
Conversation

@lansalot
Copy link

@lansalot lansalot commented Jan 6, 2026

Deployments fail if using the alz-bicep landing zone pattern when the recommended Azure Key Vault guardrails policy is in effect.

https://www.azadvertizer.net/azpolicyadvertizer/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d.html

Typical error:

     | 15:40:22 - The deployment 'ipamInfraDeploy-20260106033743PM' failed with error(s). Showing 1 out of 1 error(s). Status Message: The template deployment
     | failed because of policy violation. Please see details for more information. (Code: InvalidTemplateDeployment)  - Resource 'ipam-kv-bsuq3hb27vmuk' was
     | disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Enforce recommended guardrails for Azure Key
     | Vault","id":"/providers/Microsoft.Management/managementGroups/xxx/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-KeyVault"},"policyDefinition":{"name":"Key vaults should have soft delete enabled","id":"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d","version":"3.1.0"},"policySetDefinition":{"name":"Enforce recommended guardrails for Azure Key Vault","id":"/providers/Microsoft.Management/managementGroups/xxx/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault","version":"1.0.0"}}]'. (Code:RequestDisallowedByPolicy) 

Suggested fix is to add the two parameters in keyVault.bicep.

To align with alz-bicep landing-zone deployment, and specifically the policy "Enforce recommended guardrails for Azure Key Vault", soft-delete should be enabled.
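As an added illustration (not the project's own keyVault.bicep), this is a Key Vault resource whose properties satisfy the "Key vaults should have soft delete enabled" definition named in the error above; purge protection is assumed to be the second parameter the comment refers to, since the thread names only soft delete, and the vault name is constructed.

```bicep
// Added example, not the repository's keyVault.bicep: a Key Vault whose
// template body passes the "Enforce recommended guardrails for Azure Key Vault"
// assignment at deployment time. Azure Policy evaluates the request payload,
// so relying on the service default for soft delete is not enough; the
// property has to be present in the template.
param location string = resourceGroup().location
param keyVaultName string = 'ipam-kv-${uniqueString(resourceGroup().id)}' // constructed name
param softDeleteRetentionInDays int = 90

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true
    // Checked by policy definition 1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d
    // ("Key vaults should have soft delete enabled").
    enableSoftDelete: true
    softDeleteRetentionInDays: softDeleteRetentionInDays
    // Assumed second parameter: purge protection prevents a soft-deleted vault
    // (or its objects) from being permanently purged before retention expires.
    enablePurgeProtection: true
  }
}

output keyVaultId string = keyVault.id
```

Purge protection is one-way: once `enablePurgeProtection` is set to true on a vault it cannot be switched back off, so plan retention before enabling it.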
@DCMattyG DCMattyG self-assigned this Jan 6, 2026
@DCMattyG DCMattyG added the enhancement New feature or request label Jan 6, 2026
