZWN0b3J5CmluY2x1ZGUgL2V0Yy9sb2dyb3RhdGUuZAoKIyBubyBwYWNrYWdlcyBvd24gd3RtcCBhbmQgYnRtcCAtLSB3ZSdsbCByb3RhdGUgdGhlbSBoZXJlCi92YXIvbG9nL3d0bXAgewogICAgbW9udGhseQogICAgY3JlYXRlIDA2NjQgcm9vdCB1dG1wCiAgICAgICAgbWluc2l6ZSAxTQogICAgcm90YXRlIDEKfQoKL3Zhci9sb2cvYnRtcCB7CiAgICBtaXNzaW5nb2sKICAgIG1vbnRobHkKICAgIGNyZWF0ZSAwNjAwIHJvb3QgdXRtcAogICAgcm90YXRlIDEKfQpFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIHl1bSByZXBvc2l0b3J5IGFuZCBydW5uaW5nIHl1bSB1cGRhdGUiCmNhdCA+L2V0Yy95dW0ucmVwb3MuZC9henVyZS5yZXBvIDw8J0VPRicKW2F6dXJlLWNsaV0KbmFtZT1henVyZS1jbGkKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmUtY2xpCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPXllcwoKW2F6dXJlY29yZV0KbmFtZT1henVyZWNvcmUKYmFzZXVybD1odHRwczovL3BhY2thZ2VzLm1pY3Jvc29mdC5jb20veXVtcmVwb3MvYXp1cmVjb3JlCmVuYWJsZWQ9eWVzCmdwZ2NoZWNrPW5vCkVPRgoKc2VtYW5hZ2UgZmNvbnRleHQgLWEgLXQgdmFyX2xvZ190ICIvdmFyL2xvZy9qb3VybmFsKC8uKik/Igpta2RpciAtcCAvdmFyL2xvZy9qb3VybmFsCgpmb3IgYXR0ZW1wdCBpbiB7MS4uNjB9OyBkbwp5dW0gLXkgaW5zdGFsbCBjbGFtYXYgYXpzZWMtY2xhbWF2IGF6c2VjLW1vbml0b3IgYXp1cmUtY2xpIGF6dXJlLW1kc2QgYXp1cmUtc2VjdXJpdHkgcG9kbWFuIHBvZG1hbi1kb2NrZXIgb3BlbnNzbC1wZXJsIHB5dGhvbjMgJiYgYnJlYWsKICAjIGhhY2sgLSB3ZSBhcmUgaW5zdGFsbGluZyBweXRob24zIG9uIGhvc3RzIGR1ZSB0byBhbiBpc3N1ZSB3aXRoIEF6dXJlIExpbnV4IEV4dGVuc2lvbnMgaHR0cHM6Ly9naXRodWIuY29tL0F6dXJlL2F6dXJlLWxpbnV4LWV4dGVuc2lvbnMvcHVsbC8xNTA1CiAgaWYgW1sgJHthdHRlbXB0fSAtbHQgNjAgXV07IHRoZW4gc2xlZXAgMzA7IGVsc2UgZXhpdCAxOyBmaQpkb25lCgojIGh0dHBzOi8vYWNjZXNzLnJlZGhhdC5jb20vc2VjdXJpdHkvY3ZlL2N2ZS0yMDIwLTEzNDAxCmVjaG8gImFwcGx5aW5nIGZpcmV3YWxsIHJ1bGVzIgpjYXQgPi9ldGMvc3lzY3RsLmQvMDItZGlzYWJsZS1hY2NlcHQtcmEuY29uZiA8PCdFT0YnCm5ldC5pcHY2LmNvbmYuYWxsLmFjY2VwdF9yYT0wCkVPRgoKY2F0ID4vZXRjL3N5c2N0bC5kLzAxLWRpc2FibGUtY29yZS5jb25mIDw8J0VPRicKa2VybmVsLmNvcmVfcGF0dGVybiA9IHwvYmluL3RydWUKRU9GCnN5c2N0bCAtLXN5c3RlbQoKZmlyZXdhbGwtY21kIC0tYWRkLXBvcnQ9NDQzL3RjcCAtLXBlcm1hbmVudApmaXJld2FsbC1jbWQgLS1hZGQtcG9ydD00NDQvdGNwIC0tcGVybWFuZW50CmZpcmV3YWxsLWNtZCAtLWFkZC1wb3J0PTQ0NS90Y3AgLS1wZXJtYW5lbnQKZmlyZXdhbGwtY21kIC0tYWRkLXBvcnQ9MjIyMi90Y3AgLS1wZXJtYW5lbnQKCmV4cG9ydCBBWlVSRV9DTE9VRF9OQU1FPSRBWlVSRUNMT1VETkFNRQoKZWNobyAibG9nZ2luZyBpbnRvIHByb2QgYWNyIgpheiBsb2dpbiAtaSAtLWFsbG93LW5vLXN1YnNjcmlwdGlvbnMKCiMgU3VwcHJlc3MgZW11bGF0aW9uIG91dHB1dCBmb3IgcG9kbWFuIGluc3RlYWQgb2YgZG9ja2VyIGZvciBheiBhY3IgY29tcGF0YWJpbGl0eQpta2RpciAtcCAvZXRjL2NvbnRhaW5lcnMvCnRvdWNoIC9ldGMvY29udGFpbmVycy9ub2RvY2tlcgoKbWtkaXIgLXAgL3Jvb3QvLmRvY2tlcgpSRUdJU1RSWV9BVVRIX0ZJTEU9L3Jvb3QvLmRvY2tlci9jb25maWcuanNvbiBheiBhY3IgbG9naW4gLS1uYW1lICIkKHNlZCAtZSAnc3wuKi98fCcgPDw8IiRBQ1JSRVNPVVJDRUlEIikiCgpNRE1JTUFHRT0iJHtSUElNQUdFJSUvKn0vJHtNRE1JTUFHRSMjKi99Igpkb2NrZXIgcHVsbCAiJE1ETUlNQUdFIgpkb2NrZXIgcHVsbCAiJFJQSU1BR0UiCmRvY2tlciBwdWxsICIkRkxVRU5UQklUSU1BR0UiCgpheiBsb2dvdXQKCmVjaG8gImNvbmZpZ3VyaW5nIGZsdWVudGJpdCBzZXJ2aWNlIgpta2RpciAtcCAvZXRjL2ZsdWVudGJpdC8KbWtkaXIgLXAgL3Zhci9saWIvZmx1ZW50CgpjYXQgPi9ldGMvZmx1ZW50Yml0L2ZsdWVudGJpdC5jb25mIDw8J0VPRicKW0lOUFVUXQoJTmFtZSBzeXN0ZW1kCglUYWcgam91cm5hbGQKCVN5c3RlbWRfRmlsdGVyIF9DT01NPWFybwoJREIgL3Zhci9saWIvZmx1ZW50L2pvdXJuYWxkYgoKW0ZJTFRFUl0KCU5hbWUgbW9kaWZ5CglNYXRjaCBqb3VybmFsZAoJUmVtb3ZlX3dpbGRjYXJkIF8KCVJlbW92ZSBUSU1FU1RBTVAKCltGSUxURVJdCglOYW1lIHJld3JpdGVfdGFnCglNYXRjaCBqb3VybmFsZAoJUnVsZSAkTE9HS0lORCBhc3luY3FvcyBhc3luY3FvcyB0cnVlCgpbRklMVEVSXQoJTmFtZSBtb2RpZnkKCU1hdGNoIGFzeW5jcW9zCglSZW1vdmUgQ0xJRU5UX1BSSU5DSVBBTF9OQU1FCglSZW1vdmUgRklMRQoJUmVtb3ZlIENPTVBPTkVOVAoKW0ZJTFRFUl0KCU5hbWUgcmV3cml0ZV90YWcKCU1hdGNoIGpvdXJuYWxkCglSdWxlICRMT0dLSU5EIGlmeGF1ZGl0IGlmeGF1ZGl0IGZhbHNlCgpbT1VUUFVUXQoJTmFtZSBmb3J3YXJkCglNYXRjaCAqCglQb3J0IDI5MjMwCkVPRgoKZWNobyAiRkxVRU5UQklUSU1BR0U9JEZMVUVOVEJJVElNQUdFIiA+L2V0Yy9zeXNjb25maWcvZmx1ZW50Yml0CgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vZmx1ZW50Yml0LnNlcnZpY2UgPDwnRU9GJwpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldApTdGFydExpbWl0SW50ZXJ2YWxTZWM9MAoKW1NlcnZpY2VdClJlc3RhcnRTZWM9MXMKRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL2ZsdWVudGJpdApFeGVjU3RhcnRQcmU9LS91c3IvYmluL2RvY2tlciBybSAtZiAlTgpFeGVjU3RhcnQ9L3Vzci9iaW4vZG9ja2VyIHJ1biBcCiAgLS1zZWN1cml0eS1vcHQgbGFiZWw9ZGlzYWJsZSBcCiAgLS1lbnRyeXBvaW50IC9vcHQvdGQtYWdlbnQtYml0L2Jpbi90ZC1hZ2VudC1iaXQgXAogIC0tbmV0PWhvc3QgXAogIC0taG9zdG5hbWUgJUggXAogIC0tbmFtZSAlTiBcCiAgLS1ybSBcCiAgLS1jYXAtZHJvcCBuZXRfcmF3IFwKICAtdiAvZXRjL2ZsdWVudGJpdC9mbHVlbnRiaXQuY29uZjovZXRjL2ZsdWVudGJpdC9mbHVlbnRiaXQuY29uZiBcCiAgLXYgL3Zhci9saWIvZmx1ZW50Oi92YXIvbGliL2ZsdWVudDp6IFwKICAtdiAvdmFyL2xvZy9qb3VybmFsOi92YXIvbG9nL2pvdXJuYWw6cm8gXAogIC12IC9ldGMvbWFjaGluZS1pZDovZXRjL21hY2hpbmUtaWQ6cm8gXAogICRGTFVFTlRCSVRJTUFHRSBcCiAgLWMgL2V0Yy9mbHVlbnRiaXQvZmx1ZW50Yml0LmNvbmYKCkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wICVOClJlc3RhcnQ9YWx3YXlzClJlc3RhcnRTZWM9NQpTdGFydExpbWl0SW50ZXJ2YWw9MAoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKbWtkaXIgL2V0Yy9hcm8tcnAKYmFzZTY0IC1kIDw8PCIkQURNSU5BUElDQUJVTkRMRSIgPi9ldGMvYXJvLXJwL2FkbWluLWNhLWJ1bmRsZS5wZW0KaWYgW1sgLW4gIiRBUk1BUElDQUJVTkRMRSIgXV07IHRoZW4KICBiYXNlNjQgLWQgPDw8IiRBUk1BUElDQUJVTkRMRSIgPi9ldGMvYXJvLXJwL2FybS1jYS1idW5kbGUucGVtCmZpCmNob3duIC1SIDEwMDA6MTAwMCAvZXRjL2Fyby1ycAoKZWNobyAiY29uZmlndXJpbmcgbWRtIHNlcnZpY2UiCmNhdCA+L2V0Yy9zeXNjb25maWcvbWRtIDw8RU9GCk1ETUZST05URU5EVVJMPSckTURNRlJPTlRFTkRVUkwnCk1ETUlNQUdFPSckTURNSU1BR0UnCk1ETVNPVVJDRUVOVklST05NRU5UPSckTE9DQVRJT04nCk1ETVNPVVJDRVJPTEU9cnAKTURNU09VUkNFUk9MRUlOU1RBTkNFPSckKGhvc3RuYW1lKScKRU9GCgpta2RpciAvdmFyL2V0dwpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vbWRtLnNlcnZpY2UgPDwnRU9GJwpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldAoKW1NlcnZpY2VdCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9tZG0KRXhlY1N0YXJ0UHJlPS0vdXNyL2Jpbi9kb2NrZXIgcm0gLWYgJU4KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0tZW50cnlwb2ludCAvdXNyL3NiaW4vTWV0cmljc0V4dGVuc2lvbiBcCiAgLS1ob3N0bmFtZSAlSCBcCiAgLS1uYW1lICVOIFwKICAtLXJtIFwKICAtLWNhcC1kcm9wIG5ldF9yYXcgXAogIC1tIDJnIFwKICAtdiAvZXRjL21kbS5wZW06L2V0Yy9tZG0ucGVtIFwKICAtdiAvdmFyL2V0dzovdmFyL2V0dzp6IFwKICAkTURNSU1BR0UgXAogIC1DZXJ0RmlsZSAvZXRjL21kbS5wZW0gXAogIC1Gcm9udEVuZFVybCAkTURNRlJPTlRFTkRVUkwgXAogIC1Mb2dnZXIgQ29uc29sZSBcCiAgLUxvZ0xldmVsIFdhcm5pbmcgXAogIC1Qcml2YXRlS2V5RmlsZSAvZXRjL21kbS5wZW0gXAogIC1Tb3VyY2VFbnZpcm9ubWVudCAkTURNU09VUkNFRU5WSVJPTk1FTlQgXAogIC1Tb3VyY2VSb2xlICRNRE1TT1VSQ0VST0xFIFwKICAtU291cmNlUm9sZUluc3RhbmNlICRNRE1TT1VSQ0VST0xFSU5TVEFOQ0UKRXhlY1N0b3A9L3Vzci9iaW4vZG9ja2VyIHN0b3AgJU4KUmVzdGFydD1hbHdheXMKUmVzdGFydFNlYz0xClN0YXJ0TGltaXRJbnRlcnZhbD0wCgpbSW5zdGFsbF0KV2FudGVkQnk9bXVsdGktdXNlci50YXJnZXQKRU9GCgplY2hvICJjb25maWd1cmluZyBhcm8tcnAgc2VydmljZSIKY2F0ID4vZXRjL3N5c2NvbmZpZy9hcm8tcnAgPDxFT0YKQUNSX1JFU09VUkNFX0lEPSckQUNSUkVTT1VSQ0VJRCcKQURNSU5fQVBJX0NMSUVOVF9DRVJUX0NPTU1PTl9OQU1FPSckQURNSU5BUElDTElFTlRDRVJUQ09NTU9OTkFNRScKQVJNX0FQSV9DTElFTlRfQ0VSVF9DT01NT05fTkFNRT0nJEFSTUFQSUNMSUVOVENFUlRDT01NT05OQU1FJwpBWlVSRV9BUk1fQ0xJRU5UX0lEPSckQVJNQ0xJRU5USUQnCkFaVVJFX0ZQX0NMSUVOVF9JRD0nJEZQQ0xJRU5USUQnCkFaVVJFX0ZQX1NFUlZJQ0VfUFJJTkNJUEFMX0lEPSckRlBTRVJWSUNFUFJJTkNJUEFMSUQnCkNMVVNURVJfTURNX0FDQ09VTlQ9JyRDTFVTVEVSTURNQUNDT1VOVCcKQ0xVU1RFUl9NRE1fTkFNRVNQQUNFPVJQCkNMVVNURVJfTURTRF9BQ0NPVU5UPSckQ0xVU1RFUk1EU0RBQ0NPVU5UJwpDTFVTVEVSX01EU0RfQ09ORklHX1ZFUlNJT049JyRDTFVTVEVSTURTRENPTkZJR1ZFUlNJT04nCkNMVVNURVJfTURTRF9OQU1FU1BBQ0U9JyRDTFVTVEVSTURTRE5BTUVTUEFDRScKREFUQUJBU0VfQUNDT1VOVF9OQU1FPSckREFUQUJBU0VBQ0NPVU5UTkFNRScKRE9NQUlOX05BTUU9JyRMT0NBVElPTi4kQ0xVU1RFUlBBUkVOVERPTUFJTk5BTUUnCkdBVEVXQVlfRE9NQUlOUz0nJEdBVEVXQVlET01BSU5TJwpHQVRFV0FZX1JFU09VUkNFR1JPVVA9JyRHQVRFV0FZUkVTT1VSQ0VHUk9VUE5BTUUnCktFWVZBVUxUX1BSRUZJWD0nJEtFWVZBVUxUUFJFRklYJwpNRE1fQUNDT1VOVD0nJFJQTURNQUNDT1VOVCcKTURNX05BTUVTUEFDRT1SUApNRFNEX0VOVklST05NRU5UPSckTURTREVOVklST05NRU5UJwpSUF9GRUFUVVJFUz0nJFJQRkVBVFVSRVMnClJQSU1BR0U9JyRSUElNQUdFJwpBUk9fSU5TVEFMTF9WSUFfSElWRT0nJENMVVNURVJTSU5TVEFMTFZJQUhJVkUnCkFST19ISVZFX0RFRkFVTFRfSU5TVEFMTEVSX1BVTExTUEVDPSckQ0xVU1RFUkRFRkFVTFRJTlNUQUxMRVJQVUxMU1BFQycKQVJPX0FET1BUX0JZX0hJVkU9JyRDTFVTVEVSU0FET1BUQllISVZFJwpVU0VfQ0hFQ0tBQ0NFU1M9JyRVU0VDSEVDS0FDQ0VTUycKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vYXJvLXJwLnNlcnZpY2UgPDwnRU9GJwpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldAoKW1NlcnZpY2VdCkVudmlyb25tZW50RmlsZT0vZXRjL3N5c2NvbmZpZy9hcm8tcnAKRXhlY1N0YXJ0UHJlPS0vdXNyL2Jpbi9kb2NrZXIgcm0gLWYgJU4KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0taG9zdG5hbWUgJUggXAogIC0tbmFtZSAlTiBcCiAgLS1ybSBcCiAgLS1jYXAtZHJvcCBuZXRfcmF3IFwKICAtZSBBQ1JfUkVTT1VSQ0VfSUQgXAogIC1lIEFETUlOX0FQSV9DTElFTlRfQ0VSVF9DT01NT05fTkFNRSBcCiAgLWUgQVJNX0FQSV9DTElFTlRfQ0VSVF9DT01NT05fTkFNRSBcCiAgLWUgQVpVUkVfQVJNX0NMSUVOVF9JRCBcCiAgLWUgQVpVUkVfRlBfQ0xJRU5UX0lEIFwKICAtZSBDTFVTVEVSX01ETV9BQ0NPVU5UIFwKICAtZSBDTFVTVEVSX01ETV9OQU1FU1BBQ0UgXAogIC1lIENMVVNURVJfTURTRF9BQ0NPVU5UIFwKICAtZSBDTFVTVEVSX01EU0RfQ09ORklHX1ZFUlNJT04gXAogIC1lIENMVVNURVJfTURTRF9OQU1FU1BBQ0UgXAogIC1lIERBVEFCQVNFX0FDQ09VTlRfTkFNRSBcCiAgLWUgRE9NQUlOX05BTUUgXAogIC1lIEdBVEVXQVlfRE9NQUlOUyBcCiAgLWUgR0FURVdBWV9SRVNPVVJDRUdST1VQIFwKICAtZSBLRVlWQVVMVF9QUkVGSVggXAogIC1lIE1ETV9BQ0NPVU5UIFwKICAtZSBNRE1fTkFNRVNQQUNFIFwKICAtZSBNRFNEX0VOVklST05NRU5UIFwKICAtZSBSUF9GRUFUVVJFUyBcCiAgLWUgQVJPX0lOU1RBTExfVklBX0hJVkUgXAogIC1lIEFST19ISVZFX0RFRkFVTFRfSU5TVEFMTEVSX1BVTExTUEVDIFwKICAtZSBBUk9fQURPUFRfQllfSElWRSBcCiAgLWUgVVNFX0NIRUNLQUNDRVNTIFwKICAtbSAyZyBcCiAgLXAgNDQzOjg0NDMgXAogIC12IC9ldGMvYXJvLXJwOi9ldGMvYXJvLXJwIFwKICAtdiAvcnVuL3N5c3RlbWQvam91cm5hbDovcnVuL3N5c3RlbWQvam91cm5hbCBcCiAgLXYgL3Zhci9ldHc6L3Zhci9ldHc6eiBcCiAgJFJQSU1BR0UgXAogIHJwCkV4ZWNTdG9wPS91c3IvYmluL2RvY2tlciBzdG9wIC10IDM2MDAgJU4KVGltZW91dFN0b3BTZWM9MzYwMApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTEKU3RhcnRMaW1pdEludGVydmFsPTAKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIGFyby1kYnRva2VuIHNlcnZpY2UiCmNhdCA+L2V0Yy9zeXNjb25maWcvYXJvLWRidG9rZW4gPDxFT0YKREFUQUJBU0VfQUNDT1VOVF9OQU1FPSckREFUQUJBU0VBQ0NPVU5UTkFNRScKQVpVUkVfREJUT0tFTl9DTElFTlRfSUQ9JyREQlRPS0VOQ0xJRU5USUQnCkFaVVJFX0dBVEVXQVlfU0VSVklDRV9QUklOQ0lQQUxfSUQ9JyRHQVRFV0FZU0VSVklDRVBSSU5DSVBBTElEJwpLRVlWQVVMVF9QUkVGSVg9JyRLRVlWQVVMVFBSRUZJWCcKTURNX0FDQ09VTlQ9JyRSUE1ETUFDQ09VTlQnCk1ETV9OQU1FU1BBQ0U9REJUb2tlbgpSUElNQUdFPSckUlBJTUFHRScKRU9GCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vYXJvLWRidG9rZW4uc2VydmljZSA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0CgpbU2VydmljZV0KRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL2Fyby1kYnRva2VuCkV4ZWNTdGFydFByZT0tL3Vzci9iaW4vZG9ja2VyIHJtIC1mICVOCkV4ZWNTdGFydD0vdXNyL2Jpbi9kb2NrZXIgcnVuIFwKICAtLWhvc3RuYW1lICVIIFwKICAtLW5hbWUgJU4gXAogIC0tcm0gXAogIC0tY2FwLWRyb3AgbmV0X3JhdyBcCiAgLWUgQVpVUkVfR0FURVdBWV9TRVJWSUNFX1BSSU5DSVBBTF9JRCBcCiAgLWUgREFUQUJBU0VfQUNDT1VOVF9OQU1FIFwKICAtZSBBWlVSRV9EQlRPS0VOX0NMSUVOVF9JRCBcCiAgLWUgS0VZVkFVTFRfUFJFRklYIFwKICAtZSBNRE1fQUNDT1VOVCBcCiAgLWUgTURNX05BTUVTUEFDRSBcCiAgLW0gMmcgXAogIC1wIDQ0NTo4NDQ1IFwKICAtdiAvcnVuL3N5c3RlbWQvam91cm5hbDovcnVuL3N5c3RlbWQvam91cm5hbCBcCiAgLXYgL3Zhci9ldHc6L3Zhci9ldHc6eiBcCiAgJFJQSU1BR0UgXAogIGRidG9rZW4KRXhlY1N0b3A9L3Vzci9iaW4vZG9ja2VyIHN0b3AgLXQgMzYwMCAlTgpUaW1lb3V0U3RvcFNlYz0zNjAwClJlc3RhcnQ9YWx3YXlzClJlc3RhcnRTZWM9MQpTdGFydExpbWl0SW50ZXJ2YWw9MAoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKIyBET01BSU5fTkFNRSwgQ0xVU1RFUl9NRFNEX0FDQ09VTlQsIENMVVNURVJfTURTRF9DT05GSUdfVkVSU0lPTiwgR0FURVdBWV9ET01BSU5TLCBHQVRFV0FZX1JFU09VUkNFR1JPVVAsIE1EU0RfRU5WSVJPTk1FTlQgQ0xVU1RFUl9NRFNEX05BTUVTUEFDRQojIGFyZSBub3QgdXNlZCwgYnV0IGNhbid0IGVhc2lseSBiZSByZWZhY3RvcmVkIG91dC4gU2hvdWxkIGJlIHJldmlzaXRlZCBpbiB0aGUgZnV0dXJlLgplY2hvICJjb25maWd1cmluZyBhcm8tbW9uaXRvciBzZXJ2aWNlIgpjYXQgPi9ldGMvc3lzY29uZmlnL2Fyby1tb25pdG9yIDw8RU9GCkFaVVJFX0ZQX0NMSUVOVF9JRD0nJEZQQ0xJRU5USUQnCkRPTUFJTl9OQU1FPSckTE9DQVRJT04uJENMVVNURVJQQVJFTlRET01BSU5OQU1FJwpDTFVTVEVSX01EU0RfQUNDT1VOVD0nJENMVVNURVJNRFNEQUNDT1VOVCcKQ0xVU1RFUl9NRFNEX0NPTkZJR19WRVJTSU9OPSckQ0xVU1RFUk1EU0RDT05GSUdWRVJTSU9OJwpHQVRFV0FZX0RPTUFJTlM9JyRHQVRFV0FZRE9NQUlOUycKR0FURVdBWV9SRVNPVVJDRUdST1VQPSckR0FURVdBWVJFU09VUkNFR1JPVVBOQU1FJwpNRFNEX0VOVklST05NRU5UPSckTURTREVOVklST05NRU5UJwpDTFVTVEVSX01EU0RfTkFNRVNQQUNFPSckQ0xVU1RFUk1EU0ROQU1FU1BBQ0UnCkNMVVNURVJfTURNX0FDQ09VTlQ9JyRDTFVTVEVSTURNQUNDT1VOVCcKQ0xVU1RFUl9NRE1fTkFNRVNQQUNFPUJCTQpEQVRBQkFTRV9BQ0NPVU5UX05BTUU9JyREQVRBQkFTRUFDQ09VTlROQU1FJwpLRVlWQVVMVF9QUkVGSVg9JyRLRVlWQVVMVFBSRUZJWCcKTURNX0FDQ09VTlQ9JyRSUE1ETUFDQ09VTlQnCk1ETV9OQU1FU1BBQ0U9QkJNClJQSU1BR0U9JyRSUElNQUdFJwpFT0YKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9hcm8tbW9uaXRvci5zZXJ2aWNlIDw8J0VPRicKW1VuaXRdCkFmdGVyPW5ldHdvcmstb25saW5lLnRhcmdldApXYW50cz1uZXR3b3JrLW9ubGluZS50YXJnZXQKCltTZXJ2aWNlXQpFbnZpcm9ubWVudEZpbGU9L2V0Yy9zeXNjb25maWcvYXJvLW1vbml0b3IKRXhlY1N0YXJ0UHJlPS0vdXNyL2Jpbi9kb2NrZXIgcm0gLWYgJU4KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0taG9zdG5hbWUgJUggXAogIC0tbmFtZSAlTiBcCiAgLS1ybSBcCiAgLS1jYXAtZHJvcCBuZXRfcmF3IFwKICAtZSBBWlVSRV9GUF9DTElFTlRfSUQgXAogIC1lIERPTUFJTl9OQU1FIFwKICAtZSBDTFVTVEVSX01EU0RfQUNDT1VOVCBcCiAgLWUgQ0xVU1RFUl9NRFNEX0NPTkZJR19WRVJTSU9OIFwKICAtZSBHQVRFV0FZX0RPTUFJTlMgXAogIC1lIEdBVEVXQVlfUkVTT1VSQ0VHUk9VUCBcCiAgLWUgTURTRF9FTlZJUk9OTUVOVCBcCiAgLWUgQ0xVU1RFUl9NRFNEX05BTUVTUEFDRSBcCiAgLWUgQ0xVU1RFUl9NRE1fQUNDT1VOVCBcCiAgLWUgQ0xVU1RFUl9NRE1fTkFNRVNQQUNFIFwKICAtZSBEQVRBQkFTRV9BQ0NPVU5UX05BTUUgXAogIC1lIEtFWVZBVUxUX1BSRUZJWCBcCiAgLWUgTURNX0FDQ09VTlQgXAogIC1lIE1ETV9OQU1FU1BBQ0UgXAogIC1tIDIuNWcgXAogIC12IC9ydW4vc3lzdGVtZC9qb3VybmFsOi9ydW4vc3lzdGVtZC9qb3VybmFsIFwKICAtdiAvdmFyL2V0dzovdmFyL2V0dzp6IFwKICAkUlBJTUFHRSBcCiAgbW9uaXRvcgpSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTEKU3RhcnRMaW1pdEludGVydmFsPTAKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIGFyby1wb3J0YWwgc2VydmljZSIKY2F0ID4vZXRjL3N5c2NvbmZpZy9hcm8tcG9ydGFsIDw8RU9GCkFaVVJFX1BPUlRBTF9BQ0NFU1NfR1JPVVBfSURTPSckUE9SVEFMQUNDRVNTR1JPVVBJRFMnCkFaVVJFX1BPUlRBTF9DTElFTlRfSUQ9JyRQT1JUQUxDTElFTlRJRCcKQVpVUkVfUE9SVEFMX0VMRVZBVEVEX0dST1VQX0lEUz0nJFBPUlRBTEVMRVZBVEVER1JPVVBJRFMnCkRBVEFCQVNFX0FDQ09VTlRfTkFNRT0nJERBVEFCQVNFQUNDT1VOVE5BTUUnCktFWVZBVUxUX1BSRUZJWD0nJEtFWVZBVUxUUFJFRklYJwpNRE1fQUNDT1VOVD0nJFJQTURNQUNDT1VOVCcKTURNX05BTUVTUEFDRT1Qb3J0YWwKUE9SVEFMX0hPU1ROQU1FPSckTE9DQVRJT04uYWRtaW4uJFJQUEFSRU5URE9NQUlOTkFNRScKUlBJTUFHRT0nJFJQSU1BR0UnCkVPRgoKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL2Fyby1wb3J0YWwuc2VydmljZSA8PCdFT0YnCltVbml0XQpBZnRlcj1uZXR3b3JrLW9ubGluZS50YXJnZXQKV2FudHM9bmV0d29yay1vbmxpbmUudGFyZ2V0ClN0YXJ0TGltaXRJbnRlcnZhbD0wCgpbU2VydmljZV0KRW52aXJvbm1lbnRGaWxlPS9ldGMvc3lzY29uZmlnL2Fyby1wb3J0YWwKRXhlY1N0YXJ0UHJlPS0vdXNyL2Jpbi9kb2NrZXIgcm0gLWYgJU4KRXhlY1N0YXJ0PS91c3IvYmluL2RvY2tlciBydW4gXAogIC0taG9zdG5hbWUgJUggXAogIC0tbmFtZSAlTiBcCiAgLS1ybSBcCiAgLS1jYXAtZHJvcCBuZXRfcmF3IFwKICAtZSBBWlVSRV9QT1JUQUxfQUNDRVNTX0dST1VQX0lEUyBcCiAgLWUgQVpVUkVfUE9SVEFMX0NMSUVOVF9JRCBcCiAgLWUgQVpVUkVfUE9SVEFMX0VMRVZBVEVEX0dST1VQX0lEUyBcCiAgLWUgREFUQUJBU0VfQUNDT1VOVF9OQU1FIFwKICAtZSBLRVlWQVVMVF9QUkVGSVggXAogIC1lIE1ETV9BQ0NPVU5UIFwKICAtZSBNRE1fTkFNRVNQQUNFIFwKICAtZSBQT1JUQUxfSE9TVE5BTUUgXAogIC1tIDJnIFwKICAtcCA0NDQ6ODQ0NCBcCiAgLXAgMjIyMjoyMjIyIFwKICAtdiAvcnVuL3N5c3RlbWQvam91cm5hbDovcnVuL3N5c3RlbWQvam91cm5hbCBcCiAgLXYgL3Zhci9ldHc6L3Zhci9ldHc6eiBcCiAgJFJQSU1BR0UgXAogIHBvcnRhbApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTEKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCmVjaG8gImNvbmZpZ3VyaW5nIG1kc2QgYW5kIG1kbSBzZXJ2aWNlcyIKY2hjb24gLVIgc3lzdGVtX3U6b2JqZWN0X3I6dmFyX2xvZ190OnMwIC92YXIvb3B0L21pY3Jvc29mdC9saW51eG1vbmFnZW50Cgpta2RpciAtcCAvdmFyL2xpYi93YWFnZW50L01pY3Jvc29mdC5BenVyZS5LZXlWYXVsdC5TdG9yZQoKZm9yIHZhciBpbiAibWRzZCIgIm1kbSI7IGRvCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9kb3dubG9hZC0kdmFyLWNyZWRlbnRpYWxzLnNlcnZpY2UgPDxFT0YKW1VuaXRdCkRlc2NyaXB0aW9uPVBlcmlvZGljICR2YXIgY3JlZGVudGlhbHMgcmVmcmVzaAoKW1NlcnZpY2VdClR5cGU9b25lc2hvdApFeGVjU3RhcnQ9L3Vzci9sb2NhbC9iaW4vZG93bmxvYWQtY3JlZGVudGlhbHMuc2ggJHZhcgpFT0YKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS9kb3dubG9hZC0kdmFyLWNyZWRlbnRpYWxzLnRpbWVyIDw8RU9GCltVbml0XQpEZXNjcmlwdGlvbj1QZXJpb2RpYyAkdmFyIGNyZWRlbnRpYWxzIHJlZnJlc2gKQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CldhbnRzPW5ldHdvcmstb25saW5lLnRhcmdldAoKW1RpbWVyXQpPbkJvb3RTZWM9MG1pbgpPbkNhbGVuZGFyPTAvMTI6MDA6MDAKQWNjdXJhY3lTZWM9NXMKCltJbnN0YWxsXQpXYW50ZWRCeT10aW1lcnMudGFyZ2V0CkVPRgpkb25lCgpjYXQgPi91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoIDw8RU9GCiMhL2Jpbi9iYXNoCnNldCAtZXUKCkNPTVBPTkVOVD0iXCQxIgplY2hvICJEb3dubG9hZCBcJENPTVBPTkVOVCBjcmVkZW50aWFscyIKClRFTVBfRElSPVwkKG1rdGVtcCAtZCkKZXhwb3J0IEFaVVJFX0NPTkZJR19ESVI9XCQobWt0ZW1wIC1kKQoKZWNobyAiTG9nZ2luZyBpbnRvIEF6dXJlLi4uIgpSRVRSSUVTPTMKd2hpbGUgWyAiXCRSRVRSSUVTIiAtZ3QgMCBdOyBkbwogICAgaWYgYXogbG9naW4gLWkgLS1hbGxvdy1uby1zdWJzY3JpcHRpb25zCiAgICB0aGVuCiAgICAgICAgZWNobyAiYXogbG9naW4gc3VjY2Vzc2Z1bCIKICAgICAgICBicmVhawogICAgZWxzZQogICAgICAgIGVjaG8gImF6IGxvZ2luIGZhaWxlZC4gUmV0cnlpbmcuLi4iCiAgICAgICAgbGV0IFJFVFJJRVMtPTEKICAgICAgICBzbGVlcCA1CiAgICBmaQpkb25lCgp0cmFwICJjbGVhbnVwIiBFWElUCgpjbGVhbnVwKCkgewogIGF6IGxvZ291dAogIFtbICJcJFRFTVBfRElSIiA9fiAvdG1wLy4rIF1dICYmIHJtIC1yZiBcJFRFTVBfRElSCiAgW1sgIlwkQVpVUkVfQ09ORklHX0RJUiIgPX4gL3RtcC8uKyBdXSAmJiBybSAtcmYgXCRBWlVSRV9DT05GSUdfRElSCn0KCmlmIFsgIlwkQ09NUE9ORU5UIiA9ICJtZG0iIF07IHRoZW4KICBDVVJSRU5UX0NFUlRfRklMRT0iL2V0Yy9tZG0ucGVtIgplbGlmIFsgIlwkQ09NUE9ORU5UIiA9ICJtZHNkIiBdOyB0aGVuCiAgQ1VSUkVOVF9DRVJUX0ZJTEU9Ii92YXIvbGliL3dhYWdlbnQvTWljcm9zb2Z0LkF6dXJlLktleVZhdWx0LlN0b3JlL21kc2QucGVtIgplbHNlCiAgZWNobyBJbnZhbGlkIHVzYWdlICYmIGV4aXQgMQpmaQoKU0VDUkVUX05BTUU9InJwLVwke0NPTVBPTkVOVH0iCk5FV19DRVJUX0ZJTEU9IlwkVEVNUF9ESVIvXCRDT01QT05FTlQucGVtIgpmb3IgYXR0ZW1wdCBpbiB7MS4uNX07IGRvCiAgYXoga2V5dmF1bHQgc2VjcmV0IGRvd25sb2FkIC0tZmlsZSBcJE5FV19DRVJUX0ZJTEUgLS1pZCAiaHR0cHM6Ly8kS0VZVkFVTFRQUkVGSVgtc3ZjLiRLRVlWQVVMVEROU1NVRkZJWC9zZWNyZXRzL1wkU0VDUkVUX05BTUUiICYmIGJyZWFrCiAgaWYgW1sgXCRhdHRlbXB0IC1sdCA1IF1dOyB0aGVuIHNsZWVwIDEwOyBlbHNlIGV4aXQgMTsgZmkKZG9uZQoKaWYgWyAtZiBcJE5FV19DRVJUX0ZJTEUgXTsgdGhlbgogIGlmIFsgIlwkQ09NUE9ORU5UIiA9ICJtZHNkIiBdOyB0aGVuCiAgICBjaG93biBzeXNsb2c6c3lzbG9nIFwkTkVXX0NFUlRfRklMRQogIGVsc2UKICAgIHNlZCAtaSAtbmUgJzEsL0VORCBDRVJUSUZJQ0FURS8gcCcgXCRORVdfQ0VSVF9GSUxFCiAgZmkKCiAgbmV3X2NlcnRfc249IlwkKG9wZW5zc2wgeDUwOSAtaW4gIlwkTkVXX0NFUlRfRklMRSIgLW5vb3V0IC1zZXJpYWwgfCBhd2sgLUY9ICd7cHJpbnQgXCQyfScpIgogIGN1cnJlbnRfY2VydF9zbj0iXCQob3BlbnNzbCB4NTA5IC1pbiAiXCRDVVJSRU5UX0NFUlRfRklMRSIgLW5vb3V0IC1zZXJpYWwgfCBhd2sgLUY9ICd7cHJpbnQgXCQyfScpIgogIGlmIFtbICEgLXogXCRuZXdfY2VydF9zbiBdXSAmJiBbWyBcJG5ld19jZXJ0X3NuICE9ICJcJGN1cnJlbnRfY2VydF9zbiIgXV07IHRoZW4KICAgIGVjaG8gdXBkYXRpbmcgY2VydGlmaWNhdGUgZm9yIFwkQ09NUE9ORU5UCiAgICBjaG1vZCAwNjAwIFwkTkVXX0NFUlRfRklMRQogICAgbXYgXCRORVdfQ0VSVF9GSUxFIFwkQ1VSUkVOVF9DRVJUX0ZJTEUKICBmaQplbHNlCiAgZWNobyBGYWlsZWQgdG8gcmVmcmVzaCBjZXJ0aWZpY2F0ZSBmb3IgXCRDT01QT05FTlQgJiYgZXhpdCAxCmZpCkVPRgoKY2htb2QgdSt4IC91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoCgpzeXN0ZW1jdGwgZW5hYmxlIGRvd25sb2FkLW1kc2QtY3JlZGVudGlhbHMudGltZXIKc3lzdGVtY3RsIGVuYWJsZSBkb3dubG9hZC1tZG0tY3JlZGVudGlhbHMudGltZXIKCi91c3IvbG9jYWwvYmluL2Rvd25sb2FkLWNyZWRlbnRpYWxzLnNoIG1kc2QKL3Vzci9sb2NhbC9iaW4vZG93bmxvYWQtY3JlZGVudGlhbHMuc2ggbWRtCk1EU0RDRVJUSUZJQ0FURVNBTj0kKG9wZW5zc2wgeDUwOSAtaW4gL3Zhci9saWIvd2FhZ2VudC9NaWNyb3NvZnQuQXp1cmUuS2V5VmF1bHQuU3RvcmUvbWRzZC5wZW0gLW5vb3V0IC1zdWJqZWN0IHwgc2VkIC1lICdzLy4qQ04gPSAvLycpCgpjYXQgPi9ldGMvc3lzdGVtZC9zeXN0ZW0vd2F0Y2gtbWRtLWNyZWRlbnRpYWxzLnNlcnZpY2UgPDxFT0YKW1VuaXRdCkRlc2NyaXB0aW9uPVdhdGNoIGZvciBjaGFuZ2VzIGluIG1kbS5wZW0gYW5kIHJlc3RhcnRzIHRoZSBtZG0gc2VydmljZQoKW1NlcnZpY2VdClR5cGU9b25lc2hvdApFeGVjU3RhcnQ9L3Vzci9iaW4vc3lzdGVtY3RsIHJlc3RhcnQgbWRtLnNlcnZpY2UKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldApFT0YKCmNhdCA+L2V0Yy9zeXN0ZW1kL3N5c3RlbS93YXRjaC1tZG0tY3JlZGVudGlhbHMucGF0aCA8PEVPRgpbUGF0aF0KUGF0aE1vZGlmaWVkPS9ldGMvbWRtLnBlbQoKW0luc3RhbGxdCldhbnRlZEJ5PW11bHRpLXVzZXIudGFyZ2V0CkVPRgoKc3lzdGVtY3RsIGVuYWJsZSB3YXRjaC1tZG0tY3JlZGVudGlhbHMucGF0aApzeXN0ZW1jdGwgc3RhcnQgd2F0Y2gtbWRtLWNyZWRlbnRpYWxzLnBhdGgKCm1rZGlyIC9ldGMvc3lzdGVtZC9zeXN0ZW0vbWRzZC5zZXJ2aWNlLmQKY2F0ID4vZXRjL3N5c3RlbWQvc3lzdGVtL21kc2Quc2VydmljZS5kL292ZXJyaWRlLmNvbmYgPDwnRU9GJwpbVW5pdF0KQWZ0ZXI9bmV0d29yay1vbmxpbmUudGFyZ2V0CkVPRgoKY2F0ID4vZXRjL2RlZmF1bHQvbWRzZCA8PEVPRgpNRFNEX1JPTEVfUFJFRklYPS92YXIvcnVuL21kc2QvZGVmYXVsdApNRFNEX09QVElPTlM9Ii1BIC1kIC1yIFwkTURTRF9ST0xFX1BSRUZJWCIKCmV4cG9ydCBNT05JVE9SSU5HX0dDU19FTlZJUk9OTUVOVD0nJE1EU0RFTlZJUk9OTUVOVCcKZXhwb3J0IE1PTklUT1JJTkdfR0NTX0FDQ09VTlQ9JyRSUE1EU0RBQ0NPVU5UJwpleHBvcnQgTU9OSVRPUklOR19HQ1NfUkVHSU9OPSckTE9DQVRJT04nCmV4cG9ydCBNT05JVE9SSU5HX0dDU19BVVRIX0lEX1RZUEU9QXV0aEtleVZhdWx0CmV4cG9ydCBNT05JVE9SSU5HX0dDU19BVVRIX0lEPSckTURTRENFUlRJRklDQVRFU0FOJwpleHBvcnQgTU9OSVRPUklOR19HQ1NfTkFNRVNQQUNFPSckUlBNRFNETkFNRVNQQUNFJwpleHBvcnQgTU9OSVRPUklOR19DT05GSUdfVkVSU0lPTj0nJFJQTURTRENPTkZJR1ZFUlNJT04nCmV4cG9ydCBNT05JVE9SSU5HX1VTRV9HRU5FVkFfQ09ORklHX1NFUlZJQ0U9dHJ1ZQoKZXhwb3J0IE1PTklUT1JJTkdfVEVOQU5UPSckTE9DQVRJT04nCmV4cG9ydCBNT05JVE9SSU5HX1JPTEU9cnAKZXhwb3J0IE1PTklUT1JJTkdfUk9MRV9JTlNUQU5DRT0nJChob3N0bmFtZSknCgpleHBvcnQgTURTRF9NU0dQQUNLX1NPUlRfQ09MVU1OUz0xCkVPRgoKIyBzZXR0aW5nIE1PTklUT1JJTkdfR0NTX0FVVEhfSURfVFlQRT1BdXRoS2V5VmF1bHQgc2VlbXMgdG8gaGF2ZSBjYXVzZWQgbWRzZCBub3QKIyB0byBob25vdXIgU1NMX0NFUlRfRklMRSBhbnkgbW9yZSwgaGVhdmVuIG9ubHkga25vd3Mgd2h5Lgpta2RpciAtcCAvdXNyL2xpYi9zc2wvY2VydHMKY3NwbGl0IC1mIC91c3IvbGliL3NzbC9jZXJ0cy9jZXJ0LSAtYiAlMDNkLnBlbSAvZXRjL3BraS90bHMvY2VydHMvY2EtYnVuZGxlLmNydCAvXiQvMSB7Kn0gPi9kZXYvbnVsbApjX3JlaGFzaCAvdXNyL2xpYi9zc2wvY2VydHMKCiMgd2UgbGVhdmUgY2xpZW50SWQgYmxhbmsgYXMgbG9uZyBhcyBvbmx5IDEgbWFuYWdlZCBpZGVudGl0eSBhc3NpZ25lZCB0byB2bXNzCiMgaWYgd2UgaGF2ZSBtb3JlIHRoYW4gMSwgd2Ugd2lsbCBuZWVkIHRvIHBvcHVsYXRlIHdpdGggY2xpZW50SWQgdXNlZCBmb3Igb2ZmLW5vZGUgc2Nhbm5pbmcKY2F0ID4vZXRjL2RlZmF1bHQvdnNhLW5vZGVzY2FuLWFnZW50LmNvbmZpZyA8PEVPRgp7CiAgICAiTmljZSI6IDE5LAogICAgIlRpbWVvdXQiOiAxMDgwMCwKICAgICJDbGllbnRJZCI6ICIiLAogICAgIlRlbmFudElkIjogIiRBWlVSRVNFQ1BBQ0tWU0FURU5BTlRJRCIsCiAgICAiUXVhbHlzU3RvcmVCYXNlVXJsIjogIiRBWlVSRVNFQ1BBQ0tRVUFMWVNVUkwiLAogICAgIlByb2Nlc3NUaW1lb3V0IjogMzAwLAogICAgIkNvbW1hbmREZWxheSI6IDAKICB9CkVPRgoKZWNobyAiZW5hYmxpbmcgYXJvIHNlcnZpY2VzIgpmb3Igc2VydmljZSBpbiBhcm8tZGJ0b2tlbiBhcm8tbW9uaXRvciBhcm8tcG9ydGFsIGFyby1ycCBhdW9tcyBhenNlY2QgYXpzZWNtb25kIG1kc2QgbWRtIGNocm9ueWQgZmx1ZW50Yml0OyBkbwogIHN5c3RlbWN0bCBlbmFibGUgJHNlcnZpY2Uuc2VydmljZQpkb25lCgpmb3Igc2NhbiBpbiBiYXNlbGluZSBjbGFtYXYgc29mdHdhcmU7IGRvCiAgL3Vzci9sb2NhbC9iaW4vYXpzZWNkIGNvbmZpZyAtcyAkc2NhbiAtZCBQMUQKZG9uZQoKZWNobyAicmVib290aW5nIgpyZXN0b3JlY29uIC1SRiAvdmFyL2xvZy8qCihzbGVlcCAzMDsgcmVib290KSAmCg==')))]"
                                     }
                                 }
                             }
@@ -678,21 +670,6 @@
                 "[resourceId('Microsoft.Network/loadBalancers', 'rp-lb')]"
             ]
         },
-        {
-            "name": "[concat(parameters('databaseAccountName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('billingServicePrincipalId') , 'Billing / DocumentDB Account Contributor'))]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/providers/roleAssignments",
-            "properties": {
-                "scope": "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]",
-                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
-                "principalId": "[parameters('billingServicePrincipalId')]",
-                "principalType": "ServicePrincipal"
-            },
-            "condition": "[greater(length(parameters('billingServicePrincipalId')), 0)]",
-            "apiVersion": "2018-09-01-preview",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
-        },
         {
             "properties": {
                 "allowVirtualNetworkAccess": true,
@@ -746,201 +723,210 @@
             "location": "[resourceGroup().location]"
         },
         {
+            "apiVersion": "2023-04-15",
             "kind": "GlobalDocumentDB",
+            "location": "[resourceGroup().location]",
+            "name": "[parameters('databaseAccountName')]",
             "properties": {
-                "consistencyPolicy": {
-                    "defaultConsistencyLevel": "Strong"
-                },
-                "locations": [
-                    {
-                        "locationName": "[resourceGroup().location]"
-                    }
-                ],
-                "databaseAccountOfferType": "Standard",
-                "ipRules": "[if(parameters('disableCosmosDBFirewall'), createArray(), concat(parameters('ipRules'),createArray(createObject('ipAddressOrRange', '104.42.195.92'),createObject('ipAddressOrRange','40.76.54.131'),createObject('ipAddressOrRange','52.176.6.30'),createObject('ipAddressOrRange','52.169.50.45'),createObject('ipAddressOrRange','52.187.184.26'))))]",
-                "isVirtualNetworkFilterEnabled": "[not(parameters('disableCosmosDBFirewall'))]",
-                "virtualNetworkRules": "[if(parameters('disableCosmosDBFirewall'), createArray(), variables('rpCosmoDbVirtualNetworkRules'))]",
-                "disableKeyBasedMetadataWriteAccess": true,
                 "backupPolicy": {
                     "periodicModeProperties": {
                         "backupIntervalInMinutes": 240,
                         "backupRetentionIntervalInHours": 720
                     },
                     "type": "Periodic"
-                }
+                },
+                "consistencyPolicy": {
+                    "defaultConsistencyLevel": "Strong"
+                },
+                "databaseAccountOfferType": "Standard",
+                "disableKeyBasedMetadataWriteAccess": true,
+                "ipRules": "[if(parameters('disableCosmosDBFirewall'), createArray(), concat(parameters('ipRules'),createArray(createObject('ipAddressOrRange', '104.42.195.92'),createObject('ipAddressOrRange','40.76.54.131'),createObject('ipAddressOrRange','52.176.6.30'),createObject('ipAddressOrRange','52.169.50.45'),createObject('ipAddressOrRange','52.187.184.26'))))]",
+                "isVirtualNetworkFilterEnabled": "[not(parameters('disableCosmosDBFirewall'))]",
+                "locations": [
+                    {
+                        "locationName": "[resourceGroup().location]"
+                    }
+                ],
+                "minimalTlsVersion": "Tls12",
+                "virtualNetworkRules": "[if(parameters('disableCosmosDBFirewall'), createArray(), variables('rpCosmoDbVirtualNetworkRules'))]"
             },
-            "name": "[parameters('databaseAccountName')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts",
-            "location": "[resourceGroup().location]",
             "tags": {
                 "defaultExperience": "Core (SQL)"
             },
-            "apiVersion": "2021-01-15"
+            "type": "Microsoft.DocumentDB/databaseAccounts"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO')]",
             "properties": {
-                "resource": {
-                    "id": "['ARO']"
-                },
                 "options": {
                     "throughput": "[parameters('cosmosDB').standardProvisionedThroughput]"
+                },
+                "resource": {
+                    "id": "['ARO']"
                 }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/AsyncOperations')]",
             "properties": {
+                "options": {},
                 "resource": {
+                    "defaultTtl": 604800,
                     "id": "AsyncOperations",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": 604800
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/AsyncOperations')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
+        },
+        {
+            "apiVersion": "2023-04-15",
             "dependsOn": [
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
-        },
-        {
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/OpenShiftVersions')]",
             "properties": {
+                "options": {},
                 "resource": {
+                    "defaultTtl": -1,
                     "id": "OpenShiftVersions",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/OpenShiftVersions')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
+        },
+        {
+            "apiVersion": "2023-04-15",
             "dependsOn": [
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
-        },
-        {
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/ClusterManagerConfigurations')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "ClusterManagerConfigurations",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/partitionKey"
-                        ],
-                        "kind": "Hash"
+                        ]
                     }
-                },
-                "options": {}
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/ClusterManagerConfigurations')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
+        },
+        {
+            "apiVersion": "2023-04-15",
             "dependsOn": [
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
-        },
-        {
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Billing')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "Billing",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
+                        ]
                     }
-                },
-                "options": {}
-            },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Billing')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
-        },
-        {
-            "properties": {
-                "resource": {
-                    "id": "Gateway",
-                    "partitionKey": {
-                        "paths": [
-                            "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {
-                    "throughput": "[parameters('cosmosDB').gatewayProvisionedThroughput]"
                 }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Gateway')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
+        },
+        {
+            "apiVersion": "2023-04-15",
             "dependsOn": [
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
-        },
-        {
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Gateway')]",
             "properties": {
+                "options": {
+                    "throughput": "[parameters('cosmosDB').gatewayProvisionedThroughput]"
+                },
                 "resource": {
-                    "id": "Monitors",
+                    "defaultTtl": -1,
+                    "id": "Gateway",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {}
+                        ]
+                    }
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Monitors')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
+        },
+        {
+            "apiVersion": "2023-04-15",
             "dependsOn": [
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Monitors')]",
+            "properties": {
+                "options": {},
+                "resource": {
+                    "defaultTtl": -1,
+                    "id": "Monitors",
+                    "partitionKey": {
+                        "kind": "Hash",
+                        "paths": [
+                            "/id"
+                        ]
+                    }
+                }
+            },
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/OpenShiftClusters')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "OpenShiftClusters",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/partitionKey"
-                        ],
-                        "kind": "Hash"
+                        ]
                     },
                     "uniqueKeyPolicy": {
                         "uniqueKeys": [
@@ -961,64 +947,56 @@
                             }
                         ]
                     }
-                },
-                "options": {}
-            },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/OpenShiftClusters')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
-        },
-        {
-            "properties": {
-                "resource": {
-                    "id": "Portal",
-                    "partitionKey": {
-                        "paths": [
-                            "/id"
-                        ],
-                        "kind": "Hash"
-                    },
-                    "defaultTtl": -1
-                },
-                "options": {
-                    "throughput": "[parameters('cosmosDB').portalProvisionedThroughput]"
                 }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Portal')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
+        },
+        {
+            "apiVersion": "2023-04-15",
             "dependsOn": [
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
                 "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Portal')]",
+            "properties": {
+                "options": {
+                    "throughput": "[parameters('cosmosDB').portalProvisionedThroughput]"
+                },
+                "resource": {
+                    "defaultTtl": -1,
+                    "id": "Portal",
+                    "partitionKey": {
+                        "kind": "Hash",
+                        "paths": [
+                            "/id"
+                        ]
+                    }
+                }
+            },
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
+            "apiVersion": "2023-04-15",
+            "dependsOn": [
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
+                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
+            ],
+            "location": "[resourceGroup().location]",
+            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Subscriptions')]",
             "properties": {
+                "options": {},
                 "resource": {
                     "id": "Subscriptions",
                     "partitionKey": {
+                        "kind": "Hash",
                         "paths": [
                             "/id"
-                        ],
-                        "kind": "Hash"
+                        ]
                     }
-                },
-                "options": {}
+                }
             },
-            "name": "[concat(parameters('databaseAccountName'), '/', 'ARO', '/Subscriptions')]",
-            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers",
-            "location": "[resourceGroup().location]",
-            "apiVersion": "2021-01-15",
-            "dependsOn": [
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), 'ARO')]",
-                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
-            ]
+            "type": "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"
         },
         {
             "properties": {
diff --git a/pkg/deploy/config.go b/pkg/deploy/config.go
index 449cd6990..998d11095 100644
--- a/pkg/deploy/config.go
+++ b/pkg/deploy/config.go
@@ -48,8 +48,6 @@ type Configuration struct {
 	ARMAPICABundle                     *string                `json:"armApiCaBundle,omitempty"`
 	ARMAPIClientCertCommonName         *string                `json:"armApiClientCertCommonName,omitempty"`
 	ARMClientID                        *string                `json:"armClientId,omitempty"`
-	BillingE2EStorageAccountID         *string                `json:"billingE2EStorageAccountId,omitempty"`
-	BillingServicePrincipalID          *string                `json:"billingServicePrincipalId,omitempty"`
 	ClusterMDMAccount                  *string                `json:"clusterMdmAccount,omitempty" value:"required"`
 	ClusterMDSDAccount                 *string                `json:"clusterMdsdAccount,omitempty" value:"required"`
 	ClusterMDSDConfigVersion           *string                `json:"clusterMdsdConfigVersion,omitempty" value:"required"`
diff --git a/pkg/deploy/generator/resources_dev.go b/pkg/deploy/generator/resources_dev.go
index fdd7181fe..668b7fee3 100644
--- a/pkg/deploy/generator/resources_dev.go
+++ b/pkg/deploy/generator/resources_dev.go
@@ -53,7 +53,7 @@ func (g *generator) devProxyVMSS() *arm.Resource {
 			},
 			VirtualMachineScaleSetProperties: &mgmtcompute.VirtualMachineScaleSetProperties{
 				UpgradePolicy: &mgmtcompute.UpgradePolicy{
-					Mode: mgmtcompute.UpgradeModeManual,
+					Mode: mgmtcompute.UpgradeModeRolling,
 				},
 				VirtualMachineProfile: &mgmtcompute.VirtualMachineScaleSetVMProfile{
 					OsProfile: &mgmtcompute.VirtualMachineScaleSetOSProfile{
diff --git a/pkg/deploy/generator/resources_gateway.go b/pkg/deploy/generator/resources_gateway.go
index 63e7f1dbf..dc5ae15bb 100644
--- a/pkg/deploy/generator/resources_gateway.go
+++ b/pkg/deploy/generator/resources_gateway.go
@@ -259,7 +259,7 @@ func (g *generator) gatewayVMSS() *arm.Resource {
 			Tags: map[string]*string{},
 			VirtualMachineScaleSetProperties: &mgmtcompute.VirtualMachineScaleSetProperties{
 				UpgradePolicy: &mgmtcompute.UpgradePolicy{
-					Mode: mgmtcompute.UpgradeModeManual,
+					Mode: mgmtcompute.UpgradeModeRolling,
 				},
 				VirtualMachineProfile: &mgmtcompute.VirtualMachineScaleSetVMProfile{
 					OsProfile: &mgmtcompute.VirtualMachineScaleSetOSProfile{
diff --git a/pkg/deploy/generator/resources_rp.go b/pkg/deploy/generator/resources_rp.go
index ac4aa4d94..38f959042 100644
--- a/pkg/deploy/generator/resources_rp.go
+++ b/pkg/deploy/generator/resources_rp.go
@@ -8,8 +8,8 @@ import (
 	"fmt"
 	"strings"
 
