Enable purge protection on key-vault-certificate-create vault#14762
Conversation
|
@alex-frankel — first, thanks for your patience and for the clear feedback on the previous round of PRs (#14739, #14740, #14741, #14742). Your write-up of the new This PR follows the contribution-guide workflow:
Ready for review / |
Adds enablePurgeProtection: true to the vault in key-vault-certificate-create/main.bicep (and the regenerated azuredeploy.json). Without purge protection, soft-deleted vault contents can be permanently destroyed during the soft-delete retention window. Enabling purge protection guarantees the configured retention window is honored, which is the recommended Key Vault security baseline. Validation: - correlationId: 05435e1e-63f6-4269-98b1-42955d84a56a - deploymentName: kvcrt-deploy-29b9ab41 - region: eastus - provisioningState: Succeeded metadata.json updated with validationType: Manual and the testResult.deployments block. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
0afd71d to
b7a11b4
Compare
|
@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.] |
|
/validate |
🤖 Quickstart Sample SummarySample Summary
Resources Deployed
Security Findings
Key Parameters
Notes for Reviewers
Files Touched
Generated by the quickstart summarizer agent (v2 — agentic + MSDO security) · triggered by /validate |
|
@msmbaldwin — quick favor before we merge this one. Two things just happened that make this PR an ideal verification target:
Could you push one more commit to this branch that just deletes If you'd rather not do that, just say so and I'll merge as-is — your call. Either way thanks for the four PRs. Merging #14759, #14760, #14761 now and holding this one pending your reply. |
Per @alex-frankel's request: removes the hand-stamped azuredeploy.json so the commit-generated-on-merge pipeline (fixed by @ouldsid in ca5c529) regenerates it from main.bicep into the correct sample folder on master. Verifies the staging-directory pattern works end-to-end. main.bicep and metadata.json (with correlationId/deploymentName from the manual deployment) are preserved unchanged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
@alex-frankel — happy to help. Pushed a commit that deletes |
|
/validate |
|
@msmbaldwin - check this PR for updates that may be needed to documentation that references this sample. [This is an automated message. You are receiving it because you are listed as the docOwner in metadata.json.] |
|
/validate |
|
@msmbaldwin — quick follow-up to close the loop on this one. The verification you helped with surfaced two real bugs in the auto-gen pipeline (great outcome from the experiment, though not the one I'd planned): What happened after merge:
Net for you: nothing to fix on your end. Your three other PRs (#14759/#14760/#14761) are merged and good. Sorry for the experimental detour — it surfaced a real second-order bug in the pipeline, which is genuinely useful, but cost us a regression-and-manual-restore cycle that I wouldn't have asked for if I'd thought about the fork-branch gate first. cc @ouldsid |
Summary
Adds
enablePurgeProtection: trueto the vault inkey-vault-certificate-create/main.bicep(and the regeneratedazuredeploy.json).Why
Without purge protection, a soft-deleted certificate (and its underlying key) can be permanently destroyed during the soft-delete retention window. For a quickstart that demonstrates creating a certificate, the recommended baseline is soft delete + purge protection both on.
softDeleteRetentionInDays: 90was already present.Validation
Deployed the updated
main.bicepto my subscription (the deployment-scripts module under the hood means the deployment takes ~5 minutes):correlationId: 05435e1e-63f6-4269-98b1-42955d84a56adeploymentName: kvcrt-deploy-29b9ab41provisioningState: Succeededmetadata.jsonupdated withvalidationType: Manualand thetestResult.deploymentsblock.