azure-vault-purge-protection
Ensure that key vault enables purge protection
Enabling purge protection ensures that a deleted key vault, or a deleted key, secret or certificate inside it, cannot be permanently purged until the soft-delete retention period (7 to 90 days) has elapsed, so the vault or object can always be recovered within that window. Purge protection builds on soft delete: soft delete alone keeps deleted objects recoverable, but a principal holding the purge permission can still destroy them immediately, which offers no protection against a malicious or compromised administrator. With purge protection enabled, even that principal can only recover, never purge. Note that once purge protection is enabled on a vault it cannot be disabled again, and because the vault name stays reserved until the retention period expires, `terraform destroy` cannot purge the vault to free the name for immediate reuse.
Examples
Insecure Example
resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = false
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90
  purge_protection_enabled    = false # (default value is false)
  sku_name                    = "standard"

  network_acls {
    bypass         = "None"
    default_action = "Allow"
  }
}
Secure Example
resource "azurerm_key_vault" "example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = false
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 90
  purge_protection_enabled    = true # irreversible once applied
  sku_name                    = "standard"

  network_acls {
    bypass         = "None"
    default_action = "Allow"
  }
}
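The check above can also be enforced against a rendered plan rather than raw HCL, which catches values that come from variables or modules. The following is an added example written for this page, not Checkov's own implementation of the check: it walks the JSON produced by `terraform show -json tfplan` (including nested child modules), flags every `azurerm_key_vault` whose `purge_protection_enabled` is not `true`, and also flags a `soft_delete_retention_days` outside Azure's 7 to 90 day range. The sample plan is constructed inline so the script runs offline; the resource names in it are hypothetical.

```python
"""Audit a Terraform plan (terraform show -json tfplan) for Azure Key Vaults
that lack purge protection.

Added example for this page; it is not Checkov's implementation of the check.
The sample plan below is constructed inline so the script runs offline.
"""
import json
from typing import Iterator

# Constructed sample plan in the shape emitted by `terraform show -json`.
# Resource names and values are hypothetical.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "azurerm_key_vault.insecure",
                    "type": "azurerm_key_vault",
                    "name": "insecure",
                    "values": {
                        "name": "examplekeyvault",
                        "soft_delete_retention_days": 90,
                        "purge_protection_enabled": False,
                        "sku_name": "standard",
                    },
                },
                {
                    "address": "azurerm_key_vault.secure",
                    "type": "azurerm_key_vault",
                    "name": "secure",
                    "values": {
                        "name": "securekeyvault",
                        "soft_delete_retention_days": 90,
                        "purge_protection_enabled": True,
                        "sku_name": "standard",
                    },
                },
            ],
            "child_modules": [
                {
                    "address": "module.shared",
                    "resources": [
                        {
                            # Attribute omitted entirely: provider default is false.
                            "address": "module.shared.azurerm_key_vault.unset",
                            "type": "azurerm_key_vault",
                            "name": "unset",
                            "values": {
                                "name": "sharedkeyvault",
                                "sku_name": "standard",
                            },
                        }
                    ],
                }
            ],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_purge_protection(plan_json: str) -> list[tuple[str, str]]:
    """Return (address, reason) for each azurerm_key_vault that fails the check."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings: list[tuple[str, str]] = []
    for res in iter_resources(root):
        if res.get("type") != "azurerm_key_vault":
            continue
        values = res.get("values", {})
        # The provider default is false, so a missing attribute fails as well.
        if values.get("purge_protection_enabled") is not True:
            findings.append((res["address"], "purge_protection_enabled is not true"))
        # Azure only accepts a retention window of 7 to 90 days.
        days = values.get("soft_delete_retention_days")
        if days is not None and not 7 <= days <= 90:
            findings.append((res["address"], f"soft_delete_retention_days={days} outside 7..90"))
    return findings


if __name__ == "__main__":
    for address, reason in check_purge_protection(SAMPLE_PLAN):
        print(f"FAILED {address}: {reason}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `check_purge_protection`; treating a missing attribute as a failure matters because the provider default is `false`, so a vault that never mentions `purge_protection_enabled` is just as exposed as one that sets it explicitly.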