+	sdkcosmos "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2"
 	mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
-	mgmtdocumentdb "github.com/Azure/azure-sdk-for-go/services/cosmos-db/mgmt/2021-01-15/documentdb"
 	mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
 	mgmtmsi "github.com/Azure/azure-sdk-for-go/services/msi/mgmt/2018-11-30/msi"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
@@ -457,7 +457,6 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"azureCloudName",
 		"azureSecPackQualysUrl",
 		"azureSecPackVSATenantId",
-		"billingE2EStorageAccountId",
 		"clusterMdmAccount",
 		"clusterMdsdAccount",
 		"clusterMdsdConfigVersion",
@@ -548,7 +547,7 @@ func (g *generator) rpVMSS() *arm.Resource {
 			Tags: map[string]*string{},
 			VirtualMachineScaleSetProperties: &mgmtcompute.VirtualMachineScaleSetProperties{
 				UpgradePolicy: &mgmtcompute.UpgradePolicy{
-					Mode: mgmtcompute.UpgradeModeManual,
+					Mode: mgmtcompute.UpgradeModeRolling,
 				},
 				VirtualMachineProfile: &mgmtcompute.VirtualMachineScaleSetVMProfile{
 					OsProfile: &mgmtcompute.VirtualMachineScaleSetOSProfile{
@@ -978,25 +977,31 @@ func (g *generator) rpServiceKeyvault() *arm.Resource {
 }
 
 func (g *generator) rpCosmosDB() []*arm.Resource {
-	cosmosdb := &mgmtdocumentdb.DatabaseAccountCreateUpdateParameters{
-		Kind: mgmtdocumentdb.GlobalDocumentDB,
-		DatabaseAccountCreateUpdateProperties: &mgmtdocumentdb.DatabaseAccountCreateUpdateProperties{
-			ConsistencyPolicy: &mgmtdocumentdb.ConsistencyPolicy{
-				DefaultConsistencyLevel: mgmtdocumentdb.Strong,
+	dbType := sdkcosmos.DatabaseAccountKindGlobalDocumentDB
+	consistency := sdkcosmos.DefaultConsistencyLevelStrong
+	backupPolicy := sdkcosmos.BackupPolicyTypePeriodic
+	minTLSVersion := sdkcosmos.MinimalTLSVersionTls12
+
+	cosmosdb := &sdkcosmos.DatabaseAccountCreateUpdateParameters{
+		Kind: &dbType,
+		Properties: &sdkcosmos.DatabaseAccountCreateUpdateProperties{
+			ConsistencyPolicy: &sdkcosmos.ConsistencyPolicy{
+				DefaultConsistencyLevel: &consistency,
 			},
-			Locations: &[]mgmtdocumentdb.Location{
+			Locations: []*sdkcosmos.Location{
 				{
 					LocationName: to.StringPtr("[resourceGroup().location]"),
 				},
 			},
-			DatabaseAccountOfferType: to.StringPtr(string(mgmtdocumentdb.Standard)),
-			BackupPolicy: mgmtdocumentdb.PeriodicModeBackupPolicy{
-				Type: mgmtdocumentdb.TypePeriodic,
-				PeriodicModeProperties: &mgmtdocumentdb.PeriodicModeProperties{
+			DatabaseAccountOfferType: to.StringPtr("Standard"),
+			BackupPolicy: &sdkcosmos.PeriodicModeBackupPolicy{
+				Type: &backupPolicy,
+				PeriodicModeProperties: &sdkcosmos.PeriodicModeProperties{
 					BackupIntervalInMinutes:        to.Int32Ptr(240), //4 hours
 					BackupRetentionIntervalInHours: to.Int32Ptr(720), //30 days
 				},
 			},
+			MinimalTLSVersion: &minTLSVersion,
 		},
 		Name:     to.StringPtr("[parameters('databaseAccountName')]"),
 		Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts"),
@@ -1009,12 +1014,13 @@ func (g *generator) rpCosmosDB() []*arm.Resource {
 	r := &arm.Resource{
 		Resource:   cosmosdb,
 		APIVersion: azureclient.APIVersion("Microsoft.DocumentDB"),
+		Type:       "Microsoft.DocumentDB/databaseAccounts",
 	}
 	if g.production {
-		cosmosdb.IPRules = &[]mgmtdocumentdb.IPAddressOrRange{}
-		cosmosdb.IsVirtualNetworkFilterEnabled = to.BoolPtr(true)
-		cosmosdb.VirtualNetworkRules = &[]mgmtdocumentdb.VirtualNetworkRule{}
-		cosmosdb.DisableKeyBasedMetadataWriteAccess = to.BoolPtr(true)
+		cosmosdb.Properties.IPRules = []*sdkcosmos.IPAddressOrRange{}
+		cosmosdb.Properties.IsVirtualNetworkFilterEnabled = to.BoolPtr(true)
+		cosmosdb.Properties.VirtualNetworkRules = []*sdkcosmos.VirtualNetworkRule{}
+		cosmosdb.Properties.DisableKeyBasedMetadataWriteAccess = to.BoolPtr(true)
 	}
 
 	rs := []*arm.Resource{
@@ -1031,12 +1037,12 @@ func (g *generator) rpCosmosDB() []*arm.Resource {
 
 func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Resource {
 	database := &arm.Resource{
-		Resource: &mgmtdocumentdb.SQLDatabaseCreateUpdateParameters{
-			SQLDatabaseCreateUpdateProperties: &mgmtdocumentdb.SQLDatabaseCreateUpdateProperties{
-				Resource: &mgmtdocumentdb.SQLDatabaseResource{
+		Resource: &sdkcosmos.SQLDatabaseCreateUpdateParameters{
+			Properties: &sdkcosmos.SQLDatabaseCreateUpdateProperties{
+				Resource: &sdkcosmos.SQLDatabaseResource{
 					ID: to.StringPtr("[" + databaseName + "]"),
 				},
-				Options: &mgmtdocumentdb.CreateUpdateOptions{
+				Options: &sdkcosmos.CreateUpdateOptions{
 					Throughput: to.Int32Ptr(cosmosDbStandardProvisionedThroughputHack),
 				},
 			},
@@ -1045,21 +1051,23 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			Location: to.StringPtr("[resourceGroup().location]"),
 		},
 		APIVersion: azureclient.APIVersion("Microsoft.DocumentDB"),
+		Type:       "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 	}
+	hashPartitionKey := sdkcosmos.PartitionKindHash
 	portal := &arm.Resource{
-		Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-			SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-				Resource: &mgmtdocumentdb.SQLContainerResource{
+		Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+			Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+				Resource: &sdkcosmos.SQLContainerResource{
 					ID: to.StringPtr("Portal"),
-					PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-						Paths: &[]string{
-							"/id",
+					PartitionKey: &sdkcosmos.ContainerPartitionKey{
+						Paths: []*string{
+							to.StringPtr("/id"),
 						},
-						Kind: mgmtdocumentdb.PartitionKindHash,
+						Kind: &hashPartitionKey,
 					},
 					DefaultTTL: to.Int32Ptr(-1),
 				},
-				Options: &mgmtdocumentdb.CreateUpdateOptions{
+				Options: &sdkcosmos.CreateUpdateOptions{
 					Throughput: to.Int32Ptr(cosmosDbPortalProvisionedThroughputHack),
 				},
 			},
@@ -1071,22 +1079,23 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 		DependsOn: []string{
 			"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 		},
+		Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 	}
 
 	gateway := &arm.Resource{
-		Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-			SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-				Resource: &mgmtdocumentdb.SQLContainerResource{
+		Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+			Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+				Resource: &sdkcosmos.SQLContainerResource{
 					ID: to.StringPtr("Gateway"),
-					PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-						Paths: &[]string{
-							"/id",
+					PartitionKey: &sdkcosmos.ContainerPartitionKey{
+						Paths: []*string{
+							to.StringPtr("/id"),
 						},
-						Kind: mgmtdocumentdb.PartitionKindHash,
+						Kind: &hashPartitionKey,
 					},
 					DefaultTTL: to.Int32Ptr(-1),
 				},
-				Options: &mgmtdocumentdb.CreateUpdateOptions{
+				Options: &sdkcosmos.CreateUpdateOptions{
 					Throughput: to.Int32Ptr(cosmosDbGatewayProvisionedThroughputHack),
 				},
 			},
@@ -1098,34 +1107,35 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 		DependsOn: []string{
 			"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 		},
+		Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 	}
 
 	if !g.production {
-		database.Resource.(*mgmtdocumentdb.SQLDatabaseCreateUpdateParameters).SQLDatabaseCreateUpdateProperties.Options = &mgmtdocumentdb.CreateUpdateOptions{
-			AutoscaleSettings: &mgmtdocumentdb.AutoscaleSettings{
+		database.Resource.(*sdkcosmos.SQLDatabaseCreateUpdateParameters).Properties.Options = &sdkcosmos.CreateUpdateOptions{
+			AutoscaleSettings: &sdkcosmos.AutoscaleSettings{
 				MaxThroughput: to.Int32Ptr(1000),
 			},
 		}
-		portal.Resource.(*mgmtdocumentdb.SQLContainerCreateUpdateParameters).SQLContainerCreateUpdateProperties.Options = &mgmtdocumentdb.CreateUpdateOptions{}
-		gateway.Resource.(*mgmtdocumentdb.SQLContainerCreateUpdateParameters).SQLContainerCreateUpdateProperties.Options = &mgmtdocumentdb.CreateUpdateOptions{}
+		portal.Resource.(*sdkcosmos.SQLContainerCreateUpdateParameters).Properties.Options = &sdkcosmos.CreateUpdateOptions{}
+		gateway.Resource.(*sdkcosmos.SQLContainerCreateUpdateParameters).Properties.Options = &sdkcosmos.CreateUpdateOptions{}
 	}
 
 	rs := []*arm.Resource{
 		database,
 		{
-			Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-				SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-					Resource: &mgmtdocumentdb.SQLContainerResource{
+			Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+				Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+					Resource: &sdkcosmos.SQLContainerResource{
 						ID: to.StringPtr("AsyncOperations"),
-						PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-							Paths: &[]string{
-								"/id",
+						PartitionKey: &sdkcosmos.ContainerPartitionKey{
+							Paths: []*string{
+								to.StringPtr("/id"),
 							},
-							Kind: mgmtdocumentdb.PartitionKindHash,
+							Kind: &hashPartitionKey,
 						},
 						DefaultTTL: to.Int32Ptr(7 * 86400), // 7 days
 					},
-					Options: &mgmtdocumentdb.CreateUpdateOptions{},
+					Options: &sdkcosmos.CreateUpdateOptions{},
 				},
 				Name:     to.StringPtr("[concat(parameters('databaseAccountName'), '/', " + databaseName + ", '/AsyncOperations')]"),
 				Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"),
@@ -1135,21 +1145,22 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			DependsOn: []string{
 				"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 			},
+			Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 		},
 		{
-			Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-				SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-					Resource: &mgmtdocumentdb.SQLContainerResource{
+			Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+				Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+					Resource: &sdkcosmos.SQLContainerResource{
 						ID: to.StringPtr("OpenShiftVersions"),
-						PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-							Paths: &[]string{
-								"/id",
+						PartitionKey: &sdkcosmos.ContainerPartitionKey{
+							Paths: []*string{
+								to.StringPtr("/id"),
 							},
-							Kind: mgmtdocumentdb.PartitionKindHash,
+							Kind: &hashPartitionKey,
 						},
 						DefaultTTL: to.Int32Ptr(-1),
 					},
-					Options: &mgmtdocumentdb.CreateUpdateOptions{},
+					Options: &sdkcosmos.CreateUpdateOptions{},
 				},
 				Name:     to.StringPtr("[concat(parameters('databaseAccountName'), '/', " + databaseName + ", '/OpenShiftVersions')]"),
 				Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"),
@@ -1159,20 +1170,21 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			DependsOn: []string{
 				"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 			},
+			Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 		},
 		{
-			Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-				SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-					Resource: &mgmtdocumentdb.SQLContainerResource{
+			Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+				Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+					Resource: &sdkcosmos.SQLContainerResource{
 						ID: to.StringPtr("ClusterManagerConfigurations"),
-						PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-							Paths: &[]string{
-								"/partitionKey",
+						PartitionKey: &sdkcosmos.ContainerPartitionKey{
+							Paths: []*string{
+								to.StringPtr("/partitionKey"),
 							},
-							Kind: mgmtdocumentdb.PartitionKindHash,
+							Kind: &hashPartitionKey,
 						},
 					},
-					Options: &mgmtdocumentdb.CreateUpdateOptions{},
+					Options: &sdkcosmos.CreateUpdateOptions{},
 				},
 				Name:     to.StringPtr("[concat(parameters('databaseAccountName'), '/', " + databaseName + ", '/ClusterManagerConfigurations')]"),
 				Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"),
@@ -1182,20 +1194,21 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			DependsOn: []string{
 				"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 			},
+			Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 		},
 		{
-			Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-				SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-					Resource: &mgmtdocumentdb.SQLContainerResource{
+			Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+				Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+					Resource: &sdkcosmos.SQLContainerResource{
 						ID: to.StringPtr("Billing"),
-						PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-							Paths: &[]string{
-								"/id",
+						PartitionKey: &sdkcosmos.ContainerPartitionKey{
+							Paths: []*string{
+								to.StringPtr("/id"),
 							},
-							Kind: mgmtdocumentdb.PartitionKindHash,
+							Kind: &hashPartitionKey,
 						},
 					},
-					Options: &mgmtdocumentdb.CreateUpdateOptions{},
+					Options: &sdkcosmos.CreateUpdateOptions{},
 				},
 				Name:     to.StringPtr("[concat(parameters('databaseAccountName'), '/', " + databaseName + ", '/Billing')]"),
 				Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"),
@@ -1205,22 +1218,23 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			DependsOn: []string{
 				"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 			},
+			Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 		},
 		gateway,
 		{
-			Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-				SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-					Resource: &mgmtdocumentdb.SQLContainerResource{
+			Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+				Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+					Resource: &sdkcosmos.SQLContainerResource{
 						ID: to.StringPtr("Monitors"),
-						PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-							Paths: &[]string{
-								"/id",
+						PartitionKey: &sdkcosmos.ContainerPartitionKey{
+							Paths: []*string{
+								to.StringPtr("/id"),
 							},
-							Kind: mgmtdocumentdb.PartitionKindHash,
+							Kind: &hashPartitionKey,
 						},
 						DefaultTTL: to.Int32Ptr(-1),
 					},
-					Options: &mgmtdocumentdb.CreateUpdateOptions{},
+					Options: &sdkcosmos.CreateUpdateOptions{},
 				},
 				Name:     to.StringPtr("[concat(parameters('databaseAccountName'), '/', " + databaseName + ", '/Monitors')]"),
 				Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"),
@@ -1230,39 +1244,40 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			DependsOn: []string{
 				"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 			},
+			Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 		},
 		{
-			Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-				SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-					Resource: &mgmtdocumentdb.SQLContainerResource{
+			Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+				Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+					Resource: &sdkcosmos.SQLContainerResource{
 						ID: to.StringPtr("OpenShiftClusters"),
-						PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-							Paths: &[]string{
-								"/partitionKey",
+						PartitionKey: &sdkcosmos.ContainerPartitionKey{
+							Paths: []*string{
+								to.StringPtr("/partitionKey"),
 							},
-							Kind: mgmtdocumentdb.PartitionKindHash,
+							Kind: &hashPartitionKey,
 						},
-						UniqueKeyPolicy: &mgmtdocumentdb.UniqueKeyPolicy{
-							UniqueKeys: &[]mgmtdocumentdb.UniqueKey{
+						UniqueKeyPolicy: &sdkcosmos.UniqueKeyPolicy{
+							UniqueKeys: []*sdkcosmos.UniqueKey{
 								{
-									Paths: &[]string{
-										"/key",
+									Paths: []*string{
+										to.StringPtr("/key"),
 									},
 								},
 								{
-									Paths: &[]string{
-										"/clusterResourceGroupIdKey",
+									Paths: []*string{
+										to.StringPtr("/clusterResourceGroupIdKey"),
 									},
 								},
 								{
-									Paths: &[]string{
-										"/clientIdKey",
+									Paths: []*string{
+										to.StringPtr("/clientIdKey"),
 									},
 								},
 							},
 						},
 					},
-					Options: &mgmtdocumentdb.CreateUpdateOptions{},
+					Options: &sdkcosmos.CreateUpdateOptions{},
 				},
 				Name:     to.StringPtr("[concat(parameters('databaseAccountName'), '/', " + databaseName + ", '/OpenShiftClusters')]"),
 				Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"),
@@ -1272,21 +1287,22 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			DependsOn: []string{
 				"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 			},
+			Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 		},
 		portal,
 		{
-			Resource: &mgmtdocumentdb.SQLContainerCreateUpdateParameters{
-				SQLContainerCreateUpdateProperties: &mgmtdocumentdb.SQLContainerCreateUpdateProperties{
-					Resource: &mgmtdocumentdb.SQLContainerResource{
+			Resource: &sdkcosmos.SQLContainerCreateUpdateParameters{
+				Properties: &sdkcosmos.SQLContainerCreateUpdateProperties{
+					Resource: &sdkcosmos.SQLContainerResource{
 						ID: to.StringPtr("Subscriptions"),
-						PartitionKey: &mgmtdocumentdb.ContainerPartitionKey{
-							Paths: &[]string{
-								"/id",
+						PartitionKey: &sdkcosmos.ContainerPartitionKey{
+							Paths: []*string{
+								to.StringPtr("/id"),
 							},
-							Kind: mgmtdocumentdb.PartitionKindHash,
+							Kind: &hashPartitionKey,
 						},
 					},
-					Options: &mgmtdocumentdb.CreateUpdateOptions{},
+					Options: &sdkcosmos.CreateUpdateOptions{},
 				},
 				Name:     to.StringPtr("[concat(parameters('databaseAccountName'), '/', " + databaseName + ", '/Subscriptions')]"),
 				Type:     to.StringPtr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers"),
@@ -1296,6 +1312,7 @@ func (g *generator) database(databaseName string, addDependsOn bool) []*arm.Reso
 			DependsOn: []string{
 				"[resourceId('Microsoft.DocumentDB/databaseAccounts/sqlDatabases', parameters('databaseAccountName'), " + databaseName + ")]",
 			},
+			Type: "Microsoft.DocumentDB/databaseAccounts/sqlDatabases",
 		},
 	}
 
@@ -1426,19 +1443,6 @@ func (g *generator) rpRBAC() []*arm.Resource {
 	}
 }
 
-func (g *generator) rpBillingContributorRbac() []*arm.Resource {
-	return []*arm.Resource{
-		rbac.ResourceRoleAssignmentWithName(
-			rbac.RoleDocumentDBAccountContributor,
-			"parameters('billingServicePrincipalId')",
-			"Microsoft.DocumentDB/databaseAccounts",
-			"parameters('databaseAccountName')",
-			"concat(parameters('databaseAccountName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('billingServicePrincipalId') , 'Billing / DocumentDB Account Contributor'))",
-			"[greater(length(parameters('billingServicePrincipalId')), 0)]",
-		),
-	}
-}
-
 func (g *generator) rpACR() *arm.Resource {
 	return &arm.Resource{
 		Resource: &mgmtcontainerregistry.Registry{
diff --git a/pkg/deploy/generator/scripts/devProxyVMSS.sh b/pkg/deploy/generator/scripts/devProxyVMSS.sh
index bdbb8fe35..cb8e15bf8 100644
--- a/pkg/deploy/generator/scripts/devProxyVMSS.sh
+++ b/pkg/deploy/generator/scripts/devProxyVMSS.sh
@@ -1,20 +1,20 @@
 #Adding retry logic to yum commands in order to avoid stalling out on resource locks
 echo "running RHUI fix"
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum update -y --disablerepo='*' --enablerepo='rhui-microsoft-azure*' && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "running yum update"
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum -y -x WALinuxAgent -x WALinuxAgent-udev update --allowerasing && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "installing podman-docker"
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum -y install podman-docker && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 firewall-cmd --add-port=443/tcp --permanent
diff --git a/pkg/deploy/generator/scripts/gatewayVMSS.sh b/pkg/deploy/generator/scripts/gatewayVMSS.sh
index 4034eed36..2f9b09efe 100644
--- a/pkg/deploy/generator/scripts/gatewayVMSS.sh
+++ b/pkg/deploy/generator/scripts/gatewayVMSS.sh
@@ -7,15 +7,15 @@ systemctl reload sshd.service
 
 #Adding retry logic to yum commands in order to avoid stalling out on resource locks
 echo "running RHUI fix"
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum update -y --disablerepo='*' --enablerepo='rhui-microsoft-azure*' && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "running yum update"
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum -y -x WALinuxAgent -x WALinuxAgent-udev update --allowerasing && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "extending partition table"
@@ -34,9 +34,9 @@ xfs_growfs /var
 rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
 rpm --import https://packages.microsoft.com/keys/microsoft.asc
 
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "configuring logrotate"
@@ -111,10 +111,10 @@ EOF
 semanage fcontext -a -t var_log_t "/var/log/journal(/.*)?"
 mkdir -p /var/log/journal
 
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum -y install clamav azsec-clamav azsec-monitor azure-cli azure-mdsd azure-security podman-docker openssl-perl python3 && break
   # hack - we are installing python3 on hosts due to an issue with Azure Linux Extensions https://github.com/Azure/azure-linux-extensions/pull/1505
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "applying firewall rules"
diff --git a/pkg/deploy/generator/scripts/rpVMSS.sh b/pkg/deploy/generator/scripts/rpVMSS.sh
index 290b534c1..78149f304 100644
--- a/pkg/deploy/generator/scripts/rpVMSS.sh
+++ b/pkg/deploy/generator/scripts/rpVMSS.sh
@@ -7,15 +7,15 @@ systemctl reload sshd.service
 
 #Adding retry logic to yum commands in order to avoid stalling out on resource locks
 echo "running RHUI fix"
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum update -y --disablerepo='*' --enablerepo='rhui-microsoft-azure*' && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "running yum update"
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum -y -x WALinuxAgent -x WALinuxAgent-udev update --allowerasing && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "extending partition table"
@@ -35,9 +35,9 @@ echo "importing rpm repositories"
 rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
 rpm --import https://packages.microsoft.com/keys/microsoft.asc
 
-for attempt in {1..5}; do
+for attempt in {1..60}; do
   yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && break
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 echo "configuring logrotate"
@@ -95,10 +95,10 @@ EOF
 semanage fcontext -a -t var_log_t "/var/log/journal(/.*)?"
 mkdir -p /var/log/journal
 
-for attempt in {1..5}; do
+for attempt in {1..60}; do
 yum -y install clamav azsec-clamav azsec-monitor azure-cli azure-mdsd azure-security podman podman-docker openssl-perl python3 && break
   # hack - we are installing python3 on hosts due to an issue with Azure Linux Extensions https://github.com/Azure/azure-linux-extensions/pull/1505
-  if [[ ${attempt} -lt 5 ]]; then sleep 10; else exit 1; fi
+  if [[ ${attempt} -lt 60 ]]; then sleep 30; else exit 1; fi
 done
 
 # https://access.redhat.com/security/cve/cve-2020-13401
@@ -272,7 +272,6 @@ ARM_API_CLIENT_CERT_COMMON_NAME='$ARMAPICLIENTCERTCOMMONNAME'
 AZURE_ARM_CLIENT_ID='$ARMCLIENTID'
 AZURE_FP_CLIENT_ID='$FPCLIENTID'
 AZURE_FP_SERVICE_PRINCIPAL_ID='$FPSERVICEPRINCIPALID'
-BILLING_E2E_STORAGE_ACCOUNT_ID='$BILLINGE2ESTORAGEACCOUNTID'
 CLUSTER_MDM_ACCOUNT='$CLUSTERMDMACCOUNT'
 CLUSTER_MDM_NAMESPACE=RP
 CLUSTER_MDSD_ACCOUNT='$CLUSTERMDSDACCOUNT'
@@ -312,7 +311,6 @@ ExecStart=/usr/bin/docker run \
   -e ARM_API_CLIENT_CERT_COMMON_NAME \
   -e AZURE_ARM_CLIENT_ID \
   -e AZURE_FP_CLIENT_ID \
-  -e BILLING_E2E_STORAGE_ACCOUNT_ID \
   -e CLUSTER_MDM_ACCOUNT \
   -e CLUSTER_MDM_NAMESPACE \
   -e CLUSTER_MDSD_ACCOUNT \
diff --git a/pkg/deploy/generator/templates_rp.go b/pkg/deploy/generator/templates_rp.go
index 7452d0fb2..d5506af64 100644
--- a/pkg/deploy/generator/templates_rp.go
+++ b/pkg/deploy/generator/templates_rp.go
@@ -41,8 +41,6 @@ func (g *generator) rpTemplate() *arm.Template {
 			"azureCloudName",
 			"azureSecPackQualysUrl",
 			"azureSecPackVSATenantId",
-			"billingE2EStorageAccountId",
-			"billingServicePrincipalId",
 			"clusterMdmAccount",
 			"clusterMdsdAccount",
 			"clusterMdsdConfigVersion",
@@ -100,8 +98,6 @@ func (g *generator) rpTemplate() *arm.Template {
 		case "armApiCaBundle",
 			"armApiClientCertCommonName",
 			"armClientId",
-			"billingServicePrincipalId",
-			"billingE2EStorageAccountId",
 			"gatewayDomains",
 			"rpFeatures":
 			p.DefaultValue = ""
@@ -177,7 +173,6 @@ func (g *generator) rpTemplate() *arm.Template {
 			g.rpLBAlert(67.0, 3, "rp-degraded-alert", "PT15M", "PT6H", "DipAvailability"),     // 1/3 backend down for 1h or 2/3 down for 3h in the last 6h
 			g.rpLBAlert(33.0, 2, "rp-vnet-alert", "PT5M", "PT5M", "VipAvailability"))          // this will trigger only if the Azure network infrastructure between the loadBalancers and VMs is down for 3.5min
 		// more on alerts https://msazure.visualstudio.com/AzureRedHatOpenShift/_wiki/wikis/ARO.wiki/53765/WIP-Alerting
-		t.Resources = append(t.Resources, g.rpBillingContributorRbac()...)
 
 		t.Resources = append(t.Resources,
 			g.virtualNetworkPeering("rp-vnet/peering-gateway-vnet", "[resourceId(parameters('gatewayResourceGroupName'), 'Microsoft.Network/virtualNetworks', 'gateway-vnet')]", false, false, nil),
diff --git a/pkg/frontend/openshiftcluster_putorpatch.go b/pkg/frontend/openshiftcluster_putorpatch.go
index 3fe18ab61..9390a1f8f 100644
--- a/pkg/frontend/openshiftcluster_putorpatch.go
+++ b/pkg/frontend/openshiftcluster_putorpatch.go
@@ -149,9 +149,10 @@ func (f *frontend) _putOrPatchOpenShiftCluster(ctx context.Context, log *logrus.
 	// Patch should be used for updating individual fields of the document.
 	case http.MethodPatch:
 		ext = converter.ToExternal(doc.OpenShiftCluster)
-		converter.ExternalNoReadOnly(ext)
 	}
 
+	converter.ExternalNoReadOnly(ext)
+
 	err = json.Unmarshal(body, &ext)
 	if err != nil {
 		return nil, api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidRequestContent, "", "The request content was invalid and could not be deserialized: %q.", err)
diff --git a/pkg/frontend/subscriptions_put.go b/pkg/frontend/subscriptions_put.go
index 42d6a345a..84d530884 100644
--- a/pkg/frontend/subscriptions_put.go
+++ b/pkg/frontend/subscriptions_put.go
@@ -51,11 +51,6 @@ func (f *frontend) _putSubscription(ctx context.Context, r *http.Request) ([]byt
 	oldState := doc.Subscription.State
 
 	h := &codec.JsonHandle{
-		BasicHandle: codec.BasicHandle{
-			DecodeOptions: codec.DecodeOptions{
-				ErrorIfNoField: true,
-			},
-		},
 		Indent: 4,
 	}
 
diff --git a/pkg/util/arm/marshal.go b/pkg/util/arm/marshal.go
index 58929d5a6..69bf5fdd8 100644
--- a/pkg/util/arm/marshal.go
+++ b/pkg/util/arm/marshal.go
@@ -7,13 +7,47 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"strings"
 
+	sdkcosmos "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2"
 	gofrsuuid "github.com/gofrs/uuid"
 )
 
 // MarshalJSON marshals the nested r.Resource ignoring any MarshalJSON() methods
 // on its types.  It then merges remaining fields of r over the result
 func (r *Resource) MarshalJSON() ([]byte, error) {
+	var b []byte
+	var err error
+
+	// hack to handle newer track2 sdk which doesn't have json tags
+	if strings.HasPrefix(r.Type, "Microsoft.DocumentDB/databaseAccounts/sqlDatabases") {
+		if reflect.TypeOf(r.Resource) == reflect.TypeOf(&sdkcosmos.SQLDatabaseCreateUpdateParameters{}) {
+			b, err = r.Resource.(*sdkcosmos.SQLDatabaseCreateUpdateParameters).MarshalJSON()
+		} else if reflect.TypeOf(r.Resource) == reflect.TypeOf(&sdkcosmos.SQLContainerCreateUpdateParameters{}) {
+			b, err = r.Resource.(*sdkcosmos.SQLContainerCreateUpdateParameters).MarshalJSON()
+		}
+	} else if strings.HasPrefix(r.Type, "Microsoft.DocumentDB/databaseAccounts") {
+		b, err = r.Resource.(*sdkcosmos.DatabaseAccountCreateUpdateParameters).MarshalJSON()
+	}
+
+	if err != nil {
+		return b, err
+	}
+
+	if b != nil {
+		dataMap := map[string]interface{}{}
+		err = json.Unmarshal(b, &dataMap)
+		if err != nil {
+			return nil, err
+		}
+
+		dataMap["apiVersion"] = r.APIVersion
+		if r.DependsOn != nil {
+			dataMap["dependsOn"] = r.DependsOn
+		}
+		return json.Marshal(dataMap)
+	}
+
 	resource := reflect.ValueOf(shadowCopy(r.Resource))
 	outer := reflect.ValueOf(*r)
 
diff --git a/pkg/util/azureclient/apiversions.go b/pkg/util/azureclient/apiversions.go
index b80bb5afc..3ad8deffd 100644
--- a/pkg/util/azureclient/apiversions.go
+++ b/pkg/util/azureclient/apiversions.go
@@ -19,7 +19,7 @@ var apiVersions = map[string]string{
 	"microsoft.compute/snapshots":              "2020-05-01",
 	"microsoft.containerregistry":              "2020-11-01-preview",
 	"microsoft.resources/deployments":          "2021-04-01",
-	"microsoft.documentdb":                     "2021-01-15",
+	"microsoft.documentdb":                     "2023-04-15",
 	"microsoft.insights":                       "2018-03-01",
 	"microsoft.keyvault":                       "2019-09-01",
 	"microsoft.keyvault/vaults/accesspolicies": "2021-10-01",
diff --git a/pkg/util/azureclient/azuresdk/armkeyvault/vaults.go b/pkg/util/azureclient/azuresdk/armkeyvault/vaults.go
new file mode 100644
index 000000000..36a8c906e
--- /dev/null
+++ b/pkg/util/azureclient/azuresdk/armkeyvault/vaults.go
@@ -0,0 +1,30 @@
+package armkeyvault
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault"
+
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azcore"
+)
+
+type VaultsClient interface {
+	CheckNameAvailability(ctx context.Context, vaultName armkeyvault.VaultCheckNameAvailabilityParameters, options *armkeyvault.VaultsClientCheckNameAvailabilityOptions) (armkeyvault.VaultsClientCheckNameAvailabilityResponse, error)
+}
+
+type vaultsClient struct {
+	*armkeyvault.VaultsClient
+}
+
+var _ VaultsClient = &vaultsClient{}
+
+func NewVaultsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (VaultsClient, error) {
+	client, err := armkeyvault.NewVaultsClient(subscriptionID, credential, options)
+	return vaultsClient{
+		VaultsClient: client,
+	}, err
+}
diff --git a/pkg/util/azureclient/mgmt/authorization/generate.go b/pkg/util/azureclient/mgmt/authorization/generate.go
index 9072a9836..d894dcbfa 100644
--- a/pkg/util/azureclient/mgmt/authorization/generate.go
+++ b/pkg/util/azureclient/mgmt/authorization/generate.go
@@ -4,5 +4,5 @@ package authorization
 // Licensed under the Apache License 2.0.
 
 //go:generate rm -rf ../../../../util/mocks/$GOPACKAGE
-//go:generate go run ../../../../../vendor/github.com/golang/mock/mockgen -destination=../../../../util/mocks/azureclient/mgmt/$GOPACKAGE/$GOPACKAGE.go github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/$GOPACKAGE PermissionsClient,RoleAssignmentsClient,DenyAssignmentClient,RoleDefinitionsClient
+//go:generate go run ../../../../../vendor/github.com/golang/mock/mockgen -destination=../../../../util/mocks/azureclient/mgmt/$GOPACKAGE/$GOPACKAGE.go github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/$GOPACKAGE RoleAssignmentsClient,DenyAssignmentClient,RoleDefinitionsClient
 //go:generate go run ../../../../../vendor/golang.org/x/tools/cmd/goimports -local=github.com/Azure/ARO-RP -e -w ../../../../util/mocks/azureclient/mgmt/$GOPACKAGE/$GOPACKAGE.go
diff --git a/pkg/util/azureclient/mgmt/authorization/permissions.go b/pkg/util/azureclient/mgmt/authorization/permissions.go
deleted file mode 100644
index 478c59317..000000000
--- a/pkg/util/azureclient/mgmt/authorization/permissions.go
+++ /dev/null
@@ -1,32 +0,0 @@
-package authorization
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
-	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
-	"github.com/Azure/go-autorest/autorest"
-
-	"github.com/Azure/ARO-RP/pkg/util/azureclient"
-)
-
-// PermissionsClient is a minimal interface for azure PermissionsClient
-type PermissionsClient interface {
-	PermissionsClientAddons
-}
-
-type permissionsClient struct {
-	mgmtauthorization.PermissionsClient
-}
-
-var _ PermissionsClient = &permissionsClient{}
-
-// NewPermissionsClient creates a new PermissionsClient
-func NewPermissionsClient(environment *azureclient.AROEnvironment, subscriptionID string, authorizer autorest.Authorizer) PermissionsClient {
-	client := mgmtauthorization.NewPermissionsClientWithBaseURI(environment.ResourceManagerEndpoint, subscriptionID)
-	client.Authorizer = authorizer
-
-	return &permissionsClient{
-		PermissionsClient: client,
-	}
-}
diff --git a/pkg/util/azureclient/mgmt/authorization/permissions_addons.go b/pkg/util/azureclient/mgmt/authorization/permissions_addons.go
deleted file mode 100644
index ca4251861..000000000
--- a/pkg/util/azureclient/mgmt/authorization/permissions_addons.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package authorization
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
-	"context"
-
-	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
-)
-
-// PermissionsClientAddons contains addons for PermissionsClient
-type PermissionsClientAddons interface {
-	ListForResource(ctx context.Context, resourceGroupName string, resourceProviderNamespace string, parentResourcePath string, resourceType string, resourceName string) (permissions []mgmtauthorization.Permission, err error)
-	ListForResourceGroup(ctx context.Context, resourceGroupName string) (permissions []mgmtauthorization.Permission, err error)
-}
-
-func (c *permissionsClient) ListForResource(ctx context.Context, resourceGroupName string, resourceProviderNamespace string, parentResourcePath string, resourceType string, resourceName string) (permissions []mgmtauthorization.Permission, err error) {
-	page, err := c.PermissionsClient.ListForResource(ctx, resourceGroupName, resourceProviderNamespace, parentResourcePath, resourceType, resourceName)
-	if err != nil {
-		return nil, err
-	}
-
-	for {
-		permissions = append(permissions, page.Values()...)
-
-		err = page.NextWithContext(ctx)
-		if err != nil {
-			return nil, err
-		}
-
-		if !page.NotDone() {
-			break
-		}
-	}
-
-	return permissions, nil
-}
-
-func (c *permissionsClient) ListForResourceGroup(ctx context.Context, resourceGroupName string) (permissions []mgmtauthorization.Permission, error error) {
-	page, err := c.PermissionsClient.ListForResourceGroup(ctx, resourceGroupName)
-	if err != nil {
-		return nil, err
-	}
-
-	for {
-		permissions = append(permissions, page.Values()...)
-
-		err = page.NextWithContext(ctx)
-		if err != nil {
-			return nil, err
-		}
-
-		if !page.NotDone() {
-			break
-		}
-	}
-
-	return permissions, nil
-}
diff --git a/pkg/util/azureclient/mgmt/compute/virtualmachines.go b/pkg/util/azureclient/mgmt/compute/virtualmachines.go
index 4988cc3d8..860d5d811 100644
--- a/pkg/util/azureclient/mgmt/compute/virtualmachines.go
+++ b/pkg/util/azureclient/mgmt/compute/virtualmachines.go
@@ -5,6 +5,7 @@ package compute
 
 import (
 	"context"
+	"time"
 
 	mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
 	"github.com/Azure/go-autorest/autorest"
@@ -28,6 +29,7 @@ var _ VirtualMachinesClient = &virtualMachinesClient{}
 func NewVirtualMachinesClient(environment *azureclient.AROEnvironment, subscriptionID string, authorizer autorest.Authorizer) VirtualMachinesClient {
 	client := mgmtcompute.NewVirtualMachinesClientWithBaseURI(environment.ResourceManagerEndpoint, subscriptionID)
 	client.Authorizer = authorizer
+	client.PollingDuration = 30 * time.Minute
 
 	return &virtualMachinesClient{
 		VirtualMachinesClient: client,
diff --git a/pkg/util/azureclient/mgmt/keyvault/vaults.go b/pkg/util/azureclient/mgmt/keyvault/vaults.go
deleted file mode 100644
index 2d2ebf52c..000000000
--- a/pkg/util/azureclient/mgmt/keyvault/vaults.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package keyvault
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
-	"context"
-
-	mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
-	"github.com/Azure/go-autorest/autorest"
-
-	"github.com/Azure/ARO-RP/pkg/util/azureclient"
-)
-
-// VaultsClient is a minimal interface for azure VaultsClient
-type VaultsClient interface {
-	CheckNameAvailability(ctx context.Context, vaultName mgmtkeyvault.VaultCheckNameAvailabilityParameters) (result mgmtkeyvault.CheckNameAvailabilityResult, err error)
-}
-
-type vaultsClient struct {
-	mgmtkeyvault.VaultsClient
-}
-
-var _ VaultsClient = &vaultsClient{}
-
-// NewVaultsClient creates a new KeyvaultClient
-func NewVaultsClient(environment *azureclient.AROEnvironment, subscriptionID string, authorizer autorest.Authorizer) VaultsClient {
-	client := mgmtkeyvault.NewVaultsClientWithBaseURI(environment.ResourceManagerEndpoint, subscriptionID)
-	client.Authorizer = authorizer
-
-	return &vaultsClient{
-		VaultsClient: client,
-	}
-}
diff --git a/pkg/util/billing/billing.go b/pkg/util/billing/billing.go
index a8e97b8a2..935f9abbe 100644
--- a/pkg/util/billing/billing.go
+++ b/pkg/util/billing/billing.go
@@ -4,28 +4,15 @@ package billing
 // Licensed under the Apache License 2.0.
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"net/http"
-	"os"
-	"strings"
 
-	azstorage "github.com/Azure/azure-sdk-for-go/storage"
-	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/sirupsen/logrus"
 
 	"github.com/Azure/ARO-RP/pkg/api"
 	"github.com/Azure/ARO-RP/pkg/database"
 	"github.com/Azure/ARO-RP/pkg/database/cosmosdb"
 	"github.com/Azure/ARO-RP/pkg/env"
-	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/storage"
-	"github.com/Azure/ARO-RP/pkg/util/feature"
-)
-
-const (
-	tenantIDMSFT = "72f988bf-86f1-41af-91ab-2d7cd011db47"
-	tenantIDAME  = "33e01921-4d64-4f8c-a055-5bdaffd5e33d"
 )
 
 type Manager interface {
@@ -34,58 +21,19 @@ type Manager interface {
 }
 
 type manager struct {
-	storageClient *azstorage.Client
-	billingDB     database.Billing
-	subDB         database.Subscriptions
-	log           *logrus.Entry
+	billingDB database.Billing
+	log       *logrus.Entry
 }
 
 func NewManager(env env.Interface, billing database.Billing, sub database.Subscriptions, log *logrus.Entry) (Manager, error) {
-	storageClient, err := storageClient(env, billing, sub, log)
-	if err != nil {
-		return nil, err
-	}
-
 	return &manager{
-		storageClient: storageClient,
-		subDB:         sub,
-		billingDB:     billing,
-		log:           log,
+		billingDB: billing,
+		log:       log,
 	}, nil
 }
 
-func storageClient(env env.Interface, billing database.Billing, sub database.Subscriptions, log *logrus.Entry) (*azstorage.Client, error) {
-	if os.Getenv("BILLING_E2E_STORAGE_ACCOUNT_ID") == "" {
-		return nil, nil
-	}
-
-	r, err := azure.ParseResourceID(os.Getenv("BILLING_E2E_STORAGE_ACCOUNT_ID"))
-	if err != nil {
-		return nil, err
-	}
-
-	localFPAuthorizer, err := env.FPAuthorizer(env.TenantID(), env.Environment().ResourceManagerScope)
-	if err != nil {
-		return nil, err
-	}
-
-	e2estorage := storage.NewAccountsClient(env.Environment(), r.SubscriptionID, localFPAuthorizer)
-
-	keys, err := e2estorage.ListKeys(context.Background(), r.ResourceGroup, r.ResourceName, "")
-	if err != nil {
-		return nil, err
-	}
-
-	client, err := azstorage.NewBasicClient(r.ResourceName, *(*keys.Keys)[0].Value)
-	if err != nil {
-		return nil, err
-	}
-
-	return &client, nil
-}
-
 func (m *manager) Ensure(ctx context.Context, doc *api.OpenShiftClusterDocument, sub *api.SubscriptionDocument) error {
-	billingDoc, err := m.billingDB.Create(ctx, &api.BillingDocument{
+	_, err := m.billingDB.Create(ctx, &api.BillingDocument{
 		ID:                        doc.ID,
 		Key:                       doc.Key,
 		ClusterResourceGroupIDKey: doc.ClusterResourceGroupIDKey,
@@ -104,16 +52,12 @@ func (m *manager) Ensure(ctx context.Context, doc *api.OpenShiftClusterDocument,
 		return err
 	}
 
-	if e2eErr := m.createOrUpdateE2EBlob(ctx, billingDoc); e2eErr != nil {
-		m.log.Warnf("createOrUpdateE2EBlob failed: %s", e2eErr)
-	}
-
 	return nil
 }
 
 func (m *manager) Delete(ctx context.Context, doc *api.OpenShiftClusterDocument) error {
 	m.log.Printf("updating billing record with deletion time")
-	billingDoc, err := m.billingDB.MarkForDeletion(ctx, doc.ID)
+	_, err := m.billingDB.MarkForDeletion(ctx, doc.ID)
 	if cosmosdb.IsErrorStatusCode(err, http.StatusNotFound) {
 		return nil
 	}
@@ -121,67 +65,5 @@ func (m *manager) Delete(ctx context.Context, doc *api.OpenShiftClusterDocument)
 		return err
 	}
 
-	if e2eErr := m.createOrUpdateE2EBlob(ctx, billingDoc); e2eErr != nil {
-		// We are not failing the operation if we cannot write to e2e storage account, just warning
-		m.log.Warnf("createOrUpdateE2EBlob failed: %s", e2eErr)
-	}
-
 	return nil
 }
-
-// isSubscriptionRegisteredForE2E returns true if the subscription has the
-// "Microsoft.RedHatOpenShift/SaveAROTestConfig" feature registered
-func isSubscriptionRegisteredForE2E(sub *api.SubscriptionProperties) bool {
-	if sub.TenantID == tenantIDMSFT || sub.TenantID == tenantIDAME {
-		return feature.IsRegisteredForFeature(sub, api.FeatureFlagSaveAROTestConfig)
-	}
-	return false
-}
-
-// createOrUpdateE2Eblob create a copy of the billing document in the e2e
-// storage account. This is used later on by the billing e2e
-func (m *manager) createOrUpdateE2EBlob(ctx context.Context, doc *api.BillingDocument) error {
-	//skip updating the storage account if this is a dev scenario
-	if m.storageClient == nil {
-		return nil
-	}
-
-	// Validate if E2E Feature is registered
-	resource, err := azure.ParseResourceID(doc.Key)
-	if err != nil {
-		return err
-	}
-
-	subscriptionDoc, err := m.subDB.Get(ctx, resource.SubscriptionID)
-	if err != nil {
-		return err
-	}
-
-	if !isSubscriptionRegisteredForE2E(subscriptionDoc.Subscription.Properties) {
-		return nil
-	}
-
-	blobclient := m.storageClient.GetBlobService()
-
-	containerName := strings.ToLower("bill-" + doc.Billing.Location + "-" + resource.ResourceGroup + "-" + resource.ResourceName)
-	if len(containerName) > 63 {
-		containerName = containerName[:63]
-	}
-
-	// The following is added to get rid of the '-' at the end in order to avoid an invalid container name.
-	containerName = strings.TrimSuffix(containerName, "-")
-
-	containerRef := blobclient.GetContainerReference(containerName)
-	_, err = containerRef.CreateIfNotExists(nil)
-	if err != nil {
-		return err
-	}
-
-	blobRef := containerRef.GetBlobReference("billingentity")
-	b, err := json.Marshal(doc)
-	if err != nil {
-		return err
-	}
-
-	return blobRef.CreateBlockBlobFromReader(bytes.NewReader(b), nil)
-}
diff --git a/pkg/util/billing/billing_test.go b/pkg/util/billing/billing_test.go
index 5cd23eda0..dca66e6f9 100644
--- a/pkg/util/billing/billing_test.go
+++ b/pkg/util/billing/billing_test.go
@@ -19,101 +19,6 @@ import (
 	utilerror "github.com/Azure/ARO-RP/test/util/error"
 )
 
-func TestIsSubscriptionRegisteredForE2E(t *testing.T) {
-	const tenantID = "11111111-1111-1111-1111-111111111111"
-
-	for _, tt := range []struct {
-		name string
-		sub  api.SubscriptionProperties
-		want bool
-	}{
-		{
-			name: "empty",
-		},
-		{
-			name: "sub without feature flag registered and not internal tenant",
-			sub: api.SubscriptionProperties{
-				TenantID: tenantID,
-				RegisteredFeatures: []api.RegisteredFeatureProfile{
-					{
-						Name:  "RandomFeature",
-						State: "Registered",
-					},
-				},
-			},
-		},
-		{
-			name: "sub with feature flag registered and not internal tenant",
-			sub: api.SubscriptionProperties{
-				TenantID: tenantID,
-				RegisteredFeatures: []api.RegisteredFeatureProfile{
-					{
-						Name:  api.FeatureFlagSaveAROTestConfig,
-						State: "Registered",
-					},
-				},
-			},
-		},
-		{
-			name: "AME internal tenant and feature flag not registered",
-			sub: api.SubscriptionProperties{
-				TenantID: tenantIDAME,
-				RegisteredFeatures: []api.RegisteredFeatureProfile{
-					{
-						Name:  "RandomFeature",
-						State: "Registered",
-					},
-				},
-			},
-		},
-		{
-			name: "MSFT internal tenant and feature flag not registered",
-			sub: api.SubscriptionProperties{
-				TenantID: tenantIDMSFT,
-				RegisteredFeatures: []api.RegisteredFeatureProfile{
-					{
-						Name:  "RandomFeature",
-						State: "Registered",
-					},
-				},
-			},
-		},
-		{
-			name: "AME internal tenant and feature flag registered",
-			sub: api.SubscriptionProperties{
-				TenantID: tenantIDAME,
-				RegisteredFeatures: []api.RegisteredFeatureProfile{
-					{
-						Name:  api.FeatureFlagSaveAROTestConfig,
-						State: "Registered",
-					},
-				},
-			},
-			want: true,
-		},
-		{
-			name: "MSFT internal tenant and feature flag registered",
-			sub: api.SubscriptionProperties{
-				TenantID: tenantIDMSFT,
-				RegisteredFeatures: []api.RegisteredFeatureProfile{
-					{
-						Name:  api.FeatureFlagSaveAROTestConfig,
-						State: "Registered",
-					},
-				},
-			},
-			want: true,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			got := isSubscriptionRegisteredForE2E(&tt.sub)
-			if got != tt.want {
-				t.Error(got)
-			}
-		})
-	}
-}
-
 func TestDelete(t *testing.T) {
 	ctx := context.Background()
 
@@ -220,7 +125,6 @@ func TestDelete(t *testing.T) {
 			m := &manager{
 				log:       log,
 				billingDB: billingDatabase,
-				subDB:     subscriptionsDatabase,
 			}
 
 			err = m.Delete(ctx, &api.OpenShiftClusterDocument{ID: docID})
@@ -279,12 +183,6 @@ func TestEnsure(t *testing.T) {
 					ID: subID,
 					Subscription: &api.Subscription{
 						Properties: &api.SubscriptionProperties{
-							RegisteredFeatures: []api.RegisteredFeatureProfile{
-								{
-									Name:  api.FeatureFlagSaveAROTestConfig,
-									State: "NotRegistered",
-								},
-							},
 							TenantID: tenantID,
 						},
 					},
@@ -321,12 +219,6 @@ func TestEnsure(t *testing.T) {
 					ID: subID,
 					Subscription: &api.Subscription{
 						Properties: &api.SubscriptionProperties{
-							RegisteredFeatures: []api.RegisteredFeatureProfile{
-								{
-									Name:  api.FeatureFlagSaveAROTestConfig,
-									State: "NotRegistered",
-								},
-							},
 							TenantID: tenantID,
 						},
 					},
@@ -353,12 +245,6 @@ func TestEnsure(t *testing.T) {
 					ID: subID,
 					Subscription: &api.Subscription{
 						Properties: &api.SubscriptionProperties{
-							RegisteredFeatures: []api.RegisteredFeatureProfile{
-								{
-									Name:  api.FeatureFlagSaveAROTestConfig,
-									State: "NotRegistered",
-								},
-							},
 							TenantID: tenantID,
 						},
 					},
@@ -408,7 +294,6 @@ func TestEnsure(t *testing.T) {
 			m := &manager{
 				log:       log,
 				billingDB: billingDatabase,
-				subDB:     subscriptionsDatabase,
 			}
 
 			doc, err := openShiftClusterDatabase.Get(ctx, strings.ToLower(testdatabase.GetResourcePath(subID, "resourceName")))
diff --git a/pkg/util/clienthelper/clienthelper_test.go b/pkg/util/clienthelper/clienthelper_test.go
index 80f67b644..1a7d8d4d4 100644
--- a/pkg/util/clienthelper/clienthelper_test.go
+++ b/pkg/util/clienthelper/clienthelper_test.go
@@ -45,7 +45,7 @@ func TestEnsureDeleted(t *testing.T) {
 	})
 
 	client := testclienthelper.NewHookingClient(builder.Build()).
-		WithDeleteHook(func(obj client.Object) error {
+		WithPreDeleteHook(func(obj client.Object) error {
 			if obj.GetName() == "test-name-2" {
 				return fmt.Errorf("error on %s", obj.GetName())
 			}
@@ -70,7 +70,7 @@ func TestEnsureDeleted(t *testing.T) {
 			Namespace: "test-ns-2",
 		})
 	if err == nil {
-		t.Errorf("function should handle failure response (non-404) correctly")
+		t.Error(fmt.Errorf("function should handle failure response (non-404) correctly: %w", err))
 	}
 
 	err = ch.EnsureDeleted(ctx, schema.GroupVersionKind{Group: "core", Version: "v1", Kind: "ConfigMap"},
diff --git a/pkg/util/cluster/cluster.go b/pkg/util/cluster/cluster.go
index 18ae61849..a25537fa6 100644
--- a/pkg/util/cluster/cluster.go
+++ b/pkg/util/cluster/cluster.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"math/rand"
 	"net/http"
@@ -15,8 +16,10 @@ import (
 	"strings"
 	"time"
 
+	armsdk "github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	mgmtkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/mgmt/2019-09-01/keyvault"
+	sdkkeyvault "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
 	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
 	mgmtfeatures "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-07-01/features"
@@ -34,9 +37,9 @@ import (
 	"github.com/Azure/ARO-RP/pkg/deploy/generator"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/arm"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armkeyvault"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/features"
-	keyvaultclient "github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/keyvault"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/network"
 	redhatopenshift20200430 "github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/redhatopenshift/2020-04-30/redhatopenshift"
 	redhatopenshift20210901preview "github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/redhatopenshift/2021-09-01-preview/redhatopenshift"
@@ -67,20 +70,7 @@ type Cluster struct {
 	roleassignments                   authorization.RoleAssignmentsClient
 	peerings                          network.VirtualNetworkPeeringsClient
 	ciParentVnetPeerings              network.VirtualNetworkPeeringsClient
-	vaultsClient                      keyvaultclient.VaultsClient
-}
-
-type errors []error
-
-func (errs errors) Error() string {
-	var sb strings.Builder
-
-	for _, err := range errs {
-		sb.WriteString(err.Error())
-		sb.WriteByte('\n')
-	}
-
-	return sb.String()
+	vaultsClient                      armkeyvault.VaultsClient
 }
 
 func New(log *logrus.Entry, environment env.Core, ci bool) (*Cluster, error) {
@@ -91,6 +81,7 @@ func New(log *logrus.Entry, environment env.Core, ci bool) (*Cluster, error) {
 	}
 
 	options := environment.Environment().EnvironmentCredentialOptions()
+
 	spTokenCredential, err := azidentity.NewEnvironmentCredential(options)
 	if err != nil {
 		return nil, err
@@ -104,6 +95,17 @@ func New(log *logrus.Entry, environment env.Core, ci bool) (*Cluster, error) {
 	scopes := []string{environment.Environment().ResourceManagerScope}
 	authorizer := azidext.NewTokenCredentialAdapter(spTokenCredential, scopes)
 
+	armOption := armsdk.ClientOptions{
+		ClientOptions: policy.ClientOptions{
+			Cloud: options.Cloud,
+		},
+	}
+
+	vaultClient, err := armkeyvault.NewVaultsClient(environment.SubscriptionID(), spTokenCredential, &armOption)
+
+	if err != nil {
+		return nil, err
+	}
 	c := &Cluster{
 		log: log,
 		env: environment,
@@ -121,7 +123,7 @@ func New(log *logrus.Entry, environment env.Core, ci bool) (*Cluster, error) {
 		routetables:                       network.NewRouteTablesClient(environment.Environment(), environment.SubscriptionID(), authorizer),
 		roleassignments:                   authorization.NewRoleAssignmentsClient(environment.Environment(), environment.SubscriptionID(), authorizer),
 		peerings:                          network.NewVirtualNetworkPeeringsClient(environment.Environment(), environment.SubscriptionID(), authorizer),
-		vaultsClient:                      keyvaultclient.NewVaultsClient(environment.Environment(), environment.SubscriptionID(), authorizer),
+		vaultsClient:                      vaultClient,
 	}
 
 	if ci && env.IsLocalDevelopmentMode() {
@@ -232,7 +234,8 @@ func (c *Cluster) Create(ctx context.Context, vnetResourceGroup, clusterName str
 	if c.ci {
 		// name is limited to 24 characters, but must be globally unique, so we generate one and try if it is available
 		kvName = "kv-" + uuid.DefaultGenerator.Generate()[:21]
-		result, err := c.vaultsClient.CheckNameAvailability(ctx, mgmtkeyvault.VaultCheckNameAvailabilityParameters{Name: &kvName, Type: to.StringPtr("Microsoft.KeyVault/vaults")})
+
+		result, err := c.vaultsClient.CheckNameAvailability(ctx, sdkkeyvault.VaultCheckNameAvailabilityParameters{Name: &kvName, Type: to.StringPtr("Microsoft.KeyVault/vaults")}, nil)
 		if err != nil {
 			return err
 		}
@@ -381,75 +384,28 @@ func (c *Cluster) generateSubnets() (vnetPrefix string, masterSubnet string, wor
 }
 
 func (c *Cluster) Delete(ctx context.Context, vnetResourceGroup, clusterName string) error {
-	var errs errors
+	var errs []error
 
-	oc, err := c.openshiftclustersv20200430.Get(ctx, vnetResourceGroup, clusterName)
-	if err == nil {
-		c.log.Print("deleting role assignments")
-		err = c.deleteRoleAssignments(ctx, vnetResourceGroup, *oc.OpenShiftClusterProperties.ServicePrincipalProfile.ClientID)
-		if err != nil {
-			errs = append(errs, err)
-		}
-
-		c.log.Print("deleting cluster")
-		err = c.openshiftclustersv20200430.DeleteAndWait(ctx, vnetResourceGroup, clusterName)
-		if err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	if c.ci {
-		_, err = c.groups.Get(ctx, vnetResourceGroup)
-		if err == nil {
-			c.log.Print("deleting resource group")
-			err = c.groups.DeleteAndWait(ctx, vnetResourceGroup)
-			if err != nil {
-				errs = append(errs, err)
-			}
-		}
-		// Only delete peering if CI=true and RP_MODE=development
-		if env.IsLocalDevelopmentMode() {
-			r, err := azure.ParseResourceID(c.ciParentVnet)
-			if err == nil {
-				err = c.ciParentVnetPeerings.DeleteAndWait(ctx, r.ResourceGroup, r.ResourceName, vnetResourceGroup+"-peer")
-			}
-			if err != nil {
-				errs = append(errs, err)
-			}
-		}
-	} else {
-		// Deleting the deployment does not clean up the associated resources
-		c.log.Info("deleting deployment")
-		err = c.deployments.DeleteAndWait(ctx, vnetResourceGroup, clusterName)
-		if err != nil {
-			errs = append(errs, err)
-		}
-
-		c.log.Info("deleting master/worker subnets")
-		err = c.subnets.DeleteAndWait(ctx, vnetResourceGroup, "dev-vnet", clusterName+"-master")
-		if err != nil {
-			errs = append(errs, err)
-		}
-
-		err = c.subnets.DeleteAndWait(ctx, vnetResourceGroup, "dev-vnet", clusterName+"-worker")
-		if err != nil {
-			errs = append(errs, err)
-		}
-
-		c.log.Info("deleting route table")
-		err = c.routetables.DeleteAndWait(ctx, vnetResourceGroup, clusterName+"-rt")
-		if err != nil {
-			errs = append(errs, err)
-		}
+	switch {
+	case c.ci && env.IsLocalDevelopmentMode(): // PR E2E
+		errs = append(errs,
+			c.deleteCluster(ctx, vnetResourceGroup, clusterName),
+			c.deleteClusterResourceGroup(ctx, vnetResourceGroup),
+			c.deleteVnetPeerings(ctx, vnetResourceGroup),
+		)
+	case c.ci: // Prod E2E
+		errs = append(errs, c.deleteClusterResourceGroup(ctx, vnetResourceGroup))
+	default:
+		errs = append(errs,
+			c.deleteRoleAssignments(ctx, vnetResourceGroup, clusterName),
+			c.deleteCluster(ctx, vnetResourceGroup, clusterName),
+			c.deleteDeployment(ctx, vnetResourceGroup, clusterName), // Deleting the deployment does not clean up the associated resources
+			c.deleteVnetResources(ctx, vnetResourceGroup, "dev-vnet", clusterName),
+		)
 	}
 
 	c.log.Info("done")
-
-	if errs != nil {
-		return errs // https://golang.org/doc/faq#nil_error
-	}
-
-	return nil
+	return errors.Join(errs...)
 }
 
 // createCluster created new clusters, based on where it is running.
@@ -647,10 +603,15 @@ func (c *Cluster) fixupNSGs(ctx context.Context, vnetResourceGroup, clusterName
 	return nil
 }
 
-func (c *Cluster) deleteRoleAssignments(ctx context.Context, vnetResourceGroup, appID string) error {
-	spObjID, err := utilgraph.GetServicePrincipalIDByAppID(ctx, c.spGraphClient, appID)
+func (c *Cluster) deleteRoleAssignments(ctx context.Context, vnetResourceGroup, clusterName string) error {
+	c.log.Print("deleting role assignments")
+	oc, err := c.openshiftclustersv20200430.Get(ctx, vnetResourceGroup, clusterName)
 	if err != nil {
-		return err
+		return fmt.Errorf("error getting cluster document: %w", err)
+	}
+	spObjID, err := utilgraph.GetServicePrincipalIDByAppID(ctx, c.spGraphClient, *oc.OpenShiftClusterProperties.ServicePrincipalProfile.ClientID)
+	if err != nil {
+		return fmt.Errorf("error getting service principal for cluster: %w", err)
 	}
 	if spObjID == nil {
 		return nil
@@ -658,7 +619,7 @@ func (c *Cluster) deleteRoleAssignments(ctx context.Context, vnetResourceGroup,
 
 	roleAssignments, err := c.roleassignments.ListForResourceGroup(ctx, vnetResourceGroup, fmt.Sprintf("principalId eq '%s'", *spObjID))
 	if err != nil {
-		return err
+		return fmt.Errorf("error listing role assignments for service principal: %w", err)
 	}
 
 	for _, roleAssignment := range roleAssignments {
@@ -670,7 +631,7 @@ func (c *Cluster) deleteRoleAssignments(ctx context.Context, vnetResourceGroup,
 			c.log.Infof("deleting role assignment %s", *roleAssignment.Name)
 			_, err = c.roleassignments.Delete(ctx, *roleAssignment.Scope, *roleAssignment.Name)
 			if err != nil {
-				return err
+				return fmt.Errorf("error deleting role assignment %s: %w", *roleAssignment.Name, err)
 			}
 		}
 	}
@@ -678,6 +639,71 @@ func (c *Cluster) deleteRoleAssignments(ctx context.Context, vnetResourceGroup,
 	return nil
 }
 
+func (c *Cluster) deleteCluster(ctx context.Context, resourceGroup, clusterName string) error {
+	c.log.Printf("deleting cluster %s", clusterName)
+	if err := c.openshiftclustersv20200430.DeleteAndWait(ctx, resourceGroup, clusterName); err != nil {
+		return fmt.Errorf("error deleting cluster %s: %w", clusterName, err)
+	}
+	return nil
+}
+
+func (c *Cluster) deleteClusterResourceGroup(ctx context.Context, resourceGroup string) error {
+	if _, err := c.groups.Get(ctx, resourceGroup); err != nil {
+		c.log.Printf("error getting resource group %s, skipping deletion: %v", resourceGroup, err)
+		return nil
+	}
+
+	c.log.Printf("deleting resource group %s", resourceGroup)
+	if err := c.groups.DeleteAndWait(ctx, resourceGroup); err != nil {
+		return fmt.Errorf("error deleting resource group: %w", err)
+	}
+
+	return nil
+}
+
+func (c *Cluster) deleteVnetPeerings(ctx context.Context, resourceGroup string) error {
+	r, err := azure.ParseResourceID(c.ciParentVnet)
+	if err == nil {
+		err = c.ciParentVnetPeerings.DeleteAndWait(ctx, r.ResourceGroup, r.ResourceName, resourceGroup+"-peer")
+	}
+	if err != nil {
+		return fmt.Errorf("error deleting vnet peerings: %w", err)
+	}
+
+	return nil
+}
+
+func (c *Cluster) deleteDeployment(ctx context.Context, resourceGroup, clusterName string) error {
+	c.log.Info("deleting deployment")
+	if err := c.deployments.DeleteAndWait(ctx, resourceGroup, clusterName); err != nil {
+		return fmt.Errorf("error deleting deployment: %w", err)
+	}
+	return nil
+}
+
+func (c *Cluster) deleteVnetResources(ctx context.Context, resourceGroup, vnetName, clusterName string) error {
+	var errs []error
+
+	c.log.Info("deleting master/worker subnets")
+	if err := c.subnets.DeleteAndWait(ctx, resourceGroup, vnetName, clusterName+"-master"); err != nil {
+		c.log.Errorf("error when deleting master subnet: %v", err)
+		errs = append(errs, err)
+	}
+
+	if err := c.subnets.DeleteAndWait(ctx, resourceGroup, vnetName, clusterName+"-worker"); err != nil {
+		c.log.Errorf("error when deleting worker subnet: %v", err)
+		errs = append(errs, err)
+	}
+
+	c.log.Info("deleting route table")
+	if err := c.routetables.DeleteAndWait(ctx, resourceGroup, clusterName+"-rt"); err != nil {
+		c.log.Errorf("error when deleting route table: %v", err)
+		errs = append(errs, err)
+	}
+
+	return errors.Join(errs...)
+}
+
 func (c *Cluster) peerSubnetsToCI(ctx context.Context, vnetResourceGroup, clusterName string) error {
 	cluster := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/dev-vnet", c.env.SubscriptionID(), vnetResourceGroup)
 
diff --git a/pkg/util/mocks/azureclient/mgmt/authorization/authorization.go b/pkg/util/mocks/azureclient/mgmt/authorization/authorization.go
index ecab9c846..61f0e9ac8 100644
--- a/pkg/util/mocks/azureclient/mgmt/authorization/authorization.go
+++ b/pkg/util/mocks/azureclient/mgmt/authorization/authorization.go
@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization (interfaces: PermissionsClient,RoleAssignmentsClient,DenyAssignmentClient,RoleDefinitionsClient)
+// Source: github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization (interfaces: RoleAssignmentsClient,DenyAssignmentClient,RoleDefinitionsClient)
 
 // Package mock_authorization is a generated GoMock package.
 package mock_authorization
@@ -12,59 +12,6 @@ import (
 	gomock "github.com/golang/mock/gomock"
 )
 
