Closed PoojanumN closed 4 months ago
I believe this is covered here - https://github.com/microsoft/AzureTRE/blob/c8e5ed39fb8d2839c9a25ee79fe2de8d22be32b2/config.sample.yaml#L67-L69. If it doesn't work as designed, then it might need amending.
Also not sure it is a bug, but more of a feature request, that may already exist?
@marrobi bug removed and added as Feature. @Danny-Cooke-CK please review the above and close as necessary
I think the key vault purge protection wants adding, either as a separate config flag or to the existing one.
Confirmed with @marrobi to add another developer setting
I've reviewed this and can see that the functionality is already there for key_vault, although in Imperial we have handled it more centrally.
In our code we have one variable set which covers every key vault, but in the main code it gets set in every Terraform provider in each part of the project, like the below. So on that basis, I'm closing this ticket.

```hcl
provider "azurerm" {
  features {
    key_vault {
      purge_soft_delete_on_destroy               = false
      purge_soft_deleted_secrets_on_destroy      = false
      purge_soft_deleted_certificates_on_destroy = false
      purge_soft_deleted_keys_on_destroy         = false
      # When recreating an environment, recover any previously soft deleted secrets - set to true by default
      recover_soft_deleted_key_vaults   = true
      recover_soft_deleted_secrets      = true
      recover_soft_deleted_certificates = true
      recover_soft_deleted_keys         = true
    }
  }
}
```
@Danny-Cooke-CK I thought you were trying to disable purge protection, not sure the code in the provider does this...
Oh ok. I've made a mistake in assumption here. Will look again.
By default the TRE is deployed with purge protection on the key vault and stateful resource locks. These make sense in a prod environment but hinder development and redeployment in dev. If a key vault already existed, for example, it will need to be imported into Terraform state. Having this as a switchable option, however, aids development and delivery.
Please see information around this issue:
Tim Allen 26 February 2024 at 16:40
Need to remember to update the action.yml
Kevin O'Connor 26 February 2024 at 16:14

```shell
terraform apply -var="KV_PURGE_PROTECTION_ENABLED=true" -var="STATEFUL_RESOURCES_LOCKED=true"
```
etc etc
Kevin O'Connor 26 February 2024 at 16:13
Might need to update the variables.tf file to add these to it for switch work
```hcl
variable "KV_PURGE_PROTECTION_ENABLED" {
  description = "Enables or disables Key Vault purge protection"
  type        = bool
  default     = false
}

variable "STATEFUL_RESOURCES_LOCKED" {
  description = "Determines if stateful resources should be locked"
  type        = bool
  default     = false
}
```
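As an added example (not code from the AzureTRE repo or from anyone in this thread), this is one way the two switches could be wired into the resources they govern; the vault, resource group, location and lock names are placeholders, and it also shows why the provider `features` block discussed earlier does not set purge protection on the vault itself:

```hcl
# Added example, not AzureTRE code. Resource names, resource group and
# location values are placeholders.

variable "KV_PURGE_PROTECTION_ENABLED" {
  description = "Enables or disables Key Vault purge protection"
  type        = bool
  default     = false
}

variable "STATEFUL_RESOURCES_LOCKED" {
  description = "Determines if stateful resources should be locked"
  type        = bool
  default     = false
}

data "azurerm_client_config" "current" {}

# The provider `features { key_vault { ... } }` block only controls what
# Terraform does on destroy (purge the vault or leave it soft-deleted).
# Purge protection is a property of the vault and is set here instead.
resource "azurerm_key_vault" "example" {
  name                       = "kv-example-placeholder"
  location                   = "uksouth"
  resource_group_name        = "rg-example-placeholder"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 7
  # Caveat: Azure does not allow purge protection to be turned off once it
  # has been enabled, so setting this back to false on an existing vault
  # will fail; the switch only takes effect for new (or recreated) vaults.
  purge_protection_enabled = var.KV_PURGE_PROTECTION_ENABLED
}

# The CanNotDelete lock only exists when the switch is on, so a dev
# redeployment can destroy the vault without first removing the lock.
resource "azurerm_management_lock" "kv" {
  count      = var.STATEFUL_RESOURCES_LOCKED ? 1 : 0
  name       = "lock-kv-example-placeholder"
  scope      = azurerm_key_vault.example.id
  lock_level = "CanNotDelete"
  notes      = "Stateful resource; set STATEFUL_RESOURCES_LOCKED=false to remove"
}
```

With both defaults at `false`, a production deployment has to pass the two `-var` flags explicitly (as in the `terraform apply` line above) or it silently gets the dev posture.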