Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable purge protection #1830

Closed
1 task done
tanya-borisova opened this issue May 12, 2022 · 1 comment · Fixed by #1973
Closed
1 task done

Enable purge protection #1830

tanya-borisova opened this issue May 12, 2022 · 1 comment · Fixed by #1973
Assignees
@tanya-borisova
Labels
story Stories are the smallest unit of work to be done for a project.

Comments

@tanya-borisova
Copy link
Contributor

tanya-borisova commented May 12, 2022
edited
Loading

TRE customers are usually expected to enable keyvault purge protection.

However, in the repo we have a flag keyvault_purge_protection_enabled, which has been useful in development scenarios, as we were often recreating resources in Azure.

Now, in the azurerm Terraform provider configuration,one can now set the following:


provider "azurerm" {
  features {
    key_vault {
      # Don't purge secrets on destroy (this would fail due to purge protection being enabled on keyvault)
      purge_soft_deleted_secrets_on_destroy = false
      # When recreating a shared service, recover any previously soft deleted secrets
      recover_soft_deleted_secrets = true
    }
  }
}

(See also PR #1777)

With this, there should not be a problem having purge protection on, because Terraform should not purge secrets on deletion, and should restore previously soft deleted secrets. So we should have purge protection on.

Purge protection is already enabled in #1797 for workspace keyvault, in this ticket enable it for the keyvault in core as well.
@tanya-borisova tanya-borisova added the story Stories are the smallest unit of work to be done for a project. label May 12, 2022
@tanya-borisova tanya-borisova self-assigned this May 12, 2022
@tanya-borisova tanya-borisova linked a pull request May 12, 2022 that will close this issue
Enable purge protection #1831
Closed
@tanya-borisova tanya-borisova mentioned this issue May 18, 2022
Closed
@tanya-borisova tanya-borisova mentioned this issue Jun 6, 2022
Merged
@tanya-borisova tanya-borisova linked a pull request Jun 8, 2022 that will close this issue
Enable purge protection #1973
Merged
@tanya-borisova
Copy link
Contributor Author

tanya-borisova commented Jun 9, 2022
edited
Loading

The blocker of this work is that TLS certificate cannot be recovered after being deleted. The crux of the problem is described in this bug report for azurerm: hashicorp/terraform-provider-azurerm#17168

There might be a workaround possible if we don't import a temporary certificate and instead let Azure create one for us from parameters. I will do a timeboxed investigation into this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tanya-borisova tanya-borisova

Labels
story Stories are the smallest unit of work to be done for a project.
Projects
No open projects
AzureTRE - Crew Rock
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Enable purge protection microsoft/AzureTRE
Enable purge protection microsoft/AzureTRE
1 participant
@tanya-borisova