-// MockPermissionsClient is a mock of PermissionsClient interface.
-type MockPermissionsClient struct {
-	ctrl     *gomock.Controller
-	recorder *MockPermissionsClientMockRecorder
-}
-
-// MockPermissionsClientMockRecorder is the mock recorder for MockPermissionsClient.
-type MockPermissionsClientMockRecorder struct {
-	mock *MockPermissionsClient
-}
-
-// NewMockPermissionsClient creates a new mock instance.
-func NewMockPermissionsClient(ctrl *gomock.Controller) *MockPermissionsClient {
-	mock := &MockPermissionsClient{ctrl: ctrl}
-	mock.recorder = &MockPermissionsClientMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockPermissionsClient) EXPECT() *MockPermissionsClientMockRecorder {
-	return m.recorder
-}
-
-// ListForResource mocks base method.
-func (m *MockPermissionsClient) ListForResource(arg0 context.Context, arg1, arg2, arg3, arg4, arg5 string) ([]authorization.Permission, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ListForResource", arg0, arg1, arg2, arg3, arg4, arg5)
-	ret0, _ := ret[0].([]authorization.Permission)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ListForResource indicates an expected call of ListForResource.
-func (mr *MockPermissionsClientMockRecorder) ListForResource(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListForResource", reflect.TypeOf((*MockPermissionsClient)(nil).ListForResource), arg0, arg1, arg2, arg3, arg4, arg5)
-}
-
-// ListForResourceGroup mocks base method.
-func (m *MockPermissionsClient) ListForResourceGroup(arg0 context.Context, arg1 string) ([]authorization.Permission, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ListForResourceGroup", arg0, arg1)
-	ret0, _ := ret[0].([]authorization.Permission)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ListForResourceGroup indicates an expected call of ListForResourceGroup.
-func (mr *MockPermissionsClientMockRecorder) ListForResourceGroup(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListForResourceGroup", reflect.TypeOf((*MockPermissionsClient)(nil).ListForResourceGroup), arg0, arg1)
-}
-
 // MockRoleAssignmentsClient is a mock of RoleAssignmentsClient interface.
 type MockRoleAssignmentsClient struct {
 	ctrl     *gomock.Controller
diff --git a/pkg/util/permissions/permissions.go b/pkg/util/permissions/permissions.go
deleted file mode 100644
index 29e3b72c4..000000000
--- a/pkg/util/permissions/permissions.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package permissions
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
-	"regexp"
-	"strings"
-
-	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
-)
-
-// CanDoAction returns true if a given action is granted by a set of permissions
-func CanDoAction(ps []mgmtauthorization.Permission, a string) (bool, error) {
-	for _, p := range ps {
-		var matched bool
-
-		for _, action := range *p.Actions {
-			action := regexp.QuoteMeta(action)
-			action = "(?i)^" + strings.ReplaceAll(action, `\*`, ".*") + "$"
-			rx, err := regexp.Compile(action)
-			if err != nil {
-				return false, err
-			}
-			if rx.MatchString(a) {
-				matched = true
-				break
-			}
-		}
-		if !matched {
-			continue
-		}
-
-		for _, notAction := range *p.NotActions {
-			notAction := regexp.QuoteMeta(notAction)
-			notAction = "(?i)^" + strings.ReplaceAll(notAction, `\*`, ".*") + "$"
-			rx, err := regexp.Compile(notAction)
-			if err != nil {
-				return false, err
-			}
-			if rx.MatchString(a) {
-				matched = false
-				break
-			}
-		}
-		if matched {
-			return true, nil
-		}
-	}
-
-	return false, nil
-}
diff --git a/pkg/util/permissions/permissions_test.go b/pkg/util/permissions/permissions_test.go
deleted file mode 100644
index 6a5ef2682..000000000
--- a/pkg/util/permissions/permissions_test.go
+++ /dev/null
@@ -1,92 +0,0 @@
-package permissions
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the Apache License 2.0.
-
-import (
-	"testing"
-
-	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
-)
-
-func TestCanDoAction(t *testing.T) {
-	tests := []struct {
-		name        string
-		permissions []mgmtauthorization.Permission
-		action      string
-		want        bool
-	}{
-		{
-			name:   "empty permissions list",
-			action: "Microsoft.Network/virtualNetworks/subnets/join/action",
-		},
-		{
-			name: "has permission - exact",
-			permissions: []mgmtauthorization.Permission{
-				{
-					Actions:    &[]string{"Microsoft.Compute/virtualMachines/*"},
-					NotActions: &[]string{},
-				},
-				{
-					Actions:    &[]string{"Microsoft.Network/virtualNetworks/subnets/join/action"},
-					NotActions: &[]string{},
-				},
-			},
-			action: "Microsoft.Network/virtualNetworks/subnets/join/action",
-			want:   true,
-		},
-		{
-			name: "has permission - wildcard",
-			permissions: []mgmtauthorization.Permission{{
-				Actions:    &[]string{"Microsoft.Network/virtualNetworks/subnets/*/action"},
-				NotActions: &[]string{},
-			}},
-			action: "Microsoft.Network/virtualNetworks/subnets/join/action",
-			want:   true,
-		},
-		{
-			name: "has permission - exact, conflict",
-			permissions: []mgmtauthorization.Permission{
-				{
-					Actions:    &[]string{"Microsoft.Network/virtualNetworks/subnets/join/action"},
-					NotActions: &[]string{},
-				},
-				{
-					Actions:    &[]string{},
-					NotActions: &[]string{"Microsoft.Network/virtualNetworks/subnets/join/action"},
-				},
-			},
-			action: "Microsoft.Network/virtualNetworks/subnets/join/action",
-			want:   true,
-		},
-		{
-			name: "has permission excluded - exact",
-			permissions: []mgmtauthorization.Permission{{
-				Actions:    &[]string{"Microsoft.Network/*"},
-				NotActions: &[]string{"Microsoft.Network/virtualNetworks/subnets/join/action"},
-			}},
-			action: "Microsoft.Network/virtualNetworks/subnets/join/action",
-		},
-		{
-			name: "has permission excluded - wildcard",
-			permissions: []mgmtauthorization.Permission{{
-				Actions:    &[]string{"Microsoft.Network/*"},
-				NotActions: &[]string{"Microsoft.Network/virtualNetworks/subnets/*/action"},
-			}},
-			action: "Microsoft.Network/virtualNetworks/subnets/join/action",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			ok, err := CanDoAction(test.permissions, test.action)
-			if err != nil {
-				t.Fatalf("unexpected error: %#v", err)
-			}
-
-			if ok != test.want {
-				t.Errorf("expected result %#v, got %#v", test.want, ok)
-			}
-		})
-	}
-}
diff --git a/pkg/validate/dynamic/diskencryptionset_test.go b/pkg/validate/dynamic/diskencryptionset_test.go
index 3b684ff21..da208e83f 100644
--- a/pkg/validate/dynamic/diskencryptionset_test.go
+++ b/pkg/validate/dynamic/diskencryptionset_test.go
@@ -11,7 +11,6 @@ import (
 	"testing"
 
 	mgmtcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2020-06-01/compute"
-	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
 	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
@@ -19,7 +18,10 @@ import (
 	"github.com/sirupsen/logrus"
 
 	"github.com/Azure/ARO-RP/pkg/api"
-	mock_authorization "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/mgmt/authorization"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/authz/remotepdp"
+	mock_remotepdp "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/authz/remotepdp"
+	mock_azcore "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/azuresdk/azcore"
 	mock_compute "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/mgmt/compute"
 	utilerror "github.com/Azure/ARO-RP/test/util/error"
 )
@@ -44,10 +46,11 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 
 		t.Run(string(authorizerType), func(t *testing.T) {
 			for _, tt := range []struct {
-				name    string
-				oc      *api.OpenShiftCluster
-				mocks   func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc)
-				wantErr string
+				name        string
+				oc          *api.OpenShiftCluster
+				actionInfos []remotepdp.ActionInfo
+				mocks       func(*mock_compute.MockDiskEncryptionSetsClient, *mock_remotepdp.MockRemotePDPClient, *mock_azcore.MockTokenCredential, context.CancelFunc)
+				wantErr     string
 			}{
 				{
 					name: "no disk encryption set provided",
@@ -66,13 +69,11 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							Return(validDiskEncryptionAuthorizationDecision, nil)
 						diskEncryptionSets.EXPECT().
 							Get(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.ResourceName).
 							Return(mgmtcompute.DiskEncryptionSet{Location: to.StringPtr("eastus")}, nil)
@@ -91,13 +92,11 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							Return(validDiskEncryptionAuthorizationDecision, nil)
 						diskEncryptionSets.EXPECT().
 							Get(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.ResourceName).
 							Return(mgmtcompute.DiskEncryptionSet{Location: to.StringPtr("eastus")}, nil)
@@ -116,19 +115,21 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR2.ResourceGroup, fakeDesR2.Provider, "", fakeDesR2.ResourceType, fakeDesR2.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							DoAndReturn(func(_ context.Context, authReq remotepdp.AuthorizationRequest) (*remotepdp.AuthorizationDecisionResponse, error) {
+								cancel() // wait.PollImmediateUntil will always be invoked at least once
+								switch authReq.Resource.Id {
+								case fakeDesR1.String():
+									return validDiskEncryptionAuthorizationDecision, nil
+								case fakeDesR2.String():
+									return validDiskEncryptionAuthorizationDecision, nil
+								}
+								return invalidDiskEncryptionAuthorizationDecisionsReadNotAllowed, nil
+							},
+							).AnyTimes()
 						diskEncryptionSets.EXPECT().
 							Get(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.ResourceName).
 							Return(mgmtcompute.DiskEncryptionSet{Location: to.StringPtr("eastus")}, nil)
@@ -150,13 +151,11 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							Return(validDiskEncryptionAuthorizationDecision, nil)
 						diskEncryptionSets.EXPECT().
 							Get(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.ResourceName).
 							Return(mgmtcompute.DiskEncryptionSet{}, autorest.DetailedError{StatusCode: http.StatusNotFound})
@@ -176,9 +175,10 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
 							Return(nil, errors.New("fakeerr"))
 					},
 					wantErr: "fakeerr",
@@ -196,13 +196,11 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							Return(validDiskEncryptionAuthorizationDecision, nil)
 						diskEncryptionSets.EXPECT().
 							Get(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.ResourceName).
 							Return(mgmtcompute.DiskEncryptionSet{}, errors.New("fakeerr"))
@@ -222,10 +220,11 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Do(func(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) {
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							Do(func(arg0, arg1 interface{}) {
 								cancel()
 							})
 					},
@@ -244,16 +243,21 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR2.ResourceGroup, fakeDesR2.Provider, "", fakeDesR2.ResourceType, fakeDesR2.ResourceName).
-							Return(nil, autorest.DetailedError{StatusCode: http.StatusNotFound})
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							DoAndReturn(func(_ context.Context, authReq remotepdp.AuthorizationRequest) (*remotepdp.AuthorizationDecisionResponse, error) {
+								cancel() // wait.PollImmediateUntil will always be invoked at least once
+								switch authReq.Resource.Id {
+								case fakeDesR1.String():
+									return validDiskEncryptionAuthorizationDecision, nil
+								case fakeDesR2.String():
+									return nil, autorest.DetailedError{StatusCode: http.StatusNotFound}
+								}
+								return invalidDiskEncryptionAuthorizationDecisionsReadNotAllowed, nil
+							},
+							).AnyTimes()
 						diskEncryptionSets.EXPECT().
 							Get(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.ResourceName).
 							Return(mgmtcompute.DiskEncryptionSet{Location: to.StringPtr("eastus")}, nil)
@@ -273,13 +277,11 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 							}},
 						},
 					},
-					mocks: func(permissions *mock_authorization.MockPermissionsClient, diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, cancel context.CancelFunc) {
-						permissions.EXPECT().
-							ListForResource(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.Provider, "", fakeDesR1.ResourceType, fakeDesR1.ResourceName).
-							Return([]mgmtauthorization.Permission{{
-								Actions:    &[]string{"Microsoft.Compute/diskEncryptionSets/read"},
-								NotActions: &[]string{},
-							}}, nil)
+					mocks: func(diskEncryptionSets *mock_compute.MockDiskEncryptionSetsClient, pdpClient *mock_remotepdp.MockRemotePDPClient, tokenCred *mock_azcore.MockTokenCredential, cancel context.CancelFunc) {
+						mockTokenCredential(tokenCred)
+						pdpClient.EXPECT().
+							CheckAccess(gomock.Any(), gomock.Any()).
+							Return(validDiskEncryptionAuthorizationDecision, nil)
 						diskEncryptionSets.EXPECT().
 							Get(gomock.Any(), fakeDesR1.ResourceGroup, fakeDesR1.ResourceName).
 							Return(mgmtcompute.DiskEncryptionSet{Location: to.StringPtr("westeurope")}, nil)
@@ -294,18 +296,21 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 					controller := gomock.NewController(t)
 					defer controller.Finish()
 
-					permissionsClient := mock_authorization.NewMockPermissionsClient(controller)
 					diskEncryptionSetsClient := mock_compute.NewMockDiskEncryptionSetsClient(controller)
+					tokenCred := mock_azcore.NewMockTokenCredential(controller)
+					remotePDPClient := mock_remotepdp.NewMockRemotePDPClient(controller)
 
 					if tt.mocks != nil {
-						tt.mocks(permissionsClient, diskEncryptionSetsClient, cancel)
+						tt.mocks(diskEncryptionSetsClient, remotePDPClient, tokenCred, cancel)
 					}
 
 					dv := &dynamic{
-						authorizerType:     authorizerType,
-						log:                logrus.NewEntry(logrus.StandardLogger()),
-						permissions:        permissionsClient,
-						diskEncryptionSets: diskEncryptionSetsClient,
+						azEnv:                      &azureclient.PublicCloud,
+						authorizerType:             authorizerType,
+						log:                        logrus.NewEntry(logrus.StandardLogger()),
+						diskEncryptionSets:         diskEncryptionSetsClient,
+						pdpClient:                  remotePDPClient,
+						checkAccessSubjectInfoCred: tokenCred,
 					}
 
 					err := dv.ValidateDiskEncryptionSets(ctx, tt.oc)
@@ -315,3 +320,22 @@ func TestValidateDiskEncryptionSets(t *testing.T) {
 		})
 	}
 }
+
+var (
+	invalidDiskEncryptionAuthorizationDecisionsReadNotAllowed = &remotepdp.AuthorizationDecisionResponse{
+		Value: []remotepdp.AuthorizationDecision{
+			{
+				ActionId:       "Microsoft.Compute/diskEncryptionSets/read",
+				AccessDecision: remotepdp.NotAllowed,
+			},
+		},
+	}
+	validDiskEncryptionAuthorizationDecision = &remotepdp.AuthorizationDecisionResponse{
+		Value: []remotepdp.AuthorizationDecision{
+			{
+				ActionId:       "Microsoft.Compute/diskEncryptionSets/read",
+				AccessDecision: remotepdp.Allowed,
+			},
+		},
+	}
+)
diff --git a/pkg/validate/dynamic/dynamic.go b/pkg/validate/dynamic/dynamic.go
index b8d28671d..ba87cfa16 100644
--- a/pkg/validate/dynamic/dynamic.go
+++ b/pkg/validate/dynamic/dynamic.go
@@ -25,11 +25,8 @@ import (
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/authz/remotepdp"
-	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/compute"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/network"
-	"github.com/Azure/ARO-RP/pkg/util/permissions"
-	"github.com/Azure/ARO-RP/pkg/util/steps"
 	"github.com/Azure/ARO-RP/pkg/util/token"
 )
 
@@ -87,7 +84,6 @@ type dynamic struct {
 	env                        env.Interface
 	azEnv                      *azureclient.AROEnvironment
 
-	permissions                           authorization.PermissionsClient
 	virtualNetworks                       virtualNetworksGetClient
 	diskEncryptionSets                    compute.DiskEncryptionSetsClient
 	resourceSkusClient                    compute.ResourceSkusClient
@@ -125,7 +121,6 @@ func NewValidator(
 
 		spComputeUsage: compute.NewUsageClient(azEnv, subscriptionID, authorizer),
 		spNetworkUsage: network.NewUsageClient(azEnv, subscriptionID, authorizer),
-		permissions:    authorization.NewPermissionsClient(azEnv, subscriptionID, authorizer),
 		virtualNetworks: newVirtualNetworksCache(
 			network.NewVirtualNetworksClient(azEnv, subscriptionID, authorizer),
 		),
@@ -397,12 +392,8 @@ func (dv *dynamic) validateActions(ctx context.Context, r *azure.Resource, actio
 	defer cancel()
 
 	c := closure{dv: dv, ctx: ctx, resource: r, actions: actions}
-	conditionalFunc := c.usingListPermissions
-	if dv.pdpClient != nil {
-		conditionalFunc = c.usingCheckAccessV2
-	}
 
-	return wait.PollImmediateUntil(30*time.Second, conditionalFunc, timeoutCtx.Done())
+	return wait.PollImmediateUntil(30*time.Second, c.usingCheckAccessV2, timeoutCtx.Done())
 }
 
 // closure is the closure used in PollImmediateUntil's ConditionalFunc
@@ -414,47 +405,8 @@ type closure struct {
 	oid      *string
 }
 
-// usingListPermissions is how the current check is done
-func (c closure) usingListPermissions() (bool, error) {
-	c.dv.log.Debug("retry validateActions with ListPermissions")
-	perms, err := c.dv.permissions.ListForResource(
-		c.ctx,
-		c.resource.ResourceGroup,
-		c.resource.Provider,
-		"",
-		c.resource.ResourceType,
-		c.resource.ResourceName,
-	)
-	if err != nil {
-		return false, err
-	}
-
-	// If we get a StatusForbidden, try refreshing the SP (since with a
-	// brand-new SP it might take time to propagate)
-	if detailedErr, ok := err.(autorest.DetailedError); ok &&
-		detailedErr.StatusCode == http.StatusForbidden {
-		return false, steps.ErrWantRefresh
-	}
-	if err != nil {
-		return false, err
-	}
-
-	for _, action := range c.actions {
-		ok, err := permissions.CanDoAction(perms, action)
-		if !ok || err != nil {
-			// TODO(jminter): I don't understand if there are genuinely
-			// cases where CanDoAction can return false then true shortly
-			// after. I'm a little skeptical; if it can't happen we can
-			// simplify this code.  We should add a metric on this.
-			return false, err
-		}
-	}
-	return true, nil
-}
-
 // usingCheckAccessV2 uses the new RBAC checkAccessV2 API
 func (c closure) usingCheckAccessV2() (bool, error) {
-	// TODO remove this when fully migrated to CheckAccess
 	c.dv.log.Info("validateActions with CheckAccessV2")
 
 	// reusing oid during retries
diff --git a/pkg/validate/dynamic/dynamic_test.go b/pkg/validate/dynamic/dynamic_test.go
index 50e9911f8..540b9a264 100644
--- a/pkg/validate/dynamic/dynamic_test.go
+++ b/pkg/validate/dynamic/dynamic_test.go
@@ -7,14 +7,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/http"
 	"testing"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	mgmtnetwork "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2020-08-01/network"
-	mgmtauthorization "github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-09-01-preview/authorization"
-	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/golang/mock/gomock"
@@ -25,7 +22,6 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/authz/remotepdp"
 	mock_remotepdp "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/authz/remotepdp"
 	mock_azcore "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/azuresdk/azcore"
-	mock_authorization "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/mgmt/authorization"
 	mock_network "github.com/Azure/ARO-RP/pkg/util/mocks/azureclient/mgmt/network"
 	utilerror "github.com/Azure/ARO-RP/test/util/error"
 )
@@ -48,122 +44,6 @@ var (
 	workerNSGv1       = resourceGroupID + "/providers/Microsoft.Network/networkSecurityGroups/aro-node-nsg"
 )
 
-func TestValidateVnetPermissions(t *testing.T) {
-	ctx := context.Background()
-
-	resourceType := "virtualNetworks"
-	resourceProvider := "Microsoft.Network"
-
-	for _, tt := range []struct {
-		name    string
-		mocks   func(*mock_authorization.MockPermissionsClient, context.CancelFunc)
-		wantErr string
-	}{
-		{
-			name: "pass",
-			mocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, resourceProvider, "", resourceType, vnetName).
-					Return([]mgmtauthorization.Permission{
-						{
-							Actions: &[]string{
-								"Microsoft.Network/virtualNetworks/join/action",
-								"Microsoft.Network/virtualNetworks/read",
-								"Microsoft.Network/virtualNetworks/write",
-								"Microsoft.Network/virtualNetworks/subnets/join/action",
-								"Microsoft.Network/virtualNetworks/subnets/read",
-								"Microsoft.Network/virtualNetworks/subnets/write",
-							},
-							NotActions: &[]string{},
-						},
-					}, nil)
-			},
-		},
-		{
-			name: "fail: missing permissions",
-			mocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, resourceProvider, "", resourceType, vnetName).
-					Do(func(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) {
-						cancel()
-					}).
-					Return(
-						[]mgmtauthorization.Permission{
-							{
-								Actions:    &[]string{},
-								NotActions: &[]string{},
-							},
-						},
-						nil,
-					)
-			},
-			wantErr: "400: InvalidServicePrincipalPermissions: : The cluster service principal (Application ID: fff51942-b1f9-4119-9453-aaa922259eb7) does not have Network Contributor role on vnet '" + vnetID + "'.",
-		},
-		{
-			name: "fail: not found",
-			mocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, resourceProvider, "", resourceType, vnetName).
-					Do(func(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) {
-						cancel()
-					}).
-					Return(
-						nil,
-						autorest.DetailedError{
-							StatusCode: http.StatusNotFound,
-						},
-					)
-			},
-			wantErr: "400: InvalidLinkedVNet: : The vnet '" + vnetID + "' could not be found.",
-		},
-		{
-			name: "fail: fp/sp has no permission on the target vnet (forbidden error)",
-			mocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, resourceProvider, "", resourceType, vnetName).
-					Do(func(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) {
-						cancel()
-					}).
-					Return(
-						nil,
-						autorest.DetailedError{
-							StatusCode: http.StatusForbidden,
-							Message:    "some forbidden error on the resource.",
-						},
-					)
-			},
-
-			wantErr: "400: InvalidServicePrincipalPermissions: : The cluster service principal (Application ID: fff51942-b1f9-4119-9453-aaa922259eb7) does not have Network Contributor role on vnet '" + vnetID + "'.\nOriginal error message: some forbidden error on the resource.",
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			controller := gomock.NewController(t)
-			defer controller.Finish()
-
-			ctx, cancel := context.WithCancel(ctx)
-			defer cancel()
-
-			permissionsClient := mock_authorization.NewMockPermissionsClient(controller)
-			tt.mocks(permissionsClient, cancel)
-
-			dv := &dynamic{
-				appID:          "fff51942-b1f9-4119-9453-aaa922259eb7",
-				authorizerType: AuthorizerClusterServicePrincipal,
-				log:            logrus.NewEntry(logrus.StandardLogger()),
-				permissions:    permissionsClient,
-			}
-
-			vnetr, err := azure.ParseResourceID(vnetID)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			err = dv.validateVnetPermissions(ctx, vnetr)
-			utilerror.AssertErrorMessage(t, err, tt.wantErr)
-		})
-	}
-}
-
 func TestGetRouteTableID(t *testing.T) {
 	for _, tt := range []struct {
 		name       string
@@ -272,324 +152,6 @@ func TestGetNatGatewayID(t *testing.T) {
 	}
 }
 
-func TestValidateRouteTablesPermissions(t *testing.T) {
-	ctx := context.Background()
-
-	for _, tt := range []struct {
-		name            string
-		subnet          Subnet
-		permissionMocks func(*mock_authorization.MockPermissionsClient, context.CancelFunc)
-		vnetMocks       func(*mock_network.MockVirtualNetworksClient, mgmtnetwork.VirtualNetwork)
-		wantErr         string
-	}{
-		{
-			name:   "fail: failed to get vnet",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, errors.New("failed to get vnet"))
-			},
-			wantErr: "failed to get vnet",
-		},
-		{
-			name:   "fail: master subnet doesn't exist",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnet.Subnets = nil
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			wantErr: "400: InvalidLinkedVNet: : The provided subnet '" + masterSubnet + "' could not be found.",
-		},
-		{
-			name:   "fail: worker subnet ID doesn't exist",
-			subnet: Subnet{ID: workerSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				(*vnet.Subnets)[1].ID = to.StringPtr("not valid")
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			wantErr: "400: InvalidLinkedVNet: : The provided subnet '" + workerSubnet + "' could not be found.",
-		},
-		{
-			name:   "fail: permissions don't exist",
-			subnet: Subnet{ID: workerSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			permissionMocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, "Microsoft.Network", "", "routeTables", gomock.Any()).
-					Do(func(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) {
-						cancel()
-					}).
-					Return(
-						[]mgmtauthorization.Permission{
-							{
-								Actions:    &[]string{},
-								NotActions: &[]string{},
-							},
-						},
-						nil,
-					)
-			},
-			wantErr: "400: InvalidServicePrincipalPermissions: : The cluster service principal does not have Network Contributor role on route table '" + workerRtID + "'.",
-		},
-		{
-			name:   "pass",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			permissionMocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, "Microsoft.Network", "", "routeTables", gomock.Any()).
-					AnyTimes().
-					Return([]mgmtauthorization.Permission{
-						{
-							Actions: &[]string{
-								"Microsoft.Network/routeTables/join/action",
-								"Microsoft.Network/routeTables/read",
-								"Microsoft.Network/routeTables/write",
-							},
-							NotActions: &[]string{},
-						},
-					}, nil)
-			},
-		},
-		{
-			name:   "pass: no route table to check",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				(*vnet.Subnets)[0].RouteTable = nil
-				(*vnet.Subnets)[1].RouteTable = nil
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			controller := gomock.NewController(t)
-			defer controller.Finish()
-
-			ctx, cancel := context.WithCancel(ctx)
-			defer cancel()
-
-			permissionsClient := mock_authorization.NewMockPermissionsClient(controller)
-			vnetClient := mock_network.NewMockVirtualNetworksClient(controller)
-
-			vnet := &mgmtnetwork.VirtualNetwork{
-				ID: &vnetID,
-				VirtualNetworkPropertiesFormat: &mgmtnetwork.VirtualNetworkPropertiesFormat{
-					Subnets: &[]mgmtnetwork.Subnet{
-						{
-							ID: &masterSubnet,
-							SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
-								RouteTable: &mgmtnetwork.RouteTable{
-									ID: &masterRtID,
-								},
-							},
-						},
-						{
-							ID: &workerSubnet,
-							SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
-								RouteTable: &mgmtnetwork.RouteTable{
-									ID: &workerRtID,
-								},
-							},
-						},
-					},
-				},
-			}
-
-			dv := &dynamic{
-				authorizerType:  AuthorizerClusterServicePrincipal,
-				log:             logrus.NewEntry(logrus.StandardLogger()),
-				permissions:     permissionsClient,
-				virtualNetworks: vnetClient,
-			}
-
-			if tt.permissionMocks != nil {
-				tt.permissionMocks(permissionsClient, cancel)
-			}
-
-			if tt.vnetMocks != nil {
-				tt.vnetMocks(vnetClient, *vnet)
-			}
-
-			err := dv.validateRouteTablePermissions(ctx, tt.subnet)
-			utilerror.AssertErrorMessage(t, err, tt.wantErr)
-		})
-	}
-}
-
-func TestValidateNatGatewaysPermissions(t *testing.T) {
-	ctx := context.Background()
-
-	for _, tt := range []struct {
-		name            string
-		subnet          Subnet
-		permissionMocks func(*mock_authorization.MockPermissionsClient, context.CancelFunc)
-		vnetMocks       func(*mock_network.MockVirtualNetworksClient, mgmtnetwork.VirtualNetwork)
-		wantErr         string
-	}{
-		{
-			name:   "fail: failed to get vnet",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, errors.New("failed to get vnet"))
-			},
-			wantErr: "failed to get vnet",
-		},
-		{
-			name:   "fail: master subnet doesn't exist",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnet.Subnets = nil
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			wantErr: "400: InvalidLinkedVNet: : The provided subnet '" + masterSubnet + "' could not be found.",
-		},
-		{
-			name:   "fail: worker subnet ID doesn't exist",
-			subnet: Subnet{ID: workerSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				(*vnet.Subnets)[1].ID = to.StringPtr("not valid")
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			wantErr: "400: InvalidLinkedVNet: : The provided subnet '" + workerSubnet + "' could not be found.",
-		},
-		{
-			name:   "fail: permissions don't exist",
-			subnet: Subnet{ID: workerSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			permissionMocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, "Microsoft.Network", "", "natGateways", gomock.Any()).
-					Do(func(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) {
-						cancel()
-					}).
-					Return(
-						[]mgmtauthorization.Permission{
-							{
-								Actions:    &[]string{},
-								NotActions: &[]string{},
-							},
-						},
-						nil,
-					)
-			},
-			wantErr: "400: InvalidServicePrincipalPermissions: : The cluster service principal does not have Network Contributor role on nat gateway '" + workerNgID + "'.",
-		},
-		{
-			name:   "pass",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-			permissionMocks: func(permissionsClient *mock_authorization.MockPermissionsClient, cancel context.CancelFunc) {
-				permissionsClient.EXPECT().
-					ListForResource(gomock.Any(), resourceGroupName, "Microsoft.Network", "", "natGateways", gomock.Any()).
-					AnyTimes().
-					Return([]mgmtauthorization.Permission{
-						{
-							Actions: &[]string{
-								"Microsoft.Network/natGateways/join/action",
-								"Microsoft.Network/natGateways/read",
-								"Microsoft.Network/natGateways/write",
-							},
-							NotActions: &[]string{},
-						},
-					}, nil)
-			},
-		},
-		{
-			name:   "pass: no nat gateway to check",
-			subnet: Subnet{ID: masterSubnet},
-			vnetMocks: func(vnetClient *mock_network.MockVirtualNetworksClient, vnet mgmtnetwork.VirtualNetwork) {
-				(*vnet.Subnets)[0].NatGateway = nil
-				(*vnet.Subnets)[1].NatGateway = nil
-				vnetClient.EXPECT().
-					Get(gomock.Any(), resourceGroupName, vnetName, "").
-					Return(vnet, nil)
-			},
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			controller := gomock.NewController(t)
-			defer controller.Finish()
-
-			ctx, cancel := context.WithCancel(ctx)
-			defer cancel()
-
-			permissionsClient := mock_authorization.NewMockPermissionsClient(controller)
-			vnetClient := mock_network.NewMockVirtualNetworksClient(controller)
-
-			vnet := &mgmtnetwork.VirtualNetwork{
-				ID: &vnetID,
-				VirtualNetworkPropertiesFormat: &mgmtnetwork.VirtualNetworkPropertiesFormat{
-					Subnets: &[]mgmtnetwork.Subnet{
-						{
-							ID: &masterSubnet,
-							SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
-								NatGateway: &mgmtnetwork.SubResource{
-									ID: &masterNgID,
-								},
-							},
-						},
-						{
-							ID: &workerSubnet,
-							SubnetPropertiesFormat: &mgmtnetwork.SubnetPropertiesFormat{
-								NatGateway: &mgmtnetwork.SubResource{
-									ID: &workerNgID,
-								},
-							},
-						},
-					},
-				},
-			}
-
-			dv := &dynamic{
-				authorizerType:  AuthorizerClusterServicePrincipal,
-				log:             logrus.NewEntry(logrus.StandardLogger()),
-				permissions:     permissionsClient,
-				virtualNetworks: vnetClient,
-			}
-
-			if tt.permissionMocks != nil {
-				tt.permissionMocks(permissionsClient, cancel)
-			}
-
-			if tt.vnetMocks != nil {
-				tt.vnetMocks(vnetClient, *vnet)
-			}
-
-			err := dv.validateNatGatewayPermissions(ctx, tt.subnet)
-			utilerror.AssertErrorMessage(t, err, tt.wantErr)
-		})
-	}
-}
-
 func TestValidateCIDRRanges(t *testing.T) {
 	ctx := context.Background()
 
@@ -1131,7 +693,7 @@ func mockTokenCredential(tokenCred *mock_azcore.MockTokenCredential) {
 		Return(mockAccessToken, nil)
 }
 
-func TestValidateVnetPermissionsWithCheckAccess(t *testing.T) {
+func TestValidateVnetPermissions(t *testing.T) {
 	ctx := context.Background()
 
 	for _, tt := range []struct {
@@ -1289,7 +851,7 @@ var (
 	}
 )
 
-func TestValidateRouteTablesPermissionsWithCheckAccess(t *testing.T) {
+func TestValidateRouteTablesPermissions(t *testing.T) {
 	ctx := context.Background()
 
 	for _, tt := range []struct {
@@ -1504,7 +1066,7 @@ var (
 	}
 )
 
-func TestValidateNatGatewaysPermissionsWithCheckAccess(t *testing.T) {
+func TestValidateNatGatewaysPermissions(t *testing.T) {
 	ctx := context.Background()
 
 	for _, tt := range []struct {
diff --git a/pkg/validate/openshiftcluster_validatedynamic.go b/pkg/validate/openshiftcluster_validatedynamic.go
index 46fccef48..0e878caf0 100644
--- a/pkg/validate/openshiftcluster_validatedynamic.go
+++ b/pkg/validate/openshiftcluster_validatedynamic.go
@@ -19,7 +19,6 @@ import (
 	"github.com/Azure/ARO-RP/pkg/api"
 	"github.com/Azure/ARO-RP/pkg/env"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/authz/remotepdp"
-	"github.com/Azure/ARO-RP/pkg/util/feature"
 	"github.com/Azure/ARO-RP/pkg/validate/dynamic"
 )
 
@@ -134,20 +133,12 @@ func (dv *openShiftClusterDynamicValidator) Dynamic(ctx context.Context) error {
 		return err
 	}
 
-	if useCheckAccess || feature.IsRegisteredForFeature(
-		dv.subscriptionDoc.Subscription.Properties,
-		api.FeatureFlagCheckAccessTestToggle,
-	) {
-		// TODO remove after successfully migrating to CheckAccess
-		dv.log.Info("Using CheckAccess instead of ListPermissions")
-
-		aroEnv := dv.env.Environment()
-		pdpClient = remotepdp.NewRemotePDPClient(
-			fmt.Sprintf(aroEnv.Endpoint, dv.env.Location()),
-			aroEnv.OAuthScope,
-			fpClientCred,
-		)
-	}
+	aroEnv := dv.env.Environment()
+	pdpClient = remotepdp.NewRemotePDPClient(
+		fmt.Sprintf(aroEnv.Endpoint, dv.env.Location()),
+		aroEnv.OAuthScope,
+		fpClientCred,
+	)
 
 	scopes := []string{dv.env.Environment().ResourceManagerScope}
 	err = ensureAccessTokenClaims(ctx, spClientCred, scopes)
diff --git a/test/util/clienthelper/hookclient.go b/test/util/clienthelper/hookclient.go
index 49b988adf..767e6c90d 100644
--- a/test/util/clienthelper/hookclient.go
+++ b/test/util/clienthelper/hookclient.go
@@ -18,59 +18,110 @@ type hookFunc func(obj client.Object) error
 type HookingClient struct {
 	f client.WithWatch
 
-	getHook    []getFunc
-	deleteHook []hookFunc
-	createHook []hookFunc
-	updateHook []hookFunc
-	patchHook  []hookFunc
+	preGetHook    []getFunc
+	preDeleteHook []hookFunc
+	preCreateHook []hookFunc
+	preUpdateHook []hookFunc
+	prePatchHook  []hookFunc
+
+	postGetHook    []getFunc
+	postDeleteHook []hookFunc
+	postCreateHook []hookFunc
+	postUpdateHook []hookFunc
+	postPatchHook  []hookFunc
 }
 
 var _ client.Client = &HookingClient{}
 
-// NewHookingClient creates a
+// NewHookingClient creates a client which allows hooks to be added before and
+// after the client event. Errors returned in the hooks are returned to the
+// caller directly, to simulate issues such as disconnections or errors.
+// Prehooks that cause errors will cause the underlying wrapped client to not be
+// called.
 func NewHookingClient(c client.WithWatch) *HookingClient {
 	return &HookingClient{
-		f:          c,
-		getHook:    []getFunc{},
-		deleteHook: []hookFunc{},
-		createHook: []hookFunc{},
-		updateHook: []hookFunc{},
-		patchHook:  []hookFunc{},
+		f:             c,
+		preGetHook:    []getFunc{},
+		preDeleteHook: []hookFunc{},
+		preCreateHook: []hookFunc{},
+		preUpdateHook: []hookFunc{},
+		prePatchHook:  []hookFunc{},
+
+		postGetHook:    []getFunc{},
+		postDeleteHook: []hookFunc{},
+		postCreateHook: []hookFunc{},
+		postUpdateHook: []hookFunc{},
+		postPatchHook:  []hookFunc{},
 	}
 }
 
 func (c *HookingClient) WithGetHook(f getFunc) *HookingClient {
-	c.getHook = append(c.getHook, f)
+	c.postGetHook = append(c.postGetHook, f)
 	return c
 }
 
 func (c *HookingClient) WithDeleteHook(f hookFunc) *HookingClient {
-	c.deleteHook = append(c.deleteHook, f)
+	c.postDeleteHook = append(c.postDeleteHook, f)
 	return c
 }
 
 func (c *HookingClient) WithCreateHook(f hookFunc) *HookingClient {
-	c.createHook = append(c.createHook, f)
+	c.postCreateHook = append(c.postCreateHook, f)
 	return c
 }
 func (c *HookingClient) WithUpdateHook(f hookFunc) *HookingClient {
-	c.updateHook = append(c.updateHook, f)
+	c.postUpdateHook = append(c.postUpdateHook, f)
 	return c
 }
 func (c *HookingClient) WithPatchHook(f hookFunc) *HookingClient {
-	c.patchHook = append(c.patchHook, f)
+	c.postPatchHook = append(c.postPatchHook, f)
+	return c
+}
+
+func (c *HookingClient) WithPreGetHook(f getFunc) *HookingClient {
+	c.preGetHook = append(c.preGetHook, f)
+	return c
+}
+
+func (c *HookingClient) WithPreDeleteHook(f hookFunc) *HookingClient {
+	c.preDeleteHook = append(c.preDeleteHook, f)
+	return c
+}
+
+func (c *HookingClient) WithPreCreateHook(f hookFunc) *HookingClient {
+	c.preCreateHook = append(c.preCreateHook, f)
+	return c
+}
+func (c *HookingClient) WithPreUpdateHook(f hookFunc) *HookingClient {
+	c.preUpdateHook = append(c.preUpdateHook, f)
+	return c
+}
+func (c *HookingClient) WithPrePatchHook(f hookFunc) *HookingClient {
+	c.prePatchHook = append(c.prePatchHook, f)
 	return c
 }
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Reader.Get]
 func (c *HookingClient) Get(ctx context.Context, key client.ObjectKey, obj client.Object) error {
-	for _, h := range c.getHook {
+	for _, h := range c.preGetHook {
 		err := h(key, obj)
 		if err != nil {
 			return err
 		}
 	}
-	return c.f.Get(ctx, key, obj)
+
+	err := c.f.Get(ctx, key, obj)
+	if err != nil {
+		return err
+	}
+
+	for _, h := range c.postGetHook {
+		err := h(key, obj)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Reader.List]
@@ -85,24 +136,48 @@ func (c *HookingClient) Watch(ctx context.Context, list client.ObjectList, opts
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Writer.Create]
 func (c *HookingClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
-	for _, h := range c.createHook {
+	for _, h := range c.preCreateHook {
 		err := h(obj)
 		if err != nil {
 			return err
 		}
 	}
-	return c.f.Create(ctx, obj, opts...)
+
+	err := c.f.Create(ctx, obj, opts...)
+	if err != nil {
+		return err
+	}
+
+	for _, h := range c.postCreateHook {
+		err := h(obj)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Writer.Delete]
 func (c *HookingClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error {
-	for _, h := range c.deleteHook {
+	for _, h := range c.preDeleteHook {
 		err := h(obj)
 		if err != nil {
 			return err
 		}
 	}
-	return c.f.Delete(ctx, obj, opts...)
+
+	err := c.f.Delete(ctx, obj, opts...)
+	if err != nil {
+		return err
+	}
+
+	for _, h := range c.postDeleteHook {
+		err := h(obj)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Writer.DeleteAllOf]
@@ -112,24 +187,48 @@ func (c *HookingClient) DeleteAllOf(ctx context.Context, obj client.Object, opts
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Writer.Update]
 func (c *HookingClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error {
-	for _, h := range c.updateHook {
+	for _, h := range c.preUpdateHook {
 		err := h(obj)
 		if err != nil {
 			return err
 		}
 	}
-	return c.f.Update(ctx, obj, opts...)
+
+	err := c.f.Update(ctx, obj, opts...)
+	if err != nil {
+		return err
+	}
+
+	for _, h := range c.postUpdateHook {
+		err := h(obj)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Writer.Patch]
 func (c *HookingClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error {
-	for _, h := range c.patchHook {
+	for _, h := range c.prePatchHook {
 		err := h(obj)
 		if err != nil {
 			return err
 		}
 	}
-	return c.f.Patch(ctx, obj, patch, opts...)
+
+	err := c.f.Patch(ctx, obj, patch, opts...)
+	if err != nil {
+		return err
+	}
+
+	for _, h := range c.postPatchHook {
+		err := h(obj)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 // See [sigs.k8s.io/controller-runtime/pkg/client.Client.Scheme]
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/doc.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/doc.go
new file mode 100644
index 000000000..faa98c9dc
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/doc.go
@@ -0,0 +1,9 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright 2017 Microsoft Corporation. All rights reserved.
+// Use of this source code is governed by an MIT
+// license that can be found in the LICENSE file.
+
+// Package to contains various type-conversion helper functions.
+package to
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/to.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/to.go
new file mode 100644
index 000000000..e0e4817b9
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/to.go
@@ -0,0 +1,21 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package to
+
+// Ptr returns a pointer to the provided value.
+func Ptr[T any](v T) *T {
+	return &v
+}
+
+// SliceOfPtrs returns a slice of *T from the specified values.
+func SliceOfPtrs[T any](vv ...T) []*T {
+	slc := make([]*T, len(vv))
+	for i := range vv {
+		slc[i] = Ptr(vv[i])
+	}
+	return slc
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
index ddb24d810..7ea119ab3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md
@@ -1,10 +1,53 @@
 # Release History
 
+## 1.4.0 (2023-10-10)
+
+### Bugs Fixed
+* `ManagedIdentityCredential` will now retry when IMDS responds 410 or 503
+
+## 1.4.0-beta.5 (2023-09-12)
+
+### Features Added
+* Service principal credentials can request CAE tokens
+
+### Breaking Changes
+> These changes affect only code written against a beta version such as v1.4.0-beta.4
+* Whether `GetToken` requests a CAE token is now determined by `TokenRequestOptions.EnableCAE`. Azure
+  SDK clients which support CAE will set this option automatically. Credentials no longer request CAE
+  tokens by default or observe the environment variable "AZURE_IDENTITY_DISABLE_CP1".
+
+### Bugs Fixed
+* Credential chains such as `DefaultAzureCredential` now try their next credential, if any, when
+  managed identity authentication fails in a Docker Desktop container
+  ([#21417](https://github.com/Azure/azure-sdk-for-go/issues/21417))
+
+## 1.4.0-beta.4 (2023-08-16)
+
+### Other Changes
+* Upgraded dependencies
+
 ## 1.3.1 (2023-08-16)
 
 ### Other Changes
 * Upgraded dependencies
 
+## 1.4.0-beta.3 (2023-08-08)
+
+### Bugs Fixed
+* One invocation of `AzureCLICredential.GetToken()` and `OnBehalfOfCredential.GetToken()`
+  can no longer make two authentication attempts
+
+## 1.4.0-beta.2 (2023-07-14)
+
+### Other Changes
+* `DefaultAzureCredentialOptions.TenantID` applies to workload identity authentication
+* Upgraded dependencies
+
+## 1.4.0-beta.1 (2023-06-06)
+
+### Other Changes
+* Re-enabled CAE support as in v1.3.0-beta.3
+
 ## 1.3.0 (2023-05-09)
 
