From 8cec4232f62bb51a2c7c850b70f17f573c0662a0 Mon Sep 17 00:00:00 2001
From: SeSeicht
Date: Fri, 18 Nov 2022 12:09:59 +0100
Subject: [PATCH 1/2] enablePurgeProtection per default - disable in tests
---
.../vaults/.test/common/deploy.test.bicep | 4 ++++
.../vaults/.test/min/deploy.test.bicep | 4 ++++
.../vaults/.test/pe/deploy.test.bicep | 4 ++++
modules/Microsoft.KeyVault/vaults/deploy.bicep | 2 +-
modules/Microsoft.KeyVault/vaults/readme.md | 18 +++++++++++++++++-
5 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
index 5e3c67f620..06fad095bd 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
@@ -3,6 +3,9 @@ targetScope = 'subscription'
 // ========== //
 // Parameters //
 // ========== //
+@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
+param enablePurgeProtection bool = false
+
 @description('Optional. The name of the resource group to deploy for testing purposes')
 @maxLength(90)
 param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
@@ -90,6 +93,7 @@ module testDeployment '../../deploy.bicep' = {
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+ enablePurgeProtection: enablePurgeProtection
 enableRbacAuthorization: false
 keys: [
 {
diff --git a/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
index ddd6482c41..2212c77e1f 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
@@ -3,6 +3,9 @@ targetScope = 'subscription'
 // ========== //
 // Parameters //
 // ========== //
+@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
+param enablePurgeProtection bool = false
+
 @description('Optional. The name of the resource group to deploy for testing purposes')
 @maxLength(90)
 param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
@@ -33,5 +36,6 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 name: '<>${serviceShort}002'
+ enablePurgeProtection: enablePurgeProtection
 }
 }
diff --git a/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
index 8632c03220..b53368684c 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
@@ -3,6 +3,9 @@ targetScope = 'subscription'
 // ========== //
 // Parameters //
 // ========== //
+@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
+param enablePurgeProtection bool = false
+
 @description('Optional. The name of the resource group to deploy for testing purposes')
 @maxLength(90)
 param resourceGroupName string = 'ms.keyvault.vaults-${serviceShort}-rg'
@@ -41,6 +44,7 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 name: '<>${serviceShort}001'
+ enablePurgeProtection: enablePurgeProtection
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
diff --git a/modules/Microsoft.KeyVault/vaults/deploy.bicep b/modules/Microsoft.KeyVault/vaults/deploy.bicep
index be8a4dcc17..381c9db8a8 100644
--- a/modules/Microsoft.KeyVault/vaults/deploy.bicep
+++ b/modules/Microsoft.KeyVault/vaults/deploy.bicep
@@ -52,7 +52,7 @@ param enableRbacAuthorization bool = false
 param createMode string = 'default'
 
 @description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
-param enablePurgeProtection bool = false
+param enablePurgeProtection bool = true
 
 @description('Optional. Specifies the SKU for the vault.')
 @allowed([
diff --git a/modules/Microsoft.KeyVault/vaults/readme.md b/modules/Microsoft.KeyVault/vaults/readme.md
index 8b5cc490b8..7f7a993c71 100644
--- a/modules/Microsoft.KeyVault/vaults/readme.md
+++ b/modules/Microsoft.KeyVault/vaults/readme.md
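Review bot: The `@description` kept above the changed line still reads as an opt-in ("Provide 'true' to enable …") although the default is now `true`, so module consumers will not learn from the parameter itself that they get purge protection unless they opt out, nor that the setting is a one-way door. Purge protection cannot be disabled once it has been enabled on a vault, and it can only be turned on when soft delete is enabled, so both facts belong in the description: `@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature. Enabled by default; once enabled it cannot be disabled again, and it requires soft delete to be enabled.')`. The resource body that maps this parameter onto the vault properties lies outside the hunk; presumably it already handles an explicit `false` (which the tests now pass), but that mapping is worth re-checking now that callers are expected to opt out rather than in.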
@@ -47,7 +47,7 @@ This module deploys a key vault and its child resources.
 | `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| `enablePurgeProtection` | bool | `False` | | Provide 'true' to enable Key Vault's purge protection feature. |
+| `enablePurgeProtection` | bool | `True` | | Provide 'true' to enable Key Vault's purge protection feature. |
 | `enableRbacAuthorization` | bool | `False` | | Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. |
 | `enableSoftDelete` | bool | `True` | | Switch to enable/disable Key Vault's soft delete feature. |
 | `enableVaultForDeployment` | bool | `True` | `[False, True]` | Specifies if the vault is enabled for deployment by script or compute. |
@@ -429,6 +429,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 diagnosticLogsRetentionInDays: 7
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
+ enablePurgeProtection: ''
 enableRbacAuthorization: false
 keys: [
 {
@@ -569,6 +570,9 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 "diagnosticWorkspaceId": {
 "value": ""
 },
+ "enablePurgeProtection": {
+ "value": ""
+ },
 "enableRbacAuthorization": {
 "value": false
 },
@@ -679,7 +683,10 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-kvvmin'
 params: {
+ // Required parameters
 name: '<>kvvmin002'
+ // Non-required parameters
+ enablePurgeProtection: ''
 }
 }
 ```
@@ -696,8 +703,13 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
+ // Required parameters
 "name": {
 "value": "<>kvvmin002"
+ },
+ // Non-required parameters
+ "enablePurgeProtection": {
+ "value": ""
 }
 }
 }
@@ -719,6 +731,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 // Required parameters
 name: '<>kvvpe001'
 // Non-required parameters
+ enablePurgeProtection: ''
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
@@ -755,6 +768,9 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 "value": "<>kvvpe001"
 },
 // Non-required parameters
+ "enablePurgeProtection": {
+ "value": ""
+ },
 "privateEndpoints": {
 "value": [
 {
From 977fbdddd4a001e3901418ab7eaa3b68120d05b9 Mon Sep 17 00:00:00 2001
From: SeSeicht
Date: Fri, 18 Nov 2022 19:36:14 +0100
Subject: [PATCH 2/2] not using variables in test files anymore
---
.../vaults/.test/common/deploy.test.bicep | 5 ++---
.../vaults/.test/min/deploy.test.bicep | 5 ++---
.../vaults/.test/pe/deploy.test.bicep | 5 ++---
modules/Microsoft.KeyVault/vaults/readme.md | 12 ++++++------
4 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
index 06fad095bd..40cd8f5a55 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/common/deploy.test.bicep
@@ -3,8 +3,6 @@ targetScope = 'subscription'
 // ========== //
 // Parameters //
 // ========== //
-@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
-param enablePurgeProtection bool = false
 
 @description('Optional. The name of the resource group to deploy for testing purposes')
 @maxLength(90)
@@ -93,7 +91,8 @@ module testDeployment '../../deploy.bicep' = {
 diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
 diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
- enablePurgeProtection: enablePurgeProtection
+ // Only for testing purposes
+ enablePurgeProtection: false
 enableRbacAuthorization: false
 keys: [
 {
diff --git a/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
index 2212c77e1f..3440b9989c 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/min/deploy.test.bicep
@@ -3,8 +3,6 @@ targetScope = 'subscription'
 // ========== //
 // Parameters //
 // ========== //
-@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
-param enablePurgeProtection bool = false
 
 @description('Optional. The name of the resource group to deploy for testing purposes')
 @maxLength(90)
@@ -36,6 +34,7 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 name: '<>${serviceShort}002'
- enablePurgeProtection: enablePurgeProtection
+ // Only for testing purposes
+ enablePurgeProtection: false
 }
 }
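Review bot: The added `// Only for testing purposes` comment above `enablePurgeProtection: false` says that the override is test-only but not why, and the reason is the one thing a future maintainer needs before "fixing" the test to match the new module default. The same two lines are added in the `min` test below and in the `pe` test that follows; the comment should be the same in all three, e.g. `// Only for testing purposes: purge protection is irreversible once enabled and would keep the test vault from being purged after the run`. With all three tests opting out, the new default `true` path is never deployed by the test suite; if the cleanup pipeline can tolerate a vault that stays in soft-deleted state for its retention period, leaving one test at the default would exercise the hardened configuration at least once. The `testDeployment` module block these hunks touch starts and ends outside the hunks.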
diff --git a/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep b/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
index b53368684c..8022a8f826 100644
--- a/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
+++ b/modules/Microsoft.KeyVault/vaults/.test/pe/deploy.test.bicep
@@ -3,8 +3,6 @@ targetScope = 'subscription'
 // ========== //
 // Parameters //
 // ========== //
-@description('Optional. Provide \'true\' to enable Key Vault\'s purge protection feature.')
-param enablePurgeProtection bool = false
 
 @description('Optional. The name of the resource group to deploy for testing purposes')
 @maxLength(90)
@@ -44,7 +42,8 @@ module testDeployment '../../deploy.bicep' = {
 name: '${uniqueString(deployment().name)}-test-${serviceShort}'
 params: {
 name: '<>${serviceShort}001'
- enablePurgeProtection: enablePurgeProtection
+ // Only for testing purposes
+ enablePurgeProtection: false
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
diff --git a/modules/Microsoft.KeyVault/vaults/readme.md b/modules/Microsoft.KeyVault/vaults/readme.md
index 7f7a993c71..b43b2bd82e 100644
--- a/modules/Microsoft.KeyVault/vaults/readme.md
+++ b/modules/Microsoft.KeyVault/vaults/readme.md
@@ -429,7 +429,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 diagnosticLogsRetentionInDays: 7
 diagnosticStorageAccountId: ''
 diagnosticWorkspaceId: ''
- enablePurgeProtection: ''
+ enablePurgeProtection: false
 enableRbacAuthorization: false
 keys: [
 {
@@ -571,7 +571,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 "value": ""
 },
 "enablePurgeProtection": {
- "value": ""
+ "value": false
 },
 "enableRbacAuthorization": {
 "value": false
@@ -686,7 +686,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 // Required parameters
 name: '<>kvvmin002'
 // Non-required parameters
- enablePurgeProtection: ''
+ enablePurgeProtection: false
 }
 }
 ```
@@ -709,7 +709,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 },
 // Non-required parameters
 "enablePurgeProtection": {
- "value": ""
+ "value": false
 }
 }
 }
@@ -731,7 +731,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 // Required parameters
 name: '<>kvvpe001'
 // Non-required parameters
- enablePurgeProtection: ''
+ enablePurgeProtection: false
 privateEndpoints: [
 {
 privateDnsZoneGroup: {
@@ -769,7 +769,7 @@ module vaults './Microsoft.KeyVault/vaults/deploy.bicep' = {
 },
 // Non-required parameters
 "enablePurgeProtection": {
- "value": ""
+ "value": false
 },
 "privateEndpoints": {
 "value": [