diff --git a/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
index 8abd05065c..0518522c66 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
@@ -90,6 +90,8 @@ module testDeployment '../../deploy.bicep' = {
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ // Only for testing purposes
+ enablePurgeProtection: false
 enableRbacAuthorization: false
 keys: [
 {
diff --git a/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
index 16552c8b48..c14853d8f3 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
@@ -33,5 +33,7 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 name: '<>${serviceShort}002'
+ // Only for testing purposes
+ enablePurgeProtection: false
 }
 }
diff --git a/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
index 0b1d66a6d6..d2525a0557 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
@@ -41,6 +41,8 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 name: '<>${serviceShort}001'
+ // Only for testing purposes
+ enablePurgeProtection: false
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
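Review bot: The `// Only for testing purposes` comment added above `enablePurgeProtection: false` in the common, min and pe test cases does not say what the override is for, so a later maintainer cannot tell whether it is safe to drop; given that this same commit flips the module default to true, presumably the override exists so the test vaults can still be purged during cleanup instead of being retained. Make the reason explicit, e.g. `// Disabled so the test vault can be purged during cleanup; the module default is true`. With all three test cases opting out, the new default is never exercised by any test deployment on this page, which is worth either stating or covering with a dedicated case. Each enclosing `module testDeployment` declaration starts before and ends after its hunk.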
diff --git a/modules/Microsoft.KeyVault/vaults/deploy.bicep b/modules/Microsoft.KeyVault/vaults/deploy.bicep
index be8a4dcc17..381c9db8a8 100644
--- a/modules/Microsoft.KeyVault/vaults/deploy.bicep
+++ b/modules/Microsoft.KeyVault/vaults/deploy.bicep
@@ -52,7 +52,7 @@ param enableRbacAuthorization bool = false
 param createMode string = 'default'
 
 @description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
-param enablePurgeProtection bool = false
+param enablePurgeProtection bool = true
 
 @description('Optional. Specifies the SKU for the vault.')
 @allowed([
diff --git a/modules/Microsoft.KeyVault/vaults/readme.md b/modules/Microsoft.KeyVault/vaults/readme.md
index 8b5cc490b8..b43b2bd82e 100644
--- a/modules/Microsoft.KeyVault/vaults/readme.md
+++ b/modules/Microsoft.KeyVault/vaults/readme.md
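Review bot: The default of `enablePurgeProtection` changes from false to true, but the `@description` directly above it is left untouched and still reads as if the caller must opt in; because purge protection cannot be turned off once enabled, consumers that never set this parameter will receive an irreversible setting on their next deployment, which deserves to be stated at the declaration. Update the description to carry the new default and its consequence, e.g. `@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature. Defaults to true; once enabled it cannot be disabled, and the vault cannot be purged until its retention period expires.')`. The same sentence is repeated in the readme parameter table touched by this commit and should be aligned there as well. Purge protection also depends on soft delete, so a caller that sets `enableSoftDelete` to false without overriding this new default will presumably have the deployment rejected by the service; that coupling is worth a sentence in the description too.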
@@ -47,7 +47,7 @@ This module deploys a key vault and its child resources.
 | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| `enablePurgeProtection` | bool | `False` | | Provide 'true' to enable Key Vault's purge protection feature. |
+| `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. |
 | `enableRbacAuthorization` | bool | `False` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. |
 | `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. |
 | `enableVaultForDeployment` | bool | `True` | `[False, True]` | Specifies if the vault is enabled for deployment by script or compute. |
@@ -429,6 +429,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 diagnosticLogsRetentionInDays: 7
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
+ enablePurgeProtection: false
 enableRbacAuthorization: false
 keys: [
 {
@@ -569,6 +570,9 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 "diagnosticWorkspaceId": {
 "value": ""
 },
+ "enablePurgeProtection": {
+ "value": false
+ },
 "enableRbacAuthorization": {
 "value": false
 },
@@ -679,7 +683,10 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-kvvmin'
 params: {
+ // Required parameters
 name: '<>kvvmin002'
+ // Non-required parameters
+ enablePurgeProtection: false
 }
 }
 ```
@@ -696,8 +703,13 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
+ // Required parameters
 "name": {
 "value": "<>kvvmin002"
+ },
+ // Non-required parameters
+ "enablePurgeProtection": {
+ "value": false
 }
 }
 }
@@ -719,6 +731,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 // Required parameters
 name: '<>kvvpe001'
 // Non-required parameters
+ enablePurgeProtection: false
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
@@ -755,6 +768,9 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 "value": "<>kvvpe001"
 },
 // Non-required parameters
+ "enablePurgeProtection": {
+ "value": false
+ },
 "privateEndpoints": {
 "value": [
 {