 ### Breaking Changes
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
index 7b7515eba..fef099813 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md
@@ -76,12 +76,14 @@ azlog.SetListener(func(event azlog.Event, s string) {
 azlog.SetEvents(azidentity.EventAuthentication)
 ```
 
+<a id="dac"></a>
 ## Troubleshoot DefaultAzureCredential authentication issues
 
 | Error |Description| Mitigation |
 |---|---|---|
 |"DefaultAzureCredential failed to acquire a token"|No credential in the `DefaultAzureCredential` chain provided a token|<ul><li>[Enable logging](#enable-and-configure-logging) to get further diagnostic information.</li><li>Consult the troubleshooting guide for underlying credential types for more information.</li><ul><li>[EnvironmentCredential](#troubleshoot-environmentcredential-authentication-issues)</li><li>[ManagedIdentityCredential](#troubleshoot-managedidentitycredential-authentication-issues)</li><li>[AzureCLICredential](#troubleshoot-azureclicredential-authentication-issues)</li></ul>|
 |Error from the client with a status code of 401 or 403|Authentication succeeded but the authorizing Azure service responded with a 401 (Unauthorized), or 403 (Forbidden) status code|<ul><li>[Enable logging](#enable-and-configure-logging) to determine which credential in the chain returned the authenticating token.</li><li>If an unexpected credential is returning a token, check application configuration such as environment variables.</li><li>Ensure the correct role is assigned to the authenticated identity. For example, a service specific role rather than the subscription Owner role.</li></ul>|
+|"managed identity timed out"|`DefaultAzureCredential` sets a short timeout on its first managed identity authentication attempt to prevent very long timeouts during local development when no managed identity is available. That timeout causes this error in production when an application requests a token before the hosting environment is ready to provide one.|Use [ManagedIdentityCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ManagedIdentityCredential) directly, at least in production. It doesn't set a timeout on its authentication attempts.|
 
 ## Troubleshoot EnvironmentCredential authentication issues
 
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
index 739ff49c1..10b742ce1 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go
@@ -10,12 +10,12 @@ import (
 	"bytes"
 	"context"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"regexp"
-	"strings"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
@@ -41,65 +41,18 @@ const (
 	organizationsTenantID   = "organizations"
 	developerSignOnClientID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
 	defaultSuffix           = "/.default"
-	tenantIDValidationErr   = "invalid tenantID. You can locate your tenantID by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names"
 )
 
 var (
 	// capability CP1 indicates the client application is capable of handling CAE claims challenges
-	cp1 = []string{"CP1"}
-	// CP1 is disabled until CAE support is added back
-	disableCP1 = true
+	cp1                = []string{"CP1"}
+	errInvalidTenantID = errors.New("invalid tenantID. You can locate your tenantID by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names")
 )
 
-var getConfidentialClient = func(clientID, tenantID string, cred confidential.Credential, co *azcore.ClientOptions, additionalOpts ...confidential.Option) (confidentialClient, error) {
-	if !validTenantID(tenantID) {
-		return confidential.Client{}, errors.New(tenantIDValidationErr)
-	}
-	authorityHost, err := setAuthorityHost(co.Cloud)
-	if err != nil {
-		return confidential.Client{}, err
-	}
-	authority := runtime.JoinPaths(authorityHost, tenantID)
-	o := []confidential.Option{
-		confidential.WithAzureRegion(os.Getenv(azureRegionalAuthorityName)),
-		confidential.WithHTTPClient(newPipelineAdapter(co)),
-	}
-	if !disableCP1 {
-		o = append(o, confidential.WithClientCapabilities(cp1))
-	}
-	o = append(o, additionalOpts...)
-	if strings.ToLower(tenantID) == "adfs" {
-		o = append(o, confidential.WithInstanceDiscovery(false))
-	}
-	return confidential.New(authority, clientID, cred, o...)
-}
-
-var getPublicClient = func(clientID, tenantID string, co *azcore.ClientOptions, additionalOpts ...public.Option) (public.Client, error) {
-	if !validTenantID(tenantID) {
-		return public.Client{}, errors.New(tenantIDValidationErr)
-	}
-	authorityHost, err := setAuthorityHost(co.Cloud)
-	if err != nil {
-		return public.Client{}, err
-	}
-	o := []public.Option{
-		public.WithAuthority(runtime.JoinPaths(authorityHost, tenantID)),
-		public.WithHTTPClient(newPipelineAdapter(co)),
-	}
-	if !disableCP1 {
-		o = append(o, public.WithClientCapabilities(cp1))
-	}
-	o = append(o, additionalOpts...)
-	if strings.ToLower(tenantID) == "adfs" {
-		o = append(o, public.WithInstanceDiscovery(false))
-	}
-	return public.New(clientID, o...)
-}
-
 // setAuthorityHost initializes the authority host for credentials. Precedence is:
-// 1. cloud.Configuration.ActiveDirectoryAuthorityHost value set by user
-// 2. value of AZURE_AUTHORITY_HOST
-// 3. default: Azure Public Cloud
+//  1. cloud.Configuration.ActiveDirectoryAuthorityHost value set by user
+//  2. value of AZURE_AUTHORITY_HOST
+//  3. default: Azure Public Cloud
 func setAuthorityHost(cc cloud.Configuration) (string, error) {
 	host := cc.ActiveDirectoryAuthorityHost
 	if host == "" {
@@ -121,6 +74,41 @@ func setAuthorityHost(cc cloud.Configuration) (string, error) {
 	return host, nil
 }
 
+// resolveAdditionalTenants returns a copy of tenants, simplified when tenants contains a wildcard
+func resolveAdditionalTenants(tenants []string) []string {
+	if len(tenants) == 0 {
+		return nil
+	}
+	for _, t := range tenants {
+		// a wildcard makes all other values redundant
+		if t == "*" {
+			return []string{"*"}
+		}
+	}
+	cp := make([]string, len(tenants))
+	copy(cp, tenants)
+	return cp
+}
+
+// resolveTenant returns the correct tenant for a token request
+func resolveTenant(defaultTenant, specified, credName string, additionalTenants []string) (string, error) {
+	if specified == "" || specified == defaultTenant {
+		return defaultTenant, nil
+	}
+	if defaultTenant == "adfs" {
+		return "", errors.New("ADFS doesn't support tenants")
+	}
+	if !validTenantID(specified) {
+		return "", errInvalidTenantID
+	}
+	for _, t := range additionalTenants {
+		if t == "*" || t == specified {
+			return specified, nil
+		}
+	}
+	return "", fmt.Errorf(`%s isn't configured to acquire tokens for tenant %q. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to allow acquiring tokens for any tenant`, credName, specified)
+}
+
 // validTenantID return true is it receives a valid tenantID, returns false otherwise
 func validTenantID(tenantID string) bool {
 	match, err := regexp.MatchString("^[0-9a-zA-Z-.]+$", tenantID)
@@ -173,7 +161,7 @@ func (p pipelineAdapter) Do(r *http.Request) (*http.Response, error) {
 }
 
 // enables fakes for test scenarios
-type confidentialClient interface {
+type msalConfidentialClient interface {
 	AcquireTokenSilent(ctx context.Context, scopes []string, options ...confidential.AcquireSilentOption) (confidential.AuthResult, error)
 	AcquireTokenByAuthCode(ctx context.Context, code string, redirectURI string, scopes []string, options ...confidential.AcquireByAuthCodeOption) (confidential.AuthResult, error)
 	AcquireTokenByCredential(ctx context.Context, scopes []string, options ...confidential.AcquireByCredentialOption) (confidential.AuthResult, error)
@@ -181,7 +169,7 @@ type confidentialClient interface {
 }
 
 // enables fakes for test scenarios
-type publicClient interface {
+type msalPublicClient interface {
 	AcquireTokenSilent(ctx context.Context, scopes []string, options ...public.AcquireSilentOption) (public.AuthResult, error)
 	AcquireTokenByUsernamePassword(ctx context.Context, scopes []string, username string, password string, options ...public.AcquireByUsernamePasswordOption) (public.AuthResult, error)
 	AcquireTokenByDeviceCode(ctx context.Context, scopes []string, options ...public.AcquireByDeviceCodeOption) (public.DeviceCode, error)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
index 33ff13c09..55a0d6543 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go
@@ -17,10 +17,12 @@ import (
 	"regexp"
 	"runtime"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
 )
 
 const (
@@ -47,14 +49,14 @@ type AzureCLICredentialOptions struct {
 // init returns an instance of AzureCLICredentialOptions initialized with default values.
 func (o *AzureCLICredentialOptions) init() {
 	if o.tokenProvider == nil {
-		o.tokenProvider = defaultTokenProvider()
+		o.tokenProvider = defaultTokenProvider
 	}
 }
 
 // AzureCLICredential authenticates as the identity logged in to the Azure CLI.
 type AzureCLICredential struct {
-	s             *syncer
-	tokenProvider azureCLITokenProvider
+	mu   *sync.Mutex
+	opts AzureCLICredentialOptions
 }
 
 // NewAzureCLICredential constructs an AzureCLICredential. Pass nil to accept default options.
@@ -64,9 +66,8 @@ func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredent
 		cp = *options
 	}
 	cp.init()
-	c := AzureCLICredential{tokenProvider: cp.tokenProvider}
-	c.s = newSyncer(credNameAzureCLI, cp.TenantID, cp.AdditionallyAllowedTenants, c.requestToken, c.requestToken)
-	return &c, nil
+	cp.AdditionallyAllowedTenants = resolveAdditionalTenants(cp.AdditionallyAllowedTenants)
+	return &AzureCLICredential{mu: &sync.Mutex{}, opts: cp}, nil
 }
 
 // GetToken requests a token from the Azure CLI. This credential doesn't cache tokens, so every call invokes the CLI.
@@ -75,13 +76,15 @@ func (c *AzureCLICredential) GetToken(ctx context.Context, opts policy.TokenRequ
 	if len(opts.Scopes) != 1 {
 		return azcore.AccessToken{}, errors.New(credNameAzureCLI + ": GetToken() requires exactly one scope")
 	}
-	// CLI expects an AAD v1 resource, not a v2 scope
+	tenant, err := resolveTenant(c.opts.TenantID, opts.TenantID, credNameAzureCLI, c.opts.AdditionallyAllowedTenants)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+	// pass the CLI an AAD v1 resource because we don't know which CLI version is installed and older ones don't support v2 scopes
 	opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *AzureCLICredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	b, err := c.tokenProvider(ctx, opts.Scopes[0], opts.TenantID)
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	b, err := c.opts.tokenProvider(ctx, opts.Scopes[0], tenant)
 	if err != nil {
 		return azcore.AccessToken{}, err
 	}
@@ -89,61 +92,61 @@ func (c *AzureCLICredential) requestToken(ctx context.Context, opts policy.Token
 	if err != nil {
 		return azcore.AccessToken{}, err
 	}
+	msg := fmt.Sprintf("%s.GetToken() acquired a token for scope %q", credNameAzureCLI, strings.Join(opts.Scopes, ", "))
+	log.Write(EventAuthentication, msg)
 	return at, nil
 }
 
-func defaultTokenProvider() func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
-	return func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
-		match, err := regexp.MatchString("^[0-9a-zA-Z-.:/]+$", resource)
-		if err != nil {
-			return nil, err
-		}
-		if !match {
-			return nil, fmt.Errorf(`%s: unexpected scope "%s". Only alphanumeric characters and ".", ";", "-", and "/" are allowed`, credNameAzureCLI, resource)
-		}
-
-		// set a default timeout for this authentication iff the application hasn't done so already
-		var cancel context.CancelFunc
-		if _, hasDeadline := ctx.Deadline(); !hasDeadline {
-			ctx, cancel = context.WithTimeout(ctx, timeoutCLIRequest)
-			defer cancel()
-		}
-
-		commandLine := "az account get-access-token -o json --resource " + resource
-		if tenantID != "" {
-			commandLine += " --tenant " + tenantID
-		}
-		var cliCmd *exec.Cmd
-		if runtime.GOOS == "windows" {
-			dir := os.Getenv("SYSTEMROOT")
-			if dir == "" {
-				return nil, newCredentialUnavailableError(credNameAzureCLI, "environment variable 'SYSTEMROOT' has no value")
-			}
-			cliCmd = exec.CommandContext(ctx, "cmd.exe", "/c", commandLine)
-			cliCmd.Dir = dir
-		} else {
-			cliCmd = exec.CommandContext(ctx, "/bin/sh", "-c", commandLine)
-			cliCmd.Dir = "/bin"
-		}
-		cliCmd.Env = os.Environ()
-		var stderr bytes.Buffer
-		cliCmd.Stderr = &stderr
-
-		output, err := cliCmd.Output()
-		if err != nil {
-			msg := stderr.String()
-			var exErr *exec.ExitError
-			if errors.As(err, &exErr) && exErr.ExitCode() == 127 || strings.HasPrefix(msg, "'az' is not recognized") {
-				msg = "Azure CLI not found on path"
-			}
-			if msg == "" {
-				msg = err.Error()
-			}
-			return nil, newCredentialUnavailableError(credNameAzureCLI, msg)
-		}
-
-		return output, nil
+var defaultTokenProvider azureCLITokenProvider = func(ctx context.Context, resource string, tenantID string) ([]byte, error) {
+	match, err := regexp.MatchString("^[0-9a-zA-Z-.:/]+$", resource)
+	if err != nil {
+		return nil, err
 	}
+	if !match {
+		return nil, fmt.Errorf(`%s: unexpected scope "%s". Only alphanumeric characters and ".", ";", "-", and "/" are allowed`, credNameAzureCLI, resource)
+	}
+
+	// set a default timeout for this authentication iff the application hasn't done so already
+	var cancel context.CancelFunc
+	if _, hasDeadline := ctx.Deadline(); !hasDeadline {
+		ctx, cancel = context.WithTimeout(ctx, timeoutCLIRequest)
+		defer cancel()
+	}
+
+	commandLine := "az account get-access-token -o json --resource " + resource
+	if tenantID != "" {
+		commandLine += " --tenant " + tenantID
+	}
+	var cliCmd *exec.Cmd
+	if runtime.GOOS == "windows" {
+		dir := os.Getenv("SYSTEMROOT")
+		if dir == "" {
+			return nil, newCredentialUnavailableError(credNameAzureCLI, "environment variable 'SYSTEMROOT' has no value")
+		}
+		cliCmd = exec.CommandContext(ctx, "cmd.exe", "/c", commandLine)
+		cliCmd.Dir = dir
+	} else {
+		cliCmd = exec.CommandContext(ctx, "/bin/sh", "-c", commandLine)
+		cliCmd.Dir = "/bin"
+	}
+	cliCmd.Env = os.Environ()
+	var stderr bytes.Buffer
+	cliCmd.Stderr = &stderr
+
+	output, err := cliCmd.Output()
+	if err != nil {
+		msg := stderr.String()
+		var exErr *exec.ExitError
+		if errors.As(err, &exErr) && exErr.ExitCode() == 127 || strings.HasPrefix(msg, "'az' is not recognized") {
+			msg = "Azure CLI not found on path"
+		}
+		if msg == "" {
+			msg = err.Error()
+		}
+		return nil, newCredentialUnavailableError(credNameAzureCLI, msg)
+	}
+
+	return output, nil
 }
 
 func (c *AzureCLICredential) createAccessToken(tk []byte) (azcore.AccessToken, error) {
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
index 3b443e8ee..9002ea0b0 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml
@@ -26,22 +26,9 @@ stages:
   parameters:
     RunLiveTests: true
     ServiceDirectory: 'azidentity'
-    PreSteps:
-      - pwsh: |
-          [System.Convert]::FromBase64String($env:PFX_CONTENTS) | Set-Content -Path $(Agent.TempDirectory)/test.pfx -AsByteStream
-          Set-Content -Path $(Agent.TempDirectory)/test.pem -Value $env:PEM_CONTENTS
-          [System.Convert]::FromBase64String($env:SNI_CONTENTS) | Set-Content -Path $(Agent.TempDirectory)/testsni.pfx -AsByteStream
-        env:
-          PFX_CONTENTS: $(net-identity-spcert-pfx)
-          PEM_CONTENTS: $(net-identity-spcert-pem)
-          SNI_CONTENTS: $(net-identity-spcert-sni)
-    EnvVars:
-      AZURE_IDENTITY_TEST_TENANTID: $(net-identity-tenantid)
-      AZURE_IDENTITY_TEST_USERNAME: $(net-identity-username)
-      AZURE_IDENTITY_TEST_PASSWORD: $(net-identity-password)
-      IDENTITY_SP_TENANT_ID: $(net-identity-sp-tenantid)
-      IDENTITY_SP_CLIENT_ID: $(net-identity-sp-clientid)
-      IDENTITY_SP_CLIENT_SECRET: $(net-identity-sp-clientsecret)
-      IDENTITY_SP_CERT_PEM: $(Agent.TempDirectory)/test.pem
-      IDENTITY_SP_CERT_PFX: $(Agent.TempDirectory)/test.pfx
-      IDENTITY_SP_CERT_SNI: $(Agent.TempDirectory)/testsni.pfx
+    CloudConfig:
+      Public:
+        SubscriptionConfigurations:
+          - $(sub-config-azure-cloud-test-resources)
+          # Contains alternate tenant, AAD app and cert info for testing
+          - $(sub-config-identity-test-resources)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
index d9d22996c..303d5fc09 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go
@@ -24,8 +24,7 @@ const credNameAssertion = "ClientAssertionCredential"
 //
 // [Azure AD documentation]: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials#assertion-format
 type ClientAssertionCredential struct {
-	client confidentialClient
-	s      *syncer
+	client *confidentialClient
 }
 
 // ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.
@@ -56,28 +55,21 @@ func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(c
 			return getAssertion(ctx)
 		},
 	)
-	c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
+	msalOpts := confidentialClientOptions{
+		AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+		ClientOptions:              options.ClientOptions,
+		DisableInstanceDiscovery:   options.DisableInstanceDiscovery,
+	}
+	c, err := newConfidentialClient(tenantID, clientID, credNameAssertion, cred, msalOpts)
 	if err != nil {
 		return nil, err
 	}
-	cac := ClientAssertionCredential{client: c}
-	cac.s = newSyncer(credNameAssertion, tenantID, options.AdditionallyAllowedTenants, cac.requestToken, cac.silentAuth)
-	return &cac, nil
+	return &ClientAssertionCredential{client: c}, nil
 }
 
 // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
 func (c *ClientAssertionCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *ClientAssertionCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ClientAssertionCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return c.client.GetToken(ctx, opts)
 }
 
 var _ azcore.TokenCredential = (*ClientAssertionCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
index 804eba899..d3300e305 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go
@@ -42,8 +42,7 @@ type ClientCertificateCredentialOptions struct {
 
 // ClientCertificateCredential authenticates a service principal with a certificate.
 type ClientCertificateCredential struct {
-	client confidentialClient
-	s      *syncer
+	client *confidentialClient
 }
 
 // NewClientCertificateCredential constructs a ClientCertificateCredential. Pass nil for options to accept defaults.
@@ -58,33 +57,22 @@ func NewClientCertificateCredential(tenantID string, clientID string, certs []*x
 	if err != nil {
 		return nil, err
 	}
-	var o []confidential.Option
-	if options.SendCertificateChain {
-		o = append(o, confidential.WithX5C())
+	msalOpts := confidentialClientOptions{
+		AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+		ClientOptions:              options.ClientOptions,
+		DisableInstanceDiscovery:   options.DisableInstanceDiscovery,
+		SendX5C:                    options.SendCertificateChain,
 	}
-	o = append(o, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
-	c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, o...)
+	c, err := newConfidentialClient(tenantID, clientID, credNameCert, cred, msalOpts)
 	if err != nil {
 		return nil, err
 	}
-	cc := ClientCertificateCredential{client: c}
-	cc.s = newSyncer(credNameCert, tenantID, options.AdditionallyAllowedTenants, cc.requestToken, cc.silentAuth)
-	return &cc, nil
+	return &ClientCertificateCredential{client: c}, nil
 }
 
 // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
 func (c *ClientCertificateCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *ClientCertificateCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ClientCertificateCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return c.client.GetToken(ctx, opts)
 }
 
 // ParseCertificates loads certificates and a private key, in PEM or PKCS12 format, for use with NewClientCertificateCredential.
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
index dda21f6b8..d2ff7582b 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go
@@ -33,8 +33,7 @@ type ClientSecretCredentialOptions struct {
 
 // ClientSecretCredential authenticates an application with a client secret.
 type ClientSecretCredential struct {
-	client confidentialClient
-	s      *syncer
+	client *confidentialClient
 }
 
 // NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults.
@@ -46,30 +45,21 @@ func NewClientSecretCredential(tenantID string, clientID string, clientSecret st
 	if err != nil {
 		return nil, err
 	}
-	c, err := getConfidentialClient(
-		clientID, tenantID, cred, &options.ClientOptions, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery),
-	)
+	msalOpts := confidentialClientOptions{
+		AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+		ClientOptions:              options.ClientOptions,
+		DisableInstanceDiscovery:   options.DisableInstanceDiscovery,
+	}
+	c, err := newConfidentialClient(tenantID, clientID, credNameSecret, cred, msalOpts)
 	if err != nil {
 		return nil, err
 	}
-	csc := ClientSecretCredential{client: c}
-	csc.s = newSyncer(credNameSecret, tenantID, options.AdditionallyAllowedTenants, csc.requestToken, csc.silentAuth)
-	return &csc, nil
+	return &ClientSecretCredential{c}, nil
 }
 
 // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
 func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *ClientSecretCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ClientSecretCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes, confidential.WithTenantID(opts.TenantID))
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return c.client.GetToken(ctx, opts)
 }
 
 var _ azcore.TokenCredential = (*ClientSecretCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go
new file mode 100644
index 000000000..4853a9a00
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go
@@ -0,0 +1,156 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package azidentity
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
+	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
+)
+
+type confidentialClientOptions struct {
+	azcore.ClientOptions
+
+	AdditionallyAllowedTenants []string
+	// Assertion for on-behalf-of authentication
+	Assertion                         string
+	DisableInstanceDiscovery, SendX5C bool
+}
+
+// confidentialClient wraps the MSAL confidential client
+type confidentialClient struct {
+	cae, noCAE               msalConfidentialClient
+	caeMu, noCAEMu, clientMu *sync.Mutex
+	clientID, tenantID       string
+	cred                     confidential.Credential
+	host                     string
+	name                     string
+	opts                     confidentialClientOptions
+	region                   string
+}
+
+func newConfidentialClient(tenantID, clientID, name string, cred confidential.Credential, opts confidentialClientOptions) (*confidentialClient, error) {
+	if !validTenantID(tenantID) {
+		return nil, errInvalidTenantID
+	}
+	host, err := setAuthorityHost(opts.Cloud)
+	if err != nil {
+		return nil, err
+	}
+	opts.AdditionallyAllowedTenants = resolveAdditionalTenants(opts.AdditionallyAllowedTenants)
+	return &confidentialClient{
+		caeMu:    &sync.Mutex{},
+		clientID: clientID,
+		clientMu: &sync.Mutex{},
+		cred:     cred,
+		host:     host,
+		name:     name,
+		noCAEMu:  &sync.Mutex{},
+		opts:     opts,
+		region:   os.Getenv(azureRegionalAuthorityName),
+		tenantID: tenantID,
+	}, nil
+}
+
+// GetToken requests an access token from MSAL, checking the cache first.
+func (c *confidentialClient) GetToken(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	if len(tro.Scopes) < 1 {
+		return azcore.AccessToken{}, fmt.Errorf("%s.GetToken() requires at least one scope", c.name)
+	}
+	// we don't resolve the tenant for managed identities because they acquire tokens only from their home tenants
+	if c.name != credNameManagedIdentity {
+		tenant, err := c.resolveTenant(tro.TenantID)
+		if err != nil {
+			return azcore.AccessToken{}, err
+		}
+		tro.TenantID = tenant
+	}
+	client, mu, err := c.client(ctx, tro)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+	mu.Lock()
+	defer mu.Unlock()
+	var ar confidential.AuthResult
+	if c.opts.Assertion != "" {
+		ar, err = client.AcquireTokenOnBehalfOf(ctx, c.opts.Assertion, tro.Scopes, confidential.WithClaims(tro.Claims), confidential.WithTenantID(tro.TenantID))
+	} else {
+		ar, err = client.AcquireTokenSilent(ctx, tro.Scopes, confidential.WithClaims(tro.Claims), confidential.WithTenantID(tro.TenantID))
+		if err != nil {
+			ar, err = client.AcquireTokenByCredential(ctx, tro.Scopes, confidential.WithClaims(tro.Claims), confidential.WithTenantID(tro.TenantID))
+		}
+	}
+	if err != nil {
+		// We could get a credentialUnavailableError from managed identity authentication because in that case the error comes from our code.
+		// We return it directly because it affects the behavior of credential chains. Otherwise, we return AuthenticationFailedError.
+		var unavailableErr *credentialUnavailableError
+		if !errors.As(err, &unavailableErr) {
+			res := getResponseFromError(err)
+			err = newAuthenticationFailedError(c.name, err.Error(), res, err)
+		}
+	} else {
+		msg := fmt.Sprintf("%s.GetToken() acquired a token for scope %q", c.name, strings.Join(ar.GrantedScopes, ", "))
+		log.Write(EventAuthentication, msg)
+	}
+	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+}
+
+func (c *confidentialClient) client(ctx context.Context, tro policy.TokenRequestOptions) (msalConfidentialClient, *sync.Mutex, error) {
+	c.clientMu.Lock()
+	defer c.clientMu.Unlock()
+	if tro.EnableCAE {
+		if c.cae == nil {
+			client, err := c.newMSALClient(true)
+			if err != nil {
+				return nil, nil, err
+			}
+			c.cae = client
+		}
+		return c.cae, c.caeMu, nil
+	}
+	if c.noCAE == nil {
+		client, err := c.newMSALClient(false)
+		if err != nil {
+			return nil, nil, err
+		}
+		c.noCAE = client
+	}
+	return c.noCAE, c.noCAEMu, nil
+}
+
+func (c *confidentialClient) newMSALClient(enableCAE bool) (msalConfidentialClient, error) {
+	authority := runtime.JoinPaths(c.host, c.tenantID)
+	o := []confidential.Option{
+		confidential.WithAzureRegion(c.region),
+		confidential.WithHTTPClient(newPipelineAdapter(&c.opts.ClientOptions)),
+	}
+	if enableCAE {
+		o = append(o, confidential.WithClientCapabilities(cp1))
+	}
+	if c.opts.SendX5C {
+		o = append(o, confidential.WithX5C())
+	}
+	if c.opts.DisableInstanceDiscovery || strings.ToLower(c.tenantID) == "adfs" {
+		o = append(o, confidential.WithInstanceDiscovery(false))
+	}
+	return confidential.New(authority, c.clientID, c.cred, o...)
+}
+
+// resolveTenant returns the correct tenant for a token request given the client's
+// configuration, or an error when that configuration doesn't allow the specified tenant
+func (c *confidentialClient) resolveTenant(specified string) (string, error) {
+	return resolveTenant(c.tenantID, specified, c.name, c.opts.AdditionallyAllowedTenants)
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
index 1e3efdc97..7647c60b1 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go
@@ -21,6 +21,8 @@ import (
 // DefaultAzureCredentialOptions contains optional parameters for DefaultAzureCredential.
 // These options may not apply to all credentials in the chain.
 type DefaultAzureCredentialOptions struct {
+	// ClientOptions has additional options for credentials that use an Azure SDK HTTP pipeline. These options don't apply
+	// to credential types that authenticate via external tools such as the Azure CLI.
 	azcore.ClientOptions
 
 	// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens. Add
@@ -32,8 +34,7 @@ type DefaultAzureCredentialOptions struct {
 	// from https://login.microsoft.com before authenticating. Setting this to true will skip this request, making
 	// the application responsible for ensuring the configured authority is valid and trustworthy.
 	DisableInstanceDiscovery bool
-	// TenantID identifies the tenant the Azure CLI should authenticate in.
-	// Defaults to the CLI's default tenant, which is typically the home tenant of the user logged in to the CLI.
+	// TenantID sets the default tenant for authentication via the Azure CLI and workload identity.
 	TenantID string
 }
 
@@ -83,11 +84,11 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 		creds = append(creds, &defaultCredentialErrorReporter{credType: "EnvironmentCredential", err: err})
 	}
 
-	// workload identity requires values for AZURE_AUTHORITY_HOST, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID
 	wic, err := NewWorkloadIdentityCredential(&WorkloadIdentityCredentialOptions{
 		AdditionallyAllowedTenants: additionalTenants,
 		ClientOptions:              options.ClientOptions,
 		DisableInstanceDiscovery:   options.DisableInstanceDiscovery,
+		TenantID:                   options.TenantID,
 	})
 	if err == nil {
 		creds = append(creds, wic)
@@ -95,6 +96,7 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 		errorMessages = append(errorMessages, credNameWorkloadIdentity+": "+err.Error())
 		creds = append(creds, &defaultCredentialErrorReporter{credType: credNameWorkloadIdentity, err: err})
 	}
+
 	o := &ManagedIdentityCredentialOptions{ClientOptions: options.ClientOptions}
 	if ID, ok := os.LookupEnv(azureClientID); ok {
 		o.ID = ClientID(ID)
@@ -115,9 +117,8 @@ func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*Default
 		creds = append(creds, &defaultCredentialErrorReporter{credType: credNameAzureCLI, err: err})
 	}
 
-	err = defaultAzureCredentialConstructorErrorHandler(len(creds), errorMessages)
-	if err != nil {
-		return nil, err
+	if len(errorMessages) > 0 {
+		log.Writef(EventAuthentication, "NewDefaultAzureCredential failed to initialize some credentials:\n\t%s", strings.Join(errorMessages, "\n\t"))
 	}
 
 	chain, err := NewChainedTokenCredential(creds, nil)
@@ -135,20 +136,6 @@ func (c *DefaultAzureCredential) GetToken(ctx context.Context, opts policy.Token
 
 var _ azcore.TokenCredential = (*DefaultAzureCredential)(nil)
 
-func defaultAzureCredentialConstructorErrorHandler(numberOfSuccessfulCredentials int, errorMessages []string) (err error) {
-	errorMessage := strings.Join(errorMessages, "\n\t")
-
-	if numberOfSuccessfulCredentials == 0 {
-		return errors.New(errorMessage)
-	}
-
-	if len(errorMessages) != 0 {
-		log.Writef(EventAuthentication, "NewDefaultAzureCredential failed to initialize some credentials:\n\t%s", errorMessage)
-	}
-
-	return nil
-}
-
 // defaultCredentialErrorReporter is a substitute for credentials that couldn't be constructed.
 // Its GetToken method always returns a credentialUnavailableError having the same message as
 // the error that prevented constructing the credential. This ensures the message is present
@@ -185,7 +172,7 @@ func (w *timeoutWrapper) GetToken(ctx context.Context, opts policy.TokenRequestO
 		defer cancel()
 		tk, err = w.mic.GetToken(c, opts)
 		if isAuthFailedDueToContext(err) {
-			err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out")
+			err = newCredentialUnavailableError(credNameManagedIdentity, "managed identity timed out. See https://aka.ms/azsdk/go/identity/troubleshoot#dac for more information")
 		} else {
 			// some managed identity implementation is available, so don't apply the timeout to future calls
 			w.timeout = 0
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
index 108e83c43..d245c269a 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go
@@ -12,7 +12,6 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
 )
 
 const credNameDeviceCode = "DeviceCodeCredential"
@@ -74,10 +73,7 @@ type DeviceCodeMessage struct {
 // If a web browser is available, InteractiveBrowserCredential is more convenient because it
 // automatically opens a browser to the login page.
 type DeviceCodeCredential struct {
-	account public.Account
-	client  publicClient
-	s       *syncer
-	prompt  func(context.Context, DeviceCodeMessage) error
+	client *publicClient
 }
 
 // NewDeviceCodeCredential creates a DeviceCodeCredential. Pass nil to accept default options.
@@ -87,50 +83,24 @@ func NewDeviceCodeCredential(options *DeviceCodeCredentialOptions) (*DeviceCodeC
 		cp = *options
 	}
 	cp.init()
-	c, err := getPublicClient(
-		cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery),
-	)
+	msalOpts := publicClientOptions{
+		AdditionallyAllowedTenants: cp.AdditionallyAllowedTenants,
+		ClientOptions:              cp.ClientOptions,
+		DeviceCodePrompt:           cp.UserPrompt,
+		DisableInstanceDiscovery:   cp.DisableInstanceDiscovery,
+	}
+	c, err := newPublicClient(cp.TenantID, cp.ClientID, credNameDeviceCode, msalOpts)
 	if err != nil {
 		return nil, err
 	}
-	cred := DeviceCodeCredential{client: c, prompt: cp.UserPrompt}
-	cred.s = newSyncer(credNameDeviceCode, cp.TenantID, cp.AdditionallyAllowedTenants, cred.requestToken, cred.silentAuth)
-	return &cred, nil
+	c.name = credNameDeviceCode
+	return &DeviceCodeCredential{client: c}, nil
 }
 
 // GetToken requests an access token from Azure Active Directory. It will begin the device code flow and poll until the user completes authentication.
 // This method is called automatically by Azure SDK clients.
 func (c *DeviceCodeCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *DeviceCodeCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	dc, err := c.client.AcquireTokenByDeviceCode(ctx, opts.Scopes, public.WithTenantID(opts.TenantID))
-	if err != nil {
-		return azcore.AccessToken{}, err
-	}
-	err = c.prompt(ctx, DeviceCodeMessage{
-		Message:         dc.Result.Message,
-		UserCode:        dc.Result.UserCode,
-		VerificationURL: dc.Result.VerificationURL,
-	})
-	if err != nil {
-		return azcore.AccessToken{}, err
-	}
-	ar, err := dc.AuthenticationResult(ctx)
-	if err != nil {
-		return azcore.AccessToken{}, err
-	}
-	c.account = ar.Account
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *DeviceCodeCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
-		public.WithSilentAccount(c.account),
-		public.WithTenantID(opts.TenantID),
-	)
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return c.client.GetToken(ctx, opts)
 }
 
 var _ azcore.TokenCredential = (*DeviceCodeCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
index 86d8976a4..e1a21e003 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go
@@ -11,9 +11,9 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"net/http"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
 	"github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo"
 	msal "github.com/AzureAD/microsoft-authentication-library-for-go/apps/errors"
 )
@@ -57,17 +57,16 @@ func (e *AuthenticationFailedError) Error() string {
 	fmt.Fprintln(msg, "--------------------------------------------------------------------------------")
 	fmt.Fprintf(msg, "RESPONSE %s\n", e.RawResponse.Status)
 	fmt.Fprintln(msg, "--------------------------------------------------------------------------------")
-	body, err := io.ReadAll(e.RawResponse.Body)
-	e.RawResponse.Body.Close()
-	if err != nil {
+	body, err := runtime.Payload(e.RawResponse)
+	switch {
+	case err != nil:
 		fmt.Fprintf(msg, "Error reading response body: %v", err)
-	} else if len(body) > 0 {
-		e.RawResponse.Body = io.NopCloser(bytes.NewReader(body))
+	case len(body) > 0:
 		if err := json.Indent(msg, body, "", "  "); err != nil {
 			// failed to pretty-print so just dump it verbatim
 			fmt.Fprint(msg, string(body))
 		}
-	} else {
+	default:
 		fmt.Fprint(msg, "Response contained no body")
 	}
 	fmt.Fprintln(msg, "\n--------------------------------------------------------------------------------")
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
index 4868d22c3..08f3efbf3 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
 )
 
 const credNameBrowser = "InteractiveBrowserCredential"
@@ -56,10 +55,7 @@ func (o *InteractiveBrowserCredentialOptions) init() {
 
 // InteractiveBrowserCredential opens a browser to interactively authenticate a user.
 type InteractiveBrowserCredential struct {
-	account public.Account
-	client  publicClient
-	options InteractiveBrowserCredentialOptions
-	s       *syncer
+	client *publicClient
 }
 
 // NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential. Pass nil to accept default options.
@@ -69,38 +65,22 @@ func NewInteractiveBrowserCredential(options *InteractiveBrowserCredentialOption
 		cp = *options
 	}
 	cp.init()
-	c, err := getPublicClient(cp.ClientID, cp.TenantID, &cp.ClientOptions, public.WithInstanceDiscovery(!cp.DisableInstanceDiscovery))
+	msalOpts := publicClientOptions{
+		ClientOptions:            cp.ClientOptions,
+		DisableInstanceDiscovery: cp.DisableInstanceDiscovery,
+		LoginHint:                cp.LoginHint,
+		RedirectURL:              cp.RedirectURL,
+	}
+	c, err := newPublicClient(cp.TenantID, cp.ClientID, credNameBrowser, msalOpts)
 	if err != nil {
 		return nil, err
 	}
-	ibc := InteractiveBrowserCredential{client: c, options: cp}
-	ibc.s = newSyncer(credNameBrowser, cp.TenantID, cp.AdditionallyAllowedTenants, ibc.requestToken, ibc.silentAuth)
-	return &ibc, nil
+	return &InteractiveBrowserCredential{client: c}, nil
 }
 
 // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
 func (c *InteractiveBrowserCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *InteractiveBrowserCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenInteractive(ctx, opts.Scopes,
-		public.WithLoginHint(c.options.LoginHint),
-		public.WithRedirectURI(c.options.RedirectURL),
-		public.WithTenantID(opts.TenantID),
-	)
-	if err == nil {
-		c.account = ar.Account
-	}
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *InteractiveBrowserCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
-		public.WithSilentAccount(c.account),
-		public.WithTenantID(opts.TenantID),
-	)
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return c.client.GetToken(ctx, opts)
 }
 
 var _ azcore.TokenCredential = (*InteractiveBrowserCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
index d7b4a32a5..fdc3c1f67 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go
@@ -84,13 +84,15 @@ func setIMDSRetryOptionDefaults(o *policy.RetryOptions) {
 	}
 	if o.StatusCodes == nil {
 		o.StatusCodes = []int{
-			// IMDS docs recommend retrying 404, 429 and all 5xx
-			// https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#error-handling
+			// IMDS docs recommend retrying 404, 410, 429 and 5xx
+			// https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#error-handling
 			http.StatusNotFound,                      // 404
+			http.StatusGone,                          // 410
 			http.StatusTooManyRequests,               // 429
 			http.StatusInternalServerError,           // 500
 			http.StatusNotImplemented,                // 501
 			http.StatusBadGateway,                    // 502
+			http.StatusServiceUnavailable,            // 503
 			http.StatusGatewayTimeout,                // 504
 			http.StatusHTTPVersionNotSupported,       // 505
 			http.StatusVariantAlsoNegotiates,         // 506
@@ -175,11 +177,25 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 		return c.createAccessToken(resp)
 	}
 
-	if c.msiType == msiTypeIMDS && resp.StatusCode == 400 {
-		if id != nil {
-			return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
+	if c.msiType == msiTypeIMDS {
+		switch resp.StatusCode {
+		case http.StatusBadRequest:
+			if id != nil {
+				return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
+			}
+			msg := "failed to authenticate a system assigned identity"
+			if body, err := runtime.Payload(resp); err == nil && len(body) > 0 {
+				msg += fmt.Sprintf(". The endpoint responded with %s", body)
+			}
+			return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)
+		case http.StatusForbidden:
+			// Docker Desktop runs a proxy that responds 403 to IMDS token requests. If we get that response,
+			// we return credentialUnavailableError so credential chains continue to their next credential
+			body, err := runtime.Payload(resp)
+			if err == nil && strings.Contains(string(body), "A socket operation was attempted to an unreachable network") {
+				return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, fmt.Sprintf("unexpected response %q", string(body)))
+			}
 		}
-		return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, "no default identity is assigned to this resource")
 	}
 
 	return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
index c6710ae52..35c5e6725 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go
@@ -8,7 +8,6 @@ package azidentity
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"strings"
 
@@ -71,9 +70,8 @@ type ManagedIdentityCredentialOptions struct {
 // user-assigned identity. See Azure Active Directory documentation for more information about managed identities:
 // https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
 type ManagedIdentityCredential struct {
-	client confidentialClient
+	client *confidentialClient
 	mic    *managedIdentityClient
-	s      *syncer
 }
 
 // NewManagedIdentityCredential creates a ManagedIdentityCredential. Pass nil to accept default options.
@@ -93,35 +91,23 @@ func NewManagedIdentityCredential(options *ManagedIdentityCredentialOptions) (*M
 	if options.ID != nil {
 		clientID = options.ID.String()
 	}
-	// similarly, it's okay to give MSAL an incorrect authority URL because that URL won't be used
-	c, err := confidential.New("https://login.microsoftonline.com/common", clientID, cred)
+	// similarly, it's okay to give MSAL an incorrect tenant because MSAL won't use the value
+	c, err := newConfidentialClient("common", clientID, credNameManagedIdentity, cred, confidentialClientOptions{})
 	if err != nil {
 		return nil, err
 	}
-	m := ManagedIdentityCredential{client: c, mic: mic}
-	m.s = newSyncer(credNameManagedIdentity, "", nil, m.requestToken, m.silentAuth)
-	return &m, nil
+	return &ManagedIdentityCredential{client: c, mic: mic}, nil
 }
 
 // GetToken requests an access token from the hosting environment. This method is called automatically by Azure SDK clients.
 func (c *ManagedIdentityCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
 	if len(opts.Scopes) != 1 {
-		err := errors.New(credNameManagedIdentity + ": GetToken() requires exactly one scope")
+		err := fmt.Errorf("%s.GetToken() requires exactly one scope", credNameManagedIdentity)
 		return azcore.AccessToken{}, err
 	}
 	// managed identity endpoints require an AADv1 resource (i.e. token audience), not a v2 scope, so we remove "/.default" here
 	opts.Scopes = []string{strings.TrimSuffix(opts.Scopes[0], defaultSuffix)}
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *ManagedIdentityCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenByCredential(ctx, opts.Scopes)
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *ManagedIdentityCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes)
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return c.client.GetToken(ctx, opts)
 }
 
 var _ azcore.TokenCredential = (*ManagedIdentityCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
index 3e173f47d..2b360b681 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go
@@ -25,9 +25,7 @@ const credNameOBO = "OnBehalfOfCredential"
 //
 // [Azure Active Directory documentation]: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
 type OnBehalfOfCredential struct {
-	assertion string
-	client    confidentialClient
-	s         *syncer
+	client *confidentialClient
 }
 
 // OnBehalfOfCredentialOptions contains optional parameters for OnBehalfOfCredential
@@ -72,28 +70,23 @@ func newOnBehalfOfCredential(tenantID, clientID, userAssertion string, cred conf
 	if options == nil {
 		options = &OnBehalfOfCredentialOptions{}
 	}
-	opts := []confidential.Option{}
-	if options.SendCertificateChain {
-		opts = append(opts, confidential.WithX5C())
+	opts := confidentialClientOptions{
+		AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+		Assertion:                  userAssertion,
+		ClientOptions:              options.ClientOptions,
+		DisableInstanceDiscovery:   options.DisableInstanceDiscovery,
+		SendX5C:                    options.SendCertificateChain,
 	}
-	opts = append(opts, confidential.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
-	c, err := getConfidentialClient(clientID, tenantID, cred, &options.ClientOptions, opts...)
+	c, err := newConfidentialClient(tenantID, clientID, credNameOBO, cred, opts)
 	if err != nil {
 		return nil, err
 	}
-	obo := OnBehalfOfCredential{assertion: userAssertion, client: c}
-	obo.s = newSyncer(credNameOBO, tenantID, options.AdditionallyAllowedTenants, obo.requestToken, obo.requestToken)
-	return &obo, nil
+	return &OnBehalfOfCredential{c}, nil
 }
 
 // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
 func (o *OnBehalfOfCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	return o.s.GetToken(ctx, opts)
-}
-
-func (o *OnBehalfOfCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := o.client.AcquireTokenOnBehalfOf(ctx, o.assertion, opts.Scopes, confidential.WithTenantID(opts.TenantID))
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return o.client.GetToken(ctx, opts)
 }
 
 var _ azcore.TokenCredential = (*OnBehalfOfCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go
new file mode 100644
index 000000000..6512d3e25
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go
@@ -0,0 +1,178 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package azidentity
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
+	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
+)
+
+type publicClientOptions struct {
+	azcore.ClientOptions
+
+	AdditionallyAllowedTenants []string
+	DeviceCodePrompt           func(context.Context, DeviceCodeMessage) error
+	DisableInstanceDiscovery   bool
+	LoginHint, RedirectURL     string
+	Username, Password         string
+}
+
+// publicClient wraps the MSAL public client
+type publicClient struct {
+	account                  public.Account
+	cae, noCAE               msalPublicClient
+	caeMu, noCAEMu, clientMu *sync.Mutex
+	clientID, tenantID       string
+	host                     string
+	name                     string
+	opts                     publicClientOptions
+}
+
+func newPublicClient(tenantID, clientID, name string, o publicClientOptions) (*publicClient, error) {
+	if !validTenantID(tenantID) {
+		return nil, errInvalidTenantID
+	}
+	host, err := setAuthorityHost(o.Cloud)
+	if err != nil {
+		return nil, err
+	}
+	o.AdditionallyAllowedTenants = resolveAdditionalTenants(o.AdditionallyAllowedTenants)
+	return &publicClient{
+		caeMu:    &sync.Mutex{},
+		clientID: clientID,
+		clientMu: &sync.Mutex{},
+		host:     host,
+		name:     name,
+		noCAEMu:  &sync.Mutex{},
+		opts:     o,
+		tenantID: tenantID,
+	}, nil
+}
+
+// GetToken requests an access token from MSAL, checking the cache first.
+func (p *publicClient) GetToken(ctx context.Context, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	if len(tro.Scopes) < 1 {
+		return azcore.AccessToken{}, fmt.Errorf("%s.GetToken() requires at least one scope", p.name)
+	}
+	tenant, err := p.resolveTenant(tro.TenantID)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+	client, mu, err := p.client(tro)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+	mu.Lock()
+	defer mu.Unlock()
+	ar, err := client.AcquireTokenSilent(ctx, tro.Scopes, public.WithSilentAccount(p.account), public.WithClaims(tro.Claims), public.WithTenantID(tenant))
+	if err == nil {
+		return p.token(ar, err)
+	}
+	at, err := p.reqToken(ctx, client, tro)
+	if err == nil {
+		msg := fmt.Sprintf("%s.GetToken() acquired a token for scope %q", p.name, strings.Join(ar.GrantedScopes, ", "))
+		log.Write(EventAuthentication, msg)
+	}
+	return at, err
+}
+
+// reqToken requests a token from the MSAL public client. It's separate from GetToken() to enable Authenticate() to bypass the cache.
+func (p *publicClient) reqToken(ctx context.Context, c msalPublicClient, tro policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	tenant, err := p.resolveTenant(tro.TenantID)
+	if err != nil {
+		return azcore.AccessToken{}, err
+	}
+	var ar public.AuthResult
+	switch p.name {
+	case credNameBrowser:
+		ar, err = c.AcquireTokenInteractive(ctx, tro.Scopes,
+			public.WithClaims(tro.Claims),
+			public.WithLoginHint(p.opts.LoginHint),
+			public.WithRedirectURI(p.opts.RedirectURL),
+			public.WithTenantID(tenant),
+		)
+	case credNameDeviceCode:
+		dc, e := c.AcquireTokenByDeviceCode(ctx, tro.Scopes, public.WithClaims(tro.Claims), public.WithTenantID(tenant))
+		if e != nil {
+			return azcore.AccessToken{}, e
+		}
+		err = p.opts.DeviceCodePrompt(ctx, DeviceCodeMessage{
+			Message:         dc.Result.Message,
+			UserCode:        dc.Result.UserCode,
+			VerificationURL: dc.Result.VerificationURL,
+		})
+		if err == nil {
+			ar, err = dc.AuthenticationResult(ctx)
+		}
+	case credNameUserPassword:
+		ar, err = c.AcquireTokenByUsernamePassword(ctx, tro.Scopes, p.opts.Username, p.opts.Password, public.WithClaims(tro.Claims), public.WithTenantID(tenant))
+	default:
+		return azcore.AccessToken{}, fmt.Errorf("unknown credential %q", p.name)
+	}
+	return p.token(ar, err)
+}
+
+func (p *publicClient) client(tro policy.TokenRequestOptions) (msalPublicClient, *sync.Mutex, error) {
+	p.clientMu.Lock()
+	defer p.clientMu.Unlock()
+	if tro.EnableCAE {
+		if p.cae == nil {
+			client, err := p.newMSALClient(true)
+			if err != nil {
+				return nil, nil, err
+			}
+			p.cae = client
+		}
+		return p.cae, p.caeMu, nil
+	}
+	if p.noCAE == nil {
+		client, err := p.newMSALClient(false)
+		if err != nil {
+			return nil, nil, err
+		}
+		p.noCAE = client
+	}
+	return p.noCAE, p.noCAEMu, nil
+}
+
+func (p *publicClient) newMSALClient(enableCAE bool) (msalPublicClient, error) {
+	o := []public.Option{
+		public.WithAuthority(runtime.JoinPaths(p.host, p.tenantID)),
+		public.WithHTTPClient(newPipelineAdapter(&p.opts.ClientOptions)),
+	}
+	if enableCAE {
+		o = append(o, public.WithClientCapabilities(cp1))
+	}
+	if p.opts.DisableInstanceDiscovery || strings.ToLower(p.tenantID) == "adfs" {
+		o = append(o, public.WithInstanceDiscovery(false))
+	}
+	return public.New(p.clientID, o...)
+}
+
+func (p *publicClient) token(ar public.AuthResult, err error) (azcore.AccessToken, error) {
+	if err == nil {
+		p.account = ar.Account
+	} else {
+		res := getResponseFromError(err)
+		err = newAuthenticationFailedError(p.name, err.Error(), res, err)
+	}
+	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+}
+
+// resolveTenant returns the correct tenant for a token request given the client's
+// configuration, or an error when that configuration doesn't allow the specified tenant
+func (p *publicClient) resolveTenant(specified string) (string, error) {
+	return resolveTenant(p.tenantID, specified, p.name, p.opts.AdditionallyAllowedTenants)
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go
deleted file mode 100644
index ae3855599..000000000
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/syncer.go
+++ /dev/null
@@ -1,130 +0,0 @@
-//go:build go1.18
-// +build go1.18
-
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-package azidentity
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-	"sync"
-
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
-	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/Azure/azure-sdk-for-go/sdk/internal/log"
-)
-
-type authFn func(context.Context, policy.TokenRequestOptions) (azcore.AccessToken, error)
-
-// syncer synchronizes authentication calls so that goroutines can share a credential instance
-type syncer struct {
-	addlTenants      []string
-	authing          bool
-	cond             *sync.Cond
-	reqToken, silent authFn
-	name, tenant     string
-}
-
-func newSyncer(name, tenant string, additionalTenants []string, reqToken, silentAuth authFn) *syncer {
-	return &syncer{
-		addlTenants: resolveAdditionalTenants(additionalTenants),
-		cond:        &sync.Cond{L: &sync.Mutex{}},
-		name:        name,
-		reqToken:    reqToken,
-		silent:      silentAuth,
-		tenant:      tenant,
-	}
-}
-
-// GetToken ensures that only one goroutine authenticates at a time
-func (s *syncer) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	var at azcore.AccessToken
-	var err error
-	if len(opts.Scopes) == 0 {
-		return at, errors.New(s.name + ".GetToken() requires at least one scope")
-	}
-	// we don't resolve the tenant for managed identities because they can acquire tokens only from their home tenants
-	if s.name != credNameManagedIdentity {
-		tenant, err := s.resolveTenant(opts.TenantID)
-		if err != nil {
-			return at, err
-		}
-		opts.TenantID = tenant
-	}
-	auth := false
-	s.cond.L.Lock()
-	defer s.cond.L.Unlock()
-	for {
-		at, err = s.silent(ctx, opts)
-		if err == nil {
-			// got a token
-			break
-		}
-		if !s.authing {
-			// this goroutine will request a token
-			s.authing, auth = true, true
-			break
-		}
-		// another goroutine is acquiring a token; wait for it to finish, then try silent auth again
-		s.cond.Wait()
-	}
-	if auth {
-		s.authing = false
-		at, err = s.reqToken(ctx, opts)
-		s.cond.Broadcast()
-	}
-	if err != nil {
-		// Return credentialUnavailableError directly because that type affects the behavior of credential chains.
-		// Otherwise, return AuthenticationFailedError.
-		var unavailableErr *credentialUnavailableError
-		if !errors.As(err, &unavailableErr) {
-			res := getResponseFromError(err)
-			err = newAuthenticationFailedError(s.name, err.Error(), res, err)
-		}
-	} else if log.Should(EventAuthentication) {
-		scope := strings.Join(opts.Scopes, ", ")
-		msg := fmt.Sprintf(`%s.GetToken() acquired a token for scope "%s"\n`, s.name, scope)
-		log.Write(EventAuthentication, msg)
-	}
-	return at, err
-}
-
-// resolveTenant returns the correct tenant for a token request given the credential's
-// configuration, or an error when the specified tenant isn't allowed by that configuration
-func (s *syncer) resolveTenant(requested string) (string, error) {
-	if requested == "" || requested == s.tenant {
-		return s.tenant, nil
-	}
-	if s.tenant == "adfs" {
-		return "", errors.New("ADFS doesn't support tenants")
-	}
-	if !validTenantID(requested) {
-		return "", errors.New(tenantIDValidationErr)
-	}
-	for _, t := range s.addlTenants {
-		if t == "*" || t == requested {
-			return requested, nil
-		}
-	}
-	return "", fmt.Errorf(`%s isn't configured to acquire tokens for tenant %q. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to allow acquiring tokens for any tenant`, s.name, requested)
-}
-
-// resolveAdditionalTenants returns a copy of tenants, simplified when tenants contains a wildcard
-func resolveAdditionalTenants(tenants []string) []string {
-	if len(tenants) == 0 {
-		return nil
-	}
-	for _, t := range tenants {
-		// a wildcard makes all other values redundant
-		if t == "*" {
-			return []string{"*"}
-		}
-	}
-	cp := make([]string, len(tenants))
-	copy(cp, tenants)
-	return cp
-}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-pre.ps1 b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-pre.ps1
new file mode 100644
index 000000000..fe0183add
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-pre.ps1
@@ -0,0 +1,36 @@
+[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
+param (
+    # Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
+    [Parameter(ValueFromRemainingArguments = $true)]
+    $RemainingArguments
+)
+
+if (!$CI) {
+    # TODO: Remove this once auto-cloud config downloads are supported locally
+    Write-Host "Skipping cert setup in local testing mode"
+    return
+}
+
+if ($EnvironmentVariables -eq $null -or $EnvironmentVariables.Count -eq 0) {
+    throw "EnvironmentVariables must be set in the calling script New-TestResources.ps1"
+}
+
+$tmp = $env:TEMP ? $env:TEMP : [System.IO.Path]::GetTempPath()
+$pfxPath = Join-Path $tmp "test.pfx"
+$pemPath = Join-Path $tmp "test.pem"
+$sniPath = Join-Path $tmp "testsni.pfx"
+
+Write-Host "Creating identity test files: $pfxPath $pemPath $sniPath"
+
+[System.Convert]::FromBase64String($EnvironmentVariables['PFX_CONTENTS']) | Set-Content -Path $pfxPath -AsByteStream
+Set-Content -Path $pemPath -Value $EnvironmentVariables['PEM_CONTENTS']
+[System.Convert]::FromBase64String($EnvironmentVariables['SNI_CONTENTS']) | Set-Content -Path $sniPath -AsByteStream
+
+# Set for pipeline
+Write-Host "##vso[task.setvariable variable=IDENTITY_SP_CERT_PFX;]$pfxPath"
+Write-Host "##vso[task.setvariable variable=IDENTITY_SP_CERT_PEM;]$pemPath"
+Write-Host "##vso[task.setvariable variable=IDENTITY_SP_CERT_SNI;]$sniPath"
+# Set for local
+$env:IDENTITY_SP_CERT_PFX = $pfxPath
+$env:IDENTITY_SP_CERT_PEM = $pemPath
+$env:IDENTITY_SP_CERT_SNI = $sniPath
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources.bicep b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources.bicep
new file mode 100644
index 000000000..b3490d3b5
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources.bicep
@@ -0,0 +1 @@
+param baseName string
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
index 8e652e33f..f787ec0ce 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
-	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
 )
 
 const credNameUserPassword = "UsernamePasswordCredential"
@@ -36,10 +35,7 @@ type UsernamePasswordCredentialOptions struct {
 // with any form of multi-factor authentication, and the application must already have user or admin consent.
 // This credential can only authenticate work and school accounts; it can't authenticate Microsoft accounts.
 type UsernamePasswordCredential struct {
-	account            public.Account
-	client             publicClient
-	password, username string
-	s                  *syncer
+	client *publicClient
 }
 
 // NewUsernamePasswordCredential creates a UsernamePasswordCredential. clientID is the ID of the application the user
@@ -48,34 +44,23 @@ func NewUsernamePasswordCredential(tenantID string, clientID string, username st
 	if options == nil {
 		options = &UsernamePasswordCredentialOptions{}
 	}
-	c, err := getPublicClient(clientID, tenantID, &options.ClientOptions, public.WithInstanceDiscovery(!options.DisableInstanceDiscovery))
+	opts := publicClientOptions{
+		AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
+		ClientOptions:              options.ClientOptions,
+		DisableInstanceDiscovery:   options.DisableInstanceDiscovery,
+		Password:                   password,
+		Username:                   username,
+	}
+	c, err := newPublicClient(tenantID, clientID, credNameUserPassword, opts)
 	if err != nil {
 		return nil, err
 	}
-	upc := UsernamePasswordCredential{client: c, password: password, username: username}
-	upc.s = newSyncer(credNameUserPassword, tenantID, options.AdditionallyAllowedTenants, upc.requestToken, upc.silentAuth)
-	return &upc, nil
+	return &UsernamePasswordCredential{client: c}, err
 }
 
 // GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.
 func (c *UsernamePasswordCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	return c.s.GetToken(ctx, opts)
-}
-
-func (c *UsernamePasswordCredential) requestToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenByUsernamePassword(ctx, opts.Scopes, c.username, c.password, public.WithTenantID(opts.TenantID))
-	if err == nil {
-		c.account = ar.Account
-	}
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
-}
-
-func (c *UsernamePasswordCredential) silentAuth(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
-	ar, err := c.client.AcquireTokenSilent(ctx, opts.Scopes,
-		public.WithSilentAccount(c.account),
-		public.WithTenantID(opts.TenantID),
-	)
-	return azcore.AccessToken{Token: ar.AccessToken, ExpiresOn: ar.ExpiresOn.UTC()}, err
+	return c.client.GetToken(ctx, opts)
 }
 
 var _ azcore.TokenCredential = (*UsernamePasswordCredential)(nil)
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
index 38a1f420b..65e74e31e 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go
@@ -11,5 +11,5 @@ const (
 	component = "azidentity"
 
 	// Version is the semantic version (see http://semver.org) of this module.
-	version = "v1.3.1"
+	version = "v1.4.0"
 )
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
index 7bfb34367..7e016324d 100644
--- a/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go
@@ -47,7 +47,7 @@ type WorkloadIdentityCredentialOptions struct {
 	DisableInstanceDiscovery bool
 	// TenantID of the service principal. Defaults to the value of the environment variable AZURE_TENANT_ID.
 	TenantID string
-	// TokenFilePath is the path a file containing the workload identity token. Defaults to the value of the
+	// TokenFilePath is the path of a file containing a Kubernetes service account token. Defaults to the value of the
 	// environment variable AZURE_FEDERATED_TOKEN_FILE.
 	TokenFilePath string
 }
@@ -88,7 +88,7 @@ func NewWorkloadIdentityCredential(options *WorkloadIdentityCredentialOptions) (
 		return nil, err
 	}
 	// we want "WorkloadIdentityCredential" in log messages, not "ClientAssertionCredential"
-	cred.s.name = credNameWorkloadIdentity
+	cred.client.name = credNameWorkloadIdentity
 	w.cred = cred
 	return &w, nil
 }
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/CHANGELOG.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/CHANGELOG.md
new file mode 100644
index 000000000..77a737e73
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/CHANGELOG.md
@@ -0,0 +1,83 @@
+# Release History
+
+## 1.4.0 (2023-11-24)
+### Features Added
+
+- Support for test fakes and OpenTelemetry trace spans.
+
+
+## 1.3.0 (2023-10-27)
+### Features Added
+
+- New value `ManagedHsmSKUNameCustomB6` added to enum type `ManagedHsmSKUName`
+- New enum type `ManagedServiceIdentityType` with values `ManagedServiceIdentityTypeNone`, `ManagedServiceIdentityTypeSystemAssigned`, `ManagedServiceIdentityTypeSystemAssignedUserAssigned`, `ManagedServiceIdentityTypeUserAssigned`
+- New struct `ManagedServiceIdentity`
+- New struct `UserAssignedIdentity`
+- New field `Identity` in struct `MHSMPrivateEndpointConnection`
+- New field `Identity` in struct `MHSMPrivateLinkResource`
+- New field `Identity` in struct `ManagedHsm`
+
+
+## 1.2.0 (2023-04-28)
+### Features Added
+
+- New value `JSONWebKeyOperationRelease` added to enum type `JSONWebKeyOperation`
+- New value `KeyPermissionsGetrotationpolicy`, `KeyPermissionsRelease`, `KeyPermissionsRotate`, `KeyPermissionsSetrotationpolicy` added to enum type `KeyPermissions`
+- New enum type `ActivationStatus` with values `ActivationStatusActive`, `ActivationStatusFailed`, `ActivationStatusNotActivated`, `ActivationStatusUnknown`
+- New enum type `GeoReplicationRegionProvisioningState` with values `GeoReplicationRegionProvisioningStateCleanup`, `GeoReplicationRegionProvisioningStateDeleting`, `GeoReplicationRegionProvisioningStateFailed`, `GeoReplicationRegionProvisioningStatePreprovisioning`, `GeoReplicationRegionProvisioningStateProvisioning`, `GeoReplicationRegionProvisioningStateSucceeded`
+- New enum type `KeyRotationPolicyActionType` with values `KeyRotationPolicyActionTypeNotify`, `KeyRotationPolicyActionTypeRotate`
+- New function `*ClientFactory.NewMHSMRegionsClient() *MHSMRegionsClient`
+- New function `*ClientFactory.NewManagedHsmKeysClient() *ManagedHsmKeysClient`
+- New function `NewMHSMRegionsClient(string, azcore.TokenCredential, *arm.ClientOptions) (*MHSMRegionsClient, error)`
+- New function `*MHSMRegionsClient.NewListByResourcePager(string, string, *MHSMRegionsClientListByResourceOptions) *runtime.Pager[MHSMRegionsClientListByResourceResponse]`
+- New function `NewManagedHsmKeysClient(string, azcore.TokenCredential, *arm.ClientOptions) (*ManagedHsmKeysClient, error)`
+- New function `*ManagedHsmKeysClient.CreateIfNotExist(context.Context, string, string, string, ManagedHsmKeyCreateParameters, *ManagedHsmKeysClientCreateIfNotExistOptions) (ManagedHsmKeysClientCreateIfNotExistResponse, error)`
+- New function `*ManagedHsmKeysClient.Get(context.Context, string, string, string, *ManagedHsmKeysClientGetOptions) (ManagedHsmKeysClientGetResponse, error)`
+- New function `*ManagedHsmKeysClient.GetVersion(context.Context, string, string, string, string, *ManagedHsmKeysClientGetVersionOptions) (ManagedHsmKeysClientGetVersionResponse, error)`
+- New function `*ManagedHsmKeysClient.NewListPager(string, string, *ManagedHsmKeysClientListOptions) *runtime.Pager[ManagedHsmKeysClientListResponse]`
+- New function `*ManagedHsmKeysClient.NewListVersionsPager(string, string, string, *ManagedHsmKeysClientListVersionsOptions) *runtime.Pager[ManagedHsmKeysClientListVersionsResponse]`
+- New function `*ManagedHsmsClient.CheckMhsmNameAvailability(context.Context, CheckMhsmNameAvailabilityParameters, *ManagedHsmsClientCheckMhsmNameAvailabilityOptions) (ManagedHsmsClientCheckMhsmNameAvailabilityResponse, error)`
+- New struct `Action`
+- New struct `CheckMhsmNameAvailabilityParameters`
+- New struct `CheckMhsmNameAvailabilityResult`
+- New struct `KeyReleasePolicy`
+- New struct `KeyRotationPolicyAttributes`
+- New struct `LifetimeAction`
+- New struct `MHSMGeoReplicatedRegion`
+- New struct `MHSMRegionsListResult`
+- New struct `ManagedHSMSecurityDomainProperties`
+- New struct `ManagedHsmAction`
+- New struct `ManagedHsmKey`
+- New struct `ManagedHsmKeyAttributes`
+- New struct `ManagedHsmKeyCreateParameters`
+- New struct `ManagedHsmKeyListResult`
+- New struct `ManagedHsmKeyProperties`
+- New struct `ManagedHsmKeyReleasePolicy`
+- New struct `ManagedHsmKeyRotationPolicyAttributes`
+- New struct `ManagedHsmLifetimeAction`
+- New struct `ManagedHsmRotationPolicy`
+- New struct `ManagedHsmTrigger`
+- New struct `ProxyResourceWithoutSystemData`
+- New struct `RotationPolicy`
+- New struct `Trigger`
+- New field `ReleasePolicy` in struct `KeyProperties`
+- New field `RotationPolicy` in struct `KeyProperties`
+- New field `Etag` in struct `MHSMPrivateEndpointConnectionItem`
+- New field `ID` in struct `MHSMPrivateEndpointConnectionItem`
+- New field `Regions` in struct `ManagedHsmProperties`
+- New field `SecurityDomainProperties` in struct `ManagedHsmProperties`
+
+
+## 1.1.0 (2023-04-06)
+### Features Added
+
+- New struct `ClientFactory` which is a client factory used to create any client in this module
+
+
+## 1.0.0 (2022-05-16)
+
+The package of `github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault` is using our [next generation design principles](https://azure.github.io/azure-sdk/general_introduction.html) since version 1.0.0, which contains breaking changes.
+
+To migrate the existing applications to the latest version, please refer to [Migration Guide](https://aka.ms/azsdk/go/mgmt/migration).
+
+To learn more, please refer to our documentation [Quick Start](https://aka.ms/azsdk/go/mgmt).
\ No newline at end of file
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/LICENSE.txt b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/LICENSE.txt
new file mode 100644
index 000000000..dc0c2ffb3
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/LICENSE.txt
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Microsoft Corporation. All rights reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/README.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/README.md
new file mode 100644
index 000000000..c394a2d43
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/README.md
@@ -0,0 +1,98 @@
+# Azure Key Vault Module for Go
+
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault)](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault)
+
+The `armkeyvault` module provides operations for working with Azure Key Vault.
+
+[Source code](https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/resourcemanager/keyvault/armkeyvault)
+
+# Getting started
+
+## Prerequisites
+
+- an [Azure subscription](https://azure.microsoft.com/free/)
+- Go 1.18 or above (You could download and install the latest version of Go from [here](https://go.dev/doc/install). It will replace the existing Go on your machine. If you want to install multiple Go versions on the same machine, you could refer this [doc](https://go.dev/doc/manage-install).)
+
+## Install the package
+
+This project uses [Go modules](https://github.com/golang/go/wiki/Modules) for versioning and dependency management.
+
+Install the Azure Key Vault module:
+
+```sh
+go get github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault
+```
+
+## Authorization
+
+When creating a client, you will need to provide a credential for authenticating with Azure Key Vault.  The `azidentity` module provides facilities for various ways of authenticating with Azure including client/secret, certificate, managed identity, and more.
+
+```go
+cred, err := azidentity.NewDefaultAzureCredential(nil)
+```
+
+For more information on authentication, please see the documentation for `azidentity` at [pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity).
+
+## Client Factory
+
+Azure Key Vault module consists of one or more clients. We provide a client factory which could be used to create any client in this module.
+
+```go
+clientFactory, err := armkeyvault.NewClientFactory(<subscription ID>, cred, nil)
+```
+
+You can use `ClientOptions` in package `github.com/Azure/azure-sdk-for-go/sdk/azcore/arm` to set endpoint to connect with public and sovereign clouds as well as Azure Stack. For more information, please see the documentation for `azcore` at [pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore).
+
+```go
+options := arm.ClientOptions {
+    ClientOptions: azcore.ClientOptions {
+        Cloud: cloud.AzureChina,
+    },
+}
+clientFactory, err := armkeyvault.NewClientFactory(<subscription ID>, cred, &options)
+```
+
+## Clients
+
+A client groups a set of related APIs, providing access to its functionality.  Create one or more clients to access the APIs you require using client factory.
+
+```go
+client := clientFactory.NewVaultsClient()
+```
+
+## Fakes
+
+The fake package contains types used for constructing in-memory fake servers used in unit tests.
+This allows writing tests to cover various success/error conditions without the need for connecting to a live service.
+
+Please see https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/samples/fakes for details and examples on how to use fakes.
+
+## More sample code
+
+- [Key](https://aka.ms/azsdk/go/mgmt/samples?path=sdk/resourcemanager/keyvault/key)
+- [Secret](https://aka.ms/azsdk/go/mgmt/samples?path=sdk/resourcemanager/keyvault/secret)
+- [Vault](https://aka.ms/azsdk/go/mgmt/samples?path=sdk/resourcemanager/keyvault/vault)
+
+## Provide Feedback
+
+If you encounter bugs or have suggestions, please
+[open an issue](https://github.com/Azure/azure-sdk-for-go/issues) and assign the `Key Vault` label.
+
+# Contributing
+
+This project welcomes contributions and suggestions. Most contributions require
+you to agree to a Contributor License Agreement (CLA) declaring that you have
+the right to, and actually do, grant us the rights to use your contribution.
+For details, visit [https://cla.microsoft.com](https://cla.microsoft.com).
+
+When you submit a pull request, a CLA-bot will automatically determine whether
+you need to provide a CLA and decorate the PR appropriately (e.g., label,
+comment). Simply follow the instructions provided by the bot. You will only
+need to do this once across all repos using our CLA.
+
+This project has adopted the
+[Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information, see the
+[Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any
+additional questions or comments.
\ No newline at end of file
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/assets.json b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/assets.json
new file mode 100644
index 000000000..84f2859a2
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/assets.json
@@ -0,0 +1,6 @@
+{
+  "AssetsRepo": "Azure/azure-sdk-assets",
+  "AssetsRepoPrefixPath": "go",
+  "TagPrefix": "go/resourcemanager/keyvault/armkeyvault",
+  "Tag": "go/resourcemanager/keyvault/armkeyvault_820248387e"
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/autorest.md b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/autorest.md
new file mode 100644
index 000000000..25de347af
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/autorest.md
@@ -0,0 +1,15 @@
+### AutoRest Configuration
+
+> see https://aka.ms/autorest
+
+``` yaml
+azure-arm: true
+require:
+- https://github.com/Azure/azure-rest-api-specs/blob/9ec0fcc278aa2128c4fbb2b8a1aa93432d72cce0/specification/keyvault/resource-manager/readme.md
+- https://github.com/Azure/azure-rest-api-specs/blob/9ec0fcc278aa2128c4fbb2b8a1aa93432d72cce0/specification/keyvault/resource-manager/readme.go.md
+license-header: MICROSOFT_MIT_NO_VERSION
+module-version: 1.4.0
+modelerfour:
+  seal-single-value-enum-by-default: true
+tag: package-2023-07
+```
\ No newline at end of file
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/build.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/build.go
new file mode 100644
index 000000000..ef03d7674
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/build.go
@@ -0,0 +1,7 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+// This file enables 'go generate' to regenerate this specific SDK
+//go:generate pwsh ../../../../eng/scripts/build.ps1 -skipBuild -cleanGenerated -format -tidy -generate -removeUnreferencedTypes resourcemanager/keyvault/armkeyvault
+
+package armkeyvault
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/ci.yml b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/ci.yml
new file mode 100644
index 000000000..db5bcb593
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/ci.yml
@@ -0,0 +1,28 @@
+# NOTE: Please refer to https://aka.ms/azsdk/engsys/ci-yaml before editing this file.
+trigger:
