diff --git a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json index e47a93745f..1c5cc4ec89 100644 --- a/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json +++ b/arm/Microsoft.KeyVault/vaults/.parameters/parameters.json @@ -11,6 +11,22 @@ "enableRbacAuthorization": { "value": false }, + "privateEndpoints": { + "value": [ + { + "subnetResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-005-privateEndpoints", + "service": "vault" + } + ] + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "virtualNetworkRules": [], + "ipRules": [] + } + }, "roleAssignments": { "value": [ { @@ -27,6 +43,7 @@ "name": "secretName", "value": "secretValue", "contentType": "Something", + "attributesExp": 1702648632, "attributesNbf": 10000, "roleAssignments": [ { @@ -43,6 +60,7 @@ "value": [ { "name": "keyName", + "attributesExp": 1702648632, "attributesNbf": 10000, "roleAssignments": [ { @@ -102,4 +120,4 @@ "value": "adp-sxx-az-evh-x-001" } } -} +} \ No newline at end of file diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep index 44ee6033fa..d653d587fc 100644 --- a/arm/Microsoft.KeyVault/vaults/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep @@ -57,7 +57,7 @@ param enablePurgeProtection bool = false ]) param vaultSku string = 'premium' -@description('Optional. Service endpoint object information') +@description('Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction Deny') param networkAcls object = {} @description('Optional. Virtual Network resource identifier, if networkAcls is passed, this value must be passed as well') @@ -68,16 +68,16 @@ param vNetId string = '' @maxValue(365) param diagnosticLogsRetentionInDays int = 365 -@description('Optional. Resource ID of the diagnostic storage account.') +@description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticStorageAccountId string = '' -@description('Optional. Resource ID of the diagnostic log analytics workspace.') +@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticWorkspaceId string = '' -@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. ') param diagnosticEventHubAuthorizationRuleId string = '' -@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub') param diagnosticEventHubName string = '' @allowed([ @@ -91,7 +91,7 @@ param lock string = 'NotSpecified' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') param roleAssignments array = [] -@description('Optional. Configuration Details for private endpoints.') +@description('Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible') param privateEndpoints array = [] @description('Optional. Resource tags.') diff --git a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep index 323472a0a4..cb311bd70b 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/keys/deploy.bicep @@ -10,7 +10,7 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') +@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible.') param attributesExp int = -1 @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') diff --git a/arm/Microsoft.KeyVault/vaults/keys/readme.md b/arm/Microsoft.KeyVault/vaults/keys/readme.md index 8ff11b72b4..2d282e9348 100644 --- a/arm/Microsoft.KeyVault/vaults/keys/readme.md +++ b/arm/Microsoft.KeyVault/vaults/keys/readme.md @@ -14,7 +14,7 @@ This module deploys a key vault key. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. | +| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `curveName` | string | `P-256` | `[P-256, P-256K, P-384, P-521]` | Optional. The elliptic curve name. | diff --git a/arm/Microsoft.KeyVault/vaults/readme.md b/arm/Microsoft.KeyVault/vaults/readme.md index 5281b52e24..5720a1dbd4 100644 --- a/arm/Microsoft.KeyVault/vaults/readme.md +++ b/arm/Microsoft.KeyVault/vaults/readme.md @@ -25,10 +25,10 @@ This module deploys a key vault and it's child resources. | `createMode` | string | `default` | | Optional. The vault's create mode to indicate whether the vault need to be recovered or not. - recover or default. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `diagnosticEventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `diagnosticEventHubName` | string | | | Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | +| `diagnosticWorkspaceId` | string | | | Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | `enablePurgeProtection` | bool | | | Optional. Provide 'true' to enable Key Vault's purge protection feature. | | `enableRbacAuthorization` | bool | | | Optional. Property that controls how data actions are authorized. When true, the key vault will use Role Based Access Control (RBAC) for authorization of data actions, and the access policies specified in vault properties will be ignored (warning: this is a preview feature). When false, the key vault will use the access policies specified in vault properties, and any policy stored on Azure Resource Manager will be ignored. If null or not specified, the vault is created with the default value of false. Note that management actions are always authorized with RBAC. | | `enableSoftDelete` | bool | `True` | | Optional. Switch to enable/disable Key Vault's soft delete feature. | @@ -41,8 +41,8 @@ This module deploys a key vault and it's child resources. | `logsToEnable` | array | `[AuditEvent]` | `[AuditEvent]` | Optional. The name of logs that will be streamed. | | `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Optional. Name of the Key Vault. If no name is provided, then unique name will be created. | -| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information | -| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. | +| `networkAcls` | object | `{object}` | | Optional. Service endpoint object information. For security reasons, it is recommended to set the DefaultAction `Deny` | +| `privateEndpoints` | array | `[]` | | Optional. Configuration Details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | `roleAssignments` | array | `[]` | | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `secrets` | _[secrets](secrets/readme.md)_ array | `[]` | | Optional. All secrets to create | | `softDeleteRetentionInDays` | int | `90` | | Optional. softDelete data retention days. It accepts >=7 and <=90. | diff --git a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep index c074035a49..00620edcda 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep +++ b/arm/Microsoft.KeyVault/vaults/secrets/deploy.bicep @@ -10,7 +10,7 @@ param tags object = {} @description('Optional. Determines whether the object is enabled.') param attributesEnabled bool = true -@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z.') +@description('Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible.') param attributesExp int = -1 @description('Optional. Not before date in seconds since 1970-01-01T00:00:00Z.') diff --git a/arm/Microsoft.KeyVault/vaults/secrets/readme.md b/arm/Microsoft.KeyVault/vaults/secrets/readme.md index 013d22d710..63559535de 100644 --- a/arm/Microsoft.KeyVault/vaults/secrets/readme.md +++ b/arm/Microsoft.KeyVault/vaults/secrets/readme.md @@ -14,7 +14,7 @@ This module deploys a key vault secret. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `attributesEnabled` | bool | `True` | | Optional. Determines whether the object is enabled. | -| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. | +| `attributesExp` | int | `-1` | | Optional. Expiry date in seconds since 1970-01-01T00:00:00Z. For security reasons, it is recommended to set an expiration date whenever possible. | | `attributesNbf` | int | `-1` | | Optional. Not before date in seconds since 1970-01-01T00:00:00Z. | | `contentType` | secureString | | | Optional. The content type of the secret. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered |