# azure-vault-allow-firewall

Ensure that key vault allows firewall rules settings

It is recommended to ensure that your Azure Key Vault is protected by firewall rules in order to reduce the risk of misconfigured access policies on the Key Vault. Such misconfigurations might allow an unauthorized system to access your secrets and gain access to further sensitive systems.

## Examples

### Insecure Example
```hcl
resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = false
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90
  purge_protection_enabled    = false
  sku_name                    = "standard"

  network_acls {
    bypass         = "None"
    # Allow: any network can reach the vault; access then rests solely on
    # access policies / RBAC being configured correctly.
    default_action = "Allow"
  }
}
```
### Secure Example

```hcl
resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = false
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90
  purge_protection_enabled    = false
  sku_name                    = "standard"

  network_acls {
    bypass         = "None"
    # Deny by default; only the listed subnets may reach the vault.
    default_action = "Deny"
    virtual_network_subnet_ids = var.virtual_network_subnet_ids
  }
}
```
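The following is an added example, not part of this rule page or its scanner, showing how the same check can be run against the JSON produced by `terraform show -json <planfile>`. It walks every module in `planned_values`, finds `azurerm_key_vault` resources, and reports those whose `network_acls` block is missing (assumed here to fall back to Azure's default of allowing all networks) or whose `default_action` is not `Deny`. The plan fragment is constructed inline for the demonstration; the subscription id in it is a placeholder.

```python
"""Flag Key Vaults in a Terraform plan JSON whose firewall allows all networks.

Added example for the azure-vault-allow-firewall rule; assumes the layout of
`terraform show -json` output (planned_values.root_module.resources /
child_modules). Values that are only known after apply are absent from
planned_values, so a vault whose ACLs depend on unknown values is reported
as missing rather than silently passed.
"""
import json

# Constructed sample plan: one open vault, one locked-down vault, and one
# vault in a child module with no network_acls block at all.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "azurerm_key_vault.open",
                    "type": "azurerm_key_vault",
                    "name": "open",
                    "values": {
                        "name": "examplekeyvault",
                        "network_acls": [
                            {"bypass": "None", "default_action": "Allow",
                             "ip_rules": [], "virtual_network_subnet_ids": []}
                        ],
                    },
                },
                {
                    "address": "azurerm_key_vault.locked",
                    "type": "azurerm_key_vault",
                    "name": "locked",
                    "values": {
                        "name": "lockedkeyvault",
                        "network_acls": [
                            {"bypass": "None", "default_action": "Deny",
                             "ip_rules": [],
                             # placeholder subscription id, not a real resource
                             "virtual_network_subnet_ids": [
                                 "/subscriptions/00000000-0000-0000-0000-000000000000"
                                 "/resourceGroups/rg/providers/Microsoft.Network"
                                 "/virtualNetworks/vnet/subnets/app"
                             ]}
                        ],
                    },
                },
            ],
            "child_modules": [
                {
                    "address": "module.shared",
                    "resources": [
                        {
                            "address": "module.shared.azurerm_key_vault.legacy",
                            "type": "azurerm_key_vault",
                            "name": "legacy",
                            "values": {"name": "legacykeyvault"},
                        }
                    ],
                }
            ],
        }
    },
}


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def key_vault_findings(plan):
    """Return [{address, message}] for vaults that do not deny by default."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_key_vault":
            continue
        acls = res.get("values", {}).get("network_acls") or []
        if not acls:
            # Assumption: with no network_acls block the provider leaves the
            # Azure default in place, which allows traffic from all networks.
            findings.append({"address": res["address"],
                             "message": "network_acls block missing; default_action falls back to Allow"})
            continue
        action = str(acls[0].get("default_action", "")).lower()
        if action != "deny":
            findings.append({"address": res["address"],
                             "message": f"network_acls.default_action is {acls[0].get('default_action')!r}, expected 'Deny'"})
    return findings


def scan_plan_file(path):
    """Load a `terraform show -json` file and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return key_vault_findings(json.load(fh))


if __name__ == "__main__":
    for finding in key_vault_findings(SAMPLE_PLAN):
        print(f"{finding['address']}: {finding['message']}")
```

Run against a real plan with `scan_plan_file("tfplan.json")`; the `locked` vault passes because it denies by default and lists explicit subnets, while the `open` vault and the `legacy` vault without any `network_acls` block are both reported.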