+  branches:
+    include:
+      - main
+      - feature/*
+      - hotfix/*
+      - release/*
+  paths:
+    include:
+    - sdk/resourcemanager/keyvault/armkeyvault/
+
+pr:
+  branches:
+    include:
+      - main
+      - feature/*
+      - hotfix/*
+      - release/*
+  paths:
+    include:
+    - sdk/resourcemanager/keyvault/armkeyvault/
+
+stages:
+- template: /eng/pipelines/templates/jobs/archetype-sdk-client.yml
+  parameters:
+    IncludeRelease: true
+    ServiceDirectory: 'resourcemanager/keyvault/armkeyvault'
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/client_factory.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/client_factory.go
new file mode 100644
index 000000000..90daa8e6f
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/client_factory.go
@@ -0,0 +1,105 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+)
+
+// ClientFactory is a client factory used to create any client in this module.
+// Don't use this type directly, use NewClientFactory instead.
+type ClientFactory struct {
+	subscriptionID string
+	credential     azcore.TokenCredential
+	options        *arm.ClientOptions
+}
+
+// NewClientFactory creates a new instance of ClientFactory with the specified values.
+// The parameter values will be propagated to any client created from this factory.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewClientFactory(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*ClientFactory, error) {
+	_, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	return &ClientFactory{
+		subscriptionID: subscriptionID, credential: credential,
+		options: options.Clone(),
+	}, nil
+}
+
+// NewKeysClient creates a new instance of KeysClient.
+func (c *ClientFactory) NewKeysClient() *KeysClient {
+	subClient, _ := NewKeysClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewMHSMPrivateEndpointConnectionsClient creates a new instance of MHSMPrivateEndpointConnectionsClient.
+func (c *ClientFactory) NewMHSMPrivateEndpointConnectionsClient() *MHSMPrivateEndpointConnectionsClient {
+	subClient, _ := NewMHSMPrivateEndpointConnectionsClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewMHSMPrivateLinkResourcesClient creates a new instance of MHSMPrivateLinkResourcesClient.
+func (c *ClientFactory) NewMHSMPrivateLinkResourcesClient() *MHSMPrivateLinkResourcesClient {
+	subClient, _ := NewMHSMPrivateLinkResourcesClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewMHSMRegionsClient creates a new instance of MHSMRegionsClient.
+func (c *ClientFactory) NewMHSMRegionsClient() *MHSMRegionsClient {
+	subClient, _ := NewMHSMRegionsClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewManagedHsmKeysClient creates a new instance of ManagedHsmKeysClient.
+func (c *ClientFactory) NewManagedHsmKeysClient() *ManagedHsmKeysClient {
+	subClient, _ := NewManagedHsmKeysClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewManagedHsmsClient creates a new instance of ManagedHsmsClient.
+func (c *ClientFactory) NewManagedHsmsClient() *ManagedHsmsClient {
+	subClient, _ := NewManagedHsmsClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewOperationsClient creates a new instance of OperationsClient.
+func (c *ClientFactory) NewOperationsClient() *OperationsClient {
+	subClient, _ := NewOperationsClient(c.credential, c.options)
+	return subClient
+}
+
+// NewPrivateEndpointConnectionsClient creates a new instance of PrivateEndpointConnectionsClient.
+func (c *ClientFactory) NewPrivateEndpointConnectionsClient() *PrivateEndpointConnectionsClient {
+	subClient, _ := NewPrivateEndpointConnectionsClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewPrivateLinkResourcesClient creates a new instance of PrivateLinkResourcesClient.
+func (c *ClientFactory) NewPrivateLinkResourcesClient() *PrivateLinkResourcesClient {
+	subClient, _ := NewPrivateLinkResourcesClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewSecretsClient creates a new instance of SecretsClient.
+func (c *ClientFactory) NewSecretsClient() *SecretsClient {
+	subClient, _ := NewSecretsClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
+
+// NewVaultsClient creates a new instance of VaultsClient.
+func (c *ClientFactory) NewVaultsClient() *VaultsClient {
+	subClient, _ := NewVaultsClient(c.subscriptionID, c.credential, c.options)
+	return subClient
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/constants.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/constants.go
new file mode 100644
index 000000000..0d763ddfb
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/constants.go
@@ -0,0 +1,647 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+const (
+	moduleName    = "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault"
+	moduleVersion = "v1.4.0"
+)
+
+type AccessPolicyUpdateKind string
+
+const (
+	AccessPolicyUpdateKindAdd     AccessPolicyUpdateKind = "add"
+	AccessPolicyUpdateKindRemove  AccessPolicyUpdateKind = "remove"
+	AccessPolicyUpdateKindReplace AccessPolicyUpdateKind = "replace"
+)
+
+// PossibleAccessPolicyUpdateKindValues returns the possible values for the AccessPolicyUpdateKind const type.
+func PossibleAccessPolicyUpdateKindValues() []AccessPolicyUpdateKind {
+	return []AccessPolicyUpdateKind{
+		AccessPolicyUpdateKindAdd,
+		AccessPolicyUpdateKindRemove,
+		AccessPolicyUpdateKindReplace,
+	}
+}
+
+// ActionsRequired - A message indicating if changes on the service provider require any updates on the consumer.
+type ActionsRequired string
+
+const (
+	ActionsRequiredNone ActionsRequired = "None"
+)
+
+// PossibleActionsRequiredValues returns the possible values for the ActionsRequired const type.
+func PossibleActionsRequiredValues() []ActionsRequired {
+	return []ActionsRequired{
+		ActionsRequiredNone,
+	}
+}
+
+// ActivationStatus - Activation Status
+type ActivationStatus string
+
+const (
+	// ActivationStatusActive - The managed HSM Pool is active.
+	ActivationStatusActive ActivationStatus = "Active"
+	// ActivationStatusFailed - Failed to activate managed hsm.
+	ActivationStatusFailed ActivationStatus = "Failed"
+	// ActivationStatusNotActivated - The managed HSM Pool is not yet activated.
+	ActivationStatusNotActivated ActivationStatus = "NotActivated"
+	// ActivationStatusUnknown - An unknown error occurred while activating managed hsm.
+	ActivationStatusUnknown ActivationStatus = "Unknown"
+)
+
+// PossibleActivationStatusValues returns the possible values for the ActivationStatus const type.
+func PossibleActivationStatusValues() []ActivationStatus {
+	return []ActivationStatus{
+		ActivationStatusActive,
+		ActivationStatusFailed,
+		ActivationStatusNotActivated,
+		ActivationStatusUnknown,
+	}
+}
+
+type CertificatePermissions string
+
+const (
+	CertificatePermissionsAll            CertificatePermissions = "all"
+	CertificatePermissionsBackup         CertificatePermissions = "backup"
+	CertificatePermissionsCreate         CertificatePermissions = "create"
+	CertificatePermissionsDelete         CertificatePermissions = "delete"
+	CertificatePermissionsDeleteissuers  CertificatePermissions = "deleteissuers"
+	CertificatePermissionsGet            CertificatePermissions = "get"
+	CertificatePermissionsGetissuers     CertificatePermissions = "getissuers"
+	CertificatePermissionsImport         CertificatePermissions = "import"
+	CertificatePermissionsList           CertificatePermissions = "list"
+	CertificatePermissionsListissuers    CertificatePermissions = "listissuers"
+	CertificatePermissionsManagecontacts CertificatePermissions = "managecontacts"
+	CertificatePermissionsManageissuers  CertificatePermissions = "manageissuers"
+	CertificatePermissionsPurge          CertificatePermissions = "purge"
+	CertificatePermissionsRecover        CertificatePermissions = "recover"
+	CertificatePermissionsRestore        CertificatePermissions = "restore"
+	CertificatePermissionsSetissuers     CertificatePermissions = "setissuers"
+	CertificatePermissionsUpdate         CertificatePermissions = "update"
+)
+
+// PossibleCertificatePermissionsValues returns the possible values for the CertificatePermissions const type.
+func PossibleCertificatePermissionsValues() []CertificatePermissions {
+	return []CertificatePermissions{
+		CertificatePermissionsAll,
+		CertificatePermissionsBackup,
+		CertificatePermissionsCreate,
+		CertificatePermissionsDelete,
+		CertificatePermissionsDeleteissuers,
+		CertificatePermissionsGet,
+		CertificatePermissionsGetissuers,
+		CertificatePermissionsImport,
+		CertificatePermissionsList,
+		CertificatePermissionsListissuers,
+		CertificatePermissionsManagecontacts,
+		CertificatePermissionsManageissuers,
+		CertificatePermissionsPurge,
+		CertificatePermissionsRecover,
+		CertificatePermissionsRestore,
+		CertificatePermissionsSetissuers,
+		CertificatePermissionsUpdate,
+	}
+}
+
+// CreateMode - The vault's create mode to indicate whether the vault need to be recovered or not.
+type CreateMode string
+
+const (
+	CreateModeDefault CreateMode = "default"
+	CreateModeRecover CreateMode = "recover"
+)
+
+// PossibleCreateModeValues returns the possible values for the CreateMode const type.
+func PossibleCreateModeValues() []CreateMode {
+	return []CreateMode{
+		CreateModeDefault,
+		CreateModeRecover,
+	}
+}
+
+// DeletionRecoveryLevel - The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then
+// the object can be permanently deleted by a privileged user; otherwise, only the system can purge the
+// object at the end of the retention interval.
+type DeletionRecoveryLevel string
+
+const (
+	DeletionRecoveryLevelPurgeable                        DeletionRecoveryLevel = "Purgeable"
+	DeletionRecoveryLevelRecoverable                      DeletionRecoveryLevel = "Recoverable"
+	DeletionRecoveryLevelRecoverableProtectedSubscription DeletionRecoveryLevel = "Recoverable+ProtectedSubscription"
+	DeletionRecoveryLevelRecoverablePurgeable             DeletionRecoveryLevel = "Recoverable+Purgeable"
+)
+
+// PossibleDeletionRecoveryLevelValues returns the possible values for the DeletionRecoveryLevel const type.
+func PossibleDeletionRecoveryLevelValues() []DeletionRecoveryLevel {
+	return []DeletionRecoveryLevel{
+		DeletionRecoveryLevelPurgeable,
+		DeletionRecoveryLevelRecoverable,
+		DeletionRecoveryLevelRecoverableProtectedSubscription,
+		DeletionRecoveryLevelRecoverablePurgeable,
+	}
+}
+
+// GeoReplicationRegionProvisioningState - The current provisioning state.
+type GeoReplicationRegionProvisioningState string
+
+const (
+	GeoReplicationRegionProvisioningStateCleanup         GeoReplicationRegionProvisioningState = "Cleanup"
+	GeoReplicationRegionProvisioningStateDeleting        GeoReplicationRegionProvisioningState = "Deleting"
+	GeoReplicationRegionProvisioningStateFailed          GeoReplicationRegionProvisioningState = "Failed"
+	GeoReplicationRegionProvisioningStatePreprovisioning GeoReplicationRegionProvisioningState = "Preprovisioning"
+	GeoReplicationRegionProvisioningStateProvisioning    GeoReplicationRegionProvisioningState = "Provisioning"
+	GeoReplicationRegionProvisioningStateSucceeded       GeoReplicationRegionProvisioningState = "Succeeded"
+)
+
+// PossibleGeoReplicationRegionProvisioningStateValues returns the possible values for the GeoReplicationRegionProvisioningState const type.
+func PossibleGeoReplicationRegionProvisioningStateValues() []GeoReplicationRegionProvisioningState {
+	return []GeoReplicationRegionProvisioningState{
+		GeoReplicationRegionProvisioningStateCleanup,
+		GeoReplicationRegionProvisioningStateDeleting,
+		GeoReplicationRegionProvisioningStateFailed,
+		GeoReplicationRegionProvisioningStatePreprovisioning,
+		GeoReplicationRegionProvisioningStateProvisioning,
+		GeoReplicationRegionProvisioningStateSucceeded,
+	}
+}
+
+// IdentityType - The type of identity.
+type IdentityType string
+
+const (
+	IdentityTypeApplication     IdentityType = "Application"
+	IdentityTypeKey             IdentityType = "Key"
+	IdentityTypeManagedIdentity IdentityType = "ManagedIdentity"
+	IdentityTypeUser            IdentityType = "User"
+)
+
+// PossibleIdentityTypeValues returns the possible values for the IdentityType const type.
+func PossibleIdentityTypeValues() []IdentityType {
+	return []IdentityType{
+		IdentityTypeApplication,
+		IdentityTypeKey,
+		IdentityTypeManagedIdentity,
+		IdentityTypeUser,
+	}
+}
+
+// JSONWebKeyCurveName - The elliptic curve name. For valid values, see JsonWebKeyCurveName.
+type JSONWebKeyCurveName string
+
+const (
+	JSONWebKeyCurveNameP256  JSONWebKeyCurveName = "P-256"
+	JSONWebKeyCurveNameP256K JSONWebKeyCurveName = "P-256K"
+	JSONWebKeyCurveNameP384  JSONWebKeyCurveName = "P-384"
+	JSONWebKeyCurveNameP521  JSONWebKeyCurveName = "P-521"
+)
+
+// PossibleJSONWebKeyCurveNameValues returns the possible values for the JSONWebKeyCurveName const type.
+func PossibleJSONWebKeyCurveNameValues() []JSONWebKeyCurveName {
+	return []JSONWebKeyCurveName{
+		JSONWebKeyCurveNameP256,
+		JSONWebKeyCurveNameP256K,
+		JSONWebKeyCurveNameP384,
+		JSONWebKeyCurveNameP521,
+	}
+}
+
+// JSONWebKeyOperation - The permitted JSON web key operations of the key. For more information, see JsonWebKeyOperation.
+type JSONWebKeyOperation string
+
+const (
+	JSONWebKeyOperationDecrypt   JSONWebKeyOperation = "decrypt"
+	JSONWebKeyOperationEncrypt   JSONWebKeyOperation = "encrypt"
+	JSONWebKeyOperationImport    JSONWebKeyOperation = "import"
+	JSONWebKeyOperationRelease   JSONWebKeyOperation = "release"
+	JSONWebKeyOperationSign      JSONWebKeyOperation = "sign"
+	JSONWebKeyOperationUnwrapKey JSONWebKeyOperation = "unwrapKey"
+	JSONWebKeyOperationVerify    JSONWebKeyOperation = "verify"
+	JSONWebKeyOperationWrapKey   JSONWebKeyOperation = "wrapKey"
+)
+
+// PossibleJSONWebKeyOperationValues returns the possible values for the JSONWebKeyOperation const type.
+func PossibleJSONWebKeyOperationValues() []JSONWebKeyOperation {
+	return []JSONWebKeyOperation{
+		JSONWebKeyOperationDecrypt,
+		JSONWebKeyOperationEncrypt,
+		JSONWebKeyOperationImport,
+		JSONWebKeyOperationRelease,
+		JSONWebKeyOperationSign,
+		JSONWebKeyOperationUnwrapKey,
+		JSONWebKeyOperationVerify,
+		JSONWebKeyOperationWrapKey,
+	}
+}
+
+// JSONWebKeyType - The type of the key. For valid values, see JsonWebKeyType.
+type JSONWebKeyType string
+
+const (
+	JSONWebKeyTypeEC     JSONWebKeyType = "EC"
+	JSONWebKeyTypeECHSM  JSONWebKeyType = "EC-HSM"
+	JSONWebKeyTypeRSA    JSONWebKeyType = "RSA"
+	JSONWebKeyTypeRSAHSM JSONWebKeyType = "RSA-HSM"
+)
+
+// PossibleJSONWebKeyTypeValues returns the possible values for the JSONWebKeyType const type.
+func PossibleJSONWebKeyTypeValues() []JSONWebKeyType {
+	return []JSONWebKeyType{
+		JSONWebKeyTypeEC,
+		JSONWebKeyTypeECHSM,
+		JSONWebKeyTypeRSA,
+		JSONWebKeyTypeRSAHSM,
+	}
+}
+
+type KeyPermissions string
+
+const (
+	KeyPermissionsAll               KeyPermissions = "all"
+	KeyPermissionsBackup            KeyPermissions = "backup"
+	KeyPermissionsCreate            KeyPermissions = "create"
+	KeyPermissionsDecrypt           KeyPermissions = "decrypt"
+	KeyPermissionsDelete            KeyPermissions = "delete"
+	KeyPermissionsEncrypt           KeyPermissions = "encrypt"
+	KeyPermissionsGet               KeyPermissions = "get"
+	KeyPermissionsGetrotationpolicy KeyPermissions = "getrotationpolicy"
+	KeyPermissionsImport            KeyPermissions = "import"
+	KeyPermissionsList              KeyPermissions = "list"
+	KeyPermissionsPurge             KeyPermissions = "purge"
+	KeyPermissionsRecover           KeyPermissions = "recover"
+	KeyPermissionsRelease           KeyPermissions = "release"
+	KeyPermissionsRestore           KeyPermissions = "restore"
+	KeyPermissionsRotate            KeyPermissions = "rotate"
+	KeyPermissionsSetrotationpolicy KeyPermissions = "setrotationpolicy"
+	KeyPermissionsSign              KeyPermissions = "sign"
+	KeyPermissionsUnwrapKey         KeyPermissions = "unwrapKey"
+	KeyPermissionsUpdate            KeyPermissions = "update"
+	KeyPermissionsVerify            KeyPermissions = "verify"
+	KeyPermissionsWrapKey           KeyPermissions = "wrapKey"
+)
+
+// PossibleKeyPermissionsValues returns the possible values for the KeyPermissions const type.
+func PossibleKeyPermissionsValues() []KeyPermissions {
+	return []KeyPermissions{
+		KeyPermissionsAll,
+		KeyPermissionsBackup,
+		KeyPermissionsCreate,
+		KeyPermissionsDecrypt,
+		KeyPermissionsDelete,
+		KeyPermissionsEncrypt,
+		KeyPermissionsGet,
+		KeyPermissionsGetrotationpolicy,
+		KeyPermissionsImport,
+		KeyPermissionsList,
+		KeyPermissionsPurge,
+		KeyPermissionsRecover,
+		KeyPermissionsRelease,
+		KeyPermissionsRestore,
+		KeyPermissionsRotate,
+		KeyPermissionsSetrotationpolicy,
+		KeyPermissionsSign,
+		KeyPermissionsUnwrapKey,
+		KeyPermissionsUpdate,
+		KeyPermissionsVerify,
+		KeyPermissionsWrapKey,
+	}
+}
+
+// KeyRotationPolicyActionType - The type of action.
+type KeyRotationPolicyActionType string
+
+const (
+	KeyRotationPolicyActionTypeNotify KeyRotationPolicyActionType = "notify"
+	KeyRotationPolicyActionTypeRotate KeyRotationPolicyActionType = "rotate"
+)
+
+// PossibleKeyRotationPolicyActionTypeValues returns the possible values for the KeyRotationPolicyActionType const type.
+func PossibleKeyRotationPolicyActionTypeValues() []KeyRotationPolicyActionType {
+	return []KeyRotationPolicyActionType{
+		KeyRotationPolicyActionTypeNotify,
+		KeyRotationPolicyActionTypeRotate,
+	}
+}
+
+// ManagedHsmSKUFamily - SKU Family of the managed HSM Pool
+type ManagedHsmSKUFamily string
+
+const (
+	ManagedHsmSKUFamilyB ManagedHsmSKUFamily = "B"
+)
+
+// PossibleManagedHsmSKUFamilyValues returns the possible values for the ManagedHsmSKUFamily const type.
+func PossibleManagedHsmSKUFamilyValues() []ManagedHsmSKUFamily {
+	return []ManagedHsmSKUFamily{
+		ManagedHsmSKUFamilyB,
+	}
+}
+
+// ManagedHsmSKUName - SKU of the managed HSM Pool
+type ManagedHsmSKUName string
+
+const (
+	ManagedHsmSKUNameCustomB32  ManagedHsmSKUName = "Custom_B32"
+	ManagedHsmSKUNameCustomB6   ManagedHsmSKUName = "Custom_B6"
+	ManagedHsmSKUNameStandardB1 ManagedHsmSKUName = "Standard_B1"
+)
+
+// PossibleManagedHsmSKUNameValues returns the possible values for the ManagedHsmSKUName const type.
+func PossibleManagedHsmSKUNameValues() []ManagedHsmSKUName {
+	return []ManagedHsmSKUName{
+		ManagedHsmSKUNameCustomB32,
+		ManagedHsmSKUNameCustomB6,
+		ManagedHsmSKUNameStandardB1,
+	}
+}
+
+// ManagedServiceIdentityType - Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
+type ManagedServiceIdentityType string
+
+const (
+	ManagedServiceIdentityTypeNone                       ManagedServiceIdentityType = "None"
+	ManagedServiceIdentityTypeSystemAssigned             ManagedServiceIdentityType = "SystemAssigned"
+	ManagedServiceIdentityTypeSystemAssignedUserAssigned ManagedServiceIdentityType = "SystemAssigned,UserAssigned"
+	ManagedServiceIdentityTypeUserAssigned               ManagedServiceIdentityType = "UserAssigned"
+)
+
+// PossibleManagedServiceIdentityTypeValues returns the possible values for the ManagedServiceIdentityType const type.
+func PossibleManagedServiceIdentityTypeValues() []ManagedServiceIdentityType {
+	return []ManagedServiceIdentityType{
+		ManagedServiceIdentityTypeNone,
+		ManagedServiceIdentityTypeSystemAssigned,
+		ManagedServiceIdentityTypeSystemAssignedUserAssigned,
+		ManagedServiceIdentityTypeUserAssigned,
+	}
+}
+
+// NetworkRuleAction - The default action when no rule from ipRules and from virtualNetworkRules match. This is only used
+// after the bypass property has been evaluated.
+type NetworkRuleAction string
+
+const (
+	NetworkRuleActionAllow NetworkRuleAction = "Allow"
+	NetworkRuleActionDeny  NetworkRuleAction = "Deny"
+)
+
+// PossibleNetworkRuleActionValues returns the possible values for the NetworkRuleAction const type.
+func PossibleNetworkRuleActionValues() []NetworkRuleAction {
+	return []NetworkRuleAction{
+		NetworkRuleActionAllow,
+		NetworkRuleActionDeny,
+	}
+}
+
+// NetworkRuleBypassOptions - Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified
+// the default is 'AzureServices'.
+type NetworkRuleBypassOptions string
+
+const (
+	NetworkRuleBypassOptionsAzureServices NetworkRuleBypassOptions = "AzureServices"
+	NetworkRuleBypassOptionsNone          NetworkRuleBypassOptions = "None"
+)
+
+// PossibleNetworkRuleBypassOptionsValues returns the possible values for the NetworkRuleBypassOptions const type.
+func PossibleNetworkRuleBypassOptionsValues() []NetworkRuleBypassOptions {
+	return []NetworkRuleBypassOptions{
+		NetworkRuleBypassOptionsAzureServices,
+		NetworkRuleBypassOptionsNone,
+	}
+}
+
+// PrivateEndpointConnectionProvisioningState - The current provisioning state.
+type PrivateEndpointConnectionProvisioningState string
+
+const (
+	PrivateEndpointConnectionProvisioningStateCreating     PrivateEndpointConnectionProvisioningState = "Creating"
+	PrivateEndpointConnectionProvisioningStateDeleting     PrivateEndpointConnectionProvisioningState = "Deleting"
+	PrivateEndpointConnectionProvisioningStateDisconnected PrivateEndpointConnectionProvisioningState = "Disconnected"
+	PrivateEndpointConnectionProvisioningStateFailed       PrivateEndpointConnectionProvisioningState = "Failed"
+	PrivateEndpointConnectionProvisioningStateSucceeded    PrivateEndpointConnectionProvisioningState = "Succeeded"
+	PrivateEndpointConnectionProvisioningStateUpdating     PrivateEndpointConnectionProvisioningState = "Updating"
+)
+
+// PossiblePrivateEndpointConnectionProvisioningStateValues returns the possible values for the PrivateEndpointConnectionProvisioningState const type.
+func PossiblePrivateEndpointConnectionProvisioningStateValues() []PrivateEndpointConnectionProvisioningState {
+	return []PrivateEndpointConnectionProvisioningState{
+		PrivateEndpointConnectionProvisioningStateCreating,
+		PrivateEndpointConnectionProvisioningStateDeleting,
+		PrivateEndpointConnectionProvisioningStateDisconnected,
+		PrivateEndpointConnectionProvisioningStateFailed,
+		PrivateEndpointConnectionProvisioningStateSucceeded,
+		PrivateEndpointConnectionProvisioningStateUpdating,
+	}
+}
+
+// PrivateEndpointServiceConnectionStatus - The private endpoint connection status.
+type PrivateEndpointServiceConnectionStatus string
+
+const (
+	PrivateEndpointServiceConnectionStatusApproved     PrivateEndpointServiceConnectionStatus = "Approved"
+	PrivateEndpointServiceConnectionStatusDisconnected PrivateEndpointServiceConnectionStatus = "Disconnected"
+	PrivateEndpointServiceConnectionStatusPending      PrivateEndpointServiceConnectionStatus = "Pending"
+	PrivateEndpointServiceConnectionStatusRejected     PrivateEndpointServiceConnectionStatus = "Rejected"
+)
+
+// PossiblePrivateEndpointServiceConnectionStatusValues returns the possible values for the PrivateEndpointServiceConnectionStatus const type.
+func PossiblePrivateEndpointServiceConnectionStatusValues() []PrivateEndpointServiceConnectionStatus {
+	return []PrivateEndpointServiceConnectionStatus{
+		PrivateEndpointServiceConnectionStatusApproved,
+		PrivateEndpointServiceConnectionStatusDisconnected,
+		PrivateEndpointServiceConnectionStatusPending,
+		PrivateEndpointServiceConnectionStatusRejected,
+	}
+}
+
+// ProvisioningState - Provisioning state.
+type ProvisioningState string
+
+const (
+	// ProvisioningStateActivated - The managed HSM pool is ready for normal use.
+	ProvisioningStateActivated ProvisioningState = "Activated"
+	// ProvisioningStateDeleting - The managed HSM Pool is currently being deleted.
+	ProvisioningStateDeleting ProvisioningState = "Deleting"
+	// ProvisioningStateFailed - Provisioning of the managed HSM Pool has failed.
+	ProvisioningStateFailed ProvisioningState = "Failed"
+	// ProvisioningStateProvisioning - The managed HSM Pool is currently being provisioned.
+	ProvisioningStateProvisioning ProvisioningState = "Provisioning"
+	// ProvisioningStateRestoring - The managed HSM pool is being restored from full HSM backup.
+	ProvisioningStateRestoring ProvisioningState = "Restoring"
+	// ProvisioningStateSecurityDomainRestore - The managed HSM pool is waiting for a security domain restore action.
+	ProvisioningStateSecurityDomainRestore ProvisioningState = "SecurityDomainRestore"
+	// ProvisioningStateSucceeded - The managed HSM Pool has been full provisioned.
+	ProvisioningStateSucceeded ProvisioningState = "Succeeded"
+	// ProvisioningStateUpdating - The managed HSM Pool is currently being updated.
+	ProvisioningStateUpdating ProvisioningState = "Updating"
+)
+
+// PossibleProvisioningStateValues returns the possible values for the ProvisioningState const type.
+func PossibleProvisioningStateValues() []ProvisioningState {
+	return []ProvisioningState{
+		ProvisioningStateActivated,
+		ProvisioningStateDeleting,
+		ProvisioningStateFailed,
+		ProvisioningStateProvisioning,
+		ProvisioningStateRestoring,
+		ProvisioningStateSecurityDomainRestore,
+		ProvisioningStateSucceeded,
+		ProvisioningStateUpdating,
+	}
+}
+
+// PublicNetworkAccess - Control permission to the managed HSM from public networks.
+type PublicNetworkAccess string
+
+const (
+	PublicNetworkAccessDisabled PublicNetworkAccess = "Disabled"
+	PublicNetworkAccessEnabled  PublicNetworkAccess = "Enabled"
+)
+
+// PossiblePublicNetworkAccessValues returns the possible values for the PublicNetworkAccess const type.
+func PossiblePublicNetworkAccessValues() []PublicNetworkAccess {
+	return []PublicNetworkAccess{
+		PublicNetworkAccessDisabled,
+		PublicNetworkAccessEnabled,
+	}
+}
+
+// Reason - The reason that a vault name could not be used. The Reason element is only returned if NameAvailable is false.
+type Reason string
+
+const (
+	ReasonAccountNameInvalid Reason = "AccountNameInvalid"
+	ReasonAlreadyExists      Reason = "AlreadyExists"
+)
+
+// PossibleReasonValues returns the possible values for the Reason const type.
+func PossibleReasonValues() []Reason {
+	return []Reason{
+		ReasonAccountNameInvalid,
+		ReasonAlreadyExists,
+	}
+}
+
+// SKUFamily - SKU family name
+type SKUFamily string
+
+const (
+	SKUFamilyA SKUFamily = "A"
+)
+
+// PossibleSKUFamilyValues returns the possible values for the SKUFamily const type.
+func PossibleSKUFamilyValues() []SKUFamily {
+	return []SKUFamily{
+		SKUFamilyA,
+	}
+}
+
+// SKUName - SKU name to specify whether the key vault is a standard vault or a premium vault.
+type SKUName string
+
+const (
+	SKUNamePremium  SKUName = "premium"
+	SKUNameStandard SKUName = "standard"
+)
+
+// PossibleSKUNameValues returns the possible values for the SKUName const type.
+func PossibleSKUNameValues() []SKUName {
+	return []SKUName{
+		SKUNamePremium,
+		SKUNameStandard,
+	}
+}
+
+type SecretPermissions string
+
+const (
+	SecretPermissionsAll     SecretPermissions = "all"
+	SecretPermissionsBackup  SecretPermissions = "backup"
+	SecretPermissionsDelete  SecretPermissions = "delete"
+	SecretPermissionsGet     SecretPermissions = "get"
+	SecretPermissionsList    SecretPermissions = "list"
+	SecretPermissionsPurge   SecretPermissions = "purge"
+	SecretPermissionsRecover SecretPermissions = "recover"
+	SecretPermissionsRestore SecretPermissions = "restore"
+	SecretPermissionsSet     SecretPermissions = "set"
+)
+
+// PossibleSecretPermissionsValues returns the possible values for the SecretPermissions const type.
+func PossibleSecretPermissionsValues() []SecretPermissions {
+	return []SecretPermissions{
+		SecretPermissionsAll,
+		SecretPermissionsBackup,
+		SecretPermissionsDelete,
+		SecretPermissionsGet,
+		SecretPermissionsList,
+		SecretPermissionsPurge,
+		SecretPermissionsRecover,
+		SecretPermissionsRestore,
+		SecretPermissionsSet,
+	}
+}
+
+type StoragePermissions string
+
+const (
+	StoragePermissionsAll           StoragePermissions = "all"
+	StoragePermissionsBackup        StoragePermissions = "backup"
+	StoragePermissionsDelete        StoragePermissions = "delete"
+	StoragePermissionsDeletesas     StoragePermissions = "deletesas"
+	StoragePermissionsGet           StoragePermissions = "get"
+	StoragePermissionsGetsas        StoragePermissions = "getsas"
+	StoragePermissionsList          StoragePermissions = "list"
+	StoragePermissionsListsas       StoragePermissions = "listsas"
+	StoragePermissionsPurge         StoragePermissions = "purge"
+	StoragePermissionsRecover       StoragePermissions = "recover"
+	StoragePermissionsRegeneratekey StoragePermissions = "regeneratekey"
+	StoragePermissionsRestore       StoragePermissions = "restore"
+	StoragePermissionsSet           StoragePermissions = "set"
+	StoragePermissionsSetsas        StoragePermissions = "setsas"
+	StoragePermissionsUpdate        StoragePermissions = "update"
+)
+
+// PossibleStoragePermissionsValues returns the possible values for the StoragePermissions const type.
+func PossibleStoragePermissionsValues() []StoragePermissions {
+	return []StoragePermissions{
+		StoragePermissionsAll,
+		StoragePermissionsBackup,
+		StoragePermissionsDelete,
+		StoragePermissionsDeletesas,
+		StoragePermissionsGet,
+		StoragePermissionsGetsas,
+		StoragePermissionsList,
+		StoragePermissionsListsas,
+		StoragePermissionsPurge,
+		StoragePermissionsRecover,
+		StoragePermissionsRegeneratekey,
+		StoragePermissionsRestore,
+		StoragePermissionsSet,
+		StoragePermissionsSetsas,
+		StoragePermissionsUpdate,
+	}
+}
+
+// VaultProvisioningState - Provisioning state of the vault.
+type VaultProvisioningState string
+
+const (
+	VaultProvisioningStateRegisteringDNS VaultProvisioningState = "RegisteringDns"
+	VaultProvisioningStateSucceeded      VaultProvisioningState = "Succeeded"
+)
+
+// PossibleVaultProvisioningStateValues returns the possible values for the VaultProvisioningState const type.
+func PossibleVaultProvisioningStateValues() []VaultProvisioningState {
+	return []VaultProvisioningState{
+		VaultProvisioningStateRegisteringDNS,
+		VaultProvisioningStateSucceeded,
+	}
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/keys_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/keys_client.go
new file mode 100644
index 000000000..4942ef7dd
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/keys_client.go
@@ -0,0 +1,398 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// KeysClient contains the methods for the Keys group.
+// Don't use this type directly, use NewKeysClient() instead.
+type KeysClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewKeysClient creates a new instance of KeysClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewKeysClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*KeysClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &KeysClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// CreateIfNotExist - Creates the first version of a new key if it does not exist. If it already exists, then the existing
+// key is returned without any write operations being performed. This API does not create subsequent
+// versions, and does not update existing keys.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group which contains the specified key vault.
+//   - vaultName - The name of the key vault which contains the key to be created.
+//   - keyName - The name of the key to be created. The value you provide may be copied globally for the purpose of running the
+//     service. The value provided should not include personally identifiable or sensitive
+//     information.
+//   - parameters - The parameters used to create the specified key.
+//   - options - KeysClientCreateIfNotExistOptions contains the optional parameters for the KeysClient.CreateIfNotExist method.
+func (client *KeysClient) CreateIfNotExist(ctx context.Context, resourceGroupName string, vaultName string, keyName string, parameters KeyCreateParameters, options *KeysClientCreateIfNotExistOptions) (KeysClientCreateIfNotExistResponse, error) {
+	var err error
+	const operationName = "KeysClient.CreateIfNotExist"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.createIfNotExistCreateRequest(ctx, resourceGroupName, vaultName, keyName, parameters, options)
+	if err != nil {
+		return KeysClientCreateIfNotExistResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return KeysClientCreateIfNotExistResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return KeysClientCreateIfNotExistResponse{}, err
+	}
+	resp, err := client.createIfNotExistHandleResponse(httpResp)
+	return resp, err
+}
+
+// createIfNotExistCreateRequest creates the CreateIfNotExist request.
+func (client *KeysClient) createIfNotExistCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, keyName string, parameters KeyCreateParameters, options *KeysClientCreateIfNotExistOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/keys/{keyName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// createIfNotExistHandleResponse handles the CreateIfNotExist response.
+func (client *KeysClient) createIfNotExistHandleResponse(resp *http.Response) (KeysClientCreateIfNotExistResponse, error) {
+	result := KeysClientCreateIfNotExistResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Key); err != nil {
+		return KeysClientCreateIfNotExistResponse{}, err
+	}
+	return result, nil
+}
+
+// Get - Gets the current version of the specified key from the specified key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group which contains the specified key vault.
+//   - vaultName - The name of the vault which contains the key to be retrieved.
+//   - keyName - The name of the key to be retrieved.
+//   - options - KeysClientGetOptions contains the optional parameters for the KeysClient.Get method.
+func (client *KeysClient) Get(ctx context.Context, resourceGroupName string, vaultName string, keyName string, options *KeysClientGetOptions) (KeysClientGetResponse, error) {
+	var err error
+	const operationName = "KeysClient.Get"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getCreateRequest(ctx, resourceGroupName, vaultName, keyName, options)
+	if err != nil {
+		return KeysClientGetResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return KeysClientGetResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return KeysClientGetResponse{}, err
+	}
+	resp, err := client.getHandleResponse(httpResp)
+	return resp, err
+}
+
+// getCreateRequest creates the Get request.
+func (client *KeysClient) getCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, keyName string, options *KeysClientGetOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/keys/{keyName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getHandleResponse handles the Get response.
+func (client *KeysClient) getHandleResponse(resp *http.Response) (KeysClientGetResponse, error) {
+	result := KeysClientGetResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Key); err != nil {
+		return KeysClientGetResponse{}, err
+	}
+	return result, nil
+}
+
+// GetVersion - Gets the specified version of the specified key in the specified key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group which contains the specified key vault.
+//   - vaultName - The name of the vault which contains the key version to be retrieved.
+//   - keyName - The name of the key version to be retrieved.
+//   - keyVersion - The version of the key to be retrieved.
+//   - options - KeysClientGetVersionOptions contains the optional parameters for the KeysClient.GetVersion method.
+func (client *KeysClient) GetVersion(ctx context.Context, resourceGroupName string, vaultName string, keyName string, keyVersion string, options *KeysClientGetVersionOptions) (KeysClientGetVersionResponse, error) {
+	var err error
+	const operationName = "KeysClient.GetVersion"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getVersionCreateRequest(ctx, resourceGroupName, vaultName, keyName, keyVersion, options)
+	if err != nil {
+		return KeysClientGetVersionResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return KeysClientGetVersionResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return KeysClientGetVersionResponse{}, err
+	}
+	resp, err := client.getVersionHandleResponse(httpResp)
+	return resp, err
+}
+
+// getVersionCreateRequest creates the GetVersion request.
+func (client *KeysClient) getVersionCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, keyName string, keyVersion string, options *KeysClientGetVersionOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/keys/{keyName}/versions/{keyVersion}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	if keyVersion == "" {
+		return nil, errors.New("parameter keyVersion cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyVersion}", url.PathEscape(keyVersion))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getVersionHandleResponse handles the GetVersion response.
+func (client *KeysClient) getVersionHandleResponse(resp *http.Response) (KeysClientGetVersionResponse, error) {
+	result := KeysClientGetVersionResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Key); err != nil {
+		return KeysClientGetVersionResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListPager - Lists the keys in the specified key vault.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group which contains the specified key vault.
+//   - vaultName - The name of the vault which contains the keys to be retrieved.
+//   - options - KeysClientListOptions contains the optional parameters for the KeysClient.NewListPager method.
+func (client *KeysClient) NewListPager(resourceGroupName string, vaultName string, options *KeysClientListOptions) *runtime.Pager[KeysClientListResponse] {
+	return runtime.NewPager(runtime.PagingHandler[KeysClientListResponse]{
+		More: func(page KeysClientListResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *KeysClientListResponse) (KeysClientListResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "KeysClient.NewListPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listCreateRequest(ctx, resourceGroupName, vaultName, options)
+			}, nil)
+			if err != nil {
+				return KeysClientListResponse{}, err
+			}
+			return client.listHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listCreateRequest creates the List request.
+func (client *KeysClient) listCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, options *KeysClientListOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/keys"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listHandleResponse handles the List response.
+func (client *KeysClient) listHandleResponse(resp *http.Response) (KeysClientListResponse, error) {
+	result := KeysClientListResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.KeyListResult); err != nil {
+		return KeysClientListResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListVersionsPager - Lists the versions of the specified key in the specified key vault.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group which contains the specified key vault.
+//   - vaultName - The name of the vault which contains the key versions to be retrieved.
+//   - keyName - The name of the key versions to be retrieved.
+//   - options - KeysClientListVersionsOptions contains the optional parameters for the KeysClient.NewListVersionsPager method.
+func (client *KeysClient) NewListVersionsPager(resourceGroupName string, vaultName string, keyName string, options *KeysClientListVersionsOptions) *runtime.Pager[KeysClientListVersionsResponse] {
+	return runtime.NewPager(runtime.PagingHandler[KeysClientListVersionsResponse]{
+		More: func(page KeysClientListVersionsResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *KeysClientListVersionsResponse) (KeysClientListVersionsResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "KeysClient.NewListVersionsPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listVersionsCreateRequest(ctx, resourceGroupName, vaultName, keyName, options)
+			}, nil)
+			if err != nil {
+				return KeysClientListVersionsResponse{}, err
+			}
+			return client.listVersionsHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listVersionsCreateRequest creates the ListVersions request.
+func (client *KeysClient) listVersionsCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, keyName string, options *KeysClientListVersionsOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/keys/{keyName}/versions"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listVersionsHandleResponse handles the ListVersions response.
+func (client *KeysClient) listVersionsHandleResponse(resp *http.Response) (KeysClientListVersionsResponse, error) {
+	result := KeysClientListVersionsResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.KeyListResult); err != nil {
+		return KeysClientListVersionsResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/managedhsmkeys_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/managedhsmkeys_client.go
new file mode 100644
index 000000000..eb94d15a9
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/managedhsmkeys_client.go
@@ -0,0 +1,407 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// ManagedHsmKeysClient contains the methods for the ManagedHsmKeys group.
+// Don't use this type directly, use NewManagedHsmKeysClient() instead.
+type ManagedHsmKeysClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewManagedHsmKeysClient creates a new instance of ManagedHsmKeysClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewManagedHsmKeysClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*ManagedHsmKeysClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &ManagedHsmKeysClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// CreateIfNotExist - Creates the first version of a new key if it does not exist. If it already exists, then the existing
+// key is returned without any write operations being performed. This API does not create subsequent
+// versions, and does not update existing keys.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group. The name is case insensitive.
+//   - name - The name of the Managed HSM Pool within the specified resource group.
+//   - keyName - The name of the key to be created. The value you provide may be copied globally for the purpose of running the
+//     service. The value provided should not include personally identifiable or sensitive
+//     information.
+//   - parameters - The parameters used to create the specified key.
+//   - options - ManagedHsmKeysClientCreateIfNotExistOptions contains the optional parameters for the ManagedHsmKeysClient.CreateIfNotExist
+//     method.
+func (client *ManagedHsmKeysClient) CreateIfNotExist(ctx context.Context, resourceGroupName string, name string, keyName string, parameters ManagedHsmKeyCreateParameters, options *ManagedHsmKeysClientCreateIfNotExistOptions) (ManagedHsmKeysClientCreateIfNotExistResponse, error) {
+	var err error
+	const operationName = "ManagedHsmKeysClient.CreateIfNotExist"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.createIfNotExistCreateRequest(ctx, resourceGroupName, name, keyName, parameters, options)
+	if err != nil {
+		return ManagedHsmKeysClientCreateIfNotExistResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return ManagedHsmKeysClientCreateIfNotExistResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return ManagedHsmKeysClientCreateIfNotExistResponse{}, err
+	}
+	resp, err := client.createIfNotExistHandleResponse(httpResp)
+	return resp, err
+}
+
+// createIfNotExistCreateRequest creates the CreateIfNotExist request.
+func (client *ManagedHsmKeysClient) createIfNotExistCreateRequest(ctx context.Context, resourceGroupName string, name string, keyName string, parameters ManagedHsmKeyCreateParameters, options *ManagedHsmKeysClientCreateIfNotExistOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/keys/{keyName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// createIfNotExistHandleResponse handles the CreateIfNotExist response.
+func (client *ManagedHsmKeysClient) createIfNotExistHandleResponse(resp *http.Response) (ManagedHsmKeysClientCreateIfNotExistResponse, error) {
+	result := ManagedHsmKeysClientCreateIfNotExistResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsmKey); err != nil {
+		return ManagedHsmKeysClientCreateIfNotExistResponse{}, err
+	}
+	return result, nil
+}
+
+// Get - Gets the current version of the specified key from the specified managed HSM.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group. The name is case insensitive.
+//   - name - The name of the Managed HSM Pool within the specified resource group.
+//   - keyName - The name of the key to be created. The value you provide may be copied globally for the purpose of running the
+//     service. The value provided should not include personally identifiable or sensitive
+//     information.
+//   - options - ManagedHsmKeysClientGetOptions contains the optional parameters for the ManagedHsmKeysClient.Get method.
+func (client *ManagedHsmKeysClient) Get(ctx context.Context, resourceGroupName string, name string, keyName string, options *ManagedHsmKeysClientGetOptions) (ManagedHsmKeysClientGetResponse, error) {
+	var err error
+	const operationName = "ManagedHsmKeysClient.Get"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getCreateRequest(ctx, resourceGroupName, name, keyName, options)
+	if err != nil {
+		return ManagedHsmKeysClientGetResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return ManagedHsmKeysClientGetResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return ManagedHsmKeysClientGetResponse{}, err
+	}
+	resp, err := client.getHandleResponse(httpResp)
+	return resp, err
+}
+
+// getCreateRequest creates the Get request.
+func (client *ManagedHsmKeysClient) getCreateRequest(ctx context.Context, resourceGroupName string, name string, keyName string, options *ManagedHsmKeysClientGetOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/keys/{keyName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getHandleResponse handles the Get response.
+func (client *ManagedHsmKeysClient) getHandleResponse(resp *http.Response) (ManagedHsmKeysClientGetResponse, error) {
+	result := ManagedHsmKeysClientGetResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsmKey); err != nil {
+		return ManagedHsmKeysClientGetResponse{}, err
+	}
+	return result, nil
+}
+
+// GetVersion - Gets the specified version of the specified key in the specified managed HSM.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group. The name is case insensitive.
+//   - name - The name of the Managed HSM Pool within the specified resource group.
+//   - keyName - The name of the key to be created. The value you provide may be copied globally for the purpose of running the
+//     service. The value provided should not include personally identifiable or sensitive
+//     information.
+//   - keyVersion - The version of the key to be retrieved.
+//   - options - ManagedHsmKeysClientGetVersionOptions contains the optional parameters for the ManagedHsmKeysClient.GetVersion
+//     method.
+func (client *ManagedHsmKeysClient) GetVersion(ctx context.Context, resourceGroupName string, name string, keyName string, keyVersion string, options *ManagedHsmKeysClientGetVersionOptions) (ManagedHsmKeysClientGetVersionResponse, error) {
+	var err error
+	const operationName = "ManagedHsmKeysClient.GetVersion"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getVersionCreateRequest(ctx, resourceGroupName, name, keyName, keyVersion, options)
+	if err != nil {
+		return ManagedHsmKeysClientGetVersionResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return ManagedHsmKeysClientGetVersionResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return ManagedHsmKeysClientGetVersionResponse{}, err
+	}
+	resp, err := client.getVersionHandleResponse(httpResp)
+	return resp, err
+}
+
+// getVersionCreateRequest creates the GetVersion request.
+func (client *ManagedHsmKeysClient) getVersionCreateRequest(ctx context.Context, resourceGroupName string, name string, keyName string, keyVersion string, options *ManagedHsmKeysClientGetVersionOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/keys/{keyName}/versions/{keyVersion}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	if keyVersion == "" {
+		return nil, errors.New("parameter keyVersion cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyVersion}", url.PathEscape(keyVersion))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getVersionHandleResponse handles the GetVersion response.
+func (client *ManagedHsmKeysClient) getVersionHandleResponse(resp *http.Response) (ManagedHsmKeysClientGetVersionResponse, error) {
+	result := ManagedHsmKeysClientGetVersionResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsmKey); err != nil {
+		return ManagedHsmKeysClientGetVersionResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListPager - Lists the keys in the specified managed HSM.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group. The name is case insensitive.
+//   - name - The name of the Managed HSM Pool within the specified resource group.
+//   - options - ManagedHsmKeysClientListOptions contains the optional parameters for the ManagedHsmKeysClient.NewListPager method.
+func (client *ManagedHsmKeysClient) NewListPager(resourceGroupName string, name string, options *ManagedHsmKeysClientListOptions) *runtime.Pager[ManagedHsmKeysClientListResponse] {
+	return runtime.NewPager(runtime.PagingHandler[ManagedHsmKeysClientListResponse]{
+		More: func(page ManagedHsmKeysClientListResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *ManagedHsmKeysClientListResponse) (ManagedHsmKeysClientListResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "ManagedHsmKeysClient.NewListPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listCreateRequest(ctx, resourceGroupName, name, options)
+			}, nil)
+			if err != nil {
+				return ManagedHsmKeysClientListResponse{}, err
+			}
+			return client.listHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listCreateRequest creates the List request.
+func (client *ManagedHsmKeysClient) listCreateRequest(ctx context.Context, resourceGroupName string, name string, options *ManagedHsmKeysClientListOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/keys"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listHandleResponse handles the List response.
+func (client *ManagedHsmKeysClient) listHandleResponse(resp *http.Response) (ManagedHsmKeysClientListResponse, error) {
+	result := ManagedHsmKeysClientListResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsmKeyListResult); err != nil {
+		return ManagedHsmKeysClientListResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListVersionsPager - Lists the versions of the specified key in the specified managed HSM.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the resource group. The name is case insensitive.
+//   - name - The name of the Managed HSM Pool within the specified resource group.
+//   - keyName - The name of the key to be created. The value you provide may be copied globally for the purpose of running the
+//     service. The value provided should not include personally identifiable or sensitive
+//     information.
+//   - options - ManagedHsmKeysClientListVersionsOptions contains the optional parameters for the ManagedHsmKeysClient.NewListVersionsPager
+//     method.
+func (client *ManagedHsmKeysClient) NewListVersionsPager(resourceGroupName string, name string, keyName string, options *ManagedHsmKeysClientListVersionsOptions) *runtime.Pager[ManagedHsmKeysClientListVersionsResponse] {
+	return runtime.NewPager(runtime.PagingHandler[ManagedHsmKeysClientListVersionsResponse]{
+		More: func(page ManagedHsmKeysClientListVersionsResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *ManagedHsmKeysClientListVersionsResponse) (ManagedHsmKeysClientListVersionsResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "ManagedHsmKeysClient.NewListVersionsPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listVersionsCreateRequest(ctx, resourceGroupName, name, keyName, options)
+			}, nil)
+			if err != nil {
+				return ManagedHsmKeysClientListVersionsResponse{}, err
+			}
+			return client.listVersionsHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listVersionsCreateRequest creates the ListVersions request.
+func (client *ManagedHsmKeysClient) listVersionsCreateRequest(ctx context.Context, resourceGroupName string, name string, keyName string, options *ManagedHsmKeysClientListVersionsOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/keys/{keyName}/versions"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if keyName == "" {
+		return nil, errors.New("parameter keyName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{keyName}", url.PathEscape(keyName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listVersionsHandleResponse handles the ListVersions response.
+func (client *ManagedHsmKeysClient) listVersionsHandleResponse(resp *http.Response) (ManagedHsmKeysClientListVersionsResponse, error) {
+	result := ManagedHsmKeysClientListVersionsResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsmKeyListResult); err != nil {
+		return ManagedHsmKeysClientListVersionsResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/managedhsms_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/managedhsms_client.go
new file mode 100644
index 000000000..169d9b8be
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/managedhsms_client.go
@@ -0,0 +1,720 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+// ManagedHsmsClient contains the methods for the ManagedHsms group.
+// Don't use this type directly, use NewManagedHsmsClient() instead.
+type ManagedHsmsClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewManagedHsmsClient creates a new instance of ManagedHsmsClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewManagedHsmsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*ManagedHsmsClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &ManagedHsmsClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// CheckMhsmNameAvailability - Checks that the managed hsm name is valid and is not already in use.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - mhsmName - The name of the managed hsm.
+//   - options - ManagedHsmsClientCheckMhsmNameAvailabilityOptions contains the optional parameters for the ManagedHsmsClient.CheckMhsmNameAvailability
+//     method.
+func (client *ManagedHsmsClient) CheckMhsmNameAvailability(ctx context.Context, mhsmName CheckMhsmNameAvailabilityParameters, options *ManagedHsmsClientCheckMhsmNameAvailabilityOptions) (ManagedHsmsClientCheckMhsmNameAvailabilityResponse, error) {
+	var err error
+	const operationName = "ManagedHsmsClient.CheckMhsmNameAvailability"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.checkMhsmNameAvailabilityCreateRequest(ctx, mhsmName, options)
+	if err != nil {
+		return ManagedHsmsClientCheckMhsmNameAvailabilityResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return ManagedHsmsClientCheckMhsmNameAvailabilityResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return ManagedHsmsClientCheckMhsmNameAvailabilityResponse{}, err
+	}
+	resp, err := client.checkMhsmNameAvailabilityHandleResponse(httpResp)
+	return resp, err
+}
+
+// checkMhsmNameAvailabilityCreateRequest creates the CheckMhsmNameAvailability request.
+func (client *ManagedHsmsClient) checkMhsmNameAvailabilityCreateRequest(ctx context.Context, mhsmName CheckMhsmNameAvailabilityParameters, options *ManagedHsmsClientCheckMhsmNameAvailabilityOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/checkMhsmNameAvailability"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPost, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, mhsmName); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// checkMhsmNameAvailabilityHandleResponse handles the CheckMhsmNameAvailability response.
+func (client *ManagedHsmsClient) checkMhsmNameAvailabilityHandleResponse(resp *http.Response) (ManagedHsmsClientCheckMhsmNameAvailabilityResponse, error) {
+	result := ManagedHsmsClientCheckMhsmNameAvailabilityResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.CheckMhsmNameAvailabilityResult); err != nil {
+		return ManagedHsmsClientCheckMhsmNameAvailabilityResponse{}, err
+	}
+	return result, nil
+}
+
+// BeginCreateOrUpdate - Create or update a managed HSM Pool in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - parameters - Parameters to create or update the managed HSM Pool
+//   - options - ManagedHsmsClientBeginCreateOrUpdateOptions contains the optional parameters for the ManagedHsmsClient.BeginCreateOrUpdate
+//     method.
+func (client *ManagedHsmsClient) BeginCreateOrUpdate(ctx context.Context, resourceGroupName string, name string, parameters ManagedHsm, options *ManagedHsmsClientBeginCreateOrUpdateOptions) (*runtime.Poller[ManagedHsmsClientCreateOrUpdateResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.createOrUpdate(ctx, resourceGroupName, name, parameters, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[ManagedHsmsClientCreateOrUpdateResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[ManagedHsmsClientCreateOrUpdateResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// CreateOrUpdate - Create or update a managed HSM Pool in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *ManagedHsmsClient) createOrUpdate(ctx context.Context, resourceGroupName string, name string, parameters ManagedHsm, options *ManagedHsmsClientBeginCreateOrUpdateOptions) (*http.Response, error) {
+	var err error
+	const operationName = "ManagedHsmsClient.BeginCreateOrUpdate"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.createOrUpdateCreateRequest(ctx, resourceGroupName, name, parameters, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusAccepted) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// createOrUpdateCreateRequest creates the CreateOrUpdate request.
+func (client *ManagedHsmsClient) createOrUpdateCreateRequest(ctx context.Context, resourceGroupName string, name string, parameters ManagedHsm, options *ManagedHsmsClientBeginCreateOrUpdateOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// BeginDelete - Deletes the specified managed HSM Pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - The name of the managed HSM Pool to delete
+//   - options - ManagedHsmsClientBeginDeleteOptions contains the optional parameters for the ManagedHsmsClient.BeginDelete method.
+func (client *ManagedHsmsClient) BeginDelete(ctx context.Context, resourceGroupName string, name string, options *ManagedHsmsClientBeginDeleteOptions) (*runtime.Poller[ManagedHsmsClientDeleteResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.deleteOperation(ctx, resourceGroupName, name, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[ManagedHsmsClientDeleteResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[ManagedHsmsClientDeleteResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// Delete - Deletes the specified managed HSM Pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *ManagedHsmsClient) deleteOperation(ctx context.Context, resourceGroupName string, name string, options *ManagedHsmsClientBeginDeleteOptions) (*http.Response, error) {
+	var err error
+	const operationName = "ManagedHsmsClient.BeginDelete"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.deleteCreateRequest(ctx, resourceGroupName, name, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusAccepted, http.StatusNoContent) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// deleteCreateRequest creates the Delete request.
+func (client *ManagedHsmsClient) deleteCreateRequest(ctx context.Context, resourceGroupName string, name string, options *ManagedHsmsClientBeginDeleteOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodDelete, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// Get - Gets the specified managed HSM Pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - The name of the managed HSM Pool.
+//   - options - ManagedHsmsClientGetOptions contains the optional parameters for the ManagedHsmsClient.Get method.
+func (client *ManagedHsmsClient) Get(ctx context.Context, resourceGroupName string, name string, options *ManagedHsmsClientGetOptions) (ManagedHsmsClientGetResponse, error) {
+	var err error
+	const operationName = "ManagedHsmsClient.Get"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getCreateRequest(ctx, resourceGroupName, name, options)
+	if err != nil {
+		return ManagedHsmsClientGetResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return ManagedHsmsClientGetResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusNoContent) {
+		err = runtime.NewResponseError(httpResp)
+		return ManagedHsmsClientGetResponse{}, err
+	}
+	resp, err := client.getHandleResponse(httpResp)
+	return resp, err
+}
+
+// getCreateRequest creates the Get request.
+func (client *ManagedHsmsClient) getCreateRequest(ctx context.Context, resourceGroupName string, name string, options *ManagedHsmsClientGetOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getHandleResponse handles the Get response.
+func (client *ManagedHsmsClient) getHandleResponse(resp *http.Response) (ManagedHsmsClientGetResponse, error) {
+	result := ManagedHsmsClientGetResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsm); err != nil {
+		return ManagedHsmsClientGetResponse{}, err
+	}
+	return result, nil
+}
+
+// GetDeleted - Gets the specified deleted managed HSM.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - name - The name of the deleted managed HSM.
+//   - location - The location of the deleted managed HSM.
+//   - options - ManagedHsmsClientGetDeletedOptions contains the optional parameters for the ManagedHsmsClient.GetDeleted method.
+func (client *ManagedHsmsClient) GetDeleted(ctx context.Context, name string, location string, options *ManagedHsmsClientGetDeletedOptions) (ManagedHsmsClientGetDeletedResponse, error) {
+	var err error
+	const operationName = "ManagedHsmsClient.GetDeleted"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getDeletedCreateRequest(ctx, name, location, options)
+	if err != nil {
+		return ManagedHsmsClientGetDeletedResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return ManagedHsmsClientGetDeletedResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return ManagedHsmsClientGetDeletedResponse{}, err
+	}
+	resp, err := client.getDeletedHandleResponse(httpResp)
+	return resp, err
+}
+
+// getDeletedCreateRequest creates the GetDeleted request.
+func (client *ManagedHsmsClient) getDeletedCreateRequest(ctx context.Context, name string, location string, options *ManagedHsmsClientGetDeletedOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/locations/{location}/deletedManagedHSMs/{name}"
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if location == "" {
+		return nil, errors.New("parameter location cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{location}", url.PathEscape(location))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getDeletedHandleResponse handles the GetDeleted response.
+func (client *ManagedHsmsClient) getDeletedHandleResponse(resp *http.Response) (ManagedHsmsClientGetDeletedResponse, error) {
+	result := ManagedHsmsClientGetDeletedResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.DeletedManagedHsm); err != nil {
+		return ManagedHsmsClientGetDeletedResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListByResourceGroupPager - The List operation gets information about the managed HSM Pools associated with the subscription
+// and within the specified resource group.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - options - ManagedHsmsClientListByResourceGroupOptions contains the optional parameters for the ManagedHsmsClient.NewListByResourceGroupPager
+//     method.
+func (client *ManagedHsmsClient) NewListByResourceGroupPager(resourceGroupName string, options *ManagedHsmsClientListByResourceGroupOptions) *runtime.Pager[ManagedHsmsClientListByResourceGroupResponse] {
+	return runtime.NewPager(runtime.PagingHandler[ManagedHsmsClientListByResourceGroupResponse]{
+		More: func(page ManagedHsmsClientListByResourceGroupResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *ManagedHsmsClientListByResourceGroupResponse) (ManagedHsmsClientListByResourceGroupResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "ManagedHsmsClient.NewListByResourceGroupPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listByResourceGroupCreateRequest(ctx, resourceGroupName, options)
+			}, nil)
+			if err != nil {
+				return ManagedHsmsClientListByResourceGroupResponse{}, err
+			}
+			return client.listByResourceGroupHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listByResourceGroupCreateRequest creates the ListByResourceGroup request.
+func (client *ManagedHsmsClient) listByResourceGroupCreateRequest(ctx context.Context, resourceGroupName string, options *ManagedHsmsClientListByResourceGroupOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	if options != nil && options.Top != nil {
+		reqQP.Set("$top", strconv.FormatInt(int64(*options.Top), 10))
+	}
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listByResourceGroupHandleResponse handles the ListByResourceGroup response.
+func (client *ManagedHsmsClient) listByResourceGroupHandleResponse(resp *http.Response) (ManagedHsmsClientListByResourceGroupResponse, error) {
+	result := ManagedHsmsClientListByResourceGroupResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsmListResult); err != nil {
+		return ManagedHsmsClientListByResourceGroupResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListBySubscriptionPager - The List operation gets information about the managed HSM Pools associated with the subscription.
+//
+// Generated from API version 2023-07-01
+//   - options - ManagedHsmsClientListBySubscriptionOptions contains the optional parameters for the ManagedHsmsClient.NewListBySubscriptionPager
+//     method.
+func (client *ManagedHsmsClient) NewListBySubscriptionPager(options *ManagedHsmsClientListBySubscriptionOptions) *runtime.Pager[ManagedHsmsClientListBySubscriptionResponse] {
+	return runtime.NewPager(runtime.PagingHandler[ManagedHsmsClientListBySubscriptionResponse]{
+		More: func(page ManagedHsmsClientListBySubscriptionResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *ManagedHsmsClientListBySubscriptionResponse) (ManagedHsmsClientListBySubscriptionResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "ManagedHsmsClient.NewListBySubscriptionPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listBySubscriptionCreateRequest(ctx, options)
+			}, nil)
+			if err != nil {
+				return ManagedHsmsClientListBySubscriptionResponse{}, err
+			}
+			return client.listBySubscriptionHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listBySubscriptionCreateRequest creates the ListBySubscription request.
+func (client *ManagedHsmsClient) listBySubscriptionCreateRequest(ctx context.Context, options *ManagedHsmsClientListBySubscriptionOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/managedHSMs"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	if options != nil && options.Top != nil {
+		reqQP.Set("$top", strconv.FormatInt(int64(*options.Top), 10))
+	}
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listBySubscriptionHandleResponse handles the ListBySubscription response.
+func (client *ManagedHsmsClient) listBySubscriptionHandleResponse(resp *http.Response) (ManagedHsmsClientListBySubscriptionResponse, error) {
+	result := ManagedHsmsClientListBySubscriptionResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ManagedHsmListResult); err != nil {
+		return ManagedHsmsClientListBySubscriptionResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListDeletedPager - The List operation gets information about the deleted managed HSMs associated with the subscription.
+//
+// Generated from API version 2023-07-01
+//   - options - ManagedHsmsClientListDeletedOptions contains the optional parameters for the ManagedHsmsClient.NewListDeletedPager
+//     method.
+func (client *ManagedHsmsClient) NewListDeletedPager(options *ManagedHsmsClientListDeletedOptions) *runtime.Pager[ManagedHsmsClientListDeletedResponse] {
+	return runtime.NewPager(runtime.PagingHandler[ManagedHsmsClientListDeletedResponse]{
+		More: func(page ManagedHsmsClientListDeletedResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *ManagedHsmsClientListDeletedResponse) (ManagedHsmsClientListDeletedResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "ManagedHsmsClient.NewListDeletedPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listDeletedCreateRequest(ctx, options)
+			}, nil)
+			if err != nil {
+				return ManagedHsmsClientListDeletedResponse{}, err
+			}
+			return client.listDeletedHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listDeletedCreateRequest creates the ListDeleted request.
+func (client *ManagedHsmsClient) listDeletedCreateRequest(ctx context.Context, options *ManagedHsmsClientListDeletedOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/deletedManagedHSMs"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listDeletedHandleResponse handles the ListDeleted response.
+func (client *ManagedHsmsClient) listDeletedHandleResponse(resp *http.Response) (ManagedHsmsClientListDeletedResponse, error) {
+	result := ManagedHsmsClientListDeletedResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.DeletedManagedHsmListResult); err != nil {
+		return ManagedHsmsClientListDeletedResponse{}, err
+	}
+	return result, nil
+}
+
+// BeginPurgeDeleted - Permanently deletes the specified managed HSM.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - name - The name of the soft-deleted managed HSM.
+//   - location - The location of the soft-deleted managed HSM.
+//   - options - ManagedHsmsClientBeginPurgeDeletedOptions contains the optional parameters for the ManagedHsmsClient.BeginPurgeDeleted
+//     method.
+func (client *ManagedHsmsClient) BeginPurgeDeleted(ctx context.Context, name string, location string, options *ManagedHsmsClientBeginPurgeDeletedOptions) (*runtime.Poller[ManagedHsmsClientPurgeDeletedResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.purgeDeleted(ctx, name, location, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[ManagedHsmsClientPurgeDeletedResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[ManagedHsmsClientPurgeDeletedResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// PurgeDeleted - Permanently deletes the specified managed HSM.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *ManagedHsmsClient) purgeDeleted(ctx context.Context, name string, location string, options *ManagedHsmsClientBeginPurgeDeletedOptions) (*http.Response, error) {
+	var err error
+	const operationName = "ManagedHsmsClient.BeginPurgeDeleted"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.purgeDeletedCreateRequest(ctx, name, location, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusAccepted) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// purgeDeletedCreateRequest creates the PurgeDeleted request.
+func (client *ManagedHsmsClient) purgeDeletedCreateRequest(ctx context.Context, name string, location string, options *ManagedHsmsClientBeginPurgeDeletedOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/locations/{location}/deletedManagedHSMs/{name}/purge"
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if location == "" {
+		return nil, errors.New("parameter location cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{location}", url.PathEscape(location))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPost, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// BeginUpdate - Update a managed HSM Pool in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - parameters - Parameters to patch the managed HSM Pool
+//   - options - ManagedHsmsClientBeginUpdateOptions contains the optional parameters for the ManagedHsmsClient.BeginUpdate method.
+func (client *ManagedHsmsClient) BeginUpdate(ctx context.Context, resourceGroupName string, name string, parameters ManagedHsm, options *ManagedHsmsClientBeginUpdateOptions) (*runtime.Poller[ManagedHsmsClientUpdateResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.update(ctx, resourceGroupName, name, parameters, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[ManagedHsmsClientUpdateResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[ManagedHsmsClientUpdateResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// Update - Update a managed HSM Pool in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *ManagedHsmsClient) update(ctx context.Context, resourceGroupName string, name string, parameters ManagedHsm, options *ManagedHsmsClientBeginUpdateOptions) (*http.Response, error) {
+	var err error
+	const operationName = "ManagedHsmsClient.BeginUpdate"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.updateCreateRequest(ctx, resourceGroupName, name, parameters, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusAccepted) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// updateCreateRequest creates the Update request.
+func (client *ManagedHsmsClient) updateCreateRequest(ctx context.Context, resourceGroupName string, name string, parameters ManagedHsm, options *ManagedHsmsClientBeginUpdateOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPatch, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmprivateendpointconnections_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmprivateendpointconnections_client.go
new file mode 100644
index 000000000..41cf70240
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmprivateendpointconnections_client.go
