Merge pull request #552 from chbragg/main

Fixed typos and added KV purge protection param
Azure · Dec 5, 2023 · d6a1a93 · d6a1a93
2 parents bab3640 + f7f57db
commit d6a1a93
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 6 deletions.
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
@@ -473,6 +473,9 @@ param time string = utcNow()
 @sys.description('Enable usage and telemetry feedback to Microsoft.')
 param enableTelemetry bool = true
 
+@sys.description('Enable purge protection for the keyvaults. (Default: true)')
+param enableKvPurgeProtection bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -944,6 +947,7 @@ module zeroTrust './modules/zeroTrust/deploy.bicep' = if (diskZeroTrust && avdDe
         deployPrivateEndpointKeyvaultStorage: deployPrivateEndpointKeyvaultStorage
         keyVaultprivateDNSResourceId: createPrivateDnsZones ? networking.outputs.KeyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId
         tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
+        enableKvPurgeProtection: enableKvPurgeProtection
         kvTags: varZtKeyvaultTag
     }
     dependsOn: [
@@ -962,7 +966,7 @@ module wrklKeyVault '../../carml/1.3.0/Microsoft.KeyVault/vaults/deploy.bicep' =
         name: varWrklKvName
         location: avdSessionHostLocation
         enableRbacAuthorization: false
-        enablePurgeProtection: true
+        enablePurgeProtection: enableKvPurgeProtection
         softDeleteRetentionInDays: 7
         publicNetworkAccess: deployPrivateEndpointKeyvaultStorage ? 'Disabled' : 'Enabled'
         networkAcls: deployPrivateEndpointKeyvaultStorage ? {

diff --git a/workload/bicep/deploy-custom-image.bicep b/workload/bicep/deploy-custom-image.bicep
@@ -503,11 +503,11 @@ var varRemainingCustomizers = [
     }
     {
         type: 'PowerShell'
-        name: 'Sleep for a min'
+        name: 'Sleep for 5 minutes'
         runElevated: true
         runAsSystem: true
         inline: [
-            'Write-Host "Sleep for a 5 min"'
+            'Write-Host "Sleep for 5 min"'
             'Start-Sleep -Seconds 300'
         ]
     }

diff --git a/workload/bicep/modules/avdSessionHosts/deploy.bicep b/workload/bicep/modules/avdSessionHosts/deploy.bicep
@@ -49,7 +49,7 @@ param avsetNamePrefix string
 @sys.description('The service providing domain services for Azure Virtual Desktop.')
 param identityServiceProvider string
 
-@sys.description('Eronll session hosts on Intune.')
+@sys.description('Enroll session hosts on Intune.')
 param createIntuneEnrollment bool
 
 @sys.description('This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.')

diff --git a/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep b/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep
@@ -167,7 +167,7 @@ module managementVm '../../../../../carml/1.3.0/Microsoft.Compute/virtualMachine
                 options: '3'
             }
         }
-        // Azure AD (AAD) Join.
+        // Entra ID Join.
         extensionAadJoinConfig: {
             enabled: (identityServiceProvider == 'AAD') ? true: false
         }

diff --git a/workload/bicep/modules/zeroTrust/.bicep/zeroTrustKeyVault.bicep b/workload/bicep/modules/zeroTrust/.bicep/zeroTrustKeyVault.bicep
@@ -46,6 +46,8 @@ param tags object
 @sys.description('Do not modify, used to set unique value for resource deployment.')
 param time string = utcNow()
 
+@sys.description('Enable purge protection on the key vault')
+param enableKvPurgeProtection bool = true
 // =========== //
 // Variable declaration //
 // =========== //
@@ -62,7 +64,7 @@ module ztKeyVault '../../../../../carml/1.3.0/Microsoft.KeyVault/vaults/deploy.b
         name: kvName
         location: location
         enableRbacAuthorization: true
-        enablePurgeProtection: true
+        enablePurgeProtection: enableKvPurgeProtection
         softDeleteRetentionInDays: 7
         publicNetworkAccess: 'Disabled'
         networkAcls: {

diff --git a/workload/bicep/modules/zeroTrust/deploy.bicep b/workload/bicep/modules/zeroTrust/deploy.bicep
@@ -55,6 +55,9 @@ param keyVaultprivateDNSResourceId string
 @sys.description('Do not modify, used to set unique value for resource deployment.')
 param time string = utcNow()
 
+@sys.description('Enable purge protection on the key vault')
+param enableKvPurgeProtection bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -222,6 +225,7 @@ module ztKeyVault './.bicep/zeroTrustKeyVault.bicep' = if (diskZeroTrust) {
         diskEncryptionSetName: diskEncryptionSetName
         ztManagedIdentityResourceId: diskZeroTrust ? ztManagedIdentity.outputs.resourceId : ''
         tags: union(tags, kvTags)
+        enableKvPurgeProtection: enableKvPurgeProtection
     }
 }