Update Key Vault to Support Delete Protection

docs/_resources/changelog.md

@@ -70,6 +70,7 @@ Legend:
 > ➕ Added:
 >
 > 1. Cost Management export modules for subscriptions and resource groups.
+> 2. Enabled Purge protection for Azure keyvault resource
 
 <br><a name="latest"></a>
 

src/templates/finops-hub/main.bicep

@@ -135,6 +135,9 @@ param dataExplorerFinalRetentionInMonths int = 13
 @description('Optional. Enable public access to FinOps hubs resources.  Default: true.')
 param enablePublicAccess bool = true
 
+@description('Optional. Enable purge protection for Azure KeyVault.  Default: false.')
+param enablePurgeProtection bool = false
+
 @description('Optional. Address space for the workload. A /26 is required for the workload. Default: "10.20.30.0/26".')
 param virtualNetworkAddressPrefix string = '10.20.30.0/26'
 
@@ -164,6 +167,7 @@ module hub 'modules/hub.bicep' = {
     remoteHubStorageUri: remoteHubStorageUri
     remoteHubStorageKey: remoteHubStorageKey
     enablePublicAccess: enablePublicAccess
+    enablePurgeProtection: enablePurgeProtection
     virtualNetworkAddressPrefix: virtualNetworkAddressPrefix
   }
 }

src/templates/finops-hub/modules/hub.bicep

@@ -136,6 +136,9 @@ param dataExplorerFinalRetentionInMonths int = 13
 @description('Optional. Enable public access to the data lake. Default: true.')
 param enablePublicAccess bool = true
 
+@description('Optional. Enable purge protection of the keyvault. Default: false.')
+param enablePurgeProtection bool = false
+
 @description('Optional. Address space for the workload. A /26 is required for the workload. Default: "10.20.30.0/26".')
 param virtualNetworkAddressPrefix string = '10.20.30.0/26'
 
@@ -361,6 +364,7 @@ module keyVault 'keyVault.bicep' = {
     enablePublicAccess: enablePublicAccess
     virtualNetworkId: safeVnetId
     privateEndpointSubnetId:safeFinopsHubSubnetId
+    enablePurgeProtection: enablePurgeProtection
     accessPolicies: [
       {
         objectId: dataFactory.identity.principalId

src/templates/finops-hub/modules/keyVault.bicep

@@ -43,6 +43,9 @@ param privateEndpointSubnetId string
 @description('Optional. Enable public access to the data lake.  Default: false.')
 param enablePublicAccess bool
 
+@description('Optional. Enable purge protection to the keyvault.  Default: false')
+param enablePurgeProtection bool
+
 //------------------------------------------------------------------------------
 // Variables
 //------------------------------------------------------------------------------
@@ -77,6 +80,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
     enableSoftDelete: true
     softDeleteRetentionInDays: 90
     enableRbacAuthorization: false
+    enablePurgeProtection: enablePurgeProtection
     createMode: 'default'
     tenantId: subscription().tenantId
     accessPolicies: formattedAccessPolicies