@@ -0,0 +1,348 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+// MHSMPrivateEndpointConnectionsClient contains the methods for the MHSMPrivateEndpointConnections group.
+// Don't use this type directly, use NewMHSMPrivateEndpointConnectionsClient() instead.
+type MHSMPrivateEndpointConnectionsClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewMHSMPrivateEndpointConnectionsClient creates a new instance of MHSMPrivateEndpointConnectionsClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewMHSMPrivateEndpointConnectionsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*MHSMPrivateEndpointConnectionsClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &MHSMPrivateEndpointConnectionsClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// BeginDelete - Deletes the specified private endpoint connection associated with the managed hsm pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - privateEndpointConnectionName - Name of the private endpoint connection associated with the managed hsm pool.
+//   - options - MHSMPrivateEndpointConnectionsClientBeginDeleteOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.BeginDelete
+//     method.
+func (client *MHSMPrivateEndpointConnectionsClient) BeginDelete(ctx context.Context, resourceGroupName string, name string, privateEndpointConnectionName string, options *MHSMPrivateEndpointConnectionsClientBeginDeleteOptions) (*runtime.Poller[MHSMPrivateEndpointConnectionsClientDeleteResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.deleteOperation(ctx, resourceGroupName, name, privateEndpointConnectionName, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[MHSMPrivateEndpointConnectionsClientDeleteResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[MHSMPrivateEndpointConnectionsClientDeleteResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// Delete - Deletes the specified private endpoint connection associated with the managed hsm pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *MHSMPrivateEndpointConnectionsClient) deleteOperation(ctx context.Context, resourceGroupName string, name string, privateEndpointConnectionName string, options *MHSMPrivateEndpointConnectionsClientBeginDeleteOptions) (*http.Response, error) {
+	var err error
+	const operationName = "MHSMPrivateEndpointConnectionsClient.BeginDelete"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.deleteCreateRequest(ctx, resourceGroupName, name, privateEndpointConnectionName, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusAccepted, http.StatusNoContent) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// deleteCreateRequest creates the Delete request.
+func (client *MHSMPrivateEndpointConnectionsClient) deleteCreateRequest(ctx context.Context, resourceGroupName string, name string, privateEndpointConnectionName string, options *MHSMPrivateEndpointConnectionsClientBeginDeleteOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/privateEndpointConnections/{privateEndpointConnectionName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if privateEndpointConnectionName == "" {
+		return nil, errors.New("parameter privateEndpointConnectionName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{privateEndpointConnectionName}", url.PathEscape(privateEndpointConnectionName))
+	req, err := runtime.NewRequest(ctx, http.MethodDelete, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// Get - Gets the specified private endpoint connection associated with the managed HSM Pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - privateEndpointConnectionName - Name of the private endpoint connection associated with the managed hsm pool.
+//   - options - MHSMPrivateEndpointConnectionsClientGetOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.Get
+//     method.
+func (client *MHSMPrivateEndpointConnectionsClient) Get(ctx context.Context, resourceGroupName string, name string, privateEndpointConnectionName string, options *MHSMPrivateEndpointConnectionsClientGetOptions) (MHSMPrivateEndpointConnectionsClientGetResponse, error) {
+	var err error
+	const operationName = "MHSMPrivateEndpointConnectionsClient.Get"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getCreateRequest(ctx, resourceGroupName, name, privateEndpointConnectionName, options)
+	if err != nil {
+		return MHSMPrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return MHSMPrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return MHSMPrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	resp, err := client.getHandleResponse(httpResp)
+	return resp, err
+}
+
+// getCreateRequest creates the Get request.
+func (client *MHSMPrivateEndpointConnectionsClient) getCreateRequest(ctx context.Context, resourceGroupName string, name string, privateEndpointConnectionName string, options *MHSMPrivateEndpointConnectionsClientGetOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/privateEndpointConnections/{privateEndpointConnectionName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if privateEndpointConnectionName == "" {
+		return nil, errors.New("parameter privateEndpointConnectionName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{privateEndpointConnectionName}", url.PathEscape(privateEndpointConnectionName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getHandleResponse handles the Get response.
+func (client *MHSMPrivateEndpointConnectionsClient) getHandleResponse(resp *http.Response) (MHSMPrivateEndpointConnectionsClientGetResponse, error) {
+	result := MHSMPrivateEndpointConnectionsClientGetResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.MHSMPrivateEndpointConnection); err != nil {
+		return MHSMPrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListByResourcePager - The List operation gets information about the private endpoint connections associated with the
+// managed HSM Pool.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - options - MHSMPrivateEndpointConnectionsClientListByResourceOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.NewListByResourcePager
+//     method.
+func (client *MHSMPrivateEndpointConnectionsClient) NewListByResourcePager(resourceGroupName string, name string, options *MHSMPrivateEndpointConnectionsClientListByResourceOptions) *runtime.Pager[MHSMPrivateEndpointConnectionsClientListByResourceResponse] {
+	return runtime.NewPager(runtime.PagingHandler[MHSMPrivateEndpointConnectionsClientListByResourceResponse]{
+		More: func(page MHSMPrivateEndpointConnectionsClientListByResourceResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *MHSMPrivateEndpointConnectionsClientListByResourceResponse) (MHSMPrivateEndpointConnectionsClientListByResourceResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "MHSMPrivateEndpointConnectionsClient.NewListByResourcePager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listByResourceCreateRequest(ctx, resourceGroupName, name, options)
+			}, nil)
+			if err != nil {
+				return MHSMPrivateEndpointConnectionsClientListByResourceResponse{}, err
+			}
+			return client.listByResourceHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listByResourceCreateRequest creates the ListByResource request.
+func (client *MHSMPrivateEndpointConnectionsClient) listByResourceCreateRequest(ctx context.Context, resourceGroupName string, name string, options *MHSMPrivateEndpointConnectionsClientListByResourceOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/privateEndpointConnections"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listByResourceHandleResponse handles the ListByResource response.
+func (client *MHSMPrivateEndpointConnectionsClient) listByResourceHandleResponse(resp *http.Response) (MHSMPrivateEndpointConnectionsClientListByResourceResponse, error) {
+	result := MHSMPrivateEndpointConnectionsClientListByResourceResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.MHSMPrivateEndpointConnectionsListResult); err != nil {
+		return MHSMPrivateEndpointConnectionsClientListByResourceResponse{}, err
+	}
+	return result, nil
+}
+
+// Put - Updates the specified private endpoint connection associated with the managed hsm pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - privateEndpointConnectionName - Name of the private endpoint connection associated with the managed hsm pool.
+//   - properties - The intended state of private endpoint connection.
+//   - options - MHSMPrivateEndpointConnectionsClientPutOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.Put
+//     method.
+func (client *MHSMPrivateEndpointConnectionsClient) Put(ctx context.Context, resourceGroupName string, name string, privateEndpointConnectionName string, properties MHSMPrivateEndpointConnection, options *MHSMPrivateEndpointConnectionsClientPutOptions) (MHSMPrivateEndpointConnectionsClientPutResponse, error) {
+	var err error
+	const operationName = "MHSMPrivateEndpointConnectionsClient.Put"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.putCreateRequest(ctx, resourceGroupName, name, privateEndpointConnectionName, properties, options)
+	if err != nil {
+		return MHSMPrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return MHSMPrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return MHSMPrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	resp, err := client.putHandleResponse(httpResp)
+	return resp, err
+}
+
+// putCreateRequest creates the Put request.
+func (client *MHSMPrivateEndpointConnectionsClient) putCreateRequest(ctx context.Context, resourceGroupName string, name string, privateEndpointConnectionName string, properties MHSMPrivateEndpointConnection, options *MHSMPrivateEndpointConnectionsClientPutOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/privateEndpointConnections/{privateEndpointConnectionName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	if privateEndpointConnectionName == "" {
+		return nil, errors.New("parameter privateEndpointConnectionName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{privateEndpointConnectionName}", url.PathEscape(privateEndpointConnectionName))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, properties); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// putHandleResponse handles the Put response.
+func (client *MHSMPrivateEndpointConnectionsClient) putHandleResponse(resp *http.Response) (MHSMPrivateEndpointConnectionsClientPutResponse, error) {
+	result := MHSMPrivateEndpointConnectionsClientPutResponse{}
+	if val := resp.Header.Get("Azure-AsyncOperation"); val != "" {
+		result.AzureAsyncOperation = &val
+	}
+	if val := resp.Header.Get("Retry-After"); val != "" {
+		retryAfter32, err := strconv.ParseInt(val, 10, 32)
+		retryAfter := int32(retryAfter32)
+		if err != nil {
+			return MHSMPrivateEndpointConnectionsClientPutResponse{}, err
+		}
+		result.RetryAfter = &retryAfter
+	}
+	if err := runtime.UnmarshalAsJSON(resp, &result.MHSMPrivateEndpointConnection); err != nil {
+		return MHSMPrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmprivatelinkresources_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmprivatelinkresources_client.go
new file mode 100644
index 000000000..319d6a7e8
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmprivatelinkresources_client.go
@@ -0,0 +1,110 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// MHSMPrivateLinkResourcesClient contains the methods for the MHSMPrivateLinkResources group.
+// Don't use this type directly, use NewMHSMPrivateLinkResourcesClient() instead.
+type MHSMPrivateLinkResourcesClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewMHSMPrivateLinkResourcesClient creates a new instance of MHSMPrivateLinkResourcesClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewMHSMPrivateLinkResourcesClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*MHSMPrivateLinkResourcesClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &MHSMPrivateLinkResourcesClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// ListByMHSMResource - Gets the private link resources supported for the managed hsm pool.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - options - MHSMPrivateLinkResourcesClientListByMHSMResourceOptions contains the optional parameters for the MHSMPrivateLinkResourcesClient.ListByMHSMResource
+//     method.
+func (client *MHSMPrivateLinkResourcesClient) ListByMHSMResource(ctx context.Context, resourceGroupName string, name string, options *MHSMPrivateLinkResourcesClientListByMHSMResourceOptions) (MHSMPrivateLinkResourcesClientListByMHSMResourceResponse, error) {
+	var err error
+	const operationName = "MHSMPrivateLinkResourcesClient.ListByMHSMResource"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.listByMHSMResourceCreateRequest(ctx, resourceGroupName, name, options)
+	if err != nil {
+		return MHSMPrivateLinkResourcesClientListByMHSMResourceResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return MHSMPrivateLinkResourcesClientListByMHSMResourceResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return MHSMPrivateLinkResourcesClientListByMHSMResourceResponse{}, err
+	}
+	resp, err := client.listByMHSMResourceHandleResponse(httpResp)
+	return resp, err
+}
+
+// listByMHSMResourceCreateRequest creates the ListByMHSMResource request.
+func (client *MHSMPrivateLinkResourcesClient) listByMHSMResourceCreateRequest(ctx context.Context, resourceGroupName string, name string, options *MHSMPrivateLinkResourcesClientListByMHSMResourceOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/privateLinkResources"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listByMHSMResourceHandleResponse handles the ListByMHSMResource response.
+func (client *MHSMPrivateLinkResourcesClient) listByMHSMResourceHandleResponse(resp *http.Response) (MHSMPrivateLinkResourcesClientListByMHSMResourceResponse, error) {
+	result := MHSMPrivateLinkResourcesClientListByMHSMResourceResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.MHSMPrivateLinkResourceListResult); err != nil {
+		return MHSMPrivateLinkResourcesClientListByMHSMResourceResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmregions_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmregions_client.go
new file mode 100644
index 000000000..15acd3c3a
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/mhsmregions_client.go
@@ -0,0 +1,110 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// MHSMRegionsClient contains the methods for the MHSMRegions group.
+// Don't use this type directly, use NewMHSMRegionsClient() instead.
+type MHSMRegionsClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewMHSMRegionsClient creates a new instance of MHSMRegionsClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewMHSMRegionsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*MHSMRegionsClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &MHSMRegionsClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// NewListByResourcePager - The List operation gets information about the regions associated with the managed HSM Pool.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the managed HSM pool.
+//   - name - Name of the managed HSM Pool
+//   - options - MHSMRegionsClientListByResourceOptions contains the optional parameters for the MHSMRegionsClient.NewListByResourcePager
+//     method.
+func (client *MHSMRegionsClient) NewListByResourcePager(resourceGroupName string, name string, options *MHSMRegionsClientListByResourceOptions) *runtime.Pager[MHSMRegionsClientListByResourceResponse] {
+	return runtime.NewPager(runtime.PagingHandler[MHSMRegionsClientListByResourceResponse]{
+		More: func(page MHSMRegionsClientListByResourceResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *MHSMRegionsClientListByResourceResponse) (MHSMRegionsClientListByResourceResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "MHSMRegionsClient.NewListByResourcePager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listByResourceCreateRequest(ctx, resourceGroupName, name, options)
+			}, nil)
+			if err != nil {
+				return MHSMRegionsClientListByResourceResponse{}, err
+			}
+			return client.listByResourceHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listByResourceCreateRequest creates the ListByResource request.
+func (client *MHSMRegionsClient) listByResourceCreateRequest(ctx context.Context, resourceGroupName string, name string, options *MHSMRegionsClientListByResourceOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/managedHSMs/{name}/regions"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if name == "" {
+		return nil, errors.New("parameter name cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{name}", url.PathEscape(name))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listByResourceHandleResponse handles the ListByResource response.
+func (client *MHSMRegionsClient) listByResourceHandleResponse(resp *http.Response) (MHSMRegionsClientListByResourceResponse, error) {
+	result := MHSMRegionsClientListByResourceResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.MHSMRegionsListResult); err != nil {
+		return MHSMRegionsClientListByResourceResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/models.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/models.go
new file mode 100644
index 000000000..edf63b437
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/models.go
@@ -0,0 +1,1402 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import "time"
+
+// AccessPolicyEntry - An identity that have access to the key vault. All identities in the array must use the same tenant
+// ID as the key vault's tenant ID.
+type AccessPolicyEntry struct {
+	// REQUIRED; The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault.
+	// The object ID must be unique for the list of access policies.
+	ObjectID *string
+
+	// REQUIRED; Permissions the identity has for keys, secrets and certificates.
+	Permissions *Permissions
+
+	// REQUIRED; The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
+	TenantID *string
+
+	// Application ID of the client making request on behalf of a principal
+	ApplicationID *string
+}
+
+type Action struct {
+	// The type of action.
+	Type *KeyRotationPolicyActionType
+}
+
+// CheckMhsmNameAvailabilityParameters - The parameters used to check the availability of the managed hsm name.
+type CheckMhsmNameAvailabilityParameters struct {
+	// REQUIRED; The managed hsm name.
+	Name *string
+}
+
+// CheckMhsmNameAvailabilityResult - The CheckMhsmNameAvailability operation response.
+type CheckMhsmNameAvailabilityResult struct {
+	// READ-ONLY; An error message explaining the Reason value in more detail.
+	Message *string
+
+	// READ-ONLY; A boolean value that indicates whether the name is available for you to use. If true, the name is available.
+	// If false, the name has already been taken or is invalid and cannot be used.
+	NameAvailable *bool
+
+	// READ-ONLY; The reason that a managed hsm name could not be used. The reason element is only returned if NameAvailable is
+	// false.
+	Reason *Reason
+}
+
+// CheckNameAvailabilityResult - The CheckNameAvailability operation response.
+type CheckNameAvailabilityResult struct {
+	// READ-ONLY; An error message explaining the Reason value in more detail.
+	Message *string
+
+	// READ-ONLY; A boolean value that indicates whether the name is available for you to use. If true, the name is available.
+	// If false, the name has already been taken or is invalid and cannot be used.
+	NameAvailable *bool
+
+	// READ-ONLY; The reason that a vault name could not be used. The Reason element is only returned if NameAvailable is false.
+	Reason *Reason
+}
+
+type DeletedManagedHsm struct {
+	// Properties of the deleted managed HSM
+	Properties *DeletedManagedHsmProperties
+
+	// READ-ONLY; The Azure Resource Manager resource ID for the deleted managed HSM Pool.
+	ID *string
+
+	// READ-ONLY; The name of the managed HSM Pool.
+	Name *string
+
+	// READ-ONLY; The resource type of the managed HSM Pool.
+	Type *string
+}
+
+// DeletedManagedHsmListResult - List of deleted managed HSM Pools
+type DeletedManagedHsmListResult struct {
+	// The URL to get the next set of deleted managed HSM Pools.
+	NextLink *string
+
+	// The list of deleted managed HSM Pools.
+	Value []*DeletedManagedHsm
+}
+
+// DeletedManagedHsmProperties - Properties of the deleted managed HSM.
+type DeletedManagedHsmProperties struct {
+	// READ-ONLY; The deleted date.
+	DeletionDate *time.Time
+
+	// READ-ONLY; The location of the original managed HSM.
+	Location *string
+
+	// READ-ONLY; The resource id of the original managed HSM.
+	MhsmID *string
+
+	// READ-ONLY; Purge protection status of the original managed HSM.
+	PurgeProtectionEnabled *bool
+
+	// READ-ONLY; The scheduled purged date.
+	ScheduledPurgeDate *time.Time
+
+	// READ-ONLY; Tags of the original managed HSM.
+	Tags map[string]*string
+}
+
+// DeletedVault - Deleted vault information with extended details.
+type DeletedVault struct {
+	// Properties of the vault
+	Properties *DeletedVaultProperties
+
+	// READ-ONLY; The resource ID for the deleted key vault.
+	ID *string
+
+	// READ-ONLY; The name of the key vault.
+	Name *string
+
+	// READ-ONLY; The resource type of the key vault.
+	Type *string
+}
+
+// DeletedVaultListResult - List of vaults
+type DeletedVaultListResult struct {
+	// The URL to get the next set of deleted vaults.
+	NextLink *string
+
+	// The list of deleted vaults.
+	Value []*DeletedVault
+}
+
+// DeletedVaultProperties - Properties of the deleted vault.
+type DeletedVaultProperties struct {
+	// READ-ONLY; The deleted date.
+	DeletionDate *time.Time
+
+	// READ-ONLY; The location of the original vault.
+	Location *string
+
+	// READ-ONLY; Purge protection status of the original vault.
+	PurgeProtectionEnabled *bool
+
+	// READ-ONLY; The scheduled purged date.
+	ScheduledPurgeDate *time.Time
+
+	// READ-ONLY; Tags of the original vault.
+	Tags map[string]*string
+
+	// READ-ONLY; The resource id of the original vault.
+	VaultID *string
+}
+
+// DimensionProperties - Type of operation: get, read, delete, etc.
+type DimensionProperties struct {
+	// Display name of dimension.
+	DisplayName *string
+
+	// Name of dimension.
+	Name *string
+
+	// Property to specify whether the dimension should be exported for Shoebox.
+	ToBeExportedForShoebox *bool
+}
+
+// IPRule - A rule governing the accessibility of a vault from a specific ip address or ip range.
+type IPRule struct {
+	// REQUIRED; An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses
+	// that start with 124.56.78).
+	Value *string
+}
+
+// Key - The key resource.
+type Key struct {
+	// REQUIRED; The properties of the key.
+	Properties *KeyProperties
+
+	// READ-ONLY; Fully qualified identifier of the key vault resource.
+	ID *string
+
+	// READ-ONLY; Azure location of the key vault resource.
+	Location *string
+
+	// READ-ONLY; Name of the key vault resource.
+	Name *string
+
+	// READ-ONLY; Tags assigned to the key vault resource.
+	Tags map[string]*string
+
+	// READ-ONLY; Resource type of the key vault resource.
+	Type *string
+}
+
+// KeyAttributes - The object attributes managed by the Azure Key Vault service.
+type KeyAttributes struct {
+	// Determines whether or not the object is enabled.
+	Enabled *bool
+
+	// Expiry date in seconds since 1970-01-01T00:00:00Z.
+	Expires *int64
+
+	// Indicates if the private key can be exported.
+	Exportable *bool
+
+	// Not before date in seconds since 1970-01-01T00:00:00Z.
+	NotBefore *int64
+
+	// READ-ONLY; Creation time in seconds since 1970-01-01T00:00:00Z.
+	Created *int64
+
+	// READ-ONLY; The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object
+	// can be permanently deleted by a privileged user; otherwise, only the system can purge the
+	// object at the end of the retention interval.
+	RecoveryLevel *DeletionRecoveryLevel
+
+	// READ-ONLY; Last updated time in seconds since 1970-01-01T00:00:00Z.
+	Updated *int64
+}
+
+// KeyCreateParameters - The parameters used to create a key.
+type KeyCreateParameters struct {
+	// REQUIRED; The properties of the key to be created.
+	Properties *KeyProperties
+
+	// The tags that will be assigned to the key.
+	Tags map[string]*string
+}
+
+// KeyListResult - The page of keys.
+type KeyListResult struct {
+	// The URL to get the next page of keys.
+	NextLink *string
+
+	// The key resources.
+	Value []*Key
+}
+
+// KeyProperties - The properties of the key.
+type KeyProperties struct {
+	// The attributes of the key.
+	Attributes *KeyAttributes
+
+	// The elliptic curve name. For valid values, see JsonWebKeyCurveName.
+	CurveName *JSONWebKeyCurveName
+	KeyOps    []*JSONWebKeyOperation
+
+	// The key size in bits. For example: 2048, 3072, or 4096 for RSA.
+	KeySize *int32
+
+	// The type of the key. For valid values, see JsonWebKeyType.
+	Kty *JSONWebKeyType
+
+	// Key release policy in response. It will be used for both output and input. Omitted if empty
+	ReleasePolicy *KeyReleasePolicy
+
+	// Key rotation policy in response. It will be used for both output and input. Omitted if empty
+	RotationPolicy *RotationPolicy
+
+	// READ-ONLY; The URI to retrieve the current version of the key.
+	KeyURI *string
+
+	// READ-ONLY; The URI to retrieve the specific version of the key.
+	KeyURIWithVersion *string
+}
+
+type KeyReleasePolicy struct {
+	// Content type and version of key release policy
+	ContentType *string
+
+	// Blob encoding the policy rules under which the key can be released.
+	Data []byte
+}
+
+type KeyRotationPolicyAttributes struct {
+	// The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'.
+	ExpiryTime *string
+
+	// READ-ONLY; Creation time in seconds since 1970-01-01T00:00:00Z.
+	Created *int64
+
+	// READ-ONLY; Last updated time in seconds since 1970-01-01T00:00:00Z.
+	Updated *int64
+}
+
+type LifetimeAction struct {
+	// The action of key rotation policy lifetimeAction.
+	Action *Action
+
+	// The trigger of key rotation policy lifetimeAction.
+	Trigger *Trigger
+}
+
+// LogSpecification - Log specification of operation.
+type LogSpecification struct {
+	// Blob duration of specification.
+	BlobDuration *string
+
+	// Display name of log specification.
+	DisplayName *string
+
+	// Name of log specification.
+	Name *string
+}
+
+// MHSMGeoReplicatedRegion - A region that this managed HSM Pool has been extended to.
+type MHSMGeoReplicatedRegion struct {
+	// A boolean value that indicates whether the region is the primary region or a secondary region.
+	IsPrimary *bool
+
+	// Name of the geo replicated region.
+	Name *string
+
+	// READ-ONLY; Provisioning state of the geo replicated region.
+	ProvisioningState *GeoReplicationRegionProvisioningState
+}
+
+// MHSMIPRule - A rule governing the accessibility of a managed HSM pool from a specific IP address or IP range.
+type MHSMIPRule struct {
+	// REQUIRED; An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses
+	// that start with 124.56.78).
+	Value *string
+}
+
+// MHSMNetworkRuleSet - A set of rules governing the network accessibility of a managed hsm pool.
+type MHSMNetworkRuleSet struct {
+	// Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.
+	Bypass *NetworkRuleBypassOptions
+
+	// The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property
+	// has been evaluated.
+	DefaultAction *NetworkRuleAction
+
+	// The list of IP address rules.
+	IPRules []*MHSMIPRule
+
+	// The list of virtual network rules.
+	VirtualNetworkRules []*MHSMVirtualNetworkRule
+}
+
+// MHSMPrivateEndpoint - Private endpoint object properties.
+type MHSMPrivateEndpoint struct {
+	// READ-ONLY; Full identifier of the private endpoint resource.
+	ID *string
+}
+
+// MHSMPrivateEndpointConnection - Private endpoint connection resource.
+type MHSMPrivateEndpointConnection struct {
+	// Modified whenever there is a change in the state of private endpoint connection.
+	Etag *string
+
+	// Managed service identity (system assigned and/or user assigned identities)
+	Identity *ManagedServiceIdentity
+
+	// The supported Azure location where the managed HSM Pool should be created.
+	Location *string
+
+	// Resource properties.
+	Properties *MHSMPrivateEndpointConnectionProperties
+
+	// SKU details
+	SKU *ManagedHsmSKU
+
+	// Resource tags
+	Tags map[string]*string
+
+	// READ-ONLY; The Azure Resource Manager resource ID for the managed HSM Pool.
+	ID *string
+
+	// READ-ONLY; The name of the managed HSM Pool.
+	Name *string
+
+	// READ-ONLY; Metadata pertaining to creation and last modification of the key vault resource.
+	SystemData *SystemData
+
+	// READ-ONLY; The resource type of the managed HSM Pool.
+	Type *string
+}
+
+// MHSMPrivateEndpointConnectionItem - Private endpoint connection item.
+type MHSMPrivateEndpointConnectionItem struct {
+	// Modified whenever there is a change in the state of private endpoint connection.
+	Etag *string
+
+	// Id of private endpoint connection.
+	ID *string
+
+	// Private endpoint connection properties.
+	Properties *MHSMPrivateEndpointConnectionProperties
+}
+
+// MHSMPrivateEndpointConnectionProperties - Properties of the private endpoint connection resource.
+type MHSMPrivateEndpointConnectionProperties struct {
+	// Properties of the private endpoint object.
+	PrivateEndpoint *MHSMPrivateEndpoint
+
+	// Approval state of the private link connection.
+	PrivateLinkServiceConnectionState *MHSMPrivateLinkServiceConnectionState
+
+	// Provisioning state of the private endpoint connection.
+	ProvisioningState *PrivateEndpointConnectionProvisioningState
+}
+
+// MHSMPrivateEndpointConnectionsListResult - List of private endpoint connections associated with a managed HSM Pools
+type MHSMPrivateEndpointConnectionsListResult struct {
+	// The URL to get the next set of managed HSM Pools.
+	NextLink *string
+
+	// The private endpoint connection associated with a managed HSM Pools.
+	Value []*MHSMPrivateEndpointConnection
+}
+
+// MHSMPrivateLinkResource - A private link resource
+type MHSMPrivateLinkResource struct {
+	// Managed service identity (system assigned and/or user assigned identities)
+	Identity *ManagedServiceIdentity
+
+	// The supported Azure location where the managed HSM Pool should be created.
+	Location *string
+
+	// Resource properties.
+	Properties *MHSMPrivateLinkResourceProperties
+
+	// SKU details
+	SKU *ManagedHsmSKU
+
+	// Resource tags
+	Tags map[string]*string
+
+	// READ-ONLY; The Azure Resource Manager resource ID for the managed HSM Pool.
+	ID *string
+
+	// READ-ONLY; The name of the managed HSM Pool.
+	Name *string
+
+	// READ-ONLY; Metadata pertaining to creation and last modification of the key vault resource.
+	SystemData *SystemData
+
+	// READ-ONLY; The resource type of the managed HSM Pool.
+	Type *string
+}
+
+// MHSMPrivateLinkResourceListResult - A list of private link resources
+type MHSMPrivateLinkResourceListResult struct {
+	// Array of private link resources
+	Value []*MHSMPrivateLinkResource
+}
+
+// MHSMPrivateLinkResourceProperties - Properties of a private link resource.
+type MHSMPrivateLinkResourceProperties struct {
+	// Required DNS zone names of the the private link resource.
+	RequiredZoneNames []*string
+
+	// READ-ONLY; Group identifier of private link resource.
+	GroupID *string
+
+	// READ-ONLY; Required member names of private link resource.
+	RequiredMembers []*string
+}
+
+// MHSMPrivateLinkServiceConnectionState - An object that represents the approval state of the private link connection.
+type MHSMPrivateLinkServiceConnectionState struct {
+	// A message indicating if changes on the service provider require any updates on the consumer.
+	ActionsRequired *ActionsRequired
+
+	// The reason for approval or rejection.
+	Description *string
+
+	// Indicates whether the connection has been approved, rejected or removed by the key vault owner.
+	Status *PrivateEndpointServiceConnectionStatus
+}
+
+// MHSMRegionsListResult - List of regions associated with a managed HSM Pools
+type MHSMRegionsListResult struct {
+	// The URL to get the next set of managed HSM Pools.
+	NextLink *string
+
+	// The region associated with a managed HSM Pools.
+	Value []*MHSMGeoReplicatedRegion
+}
+
+// MHSMVirtualNetworkRule - A rule governing the accessibility of a managed hsm pool from a specific virtual network.
+type MHSMVirtualNetworkRule struct {
+	// REQUIRED; Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.
+	ID *string
+}
+
+// ManagedHSMSecurityDomainProperties - The security domain properties of the managed hsm.
+type ManagedHSMSecurityDomainProperties struct {
+	// READ-ONLY; Activation Status
+	ActivationStatus *ActivationStatus
+
+	// READ-ONLY; Activation Status Message.
+	ActivationStatusMessage *string
+}
+
+// ManagedHsm - Resource information with extended details.
+type ManagedHsm struct {
+	// Managed service identity (system assigned and/or user assigned identities)
+	Identity *ManagedServiceIdentity
+
+	// The supported Azure location where the managed HSM Pool should be created.
+	Location *string
+
+	// Properties of the managed HSM
+	Properties *ManagedHsmProperties
+
+	// SKU details
+	SKU *ManagedHsmSKU
+
+	// Resource tags
+	Tags map[string]*string
+
+	// READ-ONLY; The Azure Resource Manager resource ID for the managed HSM Pool.
+	ID *string
+
+	// READ-ONLY; The name of the managed HSM Pool.
+	Name *string
+
+	// READ-ONLY; Metadata pertaining to creation and last modification of the key vault resource.
+	SystemData *SystemData
+
+	// READ-ONLY; The resource type of the managed HSM Pool.
+	Type *string
+}
+
+type ManagedHsmAction struct {
+	// The type of action.
+	Type *KeyRotationPolicyActionType
+}
+
+// ManagedHsmKey - The key resource.
+type ManagedHsmKey struct {
+	// REQUIRED; The properties of the key.
+	Properties *ManagedHsmKeyProperties
+
+	// Resource tags.
+	Tags map[string]*string
+
+	// READ-ONLY; Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
+	ID *string
+
+	// READ-ONLY; The name of the resource
+	Name *string
+
+	// READ-ONLY; The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"
+	Type *string
+}
+
+// ManagedHsmKeyAttributes - The object attributes managed by the Azure Key Vault service.
+type ManagedHsmKeyAttributes struct {
+	// Determines whether or not the object is enabled.
+	Enabled *bool
+
+	// Expiry date in seconds since 1970-01-01T00:00:00Z.
+	Expires *int64
+
+	// Indicates if the private key can be exported.
+	Exportable *bool
+
+	// Not before date in seconds since 1970-01-01T00:00:00Z.
+	NotBefore *int64
+
+	// READ-ONLY; Creation time in seconds since 1970-01-01T00:00:00Z.
+	Created *int64
+
+	// READ-ONLY; The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object
+	// can be permanently deleted by a privileged user; otherwise, only the system can purge the
+	// object at the end of the retention interval.
+	RecoveryLevel *DeletionRecoveryLevel
+
+	// READ-ONLY; Last updated time in seconds since 1970-01-01T00:00:00Z.
+	Updated *int64
+}
+
+// ManagedHsmKeyCreateParameters - The parameters used to create a key.
+type ManagedHsmKeyCreateParameters struct {
+	// REQUIRED; The properties of the key to be created.
+	Properties *ManagedHsmKeyProperties
+
+	// The tags that will be assigned to the key.
+	Tags map[string]*string
+}
+
+// ManagedHsmKeyListResult - The page of keys.
+type ManagedHsmKeyListResult struct {
+	// The URL to get the next page of keys.
+	NextLink *string
+
+	// The key resources.
+	Value []*ManagedHsmKey
+}
+
+// ManagedHsmKeyProperties - The properties of the key.
+type ManagedHsmKeyProperties struct {
+	// The attributes of the key.
+	Attributes *ManagedHsmKeyAttributes
+
+	// The elliptic curve name. For valid values, see JsonWebKeyCurveName.
+	CurveName *JSONWebKeyCurveName
+	KeyOps    []*JSONWebKeyOperation
+
+	// The key size in bits. For example: 2048, 3072, or 4096 for RSA.
+	KeySize *int32
+
+	// The type of the key. For valid values, see JsonWebKeyType.
+	Kty *JSONWebKeyType
+
+	// Key release policy in response. It will be used for both output and input. Omitted if empty
+	ReleasePolicy *ManagedHsmKeyReleasePolicy
+
+	// Key rotation policy in response. It will be used for both output and input. Omitted if empty
+	RotationPolicy *ManagedHsmRotationPolicy
+
+	// READ-ONLY; The URI to retrieve the current version of the key.
+	KeyURI *string
+
+	// READ-ONLY; The URI to retrieve the specific version of the key.
+	KeyURIWithVersion *string
+}
+
+type ManagedHsmKeyReleasePolicy struct {
+	// Content type and version of key release policy
+	ContentType *string
+
+	// Blob encoding the policy rules under which the key can be released.
+	Data []byte
+}
+
+type ManagedHsmKeyRotationPolicyAttributes struct {
+	// The expiration time for the new key version. It should be in ISO8601 format. Eg: 'P90D', 'P1Y'.
+	ExpiryTime *string
+
+	// READ-ONLY; Creation time in seconds since 1970-01-01T00:00:00Z.
+	Created *int64
+
+	// READ-ONLY; Last updated time in seconds since 1970-01-01T00:00:00Z.
+	Updated *int64
+}
+
+type ManagedHsmLifetimeAction struct {
+	// The action of key rotation policy lifetimeAction.
+	Action *ManagedHsmAction
+
+	// The trigger of key rotation policy lifetimeAction.
+	Trigger *ManagedHsmTrigger
+}
+
+// ManagedHsmListResult - List of managed HSM Pools
+type ManagedHsmListResult struct {
+	// The URL to get the next set of managed HSM Pools.
+	NextLink *string
+
+	// The list of managed HSM Pools.
+	Value []*ManagedHsm
+}
+
+// ManagedHsmProperties - Properties of the managed HSM Pool
+type ManagedHsmProperties struct {
+	// The create mode to indicate whether the resource is being created or is being recovered from a deleted resource.
+	CreateMode *CreateMode
+
+	// Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true
+	// activates protection against purge for this managed HSM pool and its content -
+	// only the Managed HSM service may initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible.
+	EnablePurgeProtection *bool
+
+	// Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. Soft delete is enabled
+	// by default for all managed HSMs and is immutable.
+	EnableSoftDelete *bool
+
+	// Array of initial administrators object ids for this managed hsm pool.
+	InitialAdminObjectIDs []*string
+
+	// Rules governing the accessibility of the key vault from specific network locations.
+	NetworkACLs *MHSMNetworkRuleSet
+
+	// Control permission to the managed HSM from public networks.
+	PublicNetworkAccess *PublicNetworkAccess
+
+	// List of all regions associated with the managed hsm pool.
+	Regions []*MHSMGeoReplicatedRegion
+
+	// Soft deleted data retention days. When you delete an HSM or a key, it will remain recoverable for the configured retention
+	// period or for a default period of 90 days. It accepts values between 7 and
+	// 90.
+	SoftDeleteRetentionInDays *int32
+
+	// The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM pool.
+	TenantID *string
+
+	// READ-ONLY; The URI of the managed hsm pool for performing operations on keys.
+	HsmURI *string
+
+	// READ-ONLY; List of private endpoint connections associated with the managed hsm pool.
+	PrivateEndpointConnections []*MHSMPrivateEndpointConnectionItem
+
+	// READ-ONLY; Provisioning state.
+	ProvisioningState *ProvisioningState
+
+	// READ-ONLY; The scheduled purge date in UTC.
+	ScheduledPurgeDate *time.Time
+
+	// READ-ONLY; Managed HSM security domain properties.
+	SecurityDomainProperties *ManagedHSMSecurityDomainProperties
+
+	// READ-ONLY; Resource Status Message.
+	StatusMessage *string
+}
+
+type ManagedHsmRotationPolicy struct {
+	// The attributes of key rotation policy.
+	Attributes *ManagedHsmKeyRotationPolicyAttributes
+
+	// The lifetimeActions for key rotation action.
+	LifetimeActions []*ManagedHsmLifetimeAction
+}
+
+// ManagedHsmSKU - SKU details
+type ManagedHsmSKU struct {
+	// REQUIRED; SKU Family of the managed HSM Pool
+	Family *ManagedHsmSKUFamily
+
+	// REQUIRED; SKU of the managed HSM Pool
+	Name *ManagedHsmSKUName
+}
+
+type ManagedHsmTrigger struct {
+	// The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format.
+	// Eg: 'P90D', 'P1Y'.
+	TimeAfterCreate *string
+
+	// The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'.
+	TimeBeforeExpiry *string
+}
+
+// ManagedServiceIdentity - Managed service identity (system assigned and/or user assigned identities)
+type ManagedServiceIdentity struct {
+	// REQUIRED; Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).
+	Type *ManagedServiceIdentityType
+
+	// The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM
+	// resource ids in the form:
+	// '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}.
+	// The dictionary values can be empty objects ({}) in
+	// requests.
+	UserAssignedIdentities map[string]*UserAssignedIdentity
+
+	// READ-ONLY; The service principal ID of the system assigned identity. This property will only be provided for a system assigned
+	// identity.
+	PrincipalID *string
+
+	// READ-ONLY; The tenant ID of the system assigned identity. This property will only be provided for a system assigned identity.
+	TenantID *string
+}
+
+// MetricSpecification - Metric specification of operation.
+type MetricSpecification struct {
+	// The metric aggregation type. Possible values include: 'Average', 'Count', 'Total'.
+	AggregationType *string
+
+	// The dimensions of metric
+	Dimensions []*DimensionProperties
+
+	// Display description of metric specification.
+	DisplayDescription *string
+
+	// Display name of metric specification.
+	DisplayName *string
+
+	// Property to specify whether to fill gap with zero.
+	FillGapWithZero *bool
+
+	// The internal metric name.
+	InternalMetricName *string
+
+	// The metric lock aggregation type.
+	LockAggregationType *string
+
+	// Name of metric specification.
+	Name *string
+
+	// The supported aggregation types for the metrics.
+	SupportedAggregationTypes []*string
+
+	// The supported time grain types for the metrics.
+	SupportedTimeGrainTypes []*string
+
+	// The metric unit. Possible values include: 'Bytes', 'Count', 'Milliseconds'.
+	Unit *string
+}
+
+// NetworkRuleSet - A set of rules governing the network accessibility of a vault.
+type NetworkRuleSet struct {
+	// Tells what traffic can bypass network rules. This can be 'AzureServices' or 'None'. If not specified the default is 'AzureServices'.
+	Bypass *NetworkRuleBypassOptions
+
+	// The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property
+	// has been evaluated.
+	DefaultAction *NetworkRuleAction
+
+	// The list of IP address rules.
+	IPRules []*IPRule
+
+	// The list of virtual network rules.
+	VirtualNetworkRules []*VirtualNetworkRule
+}
+
+// Operation - Key Vault REST API operation definition.
+type Operation struct {
+	// Display metadata associated with the operation.
+	Display *OperationDisplay
+
+	// Property to specify whether the action is a data action.
+	IsDataAction *bool
+
+	// Operation name: {provider}/{resource}/{operation}
+	Name *string
+
+	// Properties of operation, include metric specifications.
+	OperationProperties *OperationProperties
+
+	// The origin of operations.
+	Origin *string
+}
+
+// OperationDisplay - Display metadata associated with the operation.
+type OperationDisplay struct {
+	// Description of operation.
+	Description *string
+
+	// Type of operation: get, read, delete, etc.
+	Operation *string
+
+	// Service provider: Microsoft Key Vault.
+	Provider *string
+
+	// Resource on which the operation is performed etc.
+	Resource *string
+}
+
+// OperationListResult - Result of the request to list Storage operations. It contains a list of operations and a URL link
+// to get the next set of results.
+type OperationListResult struct {
+	// The URL to get the next set of operations.
+	NextLink *string
+
+	// List of Storage operations supported by the Storage resource provider.
+	Value []*Operation
+}
+
+// OperationProperties - Properties of operation, include metric specifications.
+type OperationProperties struct {
+	// One property of operation, include metric specifications.
+	ServiceSpecification *ServiceSpecification
+}
+
+// Permissions the identity has for keys, secrets, certificates and storage.
+type Permissions struct {
+	// Permissions to certificates
+	Certificates []*CertificatePermissions
+
+	// Permissions to keys
+	Keys []*KeyPermissions
+
+	// Permissions to secrets
+	Secrets []*SecretPermissions
+
+	// Permissions to storage accounts
+	Storage []*StoragePermissions
+}
+
+// PrivateEndpoint - Private endpoint object properties.
+type PrivateEndpoint struct {
+	// READ-ONLY; Full identifier of the private endpoint resource.
+	ID *string
+}
+
+// PrivateEndpointConnection - Private endpoint connection resource.
+type PrivateEndpointConnection struct {
+	// Modified whenever there is a change in the state of private endpoint connection.
+	Etag *string
+
+	// Resource properties.
+	Properties *PrivateEndpointConnectionProperties
+
+	// READ-ONLY; Fully qualified identifier of the key vault resource.
+	ID *string
+
+	// READ-ONLY; Azure location of the key vault resource.
+	Location *string
+
+	// READ-ONLY; Name of the key vault resource.
+	Name *string
+
+	// READ-ONLY; Tags assigned to the key vault resource.
+	Tags map[string]*string
+
+	// READ-ONLY; Resource type of the key vault resource.
+	Type *string
+}
+
+// PrivateEndpointConnectionItem - Private endpoint connection item.
+type PrivateEndpointConnectionItem struct {
+	// Modified whenever there is a change in the state of private endpoint connection.
+	Etag *string
+
+	// Id of private endpoint connection.
+	ID *string
+
+	// Private endpoint connection properties.
+	Properties *PrivateEndpointConnectionProperties
+}
+
+// PrivateEndpointConnectionListResult - List of private endpoint connections.
+type PrivateEndpointConnectionListResult struct {
+	// The URL to get the next set of private endpoint connections.
+	NextLink *string
+
+	// The list of private endpoint connections.
+	Value []*PrivateEndpointConnection
+}
+
+// PrivateEndpointConnectionProperties - Properties of the private endpoint connection resource.
+type PrivateEndpointConnectionProperties struct {
+	// Properties of the private endpoint object.
+	PrivateEndpoint *PrivateEndpoint
+
+	// Approval state of the private link connection.
+	PrivateLinkServiceConnectionState *PrivateLinkServiceConnectionState
+
+	// Provisioning state of the private endpoint connection.
+	ProvisioningState *PrivateEndpointConnectionProvisioningState
+}
+
+// PrivateLinkResource - A private link resource
+type PrivateLinkResource struct {
+	// Resource properties.
+	Properties *PrivateLinkResourceProperties
+
+	// READ-ONLY; Fully qualified identifier of the key vault resource.
+	ID *string
+
+	// READ-ONLY; Azure location of the key vault resource.
+	Location *string
+
+	// READ-ONLY; Name of the key vault resource.
+	Name *string
+
+	// READ-ONLY; Tags assigned to the key vault resource.
+	Tags map[string]*string
+
+	// READ-ONLY; Resource type of the key vault resource.
+	Type *string
+}
+
+// PrivateLinkResourceListResult - A list of private link resources
+type PrivateLinkResourceListResult struct {
+	// Array of private link resources
+	Value []*PrivateLinkResource
+}
+
+// PrivateLinkResourceProperties - Properties of a private link resource.
+type PrivateLinkResourceProperties struct {
+	// Required DNS zone names of the the private link resource.
+	RequiredZoneNames []*string
+
+	// READ-ONLY; Group identifier of private link resource.
+	GroupID *string
+
+	// READ-ONLY; Required member names of private link resource.
+	RequiredMembers []*string
+}
+
+// PrivateLinkServiceConnectionState - An object that represents the approval state of the private link connection.
+type PrivateLinkServiceConnectionState struct {
+	// A message indicating if changes on the service provider require any updates on the consumer.
+	ActionsRequired *ActionsRequired
+
+	// The reason for approval or rejection.
+	Description *string
+
+	// Indicates whether the connection has been approved, rejected or removed by the key vault owner.
+	Status *PrivateEndpointServiceConnectionStatus
+}
+
+// Resource - Key Vault resource
+type Resource struct {
+	// READ-ONLY; Fully qualified identifier of the key vault resource.
+	ID *string
+
+	// READ-ONLY; Azure location of the key vault resource.
+	Location *string
+
+	// READ-ONLY; Name of the key vault resource.
+	Name *string
+
+	// READ-ONLY; Tags assigned to the key vault resource.
+	Tags map[string]*string
+
+	// READ-ONLY; Resource type of the key vault resource.
+	Type *string
+}
+
+// ResourceListResult - List of vault resources.
+type ResourceListResult struct {
+	// The URL to get the next set of vault resources.
+	NextLink *string
+
+	// The list of vault resources.
+	Value []*Resource
+}
+
+type RotationPolicy struct {
+	// The attributes of key rotation policy.
+	Attributes *KeyRotationPolicyAttributes
+
+	// The lifetimeActions for key rotation action.
+	LifetimeActions []*LifetimeAction
+}
+
+// SKU details
+type SKU struct {
+	// REQUIRED; SKU family name
+	Family *SKUFamily
+
+	// REQUIRED; SKU name to specify whether the key vault is a standard vault or a premium vault.
+	Name *SKUName
+}
+
+// Secret - Resource information with extended details.
+type Secret struct {
+	// REQUIRED; Properties of the secret
+	Properties *SecretProperties
+
+	// READ-ONLY; Fully qualified identifier of the key vault resource.
+	ID *string
+
+	// READ-ONLY; Azure location of the key vault resource.
+	Location *string
+
+	// READ-ONLY; Name of the key vault resource.
+	Name *string
+
+	// READ-ONLY; Tags assigned to the key vault resource.
+	Tags map[string]*string
+
+	// READ-ONLY; Resource type of the key vault resource.
+	Type *string
+}
+
+// SecretAttributes - The secret management attributes.
+type SecretAttributes struct {
+	// Determines whether the object is enabled.
+	Enabled *bool
+
+	// Expiry date in seconds since 1970-01-01T00:00:00Z.
+	Expires *time.Time
+
+	// Not before date in seconds since 1970-01-01T00:00:00Z.
+	NotBefore *time.Time
+
+	// READ-ONLY; Creation time in seconds since 1970-01-01T00:00:00Z.
+	Created *time.Time
+
+	// READ-ONLY; Last updated time in seconds since 1970-01-01T00:00:00Z.
+	Updated *time.Time
+}
+
+// SecretCreateOrUpdateParameters - Parameters for creating or updating a secret
+type SecretCreateOrUpdateParameters struct {
+	// REQUIRED; Properties of the secret
+	Properties *SecretProperties
+
+	// The tags that will be assigned to the secret.
+	Tags map[string]*string
+}
+
+// SecretListResult - List of secrets
+type SecretListResult struct {
+	// The URL to get the next set of secrets.
+	NextLink *string
+
+	// The list of secrets.
+	Value []*Secret
+}
+
+// SecretPatchParameters - Parameters for patching a secret
+type SecretPatchParameters struct {
+	// Properties of the secret
+	Properties *SecretPatchProperties
+
+	// The tags that will be assigned to the secret.
+	Tags map[string]*string
+}
+
+// SecretPatchProperties - Properties of the secret
+type SecretPatchProperties struct {
+	// The attributes of the secret.
+	Attributes *SecretAttributes
+
+	// The content type of the secret.
+	ContentType *string
+
+	// The value of the secret.
+	Value *string
+}
+
+// SecretProperties - Properties of the secret
+type SecretProperties struct {
+	// The attributes of the secret.
+	Attributes *SecretAttributes
+
+	// The content type of the secret.
+	ContentType *string
+
+	// The value of the secret. NOTE: 'value' will never be returned from the service, as APIs using this model are is intended
+	// for internal use in ARM deployments. Users should use the data-plane REST
+	// service for interaction with vault secrets.
+	Value *string
+
+	// READ-ONLY; The URI to retrieve the current version of the secret.
+	SecretURI *string
+
+	// READ-ONLY; The URI to retrieve the specific version of the secret.
+	SecretURIWithVersion *string
+}
+
+// ServiceSpecification - One property of operation, include log specifications.
+type ServiceSpecification struct {
+	// Log specifications of operation.
+	LogSpecifications []*LogSpecification
+
+	// Metric specifications of operation.
+	MetricSpecifications []*MetricSpecification
+}
+
+// SystemData - Metadata pertaining to creation and last modification of the key vault resource.
+type SystemData struct {
+	// The timestamp of the key vault resource creation (UTC).
+	CreatedAt *time.Time
+
+	// The identity that created the key vault resource.
+	CreatedBy *string
+
+	// The type of identity that created the key vault resource.
+	CreatedByType *IdentityType
+
+	// The timestamp of the key vault resource last modification (UTC).
+	LastModifiedAt *time.Time
+
+	// The identity that last modified the key vault resource.
+	LastModifiedBy *string
+
+	// The type of identity that last modified the key vault resource.
+	LastModifiedByType *IdentityType
+}
+
+type Trigger struct {
+	// The time duration after key creation to rotate the key. It only applies to rotate. It will be in ISO 8601 duration format.
+	// Eg: 'P90D', 'P1Y'.
+	TimeAfterCreate *string
+
+	// The time duration before key expiring to rotate or notify. It will be in ISO 8601 duration format. Eg: 'P90D', 'P1Y'.
+	TimeBeforeExpiry *string
+}
+
+// UserAssignedIdentity - User assigned identity properties
+type UserAssignedIdentity struct {
+	// READ-ONLY; The client ID of the assigned identity.
+	ClientID *string
+
+	// READ-ONLY; The principal ID of the assigned identity.
+	PrincipalID *string
+}
+
+// Vault - Resource information with extended details.
+type Vault struct {
+	// REQUIRED; Properties of the vault
+	Properties *VaultProperties
+
+	// Azure location of the key vault resource.
+	Location *string
+
+	// Tags assigned to the key vault resource.
+	Tags map[string]*string
+
+	// READ-ONLY; Fully qualified identifier of the key vault resource.
+	ID *string
+
+	// READ-ONLY; Name of the key vault resource.
+	Name *string
+
+	// READ-ONLY; System metadata for the key vault.
+	SystemData *SystemData
+
+	// READ-ONLY; Resource type of the key vault resource.
+	Type *string
+}
+
+// VaultAccessPolicyParameters - Parameters for updating the access policy in a vault
+type VaultAccessPolicyParameters struct {
+	// REQUIRED; Properties of the access policy
+	Properties *VaultAccessPolicyProperties
+
+	// READ-ONLY; The resource id of the access policy.
+	ID *string
+
+	// READ-ONLY; The resource type of the access policy.
+	Location *string
+
+	// READ-ONLY; The resource name of the access policy.
+	Name *string
+
+	// READ-ONLY; The resource name of the access policy.
+	Type *string
+}
+
+// VaultAccessPolicyProperties - Properties of the vault access policy
+type VaultAccessPolicyProperties struct {
+	// REQUIRED; An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same
+	// tenant ID as the key vault's tenant ID.
+	AccessPolicies []*AccessPolicyEntry
+}
+
+// VaultCheckNameAvailabilityParameters - The parameters used to check the availability of the vault name.
+type VaultCheckNameAvailabilityParameters struct {
+	// REQUIRED; The vault name.
+	Name *string
+
+	// CONSTANT; The type of resource, Microsoft.KeyVault/vaults
+	// Field has constant value "Microsoft.KeyVault/vaults", any specified value is ignored.
+	Type *string
+}
+
+// VaultCreateOrUpdateParameters - Parameters for creating or updating a vault
+type VaultCreateOrUpdateParameters struct {
+	// REQUIRED; The supported Azure location where the key vault should be created.
+	Location *string
+
+	// REQUIRED; Properties of the vault
+	Properties *VaultProperties
+
+	// The tags that will be assigned to the key vault.
+	Tags map[string]*string
+}
+
+// VaultListResult - List of vaults
+type VaultListResult struct {
+	// The URL to get the next set of vaults.
+	NextLink *string
+
+	// The list of vaults.
+	Value []*Vault
+}
+
+// VaultPatchParameters - Parameters for creating or updating a vault
+type VaultPatchParameters struct {
+	// Properties of the vault
+	Properties *VaultPatchProperties
+
+	// The tags that will be assigned to the key vault.
+	Tags map[string]*string
+}
+
+// VaultPatchProperties - Properties of the vault
+type VaultPatchProperties struct {
+	// An array of 0 to 16 identities that have access to the key vault. All identities in the array must use the same tenant
+	// ID as the key vault's tenant ID.
+	AccessPolicies []*AccessPolicyEntry
+
+	// The vault's create mode to indicate whether the vault need to be recovered or not.
+	CreateMode *CreateMode
+
+	// Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates
+	// protection against purge for this vault and its content - only the Key Vault
+	// service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling
+	// this functionality is irreversible - that is, the property does not accept
+	// false as its value.
+	EnablePurgeProtection *bool
+
+	// Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC)
+	// for authorization of data actions, and the access policies specified in vault
+	// properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any
+	// policy stored on Azure Resource Manager will be ignored. If null or not
+	// specified, the value of this property will not change.
+	EnableRbacAuthorization *bool
+
+	// Property to specify whether the 'soft delete' functionality is enabled for this key vault. Once set to true, it cannot
+	// be reverted to false.
+	EnableSoftDelete *bool
+
+	// Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key
+	// vault.
+	EnabledForDeployment *bool
+
+	// Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
+	EnabledForDiskEncryption *bool
+
+	// Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
+	EnabledForTemplateDeployment *bool
+
+	// A collection of rules governing the accessibility of the vault from specific network locations.
+	NetworkACLs *NetworkRuleSet
+
+	// Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except
+	// private endpoint traffic and that that originates from trusted services will be
+	// blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor
+	// the rules.
+	PublicNetworkAccess *string
+
+	// SKU details
+	SKU *SKU
+
+	// softDelete data retention days. It accepts >=7 and <=90.
+	SoftDeleteRetentionInDays *int32
+
+	// The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
+	TenantID *string
+}
+
+// VaultProperties - Properties of the vault
+type VaultProperties struct {
+	// REQUIRED; SKU details
+	SKU *SKU
+
+	// REQUIRED; The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
+	TenantID *string
+
+	// An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant
+	// ID as the key vault's tenant ID. When createMode is set to recover, access
+	// policies are not required. Otherwise, access policies are required.
+	AccessPolicies []*AccessPolicyEntry
+
+	// The vault's create mode to indicate whether the vault need to be recovered or not.
+	CreateMode *CreateMode
+
+	// Property specifying whether protection against purge is enabled for this vault. Setting this property to true activates
+	// protection against purge for this vault and its content - only the Key Vault
+	// service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling
+	// this functionality is irreversible - that is, the property does not accept
+	// false as its value.
+	EnablePurgeProtection *bool
+
+	// Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC)
+	// for authorization of data actions, and the access policies specified in vault
+	// properties will be ignored. When false, the key vault will use the access policies specified in vault properties, and any
+	// policy stored on Azure Resource Manager will be ignored. If null or not
+	// specified, the vault is created with the default value of false. Note that management actions are always authorized with
+	// RBAC.
+	EnableRbacAuthorization *bool
+
+	// Property to specify whether the 'soft delete' functionality is enabled for this key vault. If it's not set to any value(true
+	// or false) when creating new key vault, it will be set to true by default.
+	// Once set to true, it cannot be reverted to false.
+	EnableSoftDelete *bool
+
+	// Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key
+	// vault.
+	EnabledForDeployment *bool
+
+	// Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
+	EnabledForDiskEncryption *bool
+
+	// Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
+	EnabledForTemplateDeployment *bool
+
+	// Rules governing the accessibility of the key vault from specific network locations.
+	NetworkACLs *NetworkRuleSet
+
+	// Provisioning state of the vault.
+	ProvisioningState *VaultProvisioningState
+
+	// Property to specify whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except
+	// private endpoint traffic and that that originates from trusted services will be
+	// blocked. This will override the set firewall rules, meaning that even if the firewall rules are present we will not honor
+	// the rules.
+	PublicNetworkAccess *string
+
+	// softDelete data retention days. It accepts >=7 and <=90.
+	SoftDeleteRetentionInDays *int32
+
+	// The URI of the vault for performing operations on keys and secrets.
+	VaultURI *string
+
+	// READ-ONLY; The resource id of HSM Pool.
+	HsmPoolResourceID *string
+
+	// READ-ONLY; List of private endpoint connections associated with the key vault.
+	PrivateEndpointConnections []*PrivateEndpointConnectionItem
+}
+
+// VirtualNetworkRule - A rule governing the accessibility of a vault from a specific virtual network.
+type VirtualNetworkRule struct {
+	// REQUIRED; Full resource id of a vnet subnet, such as '/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1'.
+	ID *string
+
+	// Property to specify whether NRP will ignore the check if parent subnet has serviceEndpoints configured.
+	IgnoreMissingVnetServiceEndpoint *bool
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/models_serde.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/models_serde.go
new file mode 100644
index 000000000..fbc4d3172
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/models_serde.go
@@ -0,0 +1,3636 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
+	"reflect"
+)
+
+// MarshalJSON implements the json.Marshaller interface for type AccessPolicyEntry.
+func (a AccessPolicyEntry) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "applicationId", a.ApplicationID)
+	populate(objectMap, "objectId", a.ObjectID)
+	populate(objectMap, "permissions", a.Permissions)
+	populate(objectMap, "tenantId", a.TenantID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type AccessPolicyEntry.
+func (a *AccessPolicyEntry) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", a, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "applicationId":
+			err = unpopulate(val, "ApplicationID", &a.ApplicationID)
+			delete(rawMsg, key)
+		case "objectId":
+			err = unpopulate(val, "ObjectID", &a.ObjectID)
+			delete(rawMsg, key)
+		case "permissions":
+			err = unpopulate(val, "Permissions", &a.Permissions)
+			delete(rawMsg, key)
+		case "tenantId":
+			err = unpopulate(val, "TenantID", &a.TenantID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", a, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Action.
+func (a Action) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "type", a.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Action.
+func (a *Action) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", a, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "type":
+			err = unpopulate(val, "Type", &a.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", a, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type CheckMhsmNameAvailabilityParameters.
+func (c CheckMhsmNameAvailabilityParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "name", c.Name)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type CheckMhsmNameAvailabilityParameters.
+func (c *CheckMhsmNameAvailabilityParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", c, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "name":
+			err = unpopulate(val, "Name", &c.Name)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", c, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type CheckMhsmNameAvailabilityResult.
+func (c CheckMhsmNameAvailabilityResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "message", c.Message)
+	populate(objectMap, "nameAvailable", c.NameAvailable)
+	populate(objectMap, "reason", c.Reason)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type CheckMhsmNameAvailabilityResult.
+func (c *CheckMhsmNameAvailabilityResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", c, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "message":
+			err = unpopulate(val, "Message", &c.Message)
+			delete(rawMsg, key)
+		case "nameAvailable":
+			err = unpopulate(val, "NameAvailable", &c.NameAvailable)
+			delete(rawMsg, key)
+		case "reason":
+			err = unpopulate(val, "Reason", &c.Reason)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", c, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type CheckNameAvailabilityResult.
+func (c CheckNameAvailabilityResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "message", c.Message)
+	populate(objectMap, "nameAvailable", c.NameAvailable)
+	populate(objectMap, "reason", c.Reason)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type CheckNameAvailabilityResult.
+func (c *CheckNameAvailabilityResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", c, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "message":
+			err = unpopulate(val, "Message", &c.Message)
+			delete(rawMsg, key)
+		case "nameAvailable":
+			err = unpopulate(val, "NameAvailable", &c.NameAvailable)
+			delete(rawMsg, key)
+		case "reason":
+			err = unpopulate(val, "Reason", &c.Reason)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", c, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type DeletedManagedHsm.
+func (d DeletedManagedHsm) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", d.ID)
+	populate(objectMap, "name", d.Name)
+	populate(objectMap, "properties", d.Properties)
+	populate(objectMap, "type", d.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type DeletedManagedHsm.
+func (d *DeletedManagedHsm) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", d, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &d.ID)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &d.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &d.Properties)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &d.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", d, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type DeletedManagedHsmListResult.
+func (d DeletedManagedHsmListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", d.NextLink)
+	populate(objectMap, "value", d.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type DeletedManagedHsmListResult.
+func (d *DeletedManagedHsmListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", d, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &d.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &d.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", d, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type DeletedManagedHsmProperties.
+func (d DeletedManagedHsmProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populateDateTimeRFC3339(objectMap, "deletionDate", d.DeletionDate)
+	populate(objectMap, "location", d.Location)
+	populate(objectMap, "mhsmId", d.MhsmID)
+	populate(objectMap, "purgeProtectionEnabled", d.PurgeProtectionEnabled)
+	populateDateTimeRFC3339(objectMap, "scheduledPurgeDate", d.ScheduledPurgeDate)
+	populate(objectMap, "tags", d.Tags)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type DeletedManagedHsmProperties.
+func (d *DeletedManagedHsmProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", d, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "deletionDate":
+			err = unpopulateDateTimeRFC3339(val, "DeletionDate", &d.DeletionDate)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &d.Location)
+			delete(rawMsg, key)
+		case "mhsmId":
+			err = unpopulate(val, "MhsmID", &d.MhsmID)
+			delete(rawMsg, key)
+		case "purgeProtectionEnabled":
+			err = unpopulate(val, "PurgeProtectionEnabled", &d.PurgeProtectionEnabled)
+			delete(rawMsg, key)
+		case "scheduledPurgeDate":
+			err = unpopulateDateTimeRFC3339(val, "ScheduledPurgeDate", &d.ScheduledPurgeDate)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &d.Tags)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", d, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type DeletedVault.
+func (d DeletedVault) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", d.ID)
+	populate(objectMap, "name", d.Name)
+	populate(objectMap, "properties", d.Properties)
+	populate(objectMap, "type", d.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type DeletedVault.
+func (d *DeletedVault) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", d, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &d.ID)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &d.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &d.Properties)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &d.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", d, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type DeletedVaultListResult.
+func (d DeletedVaultListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", d.NextLink)
+	populate(objectMap, "value", d.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type DeletedVaultListResult.
+func (d *DeletedVaultListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", d, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &d.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &d.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", d, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type DeletedVaultProperties.
+func (d DeletedVaultProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populateDateTimeRFC3339(objectMap, "deletionDate", d.DeletionDate)
+	populate(objectMap, "location", d.Location)
+	populate(objectMap, "purgeProtectionEnabled", d.PurgeProtectionEnabled)
+	populateDateTimeRFC3339(objectMap, "scheduledPurgeDate", d.ScheduledPurgeDate)
+	populate(objectMap, "tags", d.Tags)
+	populate(objectMap, "vaultId", d.VaultID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type DeletedVaultProperties.
+func (d *DeletedVaultProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", d, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "deletionDate":
+			err = unpopulateDateTimeRFC3339(val, "DeletionDate", &d.DeletionDate)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &d.Location)
+			delete(rawMsg, key)
+		case "purgeProtectionEnabled":
+			err = unpopulate(val, "PurgeProtectionEnabled", &d.PurgeProtectionEnabled)
+			delete(rawMsg, key)
+		case "scheduledPurgeDate":
+			err = unpopulateDateTimeRFC3339(val, "ScheduledPurgeDate", &d.ScheduledPurgeDate)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &d.Tags)
+			delete(rawMsg, key)
+		case "vaultId":
+			err = unpopulate(val, "VaultID", &d.VaultID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", d, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type DimensionProperties.
+func (d DimensionProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "displayName", d.DisplayName)
+	populate(objectMap, "name", d.Name)
+	populate(objectMap, "toBeExportedForShoebox", d.ToBeExportedForShoebox)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type DimensionProperties.
+func (d *DimensionProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", d, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "displayName":
+			err = unpopulate(val, "DisplayName", &d.DisplayName)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &d.Name)
+			delete(rawMsg, key)
+		case "toBeExportedForShoebox":
+			err = unpopulate(val, "ToBeExportedForShoebox", &d.ToBeExportedForShoebox)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", d, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type IPRule.
+func (i IPRule) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "value", i.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type IPRule.
+func (i *IPRule) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", i, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "value":
+			err = unpopulate(val, "Value", &i.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", i, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Key.
+func (k Key) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", k.ID)
+	populate(objectMap, "location", k.Location)
+	populate(objectMap, "name", k.Name)
+	populate(objectMap, "properties", k.Properties)
+	populate(objectMap, "tags", k.Tags)
+	populate(objectMap, "type", k.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Key.
+func (k *Key) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", k, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &k.ID)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &k.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &k.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &k.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &k.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &k.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", k, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type KeyAttributes.
+func (k KeyAttributes) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "created", k.Created)
+	populate(objectMap, "enabled", k.Enabled)
+	populate(objectMap, "exp", k.Expires)
+	populate(objectMap, "exportable", k.Exportable)
+	populate(objectMap, "nbf", k.NotBefore)
+	populate(objectMap, "recoveryLevel", k.RecoveryLevel)
