Enterprise-Scale

Question about secret lifetime in "Enforce recommended guardrails for Azure Key Vault" initiative

Open jdrepo opened this issue 1 year ago • 1 comments

Describe the bug

I have a question about the secret validity handling in the "Enforce recommended guardrails for Azure Key Vault" policy initiative. As far as I can see and understand, the following parameters are both set to the value "90":

  • secretsActiveInDays: 90 days. This parameter denies the creation of a secret with a lifetime greater than 90 days (PolicyDefinitionReference Id: Deny-KV-Secret-ActiveDays).

  • minimumSecretsLifeDaysBeforeExpiry: 90 days (PolicyDefinitionReference Id: KvSecretsLifetime). This parameter audits secrets whose lifetime is shorter than 90 days. BTW: the parameter description doesn't fit; it seems to me to be copied from another parameter?

So if I deploy this policy initiative, I will never be able to create a compliant secret?

Screenshots

jdrepo, Dec 04 '24 13:12

@jdrepo it can be confusing :) We default to the policy default parameter values provided by the authors, and the intent is that customers customize these according to their organization/workload requirements. In this case, yes, you can still deploy a secret (with an expiry date of less than 90 days), but the second parameter will automatically flag it as not compliant, as this serves as a reminder to renew the secret before expiry.

It doesn't break anything, but you are right, you would probably not want to leave the values as they are :)

We considered reducing the minimumSecretsLifeDaysBeforeExpiry to 30 days, but decided against it, as most organizations do not regularly review policy compliance as part of operations.

Springstone, Dec 17 '24 09:12
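To make the interplay between the two parameters concrete, here is an added example (not code from the Enterprise-Scale repository or from either commenter) that models the two checks discussed in the thread as plain functions: a deny-style check that rejects a secret whose total lifetime exceeds `secretsActiveInDays`, and an audit-style check that flags a secret with fewer than `minimumSecretsLifeDaysBeforeExpiry` days remaining before expiry at evaluation time. The exact evaluation semantics of the Azure Policy definitions are simplified here and the secret dates are constructed for illustration; the assumed reading of the audit parameter is "days remaining before expiry", which is what its name and the reply above suggest.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Default parameter values as described in the issue (both 90 days).
SECRETS_ACTIVE_IN_DAYS = 90                  # Deny-KV-Secret-ActiveDays
MIN_SECRETS_LIFE_DAYS_BEFORE_EXPIRY = 90     # KvSecretsLifetime


@dataclass
class SecretAttributes:
    """Constructed stand-in for the created/expires attributes of a Key Vault secret."""
    name: str
    created: datetime
    expires: datetime


def deny_on_create(secret: SecretAttributes, max_active_days: int = SECRETS_ACTIVE_IN_DAYS) -> bool:
    """Deny-style check evaluated at creation: True means the request would be rejected.

    A secret is rejected when its total lifetime (expires - created) exceeds max_active_days.
    """
    lifetime_days = (secret.expires - secret.created) / timedelta(days=1)
    return lifetime_days > max_active_days


def audit_days_before_expiry(secret: SecretAttributes, now: datetime,
                             min_days: int = MIN_SECRETS_LIFE_DAYS_BEFORE_EXPIRY) -> bool:
    """Audit-style check evaluated at scan time: True means the secret is flagged non-compliant.

    Assumed semantics: flagged when fewer than min_days remain before expiry.
    """
    remaining_days = (secret.expires - now) / timedelta(days=1)
    return remaining_days < min_days


def evaluate(secret: SecretAttributes, now: datetime,
             max_active_days: int = SECRETS_ACTIVE_IN_DAYS,
             min_days: int = MIN_SECRETS_LIFE_DAYS_BEFORE_EXPIRY) -> dict:
    """Run both checks and report the outcome for one secret at one point in time."""
    return {
        "denied_on_create": deny_on_create(secret, max_active_days),
        "audit_noncompliant": audit_days_before_expiry(secret, now, min_days),
    }


def demo() -> dict:
    """Walk through the scenario from the issue with constructed dates."""
    created = datetime(2024, 12, 4, tzinfo=timezone.utc)
    results = {}

    # 1. Lifetime of 120 days: rejected outright by the deny policy.
    long_lived = SecretAttributes("db-password", created, created + timedelta(days=120))
    results["120d_at_create"] = evaluate(long_lived, now=created)

    # 2. Lifetime of exactly 90 days: allowed, and compliant only at the instant of creation.
    ninety = SecretAttributes("api-key", created, created + timedelta(days=90))
    results["90d_at_create"] = evaluate(ninety, now=created)

    # 3. The same 90-day secret one day later: fewer than 90 days remain, so audit flags it.
    results["90d_after_1d"] = evaluate(ninety, now=created + timedelta(days=1))

    # 4. Customized parameters (deny > 90, audit < 30): the same secret stays compliant
    #    for 60 days and is flagged only when it enters its last 30 days.
    results["90d_custom_after_45d"] = evaluate(
        ninety, now=created + timedelta(days=45), max_active_days=90, min_days=30)
    results["90d_custom_after_61d"] = evaluate(
        ninety, now=created + timedelta(days=61), max_active_days=90, min_days=30)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:22s} -> {outcome}")
```

With both defaults at 90, scenario 2 and 3 show why the question arises: a secret that passes the deny check is compliant only until the first day passes, after which the audit check reports it. Scenario 4 shows the effect of customizing `minimumSecretsLifeDaysBeforeExpiry` to a smaller window, as the reply recommends.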