keyvault IP access rules, secure by default

reneenoble · reneenoble · commit b00f68fe513a · 2024-05-06T11:46:14.000+10:00
diff --git a/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep b/{{cookiecutter.__src_folder_name}}/infra/core/security/keyvault.bicep
@@ -5,27 +5,26 @@ param tags object = {}
 
 param principalId string = ''
 
-// Allow public network access to Key Vault
-param allowPublicNetworkAccess bool = false
+@description('List of IP addresses or IP address ranges in CIDR format that are allowed to access the key vault.')
+param ipRules array = []
 
 // Allow all Azure services to bypass Key Vault network rules
 param allowAzureServicesAccess bool = true
 
-param networkAcls object = {
-  bypass: allowAzureServicesAccess ? 'AzureServices' : 'None'
-  defaultAction: allowPublicNetworkAccess ? 'Allow' : 'Deny'
-  ipRules: []
-  virtualNetworkRules: []
-}
-
 resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: name
   location: location
   tags: tags
   properties: {
     tenantId: subscription().tenantId
     sku: { family: 'A', name: 'standard' }
-    networkAcls: networkAcls
+    networkAcls: {
+      bypass: allowAzureServicesAccess ? 'AzureServices' : 'None'
+      defaultAction: 'Deny'
+      ipRules: ipRules
+      virtualNetworkRules: []
+    }
+    enableRbacAuthorization: true
     accessPolicies: !empty(principalId) ? [
       {
         objectId: principalId