+	populate(objectMap, "updated", k.Updated)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type KeyAttributes.
+func (k *KeyAttributes) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", k, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "created":
+			err = unpopulate(val, "Created", &k.Created)
+			delete(rawMsg, key)
+		case "enabled":
+			err = unpopulate(val, "Enabled", &k.Enabled)
+			delete(rawMsg, key)
+		case "exp":
+			err = unpopulate(val, "Expires", &k.Expires)
+			delete(rawMsg, key)
+		case "exportable":
+			err = unpopulate(val, "Exportable", &k.Exportable)
+			delete(rawMsg, key)
+		case "nbf":
+			err = unpopulate(val, "NotBefore", &k.NotBefore)
+			delete(rawMsg, key)
+		case "recoveryLevel":
+			err = unpopulate(val, "RecoveryLevel", &k.RecoveryLevel)
+			delete(rawMsg, key)
+		case "updated":
+			err = unpopulate(val, "Updated", &k.Updated)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", k, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type KeyCreateParameters.
+func (k KeyCreateParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "properties", k.Properties)
+	populate(objectMap, "tags", k.Tags)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type KeyCreateParameters.
+func (k *KeyCreateParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", k, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "properties":
+			err = unpopulate(val, "Properties", &k.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &k.Tags)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", k, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type KeyListResult.
+func (k KeyListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", k.NextLink)
+	populate(objectMap, "value", k.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type KeyListResult.
+func (k *KeyListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", k, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &k.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &k.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", k, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type KeyProperties.
+func (k KeyProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "attributes", k.Attributes)
+	populate(objectMap, "curveName", k.CurveName)
+	populate(objectMap, "keyOps", k.KeyOps)
+	populate(objectMap, "keySize", k.KeySize)
+	populate(objectMap, "keyUri", k.KeyURI)
+	populate(objectMap, "keyUriWithVersion", k.KeyURIWithVersion)
+	populate(objectMap, "kty", k.Kty)
+	populate(objectMap, "release_policy", k.ReleasePolicy)
+	populate(objectMap, "rotationPolicy", k.RotationPolicy)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type KeyProperties.
+func (k *KeyProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", k, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "attributes":
+			err = unpopulate(val, "Attributes", &k.Attributes)
+			delete(rawMsg, key)
+		case "curveName":
+			err = unpopulate(val, "CurveName", &k.CurveName)
+			delete(rawMsg, key)
+		case "keyOps":
+			err = unpopulate(val, "KeyOps", &k.KeyOps)
+			delete(rawMsg, key)
+		case "keySize":
+			err = unpopulate(val, "KeySize", &k.KeySize)
+			delete(rawMsg, key)
+		case "keyUri":
+			err = unpopulate(val, "KeyURI", &k.KeyURI)
+			delete(rawMsg, key)
+		case "keyUriWithVersion":
+			err = unpopulate(val, "KeyURIWithVersion", &k.KeyURIWithVersion)
+			delete(rawMsg, key)
+		case "kty":
+			err = unpopulate(val, "Kty", &k.Kty)
+			delete(rawMsg, key)
+		case "release_policy":
+			err = unpopulate(val, "ReleasePolicy", &k.ReleasePolicy)
+			delete(rawMsg, key)
+		case "rotationPolicy":
+			err = unpopulate(val, "RotationPolicy", &k.RotationPolicy)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", k, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type KeyReleasePolicy.
+func (k KeyReleasePolicy) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "contentType", k.ContentType)
+	populateByteArray(objectMap, "data", k.Data, runtime.Base64URLFormat)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type KeyReleasePolicy.
+func (k *KeyReleasePolicy) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", k, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "contentType":
+			err = unpopulate(val, "ContentType", &k.ContentType)
+			delete(rawMsg, key)
+		case "data":
+			err = runtime.DecodeByteArray(string(val), &k.Data, runtime.Base64URLFormat)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", k, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type KeyRotationPolicyAttributes.
+func (k KeyRotationPolicyAttributes) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "created", k.Created)
+	populate(objectMap, "expiryTime", k.ExpiryTime)
+	populate(objectMap, "updated", k.Updated)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type KeyRotationPolicyAttributes.
+func (k *KeyRotationPolicyAttributes) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", k, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "created":
+			err = unpopulate(val, "Created", &k.Created)
+			delete(rawMsg, key)
+		case "expiryTime":
+			err = unpopulate(val, "ExpiryTime", &k.ExpiryTime)
+			delete(rawMsg, key)
+		case "updated":
+			err = unpopulate(val, "Updated", &k.Updated)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", k, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type LifetimeAction.
+func (l LifetimeAction) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "action", l.Action)
+	populate(objectMap, "trigger", l.Trigger)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type LifetimeAction.
+func (l *LifetimeAction) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", l, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "action":
+			err = unpopulate(val, "Action", &l.Action)
+			delete(rawMsg, key)
+		case "trigger":
+			err = unpopulate(val, "Trigger", &l.Trigger)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", l, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type LogSpecification.
+func (l LogSpecification) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "blobDuration", l.BlobDuration)
+	populate(objectMap, "displayName", l.DisplayName)
+	populate(objectMap, "name", l.Name)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type LogSpecification.
+func (l *LogSpecification) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", l, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "blobDuration":
+			err = unpopulate(val, "BlobDuration", &l.BlobDuration)
+			delete(rawMsg, key)
+		case "displayName":
+			err = unpopulate(val, "DisplayName", &l.DisplayName)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &l.Name)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", l, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMGeoReplicatedRegion.
+func (m MHSMGeoReplicatedRegion) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "isPrimary", m.IsPrimary)
+	populate(objectMap, "name", m.Name)
+	populate(objectMap, "provisioningState", m.ProvisioningState)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMGeoReplicatedRegion.
+func (m *MHSMGeoReplicatedRegion) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "isPrimary":
+			err = unpopulate(val, "IsPrimary", &m.IsPrimary)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &m.Name)
+			delete(rawMsg, key)
+		case "provisioningState":
+			err = unpopulate(val, "ProvisioningState", &m.ProvisioningState)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMIPRule.
+func (m MHSMIPRule) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "value", m.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMIPRule.
+func (m *MHSMIPRule) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "value":
+			err = unpopulate(val, "Value", &m.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMNetworkRuleSet.
+func (m MHSMNetworkRuleSet) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "bypass", m.Bypass)
+	populate(objectMap, "defaultAction", m.DefaultAction)
+	populate(objectMap, "ipRules", m.IPRules)
+	populate(objectMap, "virtualNetworkRules", m.VirtualNetworkRules)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMNetworkRuleSet.
+func (m *MHSMNetworkRuleSet) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "bypass":
+			err = unpopulate(val, "Bypass", &m.Bypass)
+			delete(rawMsg, key)
+		case "defaultAction":
+			err = unpopulate(val, "DefaultAction", &m.DefaultAction)
+			delete(rawMsg, key)
+		case "ipRules":
+			err = unpopulate(val, "IPRules", &m.IPRules)
+			delete(rawMsg, key)
+		case "virtualNetworkRules":
+			err = unpopulate(val, "VirtualNetworkRules", &m.VirtualNetworkRules)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateEndpoint.
+func (m MHSMPrivateEndpoint) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", m.ID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateEndpoint.
+func (m *MHSMPrivateEndpoint) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &m.ID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateEndpointConnection.
+func (m MHSMPrivateEndpointConnection) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "etag", m.Etag)
+	populate(objectMap, "id", m.ID)
+	populate(objectMap, "identity", m.Identity)
+	populate(objectMap, "location", m.Location)
+	populate(objectMap, "name", m.Name)
+	populate(objectMap, "properties", m.Properties)
+	populate(objectMap, "sku", m.SKU)
+	populate(objectMap, "systemData", m.SystemData)
+	populate(objectMap, "tags", m.Tags)
+	populate(objectMap, "type", m.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateEndpointConnection.
+func (m *MHSMPrivateEndpointConnection) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "etag":
+			err = unpopulate(val, "Etag", &m.Etag)
+			delete(rawMsg, key)
+		case "id":
+			err = unpopulate(val, "ID", &m.ID)
+			delete(rawMsg, key)
+		case "identity":
+			err = unpopulate(val, "Identity", &m.Identity)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &m.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &m.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &m.Properties)
+			delete(rawMsg, key)
+		case "sku":
+			err = unpopulate(val, "SKU", &m.SKU)
+			delete(rawMsg, key)
+		case "systemData":
+			err = unpopulate(val, "SystemData", &m.SystemData)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &m.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &m.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateEndpointConnectionItem.
+func (m MHSMPrivateEndpointConnectionItem) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "etag", m.Etag)
+	populate(objectMap, "id", m.ID)
+	populate(objectMap, "properties", m.Properties)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateEndpointConnectionItem.
+func (m *MHSMPrivateEndpointConnectionItem) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "etag":
+			err = unpopulate(val, "Etag", &m.Etag)
+			delete(rawMsg, key)
+		case "id":
+			err = unpopulate(val, "ID", &m.ID)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &m.Properties)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateEndpointConnectionProperties.
+func (m MHSMPrivateEndpointConnectionProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "privateEndpoint", m.PrivateEndpoint)
+	populate(objectMap, "privateLinkServiceConnectionState", m.PrivateLinkServiceConnectionState)
+	populate(objectMap, "provisioningState", m.ProvisioningState)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateEndpointConnectionProperties.
+func (m *MHSMPrivateEndpointConnectionProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "privateEndpoint":
+			err = unpopulate(val, "PrivateEndpoint", &m.PrivateEndpoint)
+			delete(rawMsg, key)
+		case "privateLinkServiceConnectionState":
+			err = unpopulate(val, "PrivateLinkServiceConnectionState", &m.PrivateLinkServiceConnectionState)
+			delete(rawMsg, key)
+		case "provisioningState":
+			err = unpopulate(val, "ProvisioningState", &m.ProvisioningState)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateEndpointConnectionsListResult.
+func (m MHSMPrivateEndpointConnectionsListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", m.NextLink)
+	populate(objectMap, "value", m.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateEndpointConnectionsListResult.
+func (m *MHSMPrivateEndpointConnectionsListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &m.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &m.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateLinkResource.
+func (m MHSMPrivateLinkResource) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", m.ID)
+	populate(objectMap, "identity", m.Identity)
+	populate(objectMap, "location", m.Location)
+	populate(objectMap, "name", m.Name)
+	populate(objectMap, "properties", m.Properties)
+	populate(objectMap, "sku", m.SKU)
+	populate(objectMap, "systemData", m.SystemData)
+	populate(objectMap, "tags", m.Tags)
+	populate(objectMap, "type", m.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateLinkResource.
+func (m *MHSMPrivateLinkResource) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &m.ID)
+			delete(rawMsg, key)
+		case "identity":
+			err = unpopulate(val, "Identity", &m.Identity)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &m.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &m.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &m.Properties)
+			delete(rawMsg, key)
+		case "sku":
+			err = unpopulate(val, "SKU", &m.SKU)
+			delete(rawMsg, key)
+		case "systemData":
+			err = unpopulate(val, "SystemData", &m.SystemData)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &m.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &m.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateLinkResourceListResult.
+func (m MHSMPrivateLinkResourceListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "value", m.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateLinkResourceListResult.
+func (m *MHSMPrivateLinkResourceListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "value":
+			err = unpopulate(val, "Value", &m.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateLinkResourceProperties.
+func (m MHSMPrivateLinkResourceProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "groupId", m.GroupID)
+	populate(objectMap, "requiredMembers", m.RequiredMembers)
+	populate(objectMap, "requiredZoneNames", m.RequiredZoneNames)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateLinkResourceProperties.
+func (m *MHSMPrivateLinkResourceProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "groupId":
+			err = unpopulate(val, "GroupID", &m.GroupID)
+			delete(rawMsg, key)
+		case "requiredMembers":
+			err = unpopulate(val, "RequiredMembers", &m.RequiredMembers)
+			delete(rawMsg, key)
+		case "requiredZoneNames":
+			err = unpopulate(val, "RequiredZoneNames", &m.RequiredZoneNames)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMPrivateLinkServiceConnectionState.
+func (m MHSMPrivateLinkServiceConnectionState) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "actionsRequired", m.ActionsRequired)
+	populate(objectMap, "description", m.Description)
+	populate(objectMap, "status", m.Status)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMPrivateLinkServiceConnectionState.
+func (m *MHSMPrivateLinkServiceConnectionState) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "actionsRequired":
+			err = unpopulate(val, "ActionsRequired", &m.ActionsRequired)
+			delete(rawMsg, key)
+		case "description":
+			err = unpopulate(val, "Description", &m.Description)
+			delete(rawMsg, key)
+		case "status":
+			err = unpopulate(val, "Status", &m.Status)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMRegionsListResult.
+func (m MHSMRegionsListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", m.NextLink)
+	populate(objectMap, "value", m.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMRegionsListResult.
+func (m *MHSMRegionsListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &m.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &m.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MHSMVirtualNetworkRule.
+func (m MHSMVirtualNetworkRule) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", m.ID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MHSMVirtualNetworkRule.
+func (m *MHSMVirtualNetworkRule) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &m.ID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHSMSecurityDomainProperties.
+func (m ManagedHSMSecurityDomainProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "activationStatus", m.ActivationStatus)
+	populate(objectMap, "activationStatusMessage", m.ActivationStatusMessage)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHSMSecurityDomainProperties.
+func (m *ManagedHSMSecurityDomainProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "activationStatus":
+			err = unpopulate(val, "ActivationStatus", &m.ActivationStatus)
+			delete(rawMsg, key)
+		case "activationStatusMessage":
+			err = unpopulate(val, "ActivationStatusMessage", &m.ActivationStatusMessage)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsm.
+func (m ManagedHsm) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", m.ID)
+	populate(objectMap, "identity", m.Identity)
+	populate(objectMap, "location", m.Location)
+	populate(objectMap, "name", m.Name)
+	populate(objectMap, "properties", m.Properties)
+	populate(objectMap, "sku", m.SKU)
+	populate(objectMap, "systemData", m.SystemData)
+	populate(objectMap, "tags", m.Tags)
+	populate(objectMap, "type", m.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsm.
+func (m *ManagedHsm) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &m.ID)
+			delete(rawMsg, key)
+		case "identity":
+			err = unpopulate(val, "Identity", &m.Identity)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &m.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &m.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &m.Properties)
+			delete(rawMsg, key)
+		case "sku":
+			err = unpopulate(val, "SKU", &m.SKU)
+			delete(rawMsg, key)
+		case "systemData":
+			err = unpopulate(val, "SystemData", &m.SystemData)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &m.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &m.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmAction.
+func (m ManagedHsmAction) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "type", m.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmAction.
+func (m *ManagedHsmAction) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "type":
+			err = unpopulate(val, "Type", &m.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmKey.
+func (m ManagedHsmKey) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", m.ID)
+	populate(objectMap, "name", m.Name)
+	populate(objectMap, "properties", m.Properties)
+	populate(objectMap, "tags", m.Tags)
+	populate(objectMap, "type", m.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmKey.
+func (m *ManagedHsmKey) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &m.ID)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &m.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &m.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &m.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &m.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmKeyAttributes.
+func (m ManagedHsmKeyAttributes) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "created", m.Created)
+	populate(objectMap, "enabled", m.Enabled)
+	populate(objectMap, "exp", m.Expires)
+	populate(objectMap, "exportable", m.Exportable)
+	populate(objectMap, "nbf", m.NotBefore)
+	populate(objectMap, "recoveryLevel", m.RecoveryLevel)
+	populate(objectMap, "updated", m.Updated)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmKeyAttributes.
+func (m *ManagedHsmKeyAttributes) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "created":
+			err = unpopulate(val, "Created", &m.Created)
+			delete(rawMsg, key)
+		case "enabled":
+			err = unpopulate(val, "Enabled", &m.Enabled)
+			delete(rawMsg, key)
+		case "exp":
+			err = unpopulate(val, "Expires", &m.Expires)
+			delete(rawMsg, key)
+		case "exportable":
+			err = unpopulate(val, "Exportable", &m.Exportable)
+			delete(rawMsg, key)
+		case "nbf":
+			err = unpopulate(val, "NotBefore", &m.NotBefore)
+			delete(rawMsg, key)
+		case "recoveryLevel":
+			err = unpopulate(val, "RecoveryLevel", &m.RecoveryLevel)
+			delete(rawMsg, key)
+		case "updated":
+			err = unpopulate(val, "Updated", &m.Updated)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmKeyCreateParameters.
+func (m ManagedHsmKeyCreateParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "properties", m.Properties)
+	populate(objectMap, "tags", m.Tags)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmKeyCreateParameters.
+func (m *ManagedHsmKeyCreateParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "properties":
+			err = unpopulate(val, "Properties", &m.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &m.Tags)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmKeyListResult.
+func (m ManagedHsmKeyListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", m.NextLink)
+	populate(objectMap, "value", m.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmKeyListResult.
+func (m *ManagedHsmKeyListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &m.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &m.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmKeyProperties.
+func (m ManagedHsmKeyProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "attributes", m.Attributes)
+	populate(objectMap, "curveName", m.CurveName)
+	populate(objectMap, "keyOps", m.KeyOps)
+	populate(objectMap, "keySize", m.KeySize)
+	populate(objectMap, "keyUri", m.KeyURI)
+	populate(objectMap, "keyUriWithVersion", m.KeyURIWithVersion)
+	populate(objectMap, "kty", m.Kty)
+	populate(objectMap, "release_policy", m.ReleasePolicy)
+	populate(objectMap, "rotationPolicy", m.RotationPolicy)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmKeyProperties.
+func (m *ManagedHsmKeyProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "attributes":
+			err = unpopulate(val, "Attributes", &m.Attributes)
+			delete(rawMsg, key)
+		case "curveName":
+			err = unpopulate(val, "CurveName", &m.CurveName)
+			delete(rawMsg, key)
+		case "keyOps":
+			err = unpopulate(val, "KeyOps", &m.KeyOps)
+			delete(rawMsg, key)
+		case "keySize":
+			err = unpopulate(val, "KeySize", &m.KeySize)
+			delete(rawMsg, key)
+		case "keyUri":
+			err = unpopulate(val, "KeyURI", &m.KeyURI)
+			delete(rawMsg, key)
+		case "keyUriWithVersion":
+			err = unpopulate(val, "KeyURIWithVersion", &m.KeyURIWithVersion)
+			delete(rawMsg, key)
+		case "kty":
+			err = unpopulate(val, "Kty", &m.Kty)
+			delete(rawMsg, key)
+		case "release_policy":
+			err = unpopulate(val, "ReleasePolicy", &m.ReleasePolicy)
+			delete(rawMsg, key)
+		case "rotationPolicy":
+			err = unpopulate(val, "RotationPolicy", &m.RotationPolicy)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmKeyReleasePolicy.
+func (m ManagedHsmKeyReleasePolicy) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "contentType", m.ContentType)
+	populateByteArray(objectMap, "data", m.Data, runtime.Base64URLFormat)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmKeyReleasePolicy.
+func (m *ManagedHsmKeyReleasePolicy) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "contentType":
+			err = unpopulate(val, "ContentType", &m.ContentType)
+			delete(rawMsg, key)
+		case "data":
+			err = runtime.DecodeByteArray(string(val), &m.Data, runtime.Base64URLFormat)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmKeyRotationPolicyAttributes.
+func (m ManagedHsmKeyRotationPolicyAttributes) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "created", m.Created)
+	populate(objectMap, "expiryTime", m.ExpiryTime)
+	populate(objectMap, "updated", m.Updated)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmKeyRotationPolicyAttributes.
+func (m *ManagedHsmKeyRotationPolicyAttributes) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "created":
+			err = unpopulate(val, "Created", &m.Created)
+			delete(rawMsg, key)
+		case "expiryTime":
+			err = unpopulate(val, "ExpiryTime", &m.ExpiryTime)
+			delete(rawMsg, key)
+		case "updated":
+			err = unpopulate(val, "Updated", &m.Updated)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmLifetimeAction.
+func (m ManagedHsmLifetimeAction) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "action", m.Action)
+	populate(objectMap, "trigger", m.Trigger)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmLifetimeAction.
+func (m *ManagedHsmLifetimeAction) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "action":
+			err = unpopulate(val, "Action", &m.Action)
+			delete(rawMsg, key)
+		case "trigger":
+			err = unpopulate(val, "Trigger", &m.Trigger)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmListResult.
+func (m ManagedHsmListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", m.NextLink)
+	populate(objectMap, "value", m.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmListResult.
+func (m *ManagedHsmListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &m.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &m.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmProperties.
+func (m ManagedHsmProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "createMode", m.CreateMode)
+	populate(objectMap, "enablePurgeProtection", m.EnablePurgeProtection)
+	populate(objectMap, "enableSoftDelete", m.EnableSoftDelete)
+	populate(objectMap, "hsmUri", m.HsmURI)
+	populate(objectMap, "initialAdminObjectIds", m.InitialAdminObjectIDs)
+	populate(objectMap, "networkAcls", m.NetworkACLs)
+	populate(objectMap, "privateEndpointConnections", m.PrivateEndpointConnections)
+	populate(objectMap, "provisioningState", m.ProvisioningState)
+	populate(objectMap, "publicNetworkAccess", m.PublicNetworkAccess)
+	populate(objectMap, "regions", m.Regions)
+	populateDateTimeRFC3339(objectMap, "scheduledPurgeDate", m.ScheduledPurgeDate)
+	populate(objectMap, "securityDomainProperties", m.SecurityDomainProperties)
+	populate(objectMap, "softDeleteRetentionInDays", m.SoftDeleteRetentionInDays)
+	populate(objectMap, "statusMessage", m.StatusMessage)
+	populate(objectMap, "tenantId", m.TenantID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmProperties.
+func (m *ManagedHsmProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "createMode":
+			err = unpopulate(val, "CreateMode", &m.CreateMode)
+			delete(rawMsg, key)
+		case "enablePurgeProtection":
+			err = unpopulate(val, "EnablePurgeProtection", &m.EnablePurgeProtection)
+			delete(rawMsg, key)
+		case "enableSoftDelete":
+			err = unpopulate(val, "EnableSoftDelete", &m.EnableSoftDelete)
+			delete(rawMsg, key)
+		case "hsmUri":
+			err = unpopulate(val, "HsmURI", &m.HsmURI)
+			delete(rawMsg, key)
+		case "initialAdminObjectIds":
+			err = unpopulate(val, "InitialAdminObjectIDs", &m.InitialAdminObjectIDs)
+			delete(rawMsg, key)
+		case "networkAcls":
+			err = unpopulate(val, "NetworkACLs", &m.NetworkACLs)
+			delete(rawMsg, key)
+		case "privateEndpointConnections":
+			err = unpopulate(val, "PrivateEndpointConnections", &m.PrivateEndpointConnections)
+			delete(rawMsg, key)
+		case "provisioningState":
+			err = unpopulate(val, "ProvisioningState", &m.ProvisioningState)
+			delete(rawMsg, key)
+		case "publicNetworkAccess":
+			err = unpopulate(val, "PublicNetworkAccess", &m.PublicNetworkAccess)
+			delete(rawMsg, key)
+		case "regions":
+			err = unpopulate(val, "Regions", &m.Regions)
+			delete(rawMsg, key)
+		case "scheduledPurgeDate":
+			err = unpopulateDateTimeRFC3339(val, "ScheduledPurgeDate", &m.ScheduledPurgeDate)
+			delete(rawMsg, key)
+		case "securityDomainProperties":
+			err = unpopulate(val, "SecurityDomainProperties", &m.SecurityDomainProperties)
+			delete(rawMsg, key)
+		case "softDeleteRetentionInDays":
+			err = unpopulate(val, "SoftDeleteRetentionInDays", &m.SoftDeleteRetentionInDays)
+			delete(rawMsg, key)
+		case "statusMessage":
+			err = unpopulate(val, "StatusMessage", &m.StatusMessage)
+			delete(rawMsg, key)
+		case "tenantId":
+			err = unpopulate(val, "TenantID", &m.TenantID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmRotationPolicy.
+func (m ManagedHsmRotationPolicy) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "attributes", m.Attributes)
+	populate(objectMap, "lifetimeActions", m.LifetimeActions)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmRotationPolicy.
+func (m *ManagedHsmRotationPolicy) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "attributes":
+			err = unpopulate(val, "Attributes", &m.Attributes)
+			delete(rawMsg, key)
+		case "lifetimeActions":
+			err = unpopulate(val, "LifetimeActions", &m.LifetimeActions)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmSKU.
+func (m ManagedHsmSKU) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	if m.Family == nil {
+		m.Family = to.Ptr(ManagedHsmSKUFamilyB)
+	}
+	populate(objectMap, "family", m.Family)
+	populate(objectMap, "name", m.Name)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmSKU.
+func (m *ManagedHsmSKU) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "family":
+			err = unpopulate(val, "Family", &m.Family)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &m.Name)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedHsmTrigger.
+func (m ManagedHsmTrigger) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "timeAfterCreate", m.TimeAfterCreate)
+	populate(objectMap, "timeBeforeExpiry", m.TimeBeforeExpiry)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedHsmTrigger.
+func (m *ManagedHsmTrigger) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "timeAfterCreate":
+			err = unpopulate(val, "TimeAfterCreate", &m.TimeAfterCreate)
+			delete(rawMsg, key)
+		case "timeBeforeExpiry":
+			err = unpopulate(val, "TimeBeforeExpiry", &m.TimeBeforeExpiry)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ManagedServiceIdentity.
+func (m ManagedServiceIdentity) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "principalId", m.PrincipalID)
+	populate(objectMap, "tenantId", m.TenantID)
+	populate(objectMap, "type", m.Type)
+	populate(objectMap, "userAssignedIdentities", m.UserAssignedIdentities)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ManagedServiceIdentity.
+func (m *ManagedServiceIdentity) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "principalId":
+			err = unpopulate(val, "PrincipalID", &m.PrincipalID)
+			delete(rawMsg, key)
+		case "tenantId":
+			err = unpopulate(val, "TenantID", &m.TenantID)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &m.Type)
+			delete(rawMsg, key)
+		case "userAssignedIdentities":
+			err = unpopulate(val, "UserAssignedIdentities", &m.UserAssignedIdentities)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type MetricSpecification.
+func (m MetricSpecification) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "aggregationType", m.AggregationType)
+	populate(objectMap, "dimensions", m.Dimensions)
+	populate(objectMap, "displayDescription", m.DisplayDescription)
+	populate(objectMap, "displayName", m.DisplayName)
+	populate(objectMap, "fillGapWithZero", m.FillGapWithZero)
+	populate(objectMap, "internalMetricName", m.InternalMetricName)
+	populate(objectMap, "lockAggregationType", m.LockAggregationType)
+	populate(objectMap, "name", m.Name)
+	populate(objectMap, "supportedAggregationTypes", m.SupportedAggregationTypes)
+	populate(objectMap, "supportedTimeGrainTypes", m.SupportedTimeGrainTypes)
+	populate(objectMap, "unit", m.Unit)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type MetricSpecification.
+func (m *MetricSpecification) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", m, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "aggregationType":
+			err = unpopulate(val, "AggregationType", &m.AggregationType)
+			delete(rawMsg, key)
+		case "dimensions":
+			err = unpopulate(val, "Dimensions", &m.Dimensions)
+			delete(rawMsg, key)
+		case "displayDescription":
+			err = unpopulate(val, "DisplayDescription", &m.DisplayDescription)
+			delete(rawMsg, key)
+		case "displayName":
+			err = unpopulate(val, "DisplayName", &m.DisplayName)
+			delete(rawMsg, key)
+		case "fillGapWithZero":
+			err = unpopulate(val, "FillGapWithZero", &m.FillGapWithZero)
+			delete(rawMsg, key)
+		case "internalMetricName":
+			err = unpopulate(val, "InternalMetricName", &m.InternalMetricName)
+			delete(rawMsg, key)
+		case "lockAggregationType":
+			err = unpopulate(val, "LockAggregationType", &m.LockAggregationType)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &m.Name)
+			delete(rawMsg, key)
+		case "supportedAggregationTypes":
+			err = unpopulate(val, "SupportedAggregationTypes", &m.SupportedAggregationTypes)
+			delete(rawMsg, key)
+		case "supportedTimeGrainTypes":
+			err = unpopulate(val, "SupportedTimeGrainTypes", &m.SupportedTimeGrainTypes)
+			delete(rawMsg, key)
+		case "unit":
+			err = unpopulate(val, "Unit", &m.Unit)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", m, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type NetworkRuleSet.
+func (n NetworkRuleSet) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "bypass", n.Bypass)
+	populate(objectMap, "defaultAction", n.DefaultAction)
+	populate(objectMap, "ipRules", n.IPRules)
+	populate(objectMap, "virtualNetworkRules", n.VirtualNetworkRules)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type NetworkRuleSet.
+func (n *NetworkRuleSet) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", n, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "bypass":
+			err = unpopulate(val, "Bypass", &n.Bypass)
+			delete(rawMsg, key)
+		case "defaultAction":
+			err = unpopulate(val, "DefaultAction", &n.DefaultAction)
+			delete(rawMsg, key)
+		case "ipRules":
+			err = unpopulate(val, "IPRules", &n.IPRules)
+			delete(rawMsg, key)
+		case "virtualNetworkRules":
+			err = unpopulate(val, "VirtualNetworkRules", &n.VirtualNetworkRules)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", n, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Operation.
+func (o Operation) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "display", o.Display)
+	populate(objectMap, "isDataAction", o.IsDataAction)
+	populate(objectMap, "name", o.Name)
+	populate(objectMap, "properties", o.OperationProperties)
+	populate(objectMap, "origin", o.Origin)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Operation.
+func (o *Operation) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", o, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "display":
+			err = unpopulate(val, "Display", &o.Display)
+			delete(rawMsg, key)
+		case "isDataAction":
+			err = unpopulate(val, "IsDataAction", &o.IsDataAction)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &o.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "OperationProperties", &o.OperationProperties)
+			delete(rawMsg, key)
+		case "origin":
+			err = unpopulate(val, "Origin", &o.Origin)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", o, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type OperationDisplay.
+func (o OperationDisplay) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "description", o.Description)
+	populate(objectMap, "operation", o.Operation)
+	populate(objectMap, "provider", o.Provider)
+	populate(objectMap, "resource", o.Resource)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type OperationDisplay.
+func (o *OperationDisplay) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", o, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "description":
+			err = unpopulate(val, "Description", &o.Description)
+			delete(rawMsg, key)
+		case "operation":
+			err = unpopulate(val, "Operation", &o.Operation)
+			delete(rawMsg, key)
+		case "provider":
+			err = unpopulate(val, "Provider", &o.Provider)
+			delete(rawMsg, key)
+		case "resource":
+			err = unpopulate(val, "Resource", &o.Resource)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", o, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type OperationListResult.
+func (o OperationListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", o.NextLink)
+	populate(objectMap, "value", o.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type OperationListResult.
+func (o *OperationListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", o, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &o.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &o.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", o, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type OperationProperties.
+func (o OperationProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "serviceSpecification", o.ServiceSpecification)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type OperationProperties.
+func (o *OperationProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", o, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "serviceSpecification":
+			err = unpopulate(val, "ServiceSpecification", &o.ServiceSpecification)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", o, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Permissions.
+func (p Permissions) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "certificates", p.Certificates)
+	populate(objectMap, "keys", p.Keys)
+	populate(objectMap, "secrets", p.Secrets)
+	populate(objectMap, "storage", p.Storage)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Permissions.
+func (p *Permissions) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "certificates":
+			err = unpopulate(val, "Certificates", &p.Certificates)
+			delete(rawMsg, key)
+		case "keys":
+			err = unpopulate(val, "Keys", &p.Keys)
+			delete(rawMsg, key)
+		case "secrets":
+			err = unpopulate(val, "Secrets", &p.Secrets)
+			delete(rawMsg, key)
+		case "storage":
+			err = unpopulate(val, "Storage", &p.Storage)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateEndpoint.
+func (p PrivateEndpoint) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", p.ID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateEndpoint.
+func (p *PrivateEndpoint) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &p.ID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateEndpointConnection.
+func (p PrivateEndpointConnection) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "etag", p.Etag)
+	populate(objectMap, "id", p.ID)
+	populate(objectMap, "location", p.Location)
+	populate(objectMap, "name", p.Name)
+	populate(objectMap, "properties", p.Properties)
+	populate(objectMap, "tags", p.Tags)
+	populate(objectMap, "type", p.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateEndpointConnection.
+func (p *PrivateEndpointConnection) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "etag":
+			err = unpopulate(val, "Etag", &p.Etag)
+			delete(rawMsg, key)
+		case "id":
+			err = unpopulate(val, "ID", &p.ID)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &p.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &p.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &p.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &p.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &p.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateEndpointConnectionItem.
+func (p PrivateEndpointConnectionItem) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "etag", p.Etag)
+	populate(objectMap, "id", p.ID)
+	populate(objectMap, "properties", p.Properties)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateEndpointConnectionItem.
+func (p *PrivateEndpointConnectionItem) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "etag":
+			err = unpopulate(val, "Etag", &p.Etag)
+			delete(rawMsg, key)
+		case "id":
+			err = unpopulate(val, "ID", &p.ID)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &p.Properties)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateEndpointConnectionListResult.
+func (p PrivateEndpointConnectionListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", p.NextLink)
+	populate(objectMap, "value", p.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateEndpointConnectionListResult.
+func (p *PrivateEndpointConnectionListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &p.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &p.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateEndpointConnectionProperties.
+func (p PrivateEndpointConnectionProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "privateEndpoint", p.PrivateEndpoint)
+	populate(objectMap, "privateLinkServiceConnectionState", p.PrivateLinkServiceConnectionState)
+	populate(objectMap, "provisioningState", p.ProvisioningState)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateEndpointConnectionProperties.
+func (p *PrivateEndpointConnectionProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "privateEndpoint":
+			err = unpopulate(val, "PrivateEndpoint", &p.PrivateEndpoint)
+			delete(rawMsg, key)
+		case "privateLinkServiceConnectionState":
+			err = unpopulate(val, "PrivateLinkServiceConnectionState", &p.PrivateLinkServiceConnectionState)
+			delete(rawMsg, key)
+		case "provisioningState":
+			err = unpopulate(val, "ProvisioningState", &p.ProvisioningState)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateLinkResource.
+func (p PrivateLinkResource) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", p.ID)
+	populate(objectMap, "location", p.Location)
+	populate(objectMap, "name", p.Name)
+	populate(objectMap, "properties", p.Properties)
+	populate(objectMap, "tags", p.Tags)
+	populate(objectMap, "type", p.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateLinkResource.
+func (p *PrivateLinkResource) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &p.ID)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &p.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &p.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &p.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &p.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &p.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateLinkResourceListResult.
+func (p PrivateLinkResourceListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "value", p.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateLinkResourceListResult.
+func (p *PrivateLinkResourceListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "value":
+			err = unpopulate(val, "Value", &p.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateLinkResourceProperties.
+func (p PrivateLinkResourceProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "groupId", p.GroupID)
+	populate(objectMap, "requiredMembers", p.RequiredMembers)
+	populate(objectMap, "requiredZoneNames", p.RequiredZoneNames)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateLinkResourceProperties.
+func (p *PrivateLinkResourceProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "groupId":
+			err = unpopulate(val, "GroupID", &p.GroupID)
+			delete(rawMsg, key)
+		case "requiredMembers":
+			err = unpopulate(val, "RequiredMembers", &p.RequiredMembers)
+			delete(rawMsg, key)
+		case "requiredZoneNames":
+			err = unpopulate(val, "RequiredZoneNames", &p.RequiredZoneNames)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type PrivateLinkServiceConnectionState.
+func (p PrivateLinkServiceConnectionState) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "actionsRequired", p.ActionsRequired)
+	populate(objectMap, "description", p.Description)
+	populate(objectMap, "status", p.Status)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type PrivateLinkServiceConnectionState.
+func (p *PrivateLinkServiceConnectionState) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", p, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "actionsRequired":
+			err = unpopulate(val, "ActionsRequired", &p.ActionsRequired)
+			delete(rawMsg, key)
+		case "description":
+			err = unpopulate(val, "Description", &p.Description)
+			delete(rawMsg, key)
+		case "status":
+			err = unpopulate(val, "Status", &p.Status)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", p, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Resource.
+func (r Resource) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", r.ID)
+	populate(objectMap, "location", r.Location)
+	populate(objectMap, "name", r.Name)
+	populate(objectMap, "tags", r.Tags)
+	populate(objectMap, "type", r.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Resource.
+func (r *Resource) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", r, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &r.ID)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &r.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &r.Name)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &r.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &r.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", r, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ResourceListResult.
+func (r ResourceListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", r.NextLink)
+	populate(objectMap, "value", r.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ResourceListResult.
+func (r *ResourceListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", r, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &r.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &r.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", r, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type RotationPolicy.
+func (r RotationPolicy) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "attributes", r.Attributes)
+	populate(objectMap, "lifetimeActions", r.LifetimeActions)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type RotationPolicy.
+func (r *RotationPolicy) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", r, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "attributes":
+			err = unpopulate(val, "Attributes", &r.Attributes)
+			delete(rawMsg, key)
+		case "lifetimeActions":
+			err = unpopulate(val, "LifetimeActions", &r.LifetimeActions)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", r, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SKU.
+func (s SKU) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	if s.Family == nil {
+		s.Family = to.Ptr(SKUFamilyA)
+	}
+	populate(objectMap, "family", s.Family)
+	populate(objectMap, "name", s.Name)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SKU.
+func (s *SKU) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "family":
+			err = unpopulate(val, "Family", &s.Family)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &s.Name)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Secret.
+func (s Secret) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", s.ID)
+	populate(objectMap, "location", s.Location)
+	populate(objectMap, "name", s.Name)
+	populate(objectMap, "properties", s.Properties)
+	populate(objectMap, "tags", s.Tags)
+	populate(objectMap, "type", s.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Secret.
+func (s *Secret) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &s.ID)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &s.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &s.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &s.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &s.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &s.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SecretAttributes.
+func (s SecretAttributes) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populateTimeUnix(objectMap, "created", s.Created)
+	populate(objectMap, "enabled", s.Enabled)
+	populateTimeUnix(objectMap, "exp", s.Expires)
+	populateTimeUnix(objectMap, "nbf", s.NotBefore)
+	populateTimeUnix(objectMap, "updated", s.Updated)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SecretAttributes.
+func (s *SecretAttributes) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "created":
+			err = unpopulateTimeUnix(val, "Created", &s.Created)
+			delete(rawMsg, key)
+		case "enabled":
+			err = unpopulate(val, "Enabled", &s.Enabled)
+			delete(rawMsg, key)
+		case "exp":
+			err = unpopulateTimeUnix(val, "Expires", &s.Expires)
+			delete(rawMsg, key)
+		case "nbf":
+			err = unpopulateTimeUnix(val, "NotBefore", &s.NotBefore)
+			delete(rawMsg, key)
+		case "updated":
+			err = unpopulateTimeUnix(val, "Updated", &s.Updated)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SecretCreateOrUpdateParameters.
+func (s SecretCreateOrUpdateParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "properties", s.Properties)
+	populate(objectMap, "tags", s.Tags)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SecretCreateOrUpdateParameters.
+func (s *SecretCreateOrUpdateParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "properties":
+			err = unpopulate(val, "Properties", &s.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &s.Tags)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SecretListResult.
+func (s SecretListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", s.NextLink)
+	populate(objectMap, "value", s.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SecretListResult.
+func (s *SecretListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &s.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &s.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SecretPatchParameters.
+func (s SecretPatchParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "properties", s.Properties)
+	populate(objectMap, "tags", s.Tags)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SecretPatchParameters.
+func (s *SecretPatchParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "properties":
+			err = unpopulate(val, "Properties", &s.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &s.Tags)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SecretPatchProperties.
+func (s SecretPatchProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "attributes", s.Attributes)
+	populate(objectMap, "contentType", s.ContentType)
+	populate(objectMap, "value", s.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SecretPatchProperties.
+func (s *SecretPatchProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "attributes":
+			err = unpopulate(val, "Attributes", &s.Attributes)
+			delete(rawMsg, key)
+		case "contentType":
+			err = unpopulate(val, "ContentType", &s.ContentType)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &s.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SecretProperties.
+func (s SecretProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "attributes", s.Attributes)
+	populate(objectMap, "contentType", s.ContentType)
+	populate(objectMap, "secretUri", s.SecretURI)
+	populate(objectMap, "secretUriWithVersion", s.SecretURIWithVersion)
+	populate(objectMap, "value", s.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SecretProperties.
+func (s *SecretProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "attributes":
+			err = unpopulate(val, "Attributes", &s.Attributes)
+			delete(rawMsg, key)
+		case "contentType":
+			err = unpopulate(val, "ContentType", &s.ContentType)
+			delete(rawMsg, key)
+		case "secretUri":
+			err = unpopulate(val, "SecretURI", &s.SecretURI)
+			delete(rawMsg, key)
+		case "secretUriWithVersion":
+			err = unpopulate(val, "SecretURIWithVersion", &s.SecretURIWithVersion)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &s.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type ServiceSpecification.
+func (s ServiceSpecification) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "logSpecifications", s.LogSpecifications)
+	populate(objectMap, "metricSpecifications", s.MetricSpecifications)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type ServiceSpecification.
+func (s *ServiceSpecification) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "logSpecifications":
+			err = unpopulate(val, "LogSpecifications", &s.LogSpecifications)
+			delete(rawMsg, key)
+		case "metricSpecifications":
+			err = unpopulate(val, "MetricSpecifications", &s.MetricSpecifications)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type SystemData.
+func (s SystemData) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populateDateTimeRFC3339(objectMap, "createdAt", s.CreatedAt)
+	populate(objectMap, "createdBy", s.CreatedBy)
+	populate(objectMap, "createdByType", s.CreatedByType)
+	populateDateTimeRFC3339(objectMap, "lastModifiedAt", s.LastModifiedAt)
+	populate(objectMap, "lastModifiedBy", s.LastModifiedBy)
+	populate(objectMap, "lastModifiedByType", s.LastModifiedByType)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type SystemData.
+func (s *SystemData) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", s, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "createdAt":
+			err = unpopulateDateTimeRFC3339(val, "CreatedAt", &s.CreatedAt)
+			delete(rawMsg, key)
+		case "createdBy":
+			err = unpopulate(val, "CreatedBy", &s.CreatedBy)
+			delete(rawMsg, key)
+		case "createdByType":
+			err = unpopulate(val, "CreatedByType", &s.CreatedByType)
+			delete(rawMsg, key)
+		case "lastModifiedAt":
+			err = unpopulateDateTimeRFC3339(val, "LastModifiedAt", &s.LastModifiedAt)
+			delete(rawMsg, key)
+		case "lastModifiedBy":
+			err = unpopulate(val, "LastModifiedBy", &s.LastModifiedBy)
+			delete(rawMsg, key)
+		case "lastModifiedByType":
+			err = unpopulate(val, "LastModifiedByType", &s.LastModifiedByType)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", s, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Trigger.
+func (t Trigger) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "timeAfterCreate", t.TimeAfterCreate)
+	populate(objectMap, "timeBeforeExpiry", t.TimeBeforeExpiry)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Trigger.
+func (t *Trigger) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", t, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "timeAfterCreate":
+			err = unpopulate(val, "TimeAfterCreate", &t.TimeAfterCreate)
+			delete(rawMsg, key)
+		case "timeBeforeExpiry":
+			err = unpopulate(val, "TimeBeforeExpiry", &t.TimeBeforeExpiry)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", t, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type UserAssignedIdentity.
+func (u UserAssignedIdentity) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "clientId", u.ClientID)
+	populate(objectMap, "principalId", u.PrincipalID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type UserAssignedIdentity.
+func (u *UserAssignedIdentity) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", u, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "clientId":
+			err = unpopulate(val, "ClientID", &u.ClientID)
+			delete(rawMsg, key)
+		case "principalId":
+			err = unpopulate(val, "PrincipalID", &u.PrincipalID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", u, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type Vault.
+func (v Vault) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", v.ID)
+	populate(objectMap, "location", v.Location)
+	populate(objectMap, "name", v.Name)
+	populate(objectMap, "properties", v.Properties)
+	populate(objectMap, "systemData", v.SystemData)
+	populate(objectMap, "tags", v.Tags)
+	populate(objectMap, "type", v.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type Vault.
+func (v *Vault) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &v.ID)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &v.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &v.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &v.Properties)
+			delete(rawMsg, key)
+		case "systemData":
+			err = unpopulate(val, "SystemData", &v.SystemData)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &v.Tags)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &v.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultAccessPolicyParameters.
+func (v VaultAccessPolicyParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", v.ID)
+	populate(objectMap, "location", v.Location)
+	populate(objectMap, "name", v.Name)
+	populate(objectMap, "properties", v.Properties)
+	populate(objectMap, "type", v.Type)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultAccessPolicyParameters.
+func (v *VaultAccessPolicyParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &v.ID)
+			delete(rawMsg, key)
+		case "location":
+			err = unpopulate(val, "Location", &v.Location)
+			delete(rawMsg, key)
+		case "name":
+			err = unpopulate(val, "Name", &v.Name)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &v.Properties)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &v.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultAccessPolicyProperties.
+func (v VaultAccessPolicyProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "accessPolicies", v.AccessPolicies)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultAccessPolicyProperties.
+func (v *VaultAccessPolicyProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "accessPolicies":
+			err = unpopulate(val, "AccessPolicies", &v.AccessPolicies)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultCheckNameAvailabilityParameters.
+func (v VaultCheckNameAvailabilityParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "name", v.Name)
+	objectMap["type"] = "Microsoft.KeyVault/vaults"
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultCheckNameAvailabilityParameters.
+func (v *VaultCheckNameAvailabilityParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "name":
+			err = unpopulate(val, "Name", &v.Name)
+			delete(rawMsg, key)
+		case "type":
+			err = unpopulate(val, "Type", &v.Type)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultCreateOrUpdateParameters.
+func (v VaultCreateOrUpdateParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "location", v.Location)
+	populate(objectMap, "properties", v.Properties)
+	populate(objectMap, "tags", v.Tags)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultCreateOrUpdateParameters.
+func (v *VaultCreateOrUpdateParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "location":
+			err = unpopulate(val, "Location", &v.Location)
+			delete(rawMsg, key)
+		case "properties":
+			err = unpopulate(val, "Properties", &v.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &v.Tags)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultListResult.
+func (v VaultListResult) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "nextLink", v.NextLink)
+	populate(objectMap, "value", v.Value)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultListResult.
+func (v *VaultListResult) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "nextLink":
+			err = unpopulate(val, "NextLink", &v.NextLink)
+			delete(rawMsg, key)
+		case "value":
+			err = unpopulate(val, "Value", &v.Value)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultPatchParameters.
+func (v VaultPatchParameters) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "properties", v.Properties)
+	populate(objectMap, "tags", v.Tags)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultPatchParameters.
+func (v *VaultPatchParameters) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "properties":
+			err = unpopulate(val, "Properties", &v.Properties)
+			delete(rawMsg, key)
+		case "tags":
+			err = unpopulate(val, "Tags", &v.Tags)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultPatchProperties.
+func (v VaultPatchProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "accessPolicies", v.AccessPolicies)
+	populate(objectMap, "createMode", v.CreateMode)
+	populate(objectMap, "enablePurgeProtection", v.EnablePurgeProtection)
+	populate(objectMap, "enableRbacAuthorization", v.EnableRbacAuthorization)
+	populate(objectMap, "enableSoftDelete", v.EnableSoftDelete)
+	populate(objectMap, "enabledForDeployment", v.EnabledForDeployment)
+	populate(objectMap, "enabledForDiskEncryption", v.EnabledForDiskEncryption)
+	populate(objectMap, "enabledForTemplateDeployment", v.EnabledForTemplateDeployment)
+	populate(objectMap, "networkAcls", v.NetworkACLs)
+	populate(objectMap, "publicNetworkAccess", v.PublicNetworkAccess)
+	populate(objectMap, "sku", v.SKU)
+	populate(objectMap, "softDeleteRetentionInDays", v.SoftDeleteRetentionInDays)
+	populate(objectMap, "tenantId", v.TenantID)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultPatchProperties.
+func (v *VaultPatchProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "accessPolicies":
+			err = unpopulate(val, "AccessPolicies", &v.AccessPolicies)
+			delete(rawMsg, key)
+		case "createMode":
+			err = unpopulate(val, "CreateMode", &v.CreateMode)
+			delete(rawMsg, key)
+		case "enablePurgeProtection":
+			err = unpopulate(val, "EnablePurgeProtection", &v.EnablePurgeProtection)
+			delete(rawMsg, key)
+		case "enableRbacAuthorization":
+			err = unpopulate(val, "EnableRbacAuthorization", &v.EnableRbacAuthorization)
+			delete(rawMsg, key)
+		case "enableSoftDelete":
+			err = unpopulate(val, "EnableSoftDelete", &v.EnableSoftDelete)
+			delete(rawMsg, key)
+		case "enabledForDeployment":
+			err = unpopulate(val, "EnabledForDeployment", &v.EnabledForDeployment)
+			delete(rawMsg, key)
+		case "enabledForDiskEncryption":
+			err = unpopulate(val, "EnabledForDiskEncryption", &v.EnabledForDiskEncryption)
+			delete(rawMsg, key)
+		case "enabledForTemplateDeployment":
+			err = unpopulate(val, "EnabledForTemplateDeployment", &v.EnabledForTemplateDeployment)
+			delete(rawMsg, key)
+		case "networkAcls":
+			err = unpopulate(val, "NetworkACLs", &v.NetworkACLs)
+			delete(rawMsg, key)
+		case "publicNetworkAccess":
+			err = unpopulate(val, "PublicNetworkAccess", &v.PublicNetworkAccess)
+			delete(rawMsg, key)
+		case "sku":
+			err = unpopulate(val, "SKU", &v.SKU)
+			delete(rawMsg, key)
+		case "softDeleteRetentionInDays":
+			err = unpopulate(val, "SoftDeleteRetentionInDays", &v.SoftDeleteRetentionInDays)
+			delete(rawMsg, key)
+		case "tenantId":
+			err = unpopulate(val, "TenantID", &v.TenantID)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VaultProperties.
+func (v VaultProperties) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "accessPolicies", v.AccessPolicies)
+	populate(objectMap, "createMode", v.CreateMode)
+	populate(objectMap, "enablePurgeProtection", v.EnablePurgeProtection)
+	populate(objectMap, "enableRbacAuthorization", v.EnableRbacAuthorization)
+	populate(objectMap, "enableSoftDelete", v.EnableSoftDelete)
+	populate(objectMap, "enabledForDeployment", v.EnabledForDeployment)
+	populate(objectMap, "enabledForDiskEncryption", v.EnabledForDiskEncryption)
+	populate(objectMap, "enabledForTemplateDeployment", v.EnabledForTemplateDeployment)
+	populate(objectMap, "hsmPoolResourceId", v.HsmPoolResourceID)
+	populate(objectMap, "networkAcls", v.NetworkACLs)
+	populate(objectMap, "privateEndpointConnections", v.PrivateEndpointConnections)
+	populate(objectMap, "provisioningState", v.ProvisioningState)
+	populate(objectMap, "publicNetworkAccess", v.PublicNetworkAccess)
+	populate(objectMap, "sku", v.SKU)
+	populate(objectMap, "softDeleteRetentionInDays", v.SoftDeleteRetentionInDays)
+	populate(objectMap, "tenantId", v.TenantID)
+	populate(objectMap, "vaultUri", v.VaultURI)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VaultProperties.
+func (v *VaultProperties) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "accessPolicies":
+			err = unpopulate(val, "AccessPolicies", &v.AccessPolicies)
+			delete(rawMsg, key)
+		case "createMode":
+			err = unpopulate(val, "CreateMode", &v.CreateMode)
+			delete(rawMsg, key)
+		case "enablePurgeProtection":
+			err = unpopulate(val, "EnablePurgeProtection", &v.EnablePurgeProtection)
+			delete(rawMsg, key)
+		case "enableRbacAuthorization":
+			err = unpopulate(val, "EnableRbacAuthorization", &v.EnableRbacAuthorization)
+			delete(rawMsg, key)
+		case "enableSoftDelete":
+			err = unpopulate(val, "EnableSoftDelete", &v.EnableSoftDelete)
+			delete(rawMsg, key)
+		case "enabledForDeployment":
+			err = unpopulate(val, "EnabledForDeployment", &v.EnabledForDeployment)
+			delete(rawMsg, key)
+		case "enabledForDiskEncryption":
+			err = unpopulate(val, "EnabledForDiskEncryption", &v.EnabledForDiskEncryption)
+			delete(rawMsg, key)
+		case "enabledForTemplateDeployment":
+			err = unpopulate(val, "EnabledForTemplateDeployment", &v.EnabledForTemplateDeployment)
+			delete(rawMsg, key)
+		case "hsmPoolResourceId":
+			err = unpopulate(val, "HsmPoolResourceID", &v.HsmPoolResourceID)
+			delete(rawMsg, key)
+		case "networkAcls":
+			err = unpopulate(val, "NetworkACLs", &v.NetworkACLs)
+			delete(rawMsg, key)
+		case "privateEndpointConnections":
+			err = unpopulate(val, "PrivateEndpointConnections", &v.PrivateEndpointConnections)
+			delete(rawMsg, key)
+		case "provisioningState":
+			err = unpopulate(val, "ProvisioningState", &v.ProvisioningState)
+			delete(rawMsg, key)
+		case "publicNetworkAccess":
+			err = unpopulate(val, "PublicNetworkAccess", &v.PublicNetworkAccess)
+			delete(rawMsg, key)
+		case "sku":
+			err = unpopulate(val, "SKU", &v.SKU)
+			delete(rawMsg, key)
+		case "softDeleteRetentionInDays":
+			err = unpopulate(val, "SoftDeleteRetentionInDays", &v.SoftDeleteRetentionInDays)
+			delete(rawMsg, key)
+		case "tenantId":
+			err = unpopulate(val, "TenantID", &v.TenantID)
+			delete(rawMsg, key)
+		case "vaultUri":
+			err = unpopulate(val, "VaultURI", &v.VaultURI)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+// MarshalJSON implements the json.Marshaller interface for type VirtualNetworkRule.
+func (v VirtualNetworkRule) MarshalJSON() ([]byte, error) {
+	objectMap := make(map[string]any)
+	populate(objectMap, "id", v.ID)
+	populate(objectMap, "ignoreMissingVnetServiceEndpoint", v.IgnoreMissingVnetServiceEndpoint)
+	return json.Marshal(objectMap)
+}
+
+// UnmarshalJSON implements the json.Unmarshaller interface for type VirtualNetworkRule.
+func (v *VirtualNetworkRule) UnmarshalJSON(data []byte) error {
+	var rawMsg map[string]json.RawMessage
+	if err := json.Unmarshal(data, &rawMsg); err != nil {
+		return fmt.Errorf("unmarshalling type %T: %v", v, err)
+	}
+	for key, val := range rawMsg {
+		var err error
+		switch key {
+		case "id":
+			err = unpopulate(val, "ID", &v.ID)
+			delete(rawMsg, key)
+		case "ignoreMissingVnetServiceEndpoint":
+			err = unpopulate(val, "IgnoreMissingVnetServiceEndpoint", &v.IgnoreMissingVnetServiceEndpoint)
+			delete(rawMsg, key)
+		}
+		if err != nil {
+			return fmt.Errorf("unmarshalling type %T: %v", v, err)
+		}
+	}
+	return nil
+}
+
+func populate(m map[string]any, k string, v any) {
+	if v == nil {
+		return
+	} else if azcore.IsNullValue(v) {
+		m[k] = nil
+	} else if !reflect.ValueOf(v).IsNil() {
+		m[k] = v
+	}
+}
+
+func populateByteArray(m map[string]any, k string, b []byte, f runtime.Base64Encoding) {
+	if azcore.IsNullValue(b) {
+		m[k] = nil
+	} else if len(b) == 0 {
+		return
+	} else {
+		m[k] = runtime.EncodeByteArray(b, f)
+	}
+}
+
+func unpopulate(data json.RawMessage, fn string, v any) error {
+	if data == nil {
+		return nil
+	}
+	if err := json.Unmarshal(data, v); err != nil {
+		return fmt.Errorf("struct field %s: %v", fn, err)
+	}
+	return nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/operations_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/operations_client.go
new file mode 100644
index 000000000..23c695a64
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/operations_client.go
@@ -0,0 +1,88 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+)
+
+// OperationsClient contains the methods for the Operations group.
+// Don't use this type directly, use NewOperationsClient() instead.
+type OperationsClient struct {
+	internal *arm.Client
+}
+
+// NewOperationsClient creates a new instance of OperationsClient with the specified values.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewOperationsClient(credential azcore.TokenCredential, options *arm.ClientOptions) (*OperationsClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &OperationsClient{
+		internal: cl,
+	}
+	return client, nil
+}
+
+// NewListPager - Lists all of the available Key Vault Rest API operations.
+//
+// Generated from API version 2023-07-01
+//   - options - OperationsClientListOptions contains the optional parameters for the OperationsClient.NewListPager method.
+func (client *OperationsClient) NewListPager(options *OperationsClientListOptions) *runtime.Pager[OperationsClientListResponse] {
+	return runtime.NewPager(runtime.PagingHandler[OperationsClientListResponse]{
+		More: func(page OperationsClientListResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *OperationsClientListResponse) (OperationsClientListResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "OperationsClient.NewListPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listCreateRequest(ctx, options)
+			}, nil)
+			if err != nil {
+				return OperationsClientListResponse{}, err
+			}
+			return client.listHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listCreateRequest creates the List request.
+func (client *OperationsClient) listCreateRequest(ctx context.Context, options *OperationsClientListOptions) (*policy.Request, error) {
+	urlPath := "/providers/Microsoft.KeyVault/operations"
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listHandleResponse handles the List response.
+func (client *OperationsClient) listHandleResponse(resp *http.Response) (OperationsClientListResponse, error) {
+	result := OperationsClientListResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.OperationListResult); err != nil {
+		return OperationsClientListResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/options.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/options.go
new file mode 100644
index 000000000..0f3515424
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/options.go
@@ -0,0 +1,283 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+// KeysClientCreateIfNotExistOptions contains the optional parameters for the KeysClient.CreateIfNotExist method.
+type KeysClientCreateIfNotExistOptions struct {
+	// placeholder for future optional parameters
+}
+
+// KeysClientGetOptions contains the optional parameters for the KeysClient.Get method.
+type KeysClientGetOptions struct {
+	// placeholder for future optional parameters
+}
+
+// KeysClientGetVersionOptions contains the optional parameters for the KeysClient.GetVersion method.
+type KeysClientGetVersionOptions struct {
+	// placeholder for future optional parameters
+}
+
+// KeysClientListOptions contains the optional parameters for the KeysClient.NewListPager method.
+type KeysClientListOptions struct {
+	// placeholder for future optional parameters
+}
+
+// KeysClientListVersionsOptions contains the optional parameters for the KeysClient.NewListVersionsPager method.
+type KeysClientListVersionsOptions struct {
+	// placeholder for future optional parameters
+}
+
+// MHSMPrivateEndpointConnectionsClientBeginDeleteOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.BeginDelete
+// method.
+type MHSMPrivateEndpointConnectionsClientBeginDeleteOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// MHSMPrivateEndpointConnectionsClientGetOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.Get
+// method.
+type MHSMPrivateEndpointConnectionsClientGetOptions struct {
+	// placeholder for future optional parameters
+}
+
+// MHSMPrivateEndpointConnectionsClientListByResourceOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.NewListByResourcePager
+// method.
+type MHSMPrivateEndpointConnectionsClientListByResourceOptions struct {
+	// placeholder for future optional parameters
+}
+
+// MHSMPrivateEndpointConnectionsClientPutOptions contains the optional parameters for the MHSMPrivateEndpointConnectionsClient.Put
+// method.
+type MHSMPrivateEndpointConnectionsClientPutOptions struct {
+	// placeholder for future optional parameters
+}
+
+// MHSMPrivateLinkResourcesClientListByMHSMResourceOptions contains the optional parameters for the MHSMPrivateLinkResourcesClient.ListByMHSMResource
+// method.
+type MHSMPrivateLinkResourcesClientListByMHSMResourceOptions struct {
+	// placeholder for future optional parameters
+}
+
+// MHSMRegionsClientListByResourceOptions contains the optional parameters for the MHSMRegionsClient.NewListByResourcePager
+// method.
+type MHSMRegionsClientListByResourceOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmKeysClientCreateIfNotExistOptions contains the optional parameters for the ManagedHsmKeysClient.CreateIfNotExist
+// method.
+type ManagedHsmKeysClientCreateIfNotExistOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmKeysClientGetOptions contains the optional parameters for the ManagedHsmKeysClient.Get method.
+type ManagedHsmKeysClientGetOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmKeysClientGetVersionOptions contains the optional parameters for the ManagedHsmKeysClient.GetVersion method.
+type ManagedHsmKeysClientGetVersionOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmKeysClientListOptions contains the optional parameters for the ManagedHsmKeysClient.NewListPager method.
+type ManagedHsmKeysClientListOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmKeysClientListVersionsOptions contains the optional parameters for the ManagedHsmKeysClient.NewListVersionsPager
+// method.
+type ManagedHsmKeysClientListVersionsOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmsClientBeginCreateOrUpdateOptions contains the optional parameters for the ManagedHsmsClient.BeginCreateOrUpdate
+// method.
