
Update Key Vault to Support RBAC Permissions and Delete Protection #1067

Open
AErmie opened this issue Oct 18, 2024 · 4 comments
Labels
Tool: FinOps hubs Data pipeline solution

Comments


AErmie commented Oct 18, 2024

⚠️ Problem

For organizations that utilize the Enterprise Scale in association with the Cloud Adoption Framework (CAF), there are various Azure Policies and Initiatives that are deployed.

One of those Initiatives is the Enforce recommended guardrails for Azure Key Vault. This initiative contains several policies, including:

  • Azure Key Vault should use RBAC permission model
  • Key vaults should have deletion protection enabled

The current deployment of the FinOps Toolkit (Hub architecture) violates those 2 policies and prevents its deployment. We have to add/create an exception in the target Subscription / Resource Group for the deployment to complete successfully.

🛠️ Solution

Update the FinOps Toolkit's Key Vault implementation to support the RBAC permissions model, and also enable delete protection.

ℹ️ Additional context

The client I am currently assisting is in a regulated industry, and uses the CAF / Enterprise Scale Terraform modules.

🙋‍♀️ Ask for the community

We could use your help:

  1. Please vote this issue up (👍) to prioritize it.
  2. Leave comments to help us solidify the vision.
@AErmie AErmie added the Needs: Triage 🔍 Untriaged issue needs to be reviewed label Oct 18, 2024
@flanakin flanakin added the Tool: FinOps hubs Data pipeline solution label Oct 21, 2024
@flanakin flanakin added this to the 2024-12 - December milestone Oct 23, 2024
@flanakin (Collaborator)

Makes sense. I'm not familiar with these options, but we can probably look at this in December. If you're familiar with bicep and would like to see this sooner, we'd welcome a PR to add this. Or if you know the settings that need to be applied, you could share them here, which might speed things up. Just let us know.

Either way, thanks for the feedback!

@flanakin flanakin removed the Needs: Triage 🔍 Untriaged issue needs to be reviewed label Oct 23, 2024
@flanakin (Collaborator)

@allcontributors please add AErmie for feature

(Contributor)

@flanakin

I couldn't determine any contributions to add, did you specify any contributions?
Please make sure to use valid contribution names.


AErmie commented Oct 29, 2024

@flanakin, I believe the REST API properties are:

  • enableRbacAuthorization
  • enableSoftDelete
  • enablePurgeProtection

See: https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults/create-or-update?view=rest-keyvault-keyvault-2022-07-01&tabs=HTTP#vaultproperties
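The Bicep fragment below is an added example, not the FinOps hubs module's own code, showing how the three vault properties listed in the comment above map onto the two policies named in the issue ("Azure Key Vault should use RBAC permission model" and "Key vaults should have deletion protection enabled"). The parameter names, the vault name, the reader identity and the role-assignment block are assumptions made for the illustration; the `Microsoft.KeyVault/vaults@2022-07-01` API version matches the REST reference linked above.

```bicep
// Added example (not the FinOps Toolkit's code): a Key Vault that satisfies
// both guardrail policies from the issue at deploy time, so no policy
// exemption is needed in the target subscription or resource group.

@description('Vault name (globally unique); assumed parameter name.')
param keyVaultName string

@description('Deployment region; defaults to the resource group location.')
param location string = resourceGroup().location

@description('Object ID of the identity that must read secrets; assumed parameter.')
param secretsReaderPrincipalId string

// Built-in "Key Vault Secrets User" role definition ID (data-plane read of secrets).
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: subscription().tenantId

    // Policy 1 ("should use RBAC permission model"): switch the vault to Azure
    // RBAC. Access policies are ignored under this model, so the list stays
    // empty and data-plane access is granted through role assignments instead.
    enableRbacAuthorization: true
    accessPolicies: []

    // Policy 2 ("should have deletion protection enabled"): soft delete keeps a
    // deleted vault and its objects recoverable for the retention window
    // (7-90 days); purge protection blocks permanent deletion inside that
    // window. Purge protection cannot be turned off once enabled, so treat it
    // as a one-way switch when planning test deployments.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
  }
}

// Under the RBAC model the pipeline identity gets secret access via a role
// assignment scoped to the vault rather than an accessPolicies entry.
resource secretsUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, secretsReaderPrincipalId, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: secretsReaderPrincipalId
    principalType: 'ServicePrincipal'
  }
}

output keyVaultId string = keyVault.id
```

The role assignment is the part that changes operationally when moving to RBAC: anything that previously appeared in `accessPolicies` (the Data Factory managed identity, for example) needs an equivalent role assignment, and a least-privilege role such as Key Vault Secrets User is preferable to a broad one at vault scope. Deleting and redeploying a vault with purge protection on will also fail while the soft-deleted vault still exists under the same name, which is worth knowing before enabling it on a development subscription.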
