Merge pull request #111 from reneenoble/keyvault_fix2

Force KeyVault firewall security
Azure-Samples · May 6, 2024 · 5a1315c · 5a1315c
2 parents 3c59d7d + 95ea209
commit 5a1315c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/.cruft.json b/.cruft.json
@@ -1,6 +1,6 @@
 {
   "template": "https://github.com/Azure-Samples/Azure-Python-Standardization-Template-Generator",
-  "commit": "f9a5fdc99895df6e7f4844a19cb000ec8eb23bca",
+  "commit": "071985944385a0faa5d5510469b94eac92339d1f",
   "checkout": null,
   "context": {
     "cookiecutter": {

diff --git a/infra/core/security/keyvault.bicep b/infra/core/security/keyvault.bicep
@@ -5,13 +5,26 @@ param tags object = {}
 
 param principalId string = ''
 
+@description('List of IP addresses or IP address ranges in CIDR format that are allowed to access the key vault.')
+param ipRules array = []
+
+// Allow all Azure services to bypass Key Vault network rules
+param allowAzureServicesAccess bool = true
+
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: name
   location: location
   tags: tags
   properties: {
     tenantId: subscription().tenantId
     sku: { family: 'A', name: 'standard' }
+    networkAcls: {
+      bypass: allowAzureServicesAccess ? 'AzureServices' : 'None'
+      defaultAction: 'Deny'
+      ipRules: ipRules
+      virtualNetworkRules: []
+    }
+    enableRbacAuthorization: true
     accessPolicies: !empty(principalId) ? [
       {
         objectId: principalId