+type ManagedHsmsClientBeginCreateOrUpdateOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// ManagedHsmsClientBeginDeleteOptions contains the optional parameters for the ManagedHsmsClient.BeginDelete method.
+type ManagedHsmsClientBeginDeleteOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// ManagedHsmsClientBeginPurgeDeletedOptions contains the optional parameters for the ManagedHsmsClient.BeginPurgeDeleted
+// method.
+type ManagedHsmsClientBeginPurgeDeletedOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// ManagedHsmsClientBeginUpdateOptions contains the optional parameters for the ManagedHsmsClient.BeginUpdate method.
+type ManagedHsmsClientBeginUpdateOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// ManagedHsmsClientCheckMhsmNameAvailabilityOptions contains the optional parameters for the ManagedHsmsClient.CheckMhsmNameAvailability
+// method.
+type ManagedHsmsClientCheckMhsmNameAvailabilityOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmsClientGetDeletedOptions contains the optional parameters for the ManagedHsmsClient.GetDeleted method.
+type ManagedHsmsClientGetDeletedOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmsClientGetOptions contains the optional parameters for the ManagedHsmsClient.Get method.
+type ManagedHsmsClientGetOptions struct {
+	// placeholder for future optional parameters
+}
+
+// ManagedHsmsClientListByResourceGroupOptions contains the optional parameters for the ManagedHsmsClient.NewListByResourceGroupPager
+// method.
+type ManagedHsmsClientListByResourceGroupOptions struct {
+	// Maximum number of results to return.
+	Top *int32
+}
+
+// ManagedHsmsClientListBySubscriptionOptions contains the optional parameters for the ManagedHsmsClient.NewListBySubscriptionPager
+// method.
+type ManagedHsmsClientListBySubscriptionOptions struct {
+	// Maximum number of results to return.
+	Top *int32
+}
+
+// ManagedHsmsClientListDeletedOptions contains the optional parameters for the ManagedHsmsClient.NewListDeletedPager method.
+type ManagedHsmsClientListDeletedOptions struct {
+	// placeholder for future optional parameters
+}
+
+// OperationsClientListOptions contains the optional parameters for the OperationsClient.NewListPager method.
+type OperationsClientListOptions struct {
+	// placeholder for future optional parameters
+}
+
+// PrivateEndpointConnectionsClientBeginDeleteOptions contains the optional parameters for the PrivateEndpointConnectionsClient.BeginDelete
+// method.
+type PrivateEndpointConnectionsClientBeginDeleteOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// PrivateEndpointConnectionsClientGetOptions contains the optional parameters for the PrivateEndpointConnectionsClient.Get
+// method.
+type PrivateEndpointConnectionsClientGetOptions struct {
+	// placeholder for future optional parameters
+}
+
+// PrivateEndpointConnectionsClientListByResourceOptions contains the optional parameters for the PrivateEndpointConnectionsClient.NewListByResourcePager
+// method.
+type PrivateEndpointConnectionsClientListByResourceOptions struct {
+	// placeholder for future optional parameters
+}
+
+// PrivateEndpointConnectionsClientPutOptions contains the optional parameters for the PrivateEndpointConnectionsClient.Put
+// method.
+type PrivateEndpointConnectionsClientPutOptions struct {
+	// placeholder for future optional parameters
+}
+
+// PrivateLinkResourcesClientListByVaultOptions contains the optional parameters for the PrivateLinkResourcesClient.ListByVault
+// method.
+type PrivateLinkResourcesClientListByVaultOptions struct {
+	// placeholder for future optional parameters
+}
+
+// SecretsClientCreateOrUpdateOptions contains the optional parameters for the SecretsClient.CreateOrUpdate method.
+type SecretsClientCreateOrUpdateOptions struct {
+	// placeholder for future optional parameters
+}
+
+// SecretsClientGetOptions contains the optional parameters for the SecretsClient.Get method.
+type SecretsClientGetOptions struct {
+	// placeholder for future optional parameters
+}
+
+// SecretsClientListOptions contains the optional parameters for the SecretsClient.NewListPager method.
+type SecretsClientListOptions struct {
+	// Maximum number of results to return.
+	Top *int32
+}
+
+// SecretsClientUpdateOptions contains the optional parameters for the SecretsClient.Update method.
+type SecretsClientUpdateOptions struct {
+	// placeholder for future optional parameters
+}
+
+// VaultsClientBeginCreateOrUpdateOptions contains the optional parameters for the VaultsClient.BeginCreateOrUpdate method.
+type VaultsClientBeginCreateOrUpdateOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// VaultsClientBeginPurgeDeletedOptions contains the optional parameters for the VaultsClient.BeginPurgeDeleted method.
+type VaultsClientBeginPurgeDeletedOptions struct {
+	// Resumes the LRO from the provided token.
+	ResumeToken string
+}
+
+// VaultsClientCheckNameAvailabilityOptions contains the optional parameters for the VaultsClient.CheckNameAvailability method.
+type VaultsClientCheckNameAvailabilityOptions struct {
+	// placeholder for future optional parameters
+}
+
+// VaultsClientDeleteOptions contains the optional parameters for the VaultsClient.Delete method.
+type VaultsClientDeleteOptions struct {
+	// placeholder for future optional parameters
+}
+
+// VaultsClientGetDeletedOptions contains the optional parameters for the VaultsClient.GetDeleted method.
+type VaultsClientGetDeletedOptions struct {
+	// placeholder for future optional parameters
+}
+
+// VaultsClientGetOptions contains the optional parameters for the VaultsClient.Get method.
+type VaultsClientGetOptions struct {
+	// placeholder for future optional parameters
+}
+
+// VaultsClientListByResourceGroupOptions contains the optional parameters for the VaultsClient.NewListByResourceGroupPager
+// method.
+type VaultsClientListByResourceGroupOptions struct {
+	// Maximum number of results to return.
+	Top *int32
+}
+
+// VaultsClientListBySubscriptionOptions contains the optional parameters for the VaultsClient.NewListBySubscriptionPager
+// method.
+type VaultsClientListBySubscriptionOptions struct {
+	// Maximum number of results to return.
+	Top *int32
+}
+
+// VaultsClientListDeletedOptions contains the optional parameters for the VaultsClient.NewListDeletedPager method.
+type VaultsClientListDeletedOptions struct {
+	// placeholder for future optional parameters
+}
+
+// VaultsClientListOptions contains the optional parameters for the VaultsClient.NewListPager method.
+type VaultsClientListOptions struct {
+	// Maximum number of results to return.
+	Top *int32
+}
+
+// VaultsClientUpdateAccessPolicyOptions contains the optional parameters for the VaultsClient.UpdateAccessPolicy method.
+type VaultsClientUpdateAccessPolicyOptions struct {
+	// placeholder for future optional parameters
+}
+
+// VaultsClientUpdateOptions contains the optional parameters for the VaultsClient.Update method.
+type VaultsClientUpdateOptions struct {
+	// placeholder for future optional parameters
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/privateendpointconnections_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/privateendpointconnections_client.go
new file mode 100644
index 000000000..4941b953f
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/privateendpointconnections_client.go
@@ -0,0 +1,348 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+// PrivateEndpointConnectionsClient contains the methods for the PrivateEndpointConnections group.
+// Don't use this type directly, use NewPrivateEndpointConnectionsClient() instead.
+type PrivateEndpointConnectionsClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewPrivateEndpointConnectionsClient creates a new instance of PrivateEndpointConnectionsClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewPrivateEndpointConnectionsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*PrivateEndpointConnectionsClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &PrivateEndpointConnectionsClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// BeginDelete - Deletes the specified private endpoint connection associated with the key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the key vault.
+//   - vaultName - The name of the key vault.
+//   - privateEndpointConnectionName - Name of the private endpoint connection associated with the key vault.
+//   - options - PrivateEndpointConnectionsClientBeginDeleteOptions contains the optional parameters for the PrivateEndpointConnectionsClient.BeginDelete
+//     method.
+func (client *PrivateEndpointConnectionsClient) BeginDelete(ctx context.Context, resourceGroupName string, vaultName string, privateEndpointConnectionName string, options *PrivateEndpointConnectionsClientBeginDeleteOptions) (*runtime.Poller[PrivateEndpointConnectionsClientDeleteResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.deleteOperation(ctx, resourceGroupName, vaultName, privateEndpointConnectionName, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[PrivateEndpointConnectionsClientDeleteResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[PrivateEndpointConnectionsClientDeleteResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// Delete - Deletes the specified private endpoint connection associated with the key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *PrivateEndpointConnectionsClient) deleteOperation(ctx context.Context, resourceGroupName string, vaultName string, privateEndpointConnectionName string, options *PrivateEndpointConnectionsClientBeginDeleteOptions) (*http.Response, error) {
+	var err error
+	const operationName = "PrivateEndpointConnectionsClient.BeginDelete"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.deleteCreateRequest(ctx, resourceGroupName, vaultName, privateEndpointConnectionName, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusAccepted, http.StatusNoContent) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// deleteCreateRequest creates the Delete request.
+func (client *PrivateEndpointConnectionsClient) deleteCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, privateEndpointConnectionName string, options *PrivateEndpointConnectionsClientBeginDeleteOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateEndpointConnections/{privateEndpointConnectionName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if privateEndpointConnectionName == "" {
+		return nil, errors.New("parameter privateEndpointConnectionName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{privateEndpointConnectionName}", url.PathEscape(privateEndpointConnectionName))
+	req, err := runtime.NewRequest(ctx, http.MethodDelete, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// Get - Gets the specified private endpoint connection associated with the key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the key vault.
+//   - vaultName - The name of the key vault.
+//   - privateEndpointConnectionName - Name of the private endpoint connection associated with the key vault.
+//   - options - PrivateEndpointConnectionsClientGetOptions contains the optional parameters for the PrivateEndpointConnectionsClient.Get
+//     method.
+func (client *PrivateEndpointConnectionsClient) Get(ctx context.Context, resourceGroupName string, vaultName string, privateEndpointConnectionName string, options *PrivateEndpointConnectionsClientGetOptions) (PrivateEndpointConnectionsClientGetResponse, error) {
+	var err error
+	const operationName = "PrivateEndpointConnectionsClient.Get"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getCreateRequest(ctx, resourceGroupName, vaultName, privateEndpointConnectionName, options)
+	if err != nil {
+		return PrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return PrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusNoContent) {
+		err = runtime.NewResponseError(httpResp)
+		return PrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	resp, err := client.getHandleResponse(httpResp)
+	return resp, err
+}
+
+// getCreateRequest creates the Get request.
+func (client *PrivateEndpointConnectionsClient) getCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, privateEndpointConnectionName string, options *PrivateEndpointConnectionsClientGetOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateEndpointConnections/{privateEndpointConnectionName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if privateEndpointConnectionName == "" {
+		return nil, errors.New("parameter privateEndpointConnectionName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{privateEndpointConnectionName}", url.PathEscape(privateEndpointConnectionName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getHandleResponse handles the Get response.
+func (client *PrivateEndpointConnectionsClient) getHandleResponse(resp *http.Response) (PrivateEndpointConnectionsClientGetResponse, error) {
+	result := PrivateEndpointConnectionsClientGetResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.PrivateEndpointConnection); err != nil {
+		return PrivateEndpointConnectionsClientGetResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListByResourcePager - The List operation gets information about the private endpoint connections associated with the
+// vault.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the key vault.
+//   - vaultName - The name of the key vault.
+//   - options - PrivateEndpointConnectionsClientListByResourceOptions contains the optional parameters for the PrivateEndpointConnectionsClient.NewListByResourcePager
+//     method.
+func (client *PrivateEndpointConnectionsClient) NewListByResourcePager(resourceGroupName string, vaultName string, options *PrivateEndpointConnectionsClientListByResourceOptions) *runtime.Pager[PrivateEndpointConnectionsClientListByResourceResponse] {
+	return runtime.NewPager(runtime.PagingHandler[PrivateEndpointConnectionsClientListByResourceResponse]{
+		More: func(page PrivateEndpointConnectionsClientListByResourceResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *PrivateEndpointConnectionsClientListByResourceResponse) (PrivateEndpointConnectionsClientListByResourceResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "PrivateEndpointConnectionsClient.NewListByResourcePager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listByResourceCreateRequest(ctx, resourceGroupName, vaultName, options)
+			}, nil)
+			if err != nil {
+				return PrivateEndpointConnectionsClientListByResourceResponse{}, err
+			}
+			return client.listByResourceHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listByResourceCreateRequest creates the ListByResource request.
+func (client *PrivateEndpointConnectionsClient) listByResourceCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, options *PrivateEndpointConnectionsClientListByResourceOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateEndpointConnections"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listByResourceHandleResponse handles the ListByResource response.
+func (client *PrivateEndpointConnectionsClient) listByResourceHandleResponse(resp *http.Response) (PrivateEndpointConnectionsClientListByResourceResponse, error) {
+	result := PrivateEndpointConnectionsClientListByResourceResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.PrivateEndpointConnectionListResult); err != nil {
+		return PrivateEndpointConnectionsClientListByResourceResponse{}, err
+	}
+	return result, nil
+}
+
+// Put - Updates the specified private endpoint connection associated with the key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the key vault.
+//   - vaultName - The name of the key vault.
+//   - privateEndpointConnectionName - Name of the private endpoint connection associated with the key vault.
+//   - properties - The intended state of private endpoint connection.
+//   - options - PrivateEndpointConnectionsClientPutOptions contains the optional parameters for the PrivateEndpointConnectionsClient.Put
+//     method.
+func (client *PrivateEndpointConnectionsClient) Put(ctx context.Context, resourceGroupName string, vaultName string, privateEndpointConnectionName string, properties PrivateEndpointConnection, options *PrivateEndpointConnectionsClientPutOptions) (PrivateEndpointConnectionsClientPutResponse, error) {
+	var err error
+	const operationName = "PrivateEndpointConnectionsClient.Put"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.putCreateRequest(ctx, resourceGroupName, vaultName, privateEndpointConnectionName, properties, options)
+	if err != nil {
+		return PrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return PrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return PrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	resp, err := client.putHandleResponse(httpResp)
+	return resp, err
+}
+
+// putCreateRequest creates the Put request.
+func (client *PrivateEndpointConnectionsClient) putCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, privateEndpointConnectionName string, properties PrivateEndpointConnection, options *PrivateEndpointConnectionsClientPutOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateEndpointConnections/{privateEndpointConnectionName}"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if privateEndpointConnectionName == "" {
+		return nil, errors.New("parameter privateEndpointConnectionName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{privateEndpointConnectionName}", url.PathEscape(privateEndpointConnectionName))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, properties); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// putHandleResponse handles the Put response.
+func (client *PrivateEndpointConnectionsClient) putHandleResponse(resp *http.Response) (PrivateEndpointConnectionsClientPutResponse, error) {
+	result := PrivateEndpointConnectionsClientPutResponse{}
+	if val := resp.Header.Get("Azure-AsyncOperation"); val != "" {
+		result.AzureAsyncOperation = &val
+	}
+	if val := resp.Header.Get("Retry-After"); val != "" {
+		retryAfter32, err := strconv.ParseInt(val, 10, 32)
+		retryAfter := int32(retryAfter32)
+		if err != nil {
+			return PrivateEndpointConnectionsClientPutResponse{}, err
+		}
+		result.RetryAfter = &retryAfter
+	}
+	if err := runtime.UnmarshalAsJSON(resp, &result.PrivateEndpointConnection); err != nil {
+		return PrivateEndpointConnectionsClientPutResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/privatelinkresources_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/privatelinkresources_client.go
new file mode 100644
index 000000000..b329955a7
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/privatelinkresources_client.go
@@ -0,0 +1,110 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// PrivateLinkResourcesClient contains the methods for the PrivateLinkResources group.
+// Don't use this type directly, use NewPrivateLinkResourcesClient() instead.
+type PrivateLinkResourcesClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewPrivateLinkResourcesClient creates a new instance of PrivateLinkResourcesClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewPrivateLinkResourcesClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*PrivateLinkResourcesClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &PrivateLinkResourcesClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// ListByVault - Gets the private link resources supported for the key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - Name of the resource group that contains the key vault.
+//   - vaultName - The name of the key vault.
+//   - options - PrivateLinkResourcesClientListByVaultOptions contains the optional parameters for the PrivateLinkResourcesClient.ListByVault
+//     method.
+func (client *PrivateLinkResourcesClient) ListByVault(ctx context.Context, resourceGroupName string, vaultName string, options *PrivateLinkResourcesClientListByVaultOptions) (PrivateLinkResourcesClientListByVaultResponse, error) {
+	var err error
+	const operationName = "PrivateLinkResourcesClient.ListByVault"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.listByVaultCreateRequest(ctx, resourceGroupName, vaultName, options)
+	if err != nil {
+		return PrivateLinkResourcesClientListByVaultResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return PrivateLinkResourcesClientListByVaultResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return PrivateLinkResourcesClientListByVaultResponse{}, err
+	}
+	resp, err := client.listByVaultHandleResponse(httpResp)
+	return resp, err
+}
+
+// listByVaultCreateRequest creates the ListByVault request.
+func (client *PrivateLinkResourcesClient) listByVaultCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, options *PrivateLinkResourcesClientListByVaultOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/privateLinkResources"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listByVaultHandleResponse handles the ListByVault response.
+func (client *PrivateLinkResourcesClient) listByVaultHandleResponse(resp *http.Response) (PrivateLinkResourcesClientListByVaultResponse, error) {
+	result := PrivateLinkResourcesClientListByVaultResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.PrivateLinkResourceListResult); err != nil {
+		return PrivateLinkResourcesClientListByVaultResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/response_types.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/response_types.go
new file mode 100644
index 000000000..efeaaf1c7
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/response_types.go
@@ -0,0 +1,305 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+// KeysClientCreateIfNotExistResponse contains the response from method KeysClient.CreateIfNotExist.
+type KeysClientCreateIfNotExistResponse struct {
+	// The key resource.
+	Key
+}
+
+// KeysClientGetResponse contains the response from method KeysClient.Get.
+type KeysClientGetResponse struct {
+	// The key resource.
+	Key
+}
+
+// KeysClientGetVersionResponse contains the response from method KeysClient.GetVersion.
+type KeysClientGetVersionResponse struct {
+	// The key resource.
+	Key
+}
+
+// KeysClientListResponse contains the response from method KeysClient.NewListPager.
+type KeysClientListResponse struct {
+	// The page of keys.
+	KeyListResult
+}
+
+// KeysClientListVersionsResponse contains the response from method KeysClient.NewListVersionsPager.
+type KeysClientListVersionsResponse struct {
+	// The page of keys.
+	KeyListResult
+}
+
+// MHSMPrivateEndpointConnectionsClientDeleteResponse contains the response from method MHSMPrivateEndpointConnectionsClient.BeginDelete.
+type MHSMPrivateEndpointConnectionsClientDeleteResponse struct {
+	// Private endpoint connection resource.
+	MHSMPrivateEndpointConnection
+}
+
+// MHSMPrivateEndpointConnectionsClientGetResponse contains the response from method MHSMPrivateEndpointConnectionsClient.Get.
+type MHSMPrivateEndpointConnectionsClientGetResponse struct {
+	// Private endpoint connection resource.
+	MHSMPrivateEndpointConnection
+}
+
+// MHSMPrivateEndpointConnectionsClientListByResourceResponse contains the response from method MHSMPrivateEndpointConnectionsClient.NewListByResourcePager.
+type MHSMPrivateEndpointConnectionsClientListByResourceResponse struct {
+	// List of private endpoint connections associated with a managed HSM Pools
+	MHSMPrivateEndpointConnectionsListResult
+}
+
+// MHSMPrivateEndpointConnectionsClientPutResponse contains the response from method MHSMPrivateEndpointConnectionsClient.Put.
+type MHSMPrivateEndpointConnectionsClientPutResponse struct {
+	// Private endpoint connection resource.
+	MHSMPrivateEndpointConnection
+
+	// AzureAsyncOperation contains the information returned from the Azure-AsyncOperation header response.
+	AzureAsyncOperation *string
+
+	// RetryAfter contains the information returned from the Retry-After header response.
+	RetryAfter *int32
+}
+
+// MHSMPrivateLinkResourcesClientListByMHSMResourceResponse contains the response from method MHSMPrivateLinkResourcesClient.ListByMHSMResource.
+type MHSMPrivateLinkResourcesClientListByMHSMResourceResponse struct {
+	// A list of private link resources
+	MHSMPrivateLinkResourceListResult
+}
+
+// MHSMRegionsClientListByResourceResponse contains the response from method MHSMRegionsClient.NewListByResourcePager.
+type MHSMRegionsClientListByResourceResponse struct {
+	// List of regions associated with a managed HSM Pools
+	MHSMRegionsListResult
+}
+
+// ManagedHsmKeysClientCreateIfNotExistResponse contains the response from method ManagedHsmKeysClient.CreateIfNotExist.
+type ManagedHsmKeysClientCreateIfNotExistResponse struct {
+	// The key resource.
+	ManagedHsmKey
+}
+
+// ManagedHsmKeysClientGetResponse contains the response from method ManagedHsmKeysClient.Get.
+type ManagedHsmKeysClientGetResponse struct {
+	// The key resource.
+	ManagedHsmKey
+}
+
+// ManagedHsmKeysClientGetVersionResponse contains the response from method ManagedHsmKeysClient.GetVersion.
+type ManagedHsmKeysClientGetVersionResponse struct {
+	// The key resource.
+	ManagedHsmKey
+}
+
+// ManagedHsmKeysClientListResponse contains the response from method ManagedHsmKeysClient.NewListPager.
+type ManagedHsmKeysClientListResponse struct {
+	// The page of keys.
+	ManagedHsmKeyListResult
+}
+
+// ManagedHsmKeysClientListVersionsResponse contains the response from method ManagedHsmKeysClient.NewListVersionsPager.
+type ManagedHsmKeysClientListVersionsResponse struct {
+	// The page of keys.
+	ManagedHsmKeyListResult
+}
+
+// ManagedHsmsClientCheckMhsmNameAvailabilityResponse contains the response from method ManagedHsmsClient.CheckMhsmNameAvailability.
+type ManagedHsmsClientCheckMhsmNameAvailabilityResponse struct {
+	// The CheckMhsmNameAvailability operation response.
+	CheckMhsmNameAvailabilityResult
+}
+
+// ManagedHsmsClientCreateOrUpdateResponse contains the response from method ManagedHsmsClient.BeginCreateOrUpdate.
+type ManagedHsmsClientCreateOrUpdateResponse struct {
+	// Resource information with extended details.
+	ManagedHsm
+}
+
+// ManagedHsmsClientDeleteResponse contains the response from method ManagedHsmsClient.BeginDelete.
+type ManagedHsmsClientDeleteResponse struct {
+	// placeholder for future response values
+}
+
+// ManagedHsmsClientGetDeletedResponse contains the response from method ManagedHsmsClient.GetDeleted.
+type ManagedHsmsClientGetDeletedResponse struct {
+	DeletedManagedHsm
+}
+
+// ManagedHsmsClientGetResponse contains the response from method ManagedHsmsClient.Get.
+type ManagedHsmsClientGetResponse struct {
+	// Resource information with extended details.
+	ManagedHsm
+}
+
+// ManagedHsmsClientListByResourceGroupResponse contains the response from method ManagedHsmsClient.NewListByResourceGroupPager.
+type ManagedHsmsClientListByResourceGroupResponse struct {
+	// List of managed HSM Pools
+	ManagedHsmListResult
+}
+
+// ManagedHsmsClientListBySubscriptionResponse contains the response from method ManagedHsmsClient.NewListBySubscriptionPager.
+type ManagedHsmsClientListBySubscriptionResponse struct {
+	// List of managed HSM Pools
+	ManagedHsmListResult
+}
+
+// ManagedHsmsClientListDeletedResponse contains the response from method ManagedHsmsClient.NewListDeletedPager.
+type ManagedHsmsClientListDeletedResponse struct {
+	// List of deleted managed HSM Pools
+	DeletedManagedHsmListResult
+}
+
+// ManagedHsmsClientPurgeDeletedResponse contains the response from method ManagedHsmsClient.BeginPurgeDeleted.
+type ManagedHsmsClientPurgeDeletedResponse struct {
+	// placeholder for future response values
+}
+
+// ManagedHsmsClientUpdateResponse contains the response from method ManagedHsmsClient.BeginUpdate.
+type ManagedHsmsClientUpdateResponse struct {
+	// Resource information with extended details.
+	ManagedHsm
+}
+
+// OperationsClientListResponse contains the response from method OperationsClient.NewListPager.
+type OperationsClientListResponse struct {
+	// Result of the request to list Storage operations. It contains a list of operations and a URL link to get the next set of
+	// results.
+	OperationListResult
+}
+
+// PrivateEndpointConnectionsClientDeleteResponse contains the response from method PrivateEndpointConnectionsClient.BeginDelete.
+type PrivateEndpointConnectionsClientDeleteResponse struct {
+	// Private endpoint connection resource.
+	PrivateEndpointConnection
+}
+
+// PrivateEndpointConnectionsClientGetResponse contains the response from method PrivateEndpointConnectionsClient.Get.
+type PrivateEndpointConnectionsClientGetResponse struct {
+	// Private endpoint connection resource.
+	PrivateEndpointConnection
+}
+
+// PrivateEndpointConnectionsClientListByResourceResponse contains the response from method PrivateEndpointConnectionsClient.NewListByResourcePager.
+type PrivateEndpointConnectionsClientListByResourceResponse struct {
+	// List of private endpoint connections.
+	PrivateEndpointConnectionListResult
+}
+
+// PrivateEndpointConnectionsClientPutResponse contains the response from method PrivateEndpointConnectionsClient.Put.
+type PrivateEndpointConnectionsClientPutResponse struct {
+	// Private endpoint connection resource.
+	PrivateEndpointConnection
+
+	// AzureAsyncOperation contains the information returned from the Azure-AsyncOperation header response.
+	AzureAsyncOperation *string
+
+	// RetryAfter contains the information returned from the Retry-After header response.
+	RetryAfter *int32
+}
+
+// PrivateLinkResourcesClientListByVaultResponse contains the response from method PrivateLinkResourcesClient.ListByVault.
+type PrivateLinkResourcesClientListByVaultResponse struct {
+	// A list of private link resources
+	PrivateLinkResourceListResult
+}
+
+// SecretsClientCreateOrUpdateResponse contains the response from method SecretsClient.CreateOrUpdate.
+type SecretsClientCreateOrUpdateResponse struct {
+	// Resource information with extended details.
+	Secret
+}
+
+// SecretsClientGetResponse contains the response from method SecretsClient.Get.
+type SecretsClientGetResponse struct {
+	// Resource information with extended details.
+	Secret
+}
+
+// SecretsClientListResponse contains the response from method SecretsClient.NewListPager.
+type SecretsClientListResponse struct {
+	// List of secrets
+	SecretListResult
+}
+
+// SecretsClientUpdateResponse contains the response from method SecretsClient.Update.
+type SecretsClientUpdateResponse struct {
+	// Resource information with extended details.
+	Secret
+}
+
+// VaultsClientCheckNameAvailabilityResponse contains the response from method VaultsClient.CheckNameAvailability.
+type VaultsClientCheckNameAvailabilityResponse struct {
+	// The CheckNameAvailability operation response.
+	CheckNameAvailabilityResult
+}
+
+// VaultsClientCreateOrUpdateResponse contains the response from method VaultsClient.BeginCreateOrUpdate.
+type VaultsClientCreateOrUpdateResponse struct {
+	// Resource information with extended details.
+	Vault
+}
+
+// VaultsClientDeleteResponse contains the response from method VaultsClient.Delete.
+type VaultsClientDeleteResponse struct {
+	// placeholder for future response values
+}
+
+// VaultsClientGetDeletedResponse contains the response from method VaultsClient.GetDeleted.
+type VaultsClientGetDeletedResponse struct {
+	// Deleted vault information with extended details.
+	DeletedVault
+}
+
+// VaultsClientGetResponse contains the response from method VaultsClient.Get.
+type VaultsClientGetResponse struct {
+	// Resource information with extended details.
+	Vault
+}
+
+// VaultsClientListByResourceGroupResponse contains the response from method VaultsClient.NewListByResourceGroupPager.
+type VaultsClientListByResourceGroupResponse struct {
+	// List of vaults
+	VaultListResult
+}
+
+// VaultsClientListBySubscriptionResponse contains the response from method VaultsClient.NewListBySubscriptionPager.
+type VaultsClientListBySubscriptionResponse struct {
+	// List of vaults
+	VaultListResult
+}
+
+// VaultsClientListDeletedResponse contains the response from method VaultsClient.NewListDeletedPager.
+type VaultsClientListDeletedResponse struct {
+	// List of vaults
+	DeletedVaultListResult
+}
+
+// VaultsClientListResponse contains the response from method VaultsClient.NewListPager.
+type VaultsClientListResponse struct {
+	// List of vault resources.
+	ResourceListResult
+}
+
+// VaultsClientPurgeDeletedResponse contains the response from method VaultsClient.BeginPurgeDeleted.
+type VaultsClientPurgeDeletedResponse struct {
+	// placeholder for future response values
+}
+
+// VaultsClientUpdateAccessPolicyResponse contains the response from method VaultsClient.UpdateAccessPolicy.
+type VaultsClientUpdateAccessPolicyResponse struct {
+	// Parameters for updating the access policy in a vault
+	VaultAccessPolicyParameters
+}
+
+// VaultsClientUpdateResponse contains the response from method VaultsClient.Update.
+type VaultsClientUpdateResponse struct {
+	// Resource information with extended details.
+	Vault
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/secrets_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/secrets_client.go
new file mode 100644
index 000000000..d57157653
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/secrets_client.go
@@ -0,0 +1,335 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+// SecretsClient contains the methods for the Secrets group.
+// Don't use this type directly, use NewSecretsClient() instead.
+type SecretsClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewSecretsClient creates a new instance of SecretsClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewSecretsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*SecretsClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &SecretsClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// CreateOrUpdate - Create or update a secret in a key vault in the specified subscription. NOTE: This API is intended for
+// internal use in ARM deployments. Users should use the data-plane REST service for interaction
+// with vault secrets.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - vaultName - Name of the vault
+//   - secretName - Name of the secret. The value you provide may be copied globally for the purpose of running the service. The
+//     value provided should not include personally identifiable or sensitive information.
+//   - parameters - Parameters to create or update the secret
+//   - options - SecretsClientCreateOrUpdateOptions contains the optional parameters for the SecretsClient.CreateOrUpdate method.
+func (client *SecretsClient) CreateOrUpdate(ctx context.Context, resourceGroupName string, vaultName string, secretName string, parameters SecretCreateOrUpdateParameters, options *SecretsClientCreateOrUpdateOptions) (SecretsClientCreateOrUpdateResponse, error) {
+	var err error
+	const operationName = "SecretsClient.CreateOrUpdate"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.createOrUpdateCreateRequest(ctx, resourceGroupName, vaultName, secretName, parameters, options)
+	if err != nil {
+		return SecretsClientCreateOrUpdateResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return SecretsClientCreateOrUpdateResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusCreated) {
+		err = runtime.NewResponseError(httpResp)
+		return SecretsClientCreateOrUpdateResponse{}, err
+	}
+	resp, err := client.createOrUpdateHandleResponse(httpResp)
+	return resp, err
+}
+
+// createOrUpdateCreateRequest creates the CreateOrUpdate request.
+func (client *SecretsClient) createOrUpdateCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, secretName string, parameters SecretCreateOrUpdateParameters, options *SecretsClientCreateOrUpdateOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/secrets/{secretName}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if secretName == "" {
+		return nil, errors.New("parameter secretName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{secretName}", url.PathEscape(secretName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// createOrUpdateHandleResponse handles the CreateOrUpdate response.
+func (client *SecretsClient) createOrUpdateHandleResponse(resp *http.Response) (SecretsClientCreateOrUpdateResponse, error) {
+	result := SecretsClientCreateOrUpdateResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Secret); err != nil {
+		return SecretsClientCreateOrUpdateResponse{}, err
+	}
+	return result, nil
+}
+
+// Get - Gets the specified secret. NOTE: This API is intended for internal use in ARM deployments. Users should use the data-plane
+// REST service for interaction with vault secrets.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - vaultName - The name of the vault.
+//   - secretName - The name of the secret.
+//   - options - SecretsClientGetOptions contains the optional parameters for the SecretsClient.Get method.
+func (client *SecretsClient) Get(ctx context.Context, resourceGroupName string, vaultName string, secretName string, options *SecretsClientGetOptions) (SecretsClientGetResponse, error) {
+	var err error
+	const operationName = "SecretsClient.Get"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getCreateRequest(ctx, resourceGroupName, vaultName, secretName, options)
+	if err != nil {
+		return SecretsClientGetResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return SecretsClientGetResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return SecretsClientGetResponse{}, err
+	}
+	resp, err := client.getHandleResponse(httpResp)
+	return resp, err
+}
+
+// getCreateRequest creates the Get request.
+func (client *SecretsClient) getCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, secretName string, options *SecretsClientGetOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/secrets/{secretName}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if secretName == "" {
+		return nil, errors.New("parameter secretName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{secretName}", url.PathEscape(secretName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getHandleResponse handles the Get response.
+func (client *SecretsClient) getHandleResponse(resp *http.Response) (SecretsClientGetResponse, error) {
+	result := SecretsClientGetResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Secret); err != nil {
+		return SecretsClientGetResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListPager - The List operation gets information about the secrets in a vault. NOTE: This API is intended for internal
+// use in ARM deployments. Users should use the data-plane REST service for interaction with
+// vault secrets.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - vaultName - The name of the vault.
+//   - options - SecretsClientListOptions contains the optional parameters for the SecretsClient.NewListPager method.
+func (client *SecretsClient) NewListPager(resourceGroupName string, vaultName string, options *SecretsClientListOptions) *runtime.Pager[SecretsClientListResponse] {
+	return runtime.NewPager(runtime.PagingHandler[SecretsClientListResponse]{
+		More: func(page SecretsClientListResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *SecretsClientListResponse) (SecretsClientListResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "SecretsClient.NewListPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listCreateRequest(ctx, resourceGroupName, vaultName, options)
+			}, nil)
+			if err != nil {
+				return SecretsClientListResponse{}, err
+			}
+			return client.listHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listCreateRequest creates the List request.
+func (client *SecretsClient) listCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, options *SecretsClientListOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/secrets"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	if options != nil && options.Top != nil {
+		reqQP.Set("$top", strconv.FormatInt(int64(*options.Top), 10))
+	}
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listHandleResponse handles the List response.
+func (client *SecretsClient) listHandleResponse(resp *http.Response) (SecretsClientListResponse, error) {
+	result := SecretsClientListResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.SecretListResult); err != nil {
+		return SecretsClientListResponse{}, err
+	}
+	return result, nil
+}
+
+// Update - Update a secret in the specified subscription. NOTE: This API is intended for internal use in ARM deployments.
+// Users should use the data-plane REST service for interaction with vault secrets.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - vaultName - Name of the vault
+//   - secretName - Name of the secret
+//   - parameters - Parameters to patch the secret
+//   - options - SecretsClientUpdateOptions contains the optional parameters for the SecretsClient.Update method.
+func (client *SecretsClient) Update(ctx context.Context, resourceGroupName string, vaultName string, secretName string, parameters SecretPatchParameters, options *SecretsClientUpdateOptions) (SecretsClientUpdateResponse, error) {
+	var err error
+	const operationName = "SecretsClient.Update"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.updateCreateRequest(ctx, resourceGroupName, vaultName, secretName, parameters, options)
+	if err != nil {
+		return SecretsClientUpdateResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return SecretsClientUpdateResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusCreated) {
+		err = runtime.NewResponseError(httpResp)
+		return SecretsClientUpdateResponse{}, err
+	}
+	resp, err := client.updateHandleResponse(httpResp)
+	return resp, err
+}
+
+// updateCreateRequest creates the Update request.
+func (client *SecretsClient) updateCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, secretName string, parameters SecretPatchParameters, options *SecretsClientUpdateOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/secrets/{secretName}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if secretName == "" {
+		return nil, errors.New("parameter secretName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{secretName}", url.PathEscape(secretName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPatch, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// updateHandleResponse handles the Update response.
+func (client *SecretsClient) updateHandleResponse(resp *http.Response) (SecretsClientUpdateResponse, error) {
+	result := SecretsClientUpdateResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Secret); err != nil {
+		return SecretsClientUpdateResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/time_rfc3339.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/time_rfc3339.go
new file mode 100644
index 000000000..a7b9a6b4d
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/time_rfc3339.go
@@ -0,0 +1,86 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"reflect"
+	"regexp"
+	"strings"
+	"time"
+)
+
+// Azure reports time in UTC but it doesn't include the 'Z' time zone suffix in some cases.
+var tzOffsetRegex = regexp.MustCompile(`(Z|z|\+|-)(\d+:\d+)*"*$`)
+
+const (
+	utcDateTimeJSON = `"2006-01-02T15:04:05.999999999"`
+	utcDateTime     = "2006-01-02T15:04:05.999999999"
+	dateTimeJSON    = `"` + time.RFC3339Nano + `"`
+)
+
+type dateTimeRFC3339 time.Time
+
+func (t dateTimeRFC3339) MarshalJSON() ([]byte, error) {
+	tt := time.Time(t)
+	return tt.MarshalJSON()
+}
+
+func (t dateTimeRFC3339) MarshalText() ([]byte, error) {
+	tt := time.Time(t)
+	return tt.MarshalText()
+}
+
+func (t *dateTimeRFC3339) UnmarshalJSON(data []byte) error {
+	layout := utcDateTimeJSON
+	if tzOffsetRegex.Match(data) {
+		layout = dateTimeJSON
+	}
+	return t.Parse(layout, string(data))
+}
+
+func (t *dateTimeRFC3339) UnmarshalText(data []byte) error {
+	layout := utcDateTime
+	if tzOffsetRegex.Match(data) {
+		layout = time.RFC3339Nano
+	}
+	return t.Parse(layout, string(data))
+}
+
+func (t *dateTimeRFC3339) Parse(layout, value string) error {
+	p, err := time.Parse(layout, strings.ToUpper(value))
+	*t = dateTimeRFC3339(p)
+	return err
+}
+
+func populateDateTimeRFC3339(m map[string]any, k string, t *time.Time) {
+	if t == nil {
+		return
+	} else if azcore.IsNullValue(t) {
+		m[k] = nil
+		return
+	} else if reflect.ValueOf(t).IsNil() {
+		return
+	}
+	m[k] = (*dateTimeRFC3339)(t)
+}
+
+func unpopulateDateTimeRFC3339(data json.RawMessage, fn string, t **time.Time) error {
+	if data == nil || strings.EqualFold(string(data), "null") {
+		return nil
+	}
+	var aux dateTimeRFC3339
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return fmt.Errorf("struct field %s: %v", fn, err)
+	}
+	*t = (*time.Time)(&aux)
+	return nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/time_unix.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/time_unix.go
new file mode 100644
index 000000000..bf0463717
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/time_unix.go
@@ -0,0 +1,61 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"reflect"
+	"strings"
+	"time"
+)
+
+type timeUnix time.Time
+
+func (t timeUnix) MarshalJSON() ([]byte, error) {
+	return json.Marshal(time.Time(t).Unix())
+}
+
+func (t *timeUnix) UnmarshalJSON(data []byte) error {
+	var seconds int64
+	if err := json.Unmarshal(data, &seconds); err != nil {
+		return err
+	}
+	*t = timeUnix(time.Unix(seconds, 0))
+	return nil
+}
+
+func (t timeUnix) String() string {
+	return fmt.Sprintf("%d", time.Time(t).Unix())
+}
+
+func populateTimeUnix(m map[string]any, k string, t *time.Time) {
+	if t == nil {
+		return
+	} else if azcore.IsNullValue(t) {
+		m[k] = nil
+		return
+	} else if reflect.ValueOf(t).IsNil() {
+		return
+	}
+	m[k] = (*timeUnix)(t)
+}
+
+func unpopulateTimeUnix(data json.RawMessage, fn string, t **time.Time) error {
+	if data == nil || strings.EqualFold(string(data), "null") {
+		return nil
+	}
+	var aux timeUnix
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return fmt.Errorf("struct field %s: %v", fn, err)
+	}
+	*t = (*time.Time)(&aux)
+	return nil
+}
diff --git a/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/vaults_client.go b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/vaults_client.go
new file mode 100644
index 000000000..00075aff0
--- /dev/null
+++ b/vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault/vaults_client.go
@@ -0,0 +1,819 @@
+//go:build go1.18
+// +build go1.18
+
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+// Code generated by Microsoft (R) AutoRest Code Generator. DO NOT EDIT.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+package armkeyvault
+
+import (
+	"context"
+	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/arm"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+// VaultsClient contains the methods for the Vaults group.
+// Don't use this type directly, use NewVaultsClient() instead.
+type VaultsClient struct {
+	internal       *arm.Client
+	subscriptionID string
+}
+
+// NewVaultsClient creates a new instance of VaultsClient with the specified values.
+//   - subscriptionID - Subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms
+//     part of the URI for every service call.
+//   - credential - used to authorize requests. Usually a credential from azidentity.
+//   - options - pass nil to accept the default values.
+func NewVaultsClient(subscriptionID string, credential azcore.TokenCredential, options *arm.ClientOptions) (*VaultsClient, error) {
+	cl, err := arm.NewClient(moduleName, moduleVersion, credential, options)
+	if err != nil {
+		return nil, err
+	}
+	client := &VaultsClient{
+		subscriptionID: subscriptionID,
+		internal:       cl,
+	}
+	return client, nil
+}
+
+// CheckNameAvailability - Checks that the vault name is valid and is not already in use.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - vaultName - The name of the vault.
+//   - options - VaultsClientCheckNameAvailabilityOptions contains the optional parameters for the VaultsClient.CheckNameAvailability
+//     method.
+func (client *VaultsClient) CheckNameAvailability(ctx context.Context, vaultName VaultCheckNameAvailabilityParameters, options *VaultsClientCheckNameAvailabilityOptions) (VaultsClientCheckNameAvailabilityResponse, error) {
+	var err error
+	const operationName = "VaultsClient.CheckNameAvailability"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.checkNameAvailabilityCreateRequest(ctx, vaultName, options)
+	if err != nil {
+		return VaultsClientCheckNameAvailabilityResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return VaultsClientCheckNameAvailabilityResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return VaultsClientCheckNameAvailabilityResponse{}, err
+	}
+	resp, err := client.checkNameAvailabilityHandleResponse(httpResp)
+	return resp, err
+}
+
+// checkNameAvailabilityCreateRequest creates the CheckNameAvailability request.
+func (client *VaultsClient) checkNameAvailabilityCreateRequest(ctx context.Context, vaultName VaultCheckNameAvailabilityParameters, options *VaultsClientCheckNameAvailabilityOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/checkNameAvailability"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPost, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, vaultName); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// checkNameAvailabilityHandleResponse handles the CheckNameAvailability response.
+func (client *VaultsClient) checkNameAvailabilityHandleResponse(resp *http.Response) (VaultsClientCheckNameAvailabilityResponse, error) {
+	result := VaultsClientCheckNameAvailabilityResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.CheckNameAvailabilityResult); err != nil {
+		return VaultsClientCheckNameAvailabilityResponse{}, err
+	}
+	return result, nil
+}
+
+// BeginCreateOrUpdate - Create or update a key vault in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the server belongs.
+//   - vaultName - Name of the vault
+//   - parameters - Parameters to create or update the vault
+//   - options - VaultsClientBeginCreateOrUpdateOptions contains the optional parameters for the VaultsClient.BeginCreateOrUpdate
+//     method.
+func (client *VaultsClient) BeginCreateOrUpdate(ctx context.Context, resourceGroupName string, vaultName string, parameters VaultCreateOrUpdateParameters, options *VaultsClientBeginCreateOrUpdateOptions) (*runtime.Poller[VaultsClientCreateOrUpdateResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.createOrUpdate(ctx, resourceGroupName, vaultName, parameters, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[VaultsClientCreateOrUpdateResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[VaultsClientCreateOrUpdateResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// CreateOrUpdate - Create or update a key vault in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *VaultsClient) createOrUpdate(ctx context.Context, resourceGroupName string, vaultName string, parameters VaultCreateOrUpdateParameters, options *VaultsClientBeginCreateOrUpdateOptions) (*http.Response, error) {
+	var err error
+	const operationName = "VaultsClient.BeginCreateOrUpdate"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.createOrUpdateCreateRequest(ctx, resourceGroupName, vaultName, parameters, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusCreated) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// createOrUpdateCreateRequest creates the CreateOrUpdate request.
+func (client *VaultsClient) createOrUpdateCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, parameters VaultCreateOrUpdateParameters, options *VaultsClientBeginCreateOrUpdateOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// Delete - Deletes the specified Azure key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - vaultName - The name of the vault to delete
+//   - options - VaultsClientDeleteOptions contains the optional parameters for the VaultsClient.Delete method.
+func (client *VaultsClient) Delete(ctx context.Context, resourceGroupName string, vaultName string, options *VaultsClientDeleteOptions) (VaultsClientDeleteResponse, error) {
+	var err error
+	const operationName = "VaultsClient.Delete"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.deleteCreateRequest(ctx, resourceGroupName, vaultName, options)
+	if err != nil {
+		return VaultsClientDeleteResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return VaultsClientDeleteResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusNoContent) {
+		err = runtime.NewResponseError(httpResp)
+		return VaultsClientDeleteResponse{}, err
+	}
+	return VaultsClientDeleteResponse{}, nil
+}
+
+// deleteCreateRequest creates the Delete request.
+func (client *VaultsClient) deleteCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, options *VaultsClientDeleteOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodDelete, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// Get - Gets the specified Azure key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - vaultName - The name of the vault.
+//   - options - VaultsClientGetOptions contains the optional parameters for the VaultsClient.Get method.
+func (client *VaultsClient) Get(ctx context.Context, resourceGroupName string, vaultName string, options *VaultsClientGetOptions) (VaultsClientGetResponse, error) {
+	var err error
+	const operationName = "VaultsClient.Get"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getCreateRequest(ctx, resourceGroupName, vaultName, options)
+	if err != nil {
+		return VaultsClientGetResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return VaultsClientGetResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return VaultsClientGetResponse{}, err
+	}
+	resp, err := client.getHandleResponse(httpResp)
+	return resp, err
+}
+
+// getCreateRequest creates the Get request.
+func (client *VaultsClient) getCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, options *VaultsClientGetOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getHandleResponse handles the Get response.
+func (client *VaultsClient) getHandleResponse(resp *http.Response) (VaultsClientGetResponse, error) {
+	result := VaultsClientGetResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Vault); err != nil {
+		return VaultsClientGetResponse{}, err
+	}
+	return result, nil
+}
+
+// GetDeleted - Gets the deleted Azure key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - vaultName - The name of the vault.
+//   - location - The location of the deleted vault.
+//   - options - VaultsClientGetDeletedOptions contains the optional parameters for the VaultsClient.GetDeleted method.
+func (client *VaultsClient) GetDeleted(ctx context.Context, vaultName string, location string, options *VaultsClientGetDeletedOptions) (VaultsClientGetDeletedResponse, error) {
+	var err error
+	const operationName = "VaultsClient.GetDeleted"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.getDeletedCreateRequest(ctx, vaultName, location, options)
+	if err != nil {
+		return VaultsClientGetDeletedResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return VaultsClientGetDeletedResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK) {
+		err = runtime.NewResponseError(httpResp)
+		return VaultsClientGetDeletedResponse{}, err
+	}
+	resp, err := client.getDeletedHandleResponse(httpResp)
+	return resp, err
+}
+
+// getDeletedCreateRequest creates the GetDeleted request.
+func (client *VaultsClient) getDeletedCreateRequest(ctx context.Context, vaultName string, location string, options *VaultsClientGetDeletedOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/locations/{location}/deletedVaults/{vaultName}"
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if location == "" {
+		return nil, errors.New("parameter location cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{location}", url.PathEscape(location))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// getDeletedHandleResponse handles the GetDeleted response.
+func (client *VaultsClient) getDeletedHandleResponse(resp *http.Response) (VaultsClientGetDeletedResponse, error) {
+	result := VaultsClientGetDeletedResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.DeletedVault); err != nil {
+		return VaultsClientGetDeletedResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListPager - The List operation gets information about the vaults associated with the subscription.
+//
+// Generated from API version 2023-07-01
+//   - options - VaultsClientListOptions contains the optional parameters for the VaultsClient.NewListPager method.
+func (client *VaultsClient) NewListPager(options *VaultsClientListOptions) *runtime.Pager[VaultsClientListResponse] {
+	return runtime.NewPager(runtime.PagingHandler[VaultsClientListResponse]{
+		More: func(page VaultsClientListResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *VaultsClientListResponse) (VaultsClientListResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "VaultsClient.NewListPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listCreateRequest(ctx, options)
+			}, nil)
+			if err != nil {
+				return VaultsClientListResponse{}, err
+			}
+			return client.listHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listCreateRequest creates the List request.
+func (client *VaultsClient) listCreateRequest(ctx context.Context, options *VaultsClientListOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resources"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("$filter", "resourceType eq 'Microsoft.KeyVault/vaults'")
+	if options != nil && options.Top != nil {
+		reqQP.Set("$top", strconv.FormatInt(int64(*options.Top), 10))
+	}
+	reqQP.Set("api-version", "2015-11-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listHandleResponse handles the List response.
+func (client *VaultsClient) listHandleResponse(resp *http.Response) (VaultsClientListResponse, error) {
+	result := VaultsClientListResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.ResourceListResult); err != nil {
+		return VaultsClientListResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListByResourceGroupPager - The List operation gets information about the vaults associated with the subscription and
+// within the specified resource group.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - options - VaultsClientListByResourceGroupOptions contains the optional parameters for the VaultsClient.NewListByResourceGroupPager
+//     method.
+func (client *VaultsClient) NewListByResourceGroupPager(resourceGroupName string, options *VaultsClientListByResourceGroupOptions) *runtime.Pager[VaultsClientListByResourceGroupResponse] {
+	return runtime.NewPager(runtime.PagingHandler[VaultsClientListByResourceGroupResponse]{
+		More: func(page VaultsClientListByResourceGroupResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *VaultsClientListByResourceGroupResponse) (VaultsClientListByResourceGroupResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "VaultsClient.NewListByResourceGroupPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listByResourceGroupCreateRequest(ctx, resourceGroupName, options)
+			}, nil)
+			if err != nil {
+				return VaultsClientListByResourceGroupResponse{}, err
+			}
+			return client.listByResourceGroupHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listByResourceGroupCreateRequest creates the ListByResourceGroup request.
+func (client *VaultsClient) listByResourceGroupCreateRequest(ctx context.Context, resourceGroupName string, options *VaultsClientListByResourceGroupOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	if options != nil && options.Top != nil {
+		reqQP.Set("$top", strconv.FormatInt(int64(*options.Top), 10))
+	}
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listByResourceGroupHandleResponse handles the ListByResourceGroup response.
+func (client *VaultsClient) listByResourceGroupHandleResponse(resp *http.Response) (VaultsClientListByResourceGroupResponse, error) {
+	result := VaultsClientListByResourceGroupResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.VaultListResult); err != nil {
+		return VaultsClientListByResourceGroupResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListBySubscriptionPager - The List operation gets information about the vaults associated with the subscription.
+//
+// Generated from API version 2023-07-01
+//   - options - VaultsClientListBySubscriptionOptions contains the optional parameters for the VaultsClient.NewListBySubscriptionPager
+//     method.
+func (client *VaultsClient) NewListBySubscriptionPager(options *VaultsClientListBySubscriptionOptions) *runtime.Pager[VaultsClientListBySubscriptionResponse] {
+	return runtime.NewPager(runtime.PagingHandler[VaultsClientListBySubscriptionResponse]{
+		More: func(page VaultsClientListBySubscriptionResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *VaultsClientListBySubscriptionResponse) (VaultsClientListBySubscriptionResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "VaultsClient.NewListBySubscriptionPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listBySubscriptionCreateRequest(ctx, options)
+			}, nil)
+			if err != nil {
+				return VaultsClientListBySubscriptionResponse{}, err
+			}
+			return client.listBySubscriptionHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listBySubscriptionCreateRequest creates the ListBySubscription request.
+func (client *VaultsClient) listBySubscriptionCreateRequest(ctx context.Context, options *VaultsClientListBySubscriptionOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/vaults"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	if options != nil && options.Top != nil {
+		reqQP.Set("$top", strconv.FormatInt(int64(*options.Top), 10))
+	}
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listBySubscriptionHandleResponse handles the ListBySubscription response.
+func (client *VaultsClient) listBySubscriptionHandleResponse(resp *http.Response) (VaultsClientListBySubscriptionResponse, error) {
+	result := VaultsClientListBySubscriptionResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.VaultListResult); err != nil {
+		return VaultsClientListBySubscriptionResponse{}, err
+	}
+	return result, nil
+}
+
+// NewListDeletedPager - Gets information about the deleted vaults in a subscription.
+//
+// Generated from API version 2023-07-01
+//   - options - VaultsClientListDeletedOptions contains the optional parameters for the VaultsClient.NewListDeletedPager method.
+func (client *VaultsClient) NewListDeletedPager(options *VaultsClientListDeletedOptions) *runtime.Pager[VaultsClientListDeletedResponse] {
+	return runtime.NewPager(runtime.PagingHandler[VaultsClientListDeletedResponse]{
+		More: func(page VaultsClientListDeletedResponse) bool {
+			return page.NextLink != nil && len(*page.NextLink) > 0
+		},
+		Fetcher: func(ctx context.Context, page *VaultsClientListDeletedResponse) (VaultsClientListDeletedResponse, error) {
+			ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, "VaultsClient.NewListDeletedPager")
+			nextLink := ""
+			if page != nil {
+				nextLink = *page.NextLink
+			}
+			resp, err := runtime.FetcherForNextLink(ctx, client.internal.Pipeline(), nextLink, func(ctx context.Context) (*policy.Request, error) {
+				return client.listDeletedCreateRequest(ctx, options)
+			}, nil)
+			if err != nil {
+				return VaultsClientListDeletedResponse{}, err
+			}
+			return client.listDeletedHandleResponse(resp)
+		},
+		Tracer: client.internal.Tracer(),
+	})
+}
+
+// listDeletedCreateRequest creates the ListDeleted request.
+func (client *VaultsClient) listDeletedCreateRequest(ctx context.Context, options *VaultsClientListDeletedOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/deletedVaults"
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodGet, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// listDeletedHandleResponse handles the ListDeleted response.
+func (client *VaultsClient) listDeletedHandleResponse(resp *http.Response) (VaultsClientListDeletedResponse, error) {
+	result := VaultsClientListDeletedResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.DeletedVaultListResult); err != nil {
+		return VaultsClientListDeletedResponse{}, err
+	}
+	return result, nil
+}
+
+// BeginPurgeDeleted - Permanently deletes the specified vault. aka Purges the deleted Azure key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - vaultName - The name of the soft-deleted vault.
+//   - location - The location of the soft-deleted vault.
+//   - options - VaultsClientBeginPurgeDeletedOptions contains the optional parameters for the VaultsClient.BeginPurgeDeleted
+//     method.
+func (client *VaultsClient) BeginPurgeDeleted(ctx context.Context, vaultName string, location string, options *VaultsClientBeginPurgeDeletedOptions) (*runtime.Poller[VaultsClientPurgeDeletedResponse], error) {
+	if options == nil || options.ResumeToken == "" {
+		resp, err := client.purgeDeleted(ctx, vaultName, location, options)
+		if err != nil {
+			return nil, err
+		}
+		poller, err := runtime.NewPoller(resp, client.internal.Pipeline(), &runtime.NewPollerOptions[VaultsClientPurgeDeletedResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+		return poller, err
+	} else {
+		return runtime.NewPollerFromResumeToken(options.ResumeToken, client.internal.Pipeline(), &runtime.NewPollerFromResumeTokenOptions[VaultsClientPurgeDeletedResponse]{
+			Tracer: client.internal.Tracer(),
+		})
+	}
+}
+
+// PurgeDeleted - Permanently deletes the specified vault. aka Purges the deleted Azure key vault.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+func (client *VaultsClient) purgeDeleted(ctx context.Context, vaultName string, location string, options *VaultsClientBeginPurgeDeletedOptions) (*http.Response, error) {
+	var err error
+	const operationName = "VaultsClient.BeginPurgeDeleted"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.purgeDeletedCreateRequest(ctx, vaultName, location, options)
+	if err != nil {
+		return nil, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return nil, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusAccepted) {
+		err = runtime.NewResponseError(httpResp)
+		return nil, err
+	}
+	return httpResp, nil
+}
+
+// purgeDeletedCreateRequest creates the PurgeDeleted request.
+func (client *VaultsClient) purgeDeletedCreateRequest(ctx context.Context, vaultName string, location string, options *VaultsClientBeginPurgeDeletedOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/locations/{location}/deletedVaults/{vaultName}/purge"
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if location == "" {
+		return nil, errors.New("parameter location cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{location}", url.PathEscape(location))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPost, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	return req, nil
+}
+
+// Update - Update a key vault in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the server belongs.
+//   - vaultName - Name of the vault
+//   - parameters - Parameters to patch the vault
+//   - options - VaultsClientUpdateOptions contains the optional parameters for the VaultsClient.Update method.
+func (client *VaultsClient) Update(ctx context.Context, resourceGroupName string, vaultName string, parameters VaultPatchParameters, options *VaultsClientUpdateOptions) (VaultsClientUpdateResponse, error) {
+	var err error
+	const operationName = "VaultsClient.Update"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.updateCreateRequest(ctx, resourceGroupName, vaultName, parameters, options)
+	if err != nil {
+		return VaultsClientUpdateResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return VaultsClientUpdateResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusCreated) {
+		err = runtime.NewResponseError(httpResp)
+		return VaultsClientUpdateResponse{}, err
+	}
+	resp, err := client.updateHandleResponse(httpResp)
+	return resp, err
+}
+
+// updateCreateRequest creates the Update request.
+func (client *VaultsClient) updateCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, parameters VaultPatchParameters, options *VaultsClientUpdateOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPatch, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// updateHandleResponse handles the Update response.
+func (client *VaultsClient) updateHandleResponse(resp *http.Response) (VaultsClientUpdateResponse, error) {
+	result := VaultsClientUpdateResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.Vault); err != nil {
+		return VaultsClientUpdateResponse{}, err
+	}
+	return result, nil
+}
+
+// UpdateAccessPolicy - Update access policies in a key vault in the specified subscription.
+// If the operation fails it returns an *azcore.ResponseError type.
+//
+// Generated from API version 2023-07-01
+//   - resourceGroupName - The name of the Resource Group to which the vault belongs.
+//   - vaultName - Name of the vault
+//   - operationKind - Name of the operation
+//   - parameters - Access policy to merge into the vault
+//   - options - VaultsClientUpdateAccessPolicyOptions contains the optional parameters for the VaultsClient.UpdateAccessPolicy
+//     method.
+func (client *VaultsClient) UpdateAccessPolicy(ctx context.Context, resourceGroupName string, vaultName string, operationKind AccessPolicyUpdateKind, parameters VaultAccessPolicyParameters, options *VaultsClientUpdateAccessPolicyOptions) (VaultsClientUpdateAccessPolicyResponse, error) {
+	var err error
+	const operationName = "VaultsClient.UpdateAccessPolicy"
+	ctx = context.WithValue(ctx, runtime.CtxAPINameKey{}, operationName)
+	ctx, endSpan := runtime.StartSpan(ctx, operationName, client.internal.Tracer(), nil)
+	defer func() { endSpan(err) }()
+	req, err := client.updateAccessPolicyCreateRequest(ctx, resourceGroupName, vaultName, operationKind, parameters, options)
+	if err != nil {
+		return VaultsClientUpdateAccessPolicyResponse{}, err
+	}
+	httpResp, err := client.internal.Pipeline().Do(req)
+	if err != nil {
+		return VaultsClientUpdateAccessPolicyResponse{}, err
+	}
+	if !runtime.HasStatusCode(httpResp, http.StatusOK, http.StatusCreated) {
+		err = runtime.NewResponseError(httpResp)
+		return VaultsClientUpdateAccessPolicyResponse{}, err
+	}
+	resp, err := client.updateAccessPolicyHandleResponse(httpResp)
+	return resp, err
+}
+
+// updateAccessPolicyCreateRequest creates the UpdateAccessPolicy request.
+func (client *VaultsClient) updateAccessPolicyCreateRequest(ctx context.Context, resourceGroupName string, vaultName string, operationKind AccessPolicyUpdateKind, parameters VaultAccessPolicyParameters, options *VaultsClientUpdateAccessPolicyOptions) (*policy.Request, error) {
+	urlPath := "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}/accessPolicies/{operationKind}"
+	if resourceGroupName == "" {
+		return nil, errors.New("parameter resourceGroupName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{resourceGroupName}", url.PathEscape(resourceGroupName))
+	if vaultName == "" {
+		return nil, errors.New("parameter vaultName cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{vaultName}", url.PathEscape(vaultName))
+	if operationKind == "" {
+		return nil, errors.New("parameter operationKind cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{operationKind}", url.PathEscape(string(operationKind)))
+	if client.subscriptionID == "" {
+		return nil, errors.New("parameter client.subscriptionID cannot be empty")
+	}
+	urlPath = strings.ReplaceAll(urlPath, "{subscriptionId}", url.PathEscape(client.subscriptionID))
+	req, err := runtime.NewRequest(ctx, http.MethodPut, runtime.JoinPaths(client.internal.Endpoint(), urlPath))
+	if err != nil {
+		return nil, err
+	}
+	reqQP := req.Raw().URL.Query()
+	reqQP.Set("api-version", "2023-07-01")
+	req.Raw().URL.RawQuery = reqQP.Encode()
+	req.Raw().Header["Accept"] = []string{"application/json"}
+	if err := runtime.MarshalAsJSON(req, parameters); err != nil {
+		return nil, err
+	}
+	return req, nil
+}
+
+// updateAccessPolicyHandleResponse handles the UpdateAccessPolicy response.
+func (client *VaultsClient) updateAccessPolicyHandleResponse(resp *http.Response) (VaultsClientUpdateAccessPolicyResponse, error) {
+	result := VaultsClientUpdateAccessPolicyResponse{}
+	if err := runtime.UnmarshalAsJSON(resp, &result.VaultAccessPolicyParameters); err != nil {
+		return VaultsClientUpdateAccessPolicyResponse{}, err
+	}
+	return result, nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f662d787b..9c1a9aad9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -42,8 +42,9 @@ github.com/Azure/azure-sdk-for-go/sdk/azcore/log
 github.com/Azure/azure-sdk-for-go/sdk/azcore/policy
 github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime
 github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming
+github.com/Azure/azure-sdk-for-go/sdk/azcore/to
 github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing
-# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1
+# github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/azidentity
 # github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1
@@ -58,6 +59,9 @@ github.com/Azure/azure-sdk-for-go/sdk/internal/uuid
 # github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2 v2.5.0
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2
+# github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0
+## explicit; go 1.18
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault
 # github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2 v2.2.1
 ## explicit; go 1.18
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2