Enable purge protection on key-vault-secret-create vault #14761

Merged: alex-frankel merged 1 commit into Azure:master from msmbaldwin:akv-purge-key-vault-secret-create on May 13, 2026

Conversation

@msmbaldwin (Contributor)

Summary

Adds enablePurgeProtection: true to the vault in key-vault-secret-create/main.bicep (and the regenerated azuredeploy.json).

Why

Without purge protection, a soft-deleted secret can be permanently destroyed during the soft-delete retention window. For a quickstart that demonstrates creating secrets, the recommended baseline is soft delete + purge protection both on. softDeleteRetentionInDays: 90 was already present.

Validation

Deployed the updated main.bicep to my subscription:

  • correlationId: 36fa8201-9ac1-4932-8c3c-7d4c1dbf36d6
  • deploymentName: kvs-deploy-99a79900
  • provisioningState: Succeeded
  • region: eastus

metadata.json updated with validationType: Manual and the testResult.deployments block.

@msmbaldwin (Contributor, Author)

msmbaldwin commented May 13, 2026

@alex-frankel — first, thanks for your patience and for the clear feedback on the previous round of PRs (#14739, #14740, #14741, #14742). Your write-up of the new testResult requirement was exactly what I needed.

This PR follows the contribution-guide workflow:

  • Updated main.bicep was deployed locally against my subscription before the PR was opened.
  • metadata.json carries validationType: "Manual" and a testResult.deployments block with the real correlationId and deploymentName from that deployment.
  • I also rebased the branch onto current master so the diff is the minimal one-line bicep change + the corresponding regenerated azuredeploy.json + the metadata.json update (no longer showing azuredeploy.json as a new file — that was a fork-staleness artifact in the original push).

Ready for review / /verify whenever you have a moment. Thanks again!

Adds enablePurgeProtection: true to the vault in key-vault-secret-create/main.bicep
(and the regenerated azuredeploy.json).

Without purge protection, soft-deleted vault contents can be permanently
destroyed during the soft-delete retention window. Enabling purge
protection guarantees the configured retention window is honored, which
is the recommended Key Vault security baseline.

Validation:
- correlationId: 36fa8201-9ac1-4932-8c3c-7d4c1dbf36d6
- deploymentName: kvs-deploy-99a79900
- region: eastus
- provisioningState: Succeeded

metadata.json updated with validationType: Manual and the
testResult.deployments block.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@msmbaldwin force-pushed the akv-purge-key-vault-secret-create branch from 8397834 to ebce40b on May 13, 2026 18:32
@azure-quickstarts added the labels "remove azuredeploy.json" (bicep sample, remove json from PR) and "manual validation required" (This PR requires manual validation) on May 13, 2026
@alex-frankel (Contributor)

/validate

@github-actions

🤖 Quickstart Sample Summary

Sample Summary

  • This sample deploys an Azure Key Vault with RBAC authorization enabled.
  • The Key Vault is configured with soft delete, purge protection, and supports creating multiple secrets as specified in parameters.
  • It enables optional features like allowing Azure VMs, disk encryption, and template deployment to retrieve secrets.
  • To deploy, provide the Key Vault name, location, SKU, tenant ID, and a secure object containing secrets. Deploy using either the ARM template or Bicep file.

Resources Deployed

  • Microsoft.KeyVault/vaults (defined in main.bicep and azuredeploy.json):
    • Deploys a Key Vault with RBAC authorization, soft delete enabled for 90 days retention, and purge protection enabled.
    • Supports network ACLs with a default allow action and bypass for Azure services.
    • Configurable for deployment, disk encryption, and template deployment access.
  • Microsoft.KeyVault/vaults/secrets (defined in main.bicep and azuredeploy.json):
    • Creates a list of secrets inside the Key Vault from the input secure secrets object.

Security Findings

High Severity:

  • AZR-000355: Key Vault accepts connections from any network by default. The default action is "Allow", and no traffic restrictions are configured. (main.bicep line ~40, azuredeploy.json line ~90)
  • CKV_AZURE_189: Azure Key Vault does not disable public network access. (main.bicep line ~30, azuredeploy.json line ~70)
  • CKV_AZURE_109: Key Vault does not properly configure firewall rules. (main.bicep line ~30, azuredeploy.json line ~70)
  • CKV_AZURE_41: Secrets do not have expiration dates set. (main.bicep line ~53, azuredeploy.json line ~95)

Medium Severity:

  • AC_AZURE_0169: Azure Key Vault logging is not explicitly enabled. (azuredeploy.json line 1)

Low Severity:

  • CKV_AZURE_114: Key Vault secrets do not have "content_type" property set. (main.bicep line ~53, azuredeploy.json line ~95)
  • CKV_SECRET_6: Base64 high entropy strings detected in parameters file, likely secret values. (azuredeploy.parameters.json)

Additional Notes:

  • The deployment enables purge protection on the Key Vault.
  • Network ACLs allow all by default with bypass for Azure services, which is potentially too permissive.
  • No expiration dates or content types are set on secrets, which may affect security best practices.
  • No hardcoded secrets or credentials were found in the templates themselves.

Key Parameters

  • keyVaultName: Name of the Key Vault to create.
  • location: Azure region for the Key Vault deployment.
  • skuName: Specifies Key Vault SKU (standard or premium).
  • tenantId: Azure Active Directory tenant ID for authentication.
  • secretsObject: Secure object containing secrets to be created in the Key Vault.

Notes for Reviewers

  • The Key Vault network ACL default action is "Allow" with bypass enabled; consider recommending restricting network access for better security.
  • Secrets created do not have expiration dates or content types set; improvements for secret management best practices could be suggested.
  • Purge protection is enabled, increasing security against accidental or malicious vault deletion.
  • Documentation or README content was not reviewed and not provided to confirm deployment instructions or additional context.

Files Touched

  • main.bicep
  • azuredeploy.json
  • metadata.json

No other nested or linked templates detected.


Generated by the quickstart summarizer agent (v2 — agentic + MSDO security) · triggered by /validate
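An added template audit, not part of this PR, the quickstart repository or the summarizer output, that checks an ARM template for the settings discussed in the PR description (enablePurgeProtection alongside softDeleteRetentionInDays) and in the summary's network-ACL finding. The template fragment is constructed for illustration and the function names `audit_key_vaults` and `with_purge_protection` are hypothetical.

```python
import copy

# Constructed ARM template fragment modelled loosely on a Key Vault quickstart
# (not the repository's azuredeploy.json): soft delete set, purge protection absent.
TEMPLATE_BEFORE = {"resources": [{
    "type": "Microsoft.KeyVault/vaults",
    "name": "[parameters('keyVaultName')]",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
    },
}]}


def audit_key_vaults(template: dict) -> dict[str, list[str]]:
    """Return {vault name: [finding, ...]} for every Microsoft.KeyVault/vaults resource."""
    findings: dict[str, list[str]] = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        props = res.get("properties", {})
        issues: list[str] = []
        # Soft delete is on by default for new vaults; only an explicit false is a finding.
        if props.get("enableSoftDelete") is False:
            issues.append("enableSoftDelete is false")
        days = props.get("softDeleteRetentionInDays")
        if days is not None and not 7 <= days <= 90:
            issues.append(f"softDeleteRetentionInDays must be 7-90, got {days}")
        # Purge protection is off unless set; once enabled it cannot be turned off again.
        if props.get("enablePurgeProtection") is not True:
            issues.append("enablePurgeProtection is not true")
        if props.get("networkAcls", {}).get("defaultAction", "Allow") == "Allow":
            issues.append("networkAcls.defaultAction is Allow (vault reachable from any network)")
        findings[res.get("name", "<unnamed>")] = issues
    return findings


def with_purge_protection(template: dict) -> dict:
    """Return a copy of the template with enablePurgeProtection: true on every vault."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("resources", []):
        if res.get("type", "").lower() == "microsoft.keyvault/vaults":
            res.setdefault("properties", {})["enablePurgeProtection"] = True
    return fixed


if __name__ == "__main__":
    print(audit_key_vaults(TEMPLATE_BEFORE))
    print(audit_key_vaults(with_purge_protection(TEMPLATE_BEFORE)))
```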

@alex-frankel merged commit 4117f16 into Azure:master on May 13, 2026
6 checks passed