Merge pull request #33 from reneenoble/keyvault_fix2

tonybaloney · web-flow · commit 11fb1ab56886 · 2024-05-06T12:16:09.000+10:00
Force KeyVault firewall security
diff --git a/.cruft.json b/.cruft.json
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/Azure-Samples/Azure-Python-Standardization-Template-Generator",
-  "commit": "f9a5fdc99895df6e7f4844a19cb000ec8eb23bca",
+  "commit": "071985944385a0faa5d5510469b94eac92339d1f",
   "checkout": null,
   "context": {
     "cookiecutter": {
diff --git a/infra/core/security/keyvault.bicep b/infra/core/security/keyvault.bicep
@@ -5,13 +5,26 @@ param tags object = {}
 
 param principalId string = ''
 
+@description('List of IP addresses or IP address ranges in CIDR format that are allowed to access the key vault.')
+param ipRules array = []
+
+// Allow all Azure services to bypass Key Vault network rules
+param allowAzureServicesAccess bool = true
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: name
   location: location
   tags: tags
   properties: {
     tenantId: subscription().tenantId
     sku: { family: 'A', name: 'standard' }
+    networkAcls: {
+      bypass: allowAzureServicesAccess ? 'AzureServices' : 'None'
+      defaultAction: 'Deny'
+      ipRules: ipRules
+      virtualNetworkRules: []
+    }
+    enableRbacAuthorization: true
     accessPolicies: !empty(principalId) ? [
       {
         objectId: principalId

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"template": "https://github.com/Azure-Samples/Azure-Python-Standardization-Template-Generator",`
`3`		`- "commit": "f9a5fdc99895df6e7f4844a19cb000ec8eb23bca",`
	`3`	`+ "commit": "071985944385a0faa5d5510469b94eac92339d1f",`
`4`	`4`	`"checkout": null,`
`5`	`5`	`"context": {`
`6`	`6`	`"cookiecutter": {`