
Enable purge protection on key-vault-create vault #14759

Merged

alex-frankel merged 1 commit into Azure:master from msmbaldwin:akv-purge-key-vault-create on May 13, 2026

Conversation

@msmbaldwin
Contributor

Summary

Adds enablePurgeProtection: true to the vault in key-vault-create/main.bicep (and the regenerated azuredeploy.json).

Why

Without purge protection, soft-deleted secrets, keys, and certificates can be permanently destroyed during the soft-delete retention window — either by an attacker with delete permissions or by an accidental az keyvault purge. Enabling purge protection guarantees the configured retention window is honored, which is the recommended Key Vault security baseline (and a hard requirement for several Azure compliance offerings, e.g. for vaults that hold storage account or disk encryption keys). Soft delete + purge protection should both be on by default for a sample that's billed as a quickstart.

The change is minimal: one line added to the properties block. softDeleteRetentionInDays: 90 was already present.

Validation

Per the contribution guide, deployed the updated main.bicep to my subscription:

  • correlationId: 08a19c7d-365d-455d-bbac-4de41d42a718
  • deploymentName: kvc-deploy-2b2b8b3f
  • provisioningState: Succeeded
  • region: eastus

metadata.json updated with validationType: Manual and the testResult.deployments block.

@msmbaldwin
Contributor Author

msmbaldwin commented May 13, 2026

@alex-frankel — first, thanks for your patience and for the clear feedback on the previous round of PRs (#14739, #14740, #14741, #14742). Your write-up of the new testResult requirement was exactly what I needed.

This PR follows the contribution-guide workflow:

  • Updated main.bicep was deployed locally against my subscription before the PR was opened.
  • metadata.json carries validationType: "Manual" and a testResult.deployments block with the real correlationId and deploymentName from that deployment.
  • I also rebased the branch onto current master so the diff is the minimal one-line bicep change + the corresponding regenerated azuredeploy.json + the metadata.json update (no longer showing azuredeploy.json as a new file — that was a fork-staleness artifact in the original push).

Ready for review / /verify whenever you have a moment. Thanks again!

Adds enablePurgeProtection: true to the vault in key-vault-create/main.bicep
(and the regenerated azuredeploy.json).

Without purge protection, soft-deleted vault contents can be permanently
destroyed during the soft-delete retention window. Enabling purge
protection guarantees the configured retention window is honored, which
is the recommended Key Vault security baseline.

Validation:
- correlationId: 08a19c7d-365d-455d-bbac-4de41d42a718
- deploymentName: kvc-deploy-2b2b8b3f
- region: eastus
- provisioningState: Succeeded

metadata.json updated with validationType: Manual and the
testResult.deployments block.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@msmbaldwin force-pushed the akv-purge-key-vault-create branch from 3be8de1 to 94ea243 on May 13, 2026 18:32
@azure-quickstarts added the labels "remove azuredeploy.json" (bicep sample, remove json from PR) and "manual validation required" (This PR requires manual validation) on May 13, 2026
@azure-quickstarts
Collaborator

@mumian - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.]

@alex-frankel
Contributor

/validate

@github-actions

🤖 Quickstart Sample Summary

Sample Summary

  • This sample deploys an Azure Key Vault with Azure RBAC authorization enabled.

  • It also creates a secret stored inside the Key Vault.

  • Purge protection is enabled on the Key Vault to prevent accidental or malicious deletion.

  • To deploy the sample, specify parameters such as the Key Vault name, location, and secrets. The template supports both Bicep (main.bicep) and ARM JSON (azuredeploy.json) versions.

  • The deployment enables soft delete with retention, RBAC authorization, and purge protection as default security features.

Resources Deployed

  • Microsoft.KeyVault/vaults (defined in main.bicep and azuredeploy.json):
    Creates an Azure Key Vault resource with properties including:
    • enableSoftDelete: true, soft delete retention set to 90 days.
    • enablePurgeProtection: true, to prevent purge of deleted vaults.
    • RBAC (Role-Based Access Control) enabled.
    • SKU can be standard or premium.
    • Network ACLs configured but default action is "Allow" (which means accessible from all networks unless modified).
  • No nested or linked templates detected.

Security Findings

  • High Severity:
    • AZR-000355 (Template Analyzer): Key Vault accepts connections from any network by default; recommends setting default action to Deny and configuring firewall rules. Also, if enabling deployment features, allow trusted Microsoft services to bypass firewall.
      • Found in azuredeploy.json line 97 and main.bicep line 50.
    • CKV_AZURE_189 (Checkov): Key Vault public network access is not disabled.
      • Found in azuredeploy.json line 78 and main.bicep line 33.
    • CKV_AZURE_109 (Checkov): Key Vault firewall rules are not sufficiently configured.
      • Found in azuredeploy.json line 78 and main.bicep line 33.
    • CKV_AZURE_41 (Checkov): Secret expiration date is not set.
      • Found in azuredeploy.json line 102 and main.bicep line 56.
  • Medium Severity:
    • AC_AZURE_0169 (Terrascan): Logging for Azure KeyVault is not enabled.
      • Found in azuredeploy.json line 1.
  • Low Severity:
    • CKV_AZURE_114 (Checkov): Key Vault secrets do not have the content_type attribute set.
      • Found in azuredeploy.json line 102 and main.bicep line 56.
  • Additional comments:
    • No hardcoded secrets detected in templates.
    • Network ACL's default action is "Allow", which may expose the vault publicly unless customized.

Key Parameters

  • keyVaultName: Name of the Key Vault.
  • location: Azure location for the Key Vault deployment (defaults to resource group location).
  • tenantId: Azure Active Directory tenant ID for authentication.
  • skuName: SKU tier for Key Vault, allowed values are "standard" or "premium".
  • secretName and secretValue: For creating a secret inside the Key Vault; secretValue is marked secure.

Notes for Reviewers

  • This PR primarily adds enablePurgeProtection: true to Key Vault resource properties, enhancing security by protecting deleted vaults from purging.
  • The sample still configures the Key Vault with network default action "Allow", which is flagged by security scanners as a high risk; this is common in samples but should be noted.
  • The sample does not set expiration on secrets, which is a security best practice flagged by scanners.
  • Logging for Key Vault is not enabled; also recommended for production.
  • Documentation in metadata.json is updated with a new date and test details; no major issues there.
  • No suspicious instructions or hardcoded secrets detected.

Files Touched

  • azuredeploy.json (ARM template updated to enable purge protection)
  • main.bicep (Bicep template updated to enable purge protection)
  • metadata.json (updated metadata such as dateUpdated and validation info)

Generated by the quickstart summarizer agent (v2 — agentic + MSDO security) · triggered by /validate
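The following Bicep is an added example, not the key-vault-create sample's own template and not code from this PR. It shows the purge-protection setting the PR description argues for in context, alongside one way to address the findings the /validate summary above lists (network default action, secret expiration, content type, diagnostic logging). The parameter names, the Log Analytics workspace, the IP allow-list and the one-year secret expiry are assumptions for illustration.

```bicep
// Added example, not the sample's code. Parameter names, the Log Analytics
// workspace, the IP allow-list and the expiry window are assumptions.

@description('Name of the Key Vault (globally unique).')
param keyVaultName string

@description('Azure region; defaults to the resource group location.')
param location string = resourceGroup().location

@description('Entra tenant the vault trusts for authentication.')
param tenantId string = subscription().tenantId

@allowed([
  'standard'
  'premium'
])
param skuName string = 'standard'

@description('Public IPv4 addresses or CIDRs allowed through the vault firewall (assumption).')
param allowedIpRanges array = []

@description('Resource ID of a Log Analytics workspace that receives AuditEvent logs (assumption).')
param logAnalyticsWorkspaceId string

param secretName string

@secure()
param secretValue string

// utcNow() is only permitted in a parameter default; the expiry is derived below.
param deploymentTime string = utcNow()

// Secrets with no expiry are flagged (CKV_AZURE_41); one year is an assumed policy.
var secretExpiryEpoch = dateTimeToEpoch(dateTimeAdd(deploymentTime, 'P1Y'))

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: tenantId
    sku: {
      family: 'A'
      name: skuName
    }
    enableRbacAuthorization: true
    // Soft delete keeps deleted vaults and items recoverable for the retention window.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    // The PR's one-line change. Without it, a principal holding the purge
    // permission (or an 'az keyvault purge') can hard-delete soft-deleted
    // items before the retention window ends. The setting is irreversible:
    // the service rejects 'false', so the only weak configuration is to omit it.
    enablePurgeProtection: true
    // AZR-000355 / CKV_AZURE_109: deny by default and allow only listed
    // addresses. 'AzureServices' lets trusted first-party services (for
    // example ARM template deployment) bypass the firewall. Fully disabling
    // public network access (CKV_AZURE_189) additionally needs a private
    // endpoint, which this example does not create.
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      ipRules: [for ip in allowedIpRanges: {
        value: ip
      }]
      virtualNetworkRules: []
    }
  }
}

// CKV_AZURE_41 / CKV_AZURE_114: give the secret an expiry and a content type.
resource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: secretName
  properties: {
    value: secretValue
    contentType: 'text/plain'
    attributes: {
      exp: secretExpiryEpoch
    }
  }
}

// AC_AZURE_0169: ship AuditEvent logs so deletes and purge attempts are recorded.
resource kvDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${keyVaultName}-audit'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        category: 'AuditEvent'
        enabled: true
      }
    ]
  }
}

output purgeProtectionEnabled bool = kv.properties.enablePurgeProtection
```

Two caveats a practitioner will want. First, purge protection does not prevent deletion; it only prevents the hard purge that would skip the retention window, so a deleted vault or secret still has to be recovered within the 90 days. Second, because the setting cannot be turned off, a vault name stays reserved until the retention window expires after deletion, which matters when a quickstart is deployed and torn down repeatedly under the same name. After deploying, confirm the property took effect with az keyvault show --name <vault> --query properties.enablePurgeProtection, which should return true.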

@alex-frankel alex-frankel merged commit bae8a9e into Azure:master May 13, 2026
6 checks passed
learn-build-service-prod Bot pushed a commit to MicrosoftDocs/azure-security-docs that referenced this pull request May 15, 2026
Brings the portal quickstart in line with the CLI/PowerShell quickstart
includes (MicrosoftDocs/reusable-content#624) and the ARM/Bicep templates
(Azure/azure-quickstart-templates#14759-#14762), all of which now enable
purge protection by default. Adds an explicit step to flip the toggle on
the Recovery options tab and revises the existing NOTE to explain why.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>