no-purge
Default Severity: medium
Explanation
Purge protection is an optional Key Vault behavior and is not enabled by default.
Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell.
Possible Impact
Keys could be purged from the vault without protection
Suggested Resolution
Enable purge protection for key vaults
Insecure Example
The following example will fail the azure-keyvault-no-purge check.
resource "azurerm_key_vault" "bad_example" {
name = "examplekeyvault"
location = azurerm_resource_group.bad_example.location
enabled_for_disk_encryption = true
purge_protection_enabled = false
}
Secure Example
The following example will pass the azure-keyvault-no-purge check.
resource "azurerm_key_vault" "good_example" {
name = "examplekeyvault"
location = azurerm_resource_group.good_example.location
enabled_for_disk_encryption = true
soft_delete_retention_days = 7
purge_protection_enabled = true
}