
[Hubs] Add optional Key Vault purge protection parameter

Open · MSBrett opened this issue 2 months ago · 1 comment

💡 Feature Request

Add an optional parameter to enable purge protection on the Key Vault deployed with FinOps hubs.

🎯 Problem

Enterprise-scale Azure Landing Zone policies often require purge protection to be enabled on Key Vaults for compliance and security. The current FinOps hub deployment does not support enabling this feature, causing policy violations in compliant environments.

✅ Proposed Solution

Add an enablePurgeProtection parameter (default: false) that:

  • Is exposed in main.bicep as an optional parameter
  • Passes through to modules/hub.bicep and modules/keyVault.bicep
  • Sets enablePurgeProtection: enablePurgeProtection on the Key Vault resource

Implementation Details

File: src/templates/finops-hub/main.bicep

@description('Optional. Enable purge protection for Azure KeyVault. Default: false.')
param enablePurgeProtection bool = false

File: src/templates/finops-hub/modules/hub.bicep

@description('Optional. Enable purge protection for the Key Vault. Default: false.')
param enablePurgeProtection bool = false

// Pass the flag through to the keyVault module (only deployed when a remote hub storage key is supplied)
module keyVault 'keyVault.bicep' = if (!empty(remoteHubStorageKey)) {
  // ...
  params: {
    // ...
    enablePurgeProtection: enablePurgeProtection
  }
}

File: src/templates/finops-hub/modules/keyVault.bicep

@description('Optional. Enable purge protection for the Key Vault. Default: false.')
param enablePurgeProtection bool = false

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  // ... name, location, tags
  properties: {
    // ...
    // Purge protection is irreversible and the vault API does not accept an explicit `false`,
    // so only emit the property when it is being turned on; otherwise leave it unset (null).
    enablePurgeProtection: enablePurgeProtection ? true : null
  }
}

📚 References

  • Original issue: #1067 (also requests RBAC permissions - that's a separate enhancement)
  • Proposed implementation: PR #1349 (closed due to CLA block)
  • Microsoft docs: Key Vault purge protection

📋 Additional Context

This feature is optional with false as the default to maintain backward compatibility. Users deploying into policy-compliant environments can set enablePurgeProtection: true in their deployment parameters.

Credit: Solution originally proposed by @ankurshukla03 in PR #1349.

MSBrett · Oct 11 '25 19:10
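The policy violation described in the issue is usually caught only at deployment time by Azure Policy. The following is an added example (not part of the issue or the finops-toolkit code) of a pre-deployment check that scans a compiled ARM template, such as the JSON `az bicep build` produces, for `Microsoft.KeyVault/vaults` resources and reports any vault that will not end up with purge protection enabled. The sample template embedded below is constructed for illustration and is not the toolkit's real compiled output; the regexes only understand a literal bool, a plain `[parameters('x')]` reference and the `[if(parameters('x'), true(), null())]` form that Bicep emits for the `? true : null` pattern, and anything more complex is treated as "not enabled" so it surfaces rather than silently passing.

```python
import json
import re

# Constructed sample of a compiled ARM template (illustrative shape only).
SAMPLE_TEMPLATE = json.loads(r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "hubName": { "type": "string", "defaultValue": "finops-hub" },
    "enablePurgeProtection": { "type": "bool", "defaultValue": false }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-02-01",
      "name": "[format('{0}-kv', parameters('hubName'))]",
      "properties": {
        "enableSoftDelete": true,
        "enablePurgeProtection": "[if(parameters('enablePurgeProtection'), true(), null())]"
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-02-01",
      "name": "legacy-kv",
      "properties": { "enableSoftDelete": true }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "hubstorage",
      "properties": {}
    }
  ]
}
""")

# Minimal ARM expression shapes this check understands.
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
IF_PARAM_TRUE_NULL = re.compile(r"^\[if\(parameters\('([^']+)'\),\s*true\(\),\s*null\(\)\)\]$")


def _param_value(name, parameters, overrides):
    """Value a parameter takes at deployment: explicit override, else template default."""
    if name in overrides:
        return overrides[name]
    return parameters.get(name, {}).get("defaultValue")


def resolve_bool(value, parameters, overrides):
    """Resolve a literal bool or a simple parameter-driven expression to True/False/None.

    None means the property is absent, null, or too complex to evaluate here.
    """
    if isinstance(value, bool) or value is None:
        return value
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            return _param_value(m.group(1), parameters, overrides)
        m = IF_PARAM_TRUE_NULL.match(value)
        if m:
            return True if _param_value(m.group(1), parameters, overrides) else None
    return None


def audit_key_vaults(template, overrides=None):
    """Return one finding per Key Vault resource in the compiled template."""
    overrides = overrides or {}
    parameters = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        props = res.get("properties", {})
        purge = resolve_bool(props.get("enablePurgeProtection"), parameters, overrides)
        soft = resolve_bool(props.get("enableSoftDelete"), parameters, overrides)
        findings.append({
            "name": res.get("name"),
            "purgeProtection": purge is True,
            # Purge protection only takes effect with soft delete on; new vaults have it
            # on by default, so only an explicit false is flagged here.
            "softDelete": soft is not False,
            "compliant": purge is True and soft is not False,
        })
    return findings


def noncompliant_vaults(template, overrides=None):
    """Names of vaults that would violate a 'purge protection enabled' policy."""
    return [f["name"] for f in audit_key_vaults(template, overrides) if not f["compliant"]]


if __name__ == "__main__":
    for label, overrides in (("defaults", {}), ("enablePurgeProtection=true", {"enablePurgeProtection": True})):
        print(label, "->", noncompliant_vaults(SAMPLE_TEMPLATE, overrides))
```

With the template's defaults both vaults are reported, because the parameterised vault evaluates its expression to null; passing `{"enablePurgeProtection": True}` as the deployment parameters clears the hub vault and leaves only the hard-coded `legacy-kv`, which is the situation the issue's default-off parameter produces unless the deployer opts in.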

Related PR #1349 was closed due to CLA requirement. The implementation from that PR can be used as a reference.

MSBrett · Oct 11 '25 19:10