diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep
index 1bd8d6529..4f6c959e0 100644
--- a/workload/bicep/deploy-baseline.bicep
+++ b/workload/bicep/deploy-baseline.bicep
@@ -473,6 +473,9 @@ param time string = utcNow()
 @sys.description('Enable usage and telemetry feedback to Microsoft.')
 param enableTelemetry bool = true
 
+@sys.description('Enable purge protection for the keyvaults. (Default: true)')
+param enableKvPurgeProtection bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -944,6 +947,7 @@ module zeroTrust './modules/zeroTrust/deploy.bicep' = if (diskZeroTrust && avdDe
 deployPrivateEndpointKeyvaultStorage: deployPrivateEndpointKeyvaultStorage
 keyVaultprivateDNSResourceId: createPrivateDnsZones ? networking.outputs.KeyVaultDnsZoneResourceId : avdVnetPrivateDnsZoneKeyvaultId
 tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
+ enableKvPurgeProtection: enableKvPurgeProtection
 kvTags: varZtKeyvaultTag
 }
 dependsOn: [
@@ -962,7 +966,7 @@ module wrklKeyVault '../../carml/1.3.0/Microsoft.KeyVault/vaults/deploy.bicep' =
 name: varWrklKvName
 location: avdSessionHostLocation
 enableRbacAuthorization: false
- enablePurgeProtection: true
+ enablePurgeProtection: enableKvPurgeProtection
 softDeleteRetentionInDays: 7
 publicNetworkAccess: deployPrivateEndpointKeyvaultStorage ? 'Disabled' : 'Enabled'
 networkAcls: deployPrivateEndpointKeyvaultStorage ? {
diff --git a/workload/bicep/deploy-custom-image.bicep b/workload/bicep/deploy-custom-image.bicep
index 38bb616ad..60d82a1fb 100644
--- a/workload/bicep/deploy-custom-image.bicep
+++ b/workload/bicep/deploy-custom-image.bicep
@@ -503,11 +503,11 @@ var varRemainingCustomizers = [
 }
 {
 type: 'PowerShell'
- name: 'Sleep for a min'
+ name: 'Sleep for 5 minutes'
 runElevated: true
 runAsSystem: true
 inline: [
- 'Write-Host "Sleep for a 5 min"'
+ 'Write-Host "Sleep for 5 min"'
 'Start-Sleep -Seconds 300'
 ]
 }
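Review bot: The description for the new `enableKvPurgeProtection` parameter should state that the setting is one-way: once purge protection is enabled on a Key Vault it cannot be turned off again, so passing `false` into an environment that was deployed with the previous hard-coded `true` will not disable it and the vault update may be rejected. Suggested text: `@sys.description('Enable purge protection for the key vaults. Purge protection cannot be disabled once enabled on an existing vault, so false only takes effect for new vaults. (Default: true)')`. The hunk at -962 inherits the same concern, since `wrklKeyVault` was previously always deployed with purge protection on, and the parameters added in modules/zeroTrust/deploy.bicep and modules/zeroTrust/.bicep/zeroTrustKeyVault.bicep need the same wording.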
diff --git a/workload/bicep/modules/avdSessionHosts/deploy.bicep b/workload/bicep/modules/avdSessionHosts/deploy.bicep
index d662ce9d9..9e0219b00 100644
--- a/workload/bicep/modules/avdSessionHosts/deploy.bicep
+++ b/workload/bicep/modules/avdSessionHosts/deploy.bicep
@@ -49,7 +49,7 @@ param avsetNamePrefix string
 @sys.description('The service providing domain services for Azure Virtual Desktop.')
 param identityServiceProvider string
 
-@sys.description('Eronll session hosts on Intune.')
+@sys.description('Enroll session hosts on Intune.')
 param createIntuneEnrollment bool
 
 @sys.description('This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.')
diff --git a/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep b/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep
index 2ad7760d5..335fae4a9 100644
--- a/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep
+++ b/workload/bicep/modules/storageAzureFiles/.bicep/managementVm.bicep
@@ -167,7 +167,7 @@ module managementVm '../../../../../carml/1.3.0/Microsoft.Compute/virtualMachine
 options: '3'
 }
 }
- // Azure AD (AAD) Join.
+ // Entra ID Join.
 extensionAadJoinConfig: {
 enabled: (identityServiceProvider == 'AAD') ? true: false
 }
diff --git a/workload/bicep/modules/zeroTrust/.bicep/zeroTrustKeyVault.bicep b/workload/bicep/modules/zeroTrust/.bicep/zeroTrustKeyVault.bicep
index ab7ac1c32..382d875c3 100644
--- a/workload/bicep/modules/zeroTrust/.bicep/zeroTrustKeyVault.bicep
+++ b/workload/bicep/modules/zeroTrust/.bicep/zeroTrustKeyVault.bicep
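Review bot: The renamed comment `// Entra ID Join.` in managementVm.bicep no longer matches the value the condition directly below it checks, `identityServiceProvider == 'AAD'`, so a reader searching for the Entra ID path will not connect the comment to the selector value. Suggest `// Entra ID (formerly Azure AD) join; selected when identityServiceProvider == 'AAD'.` so the legacy value stays discoverable. The enclosing `managementVm` module body starts and ends outside the hunk.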
@@ -46,6 +46,8 @@ param tags object
 @sys.description('Do not modify, used to set unique value for resource deployment.')
 param time string = utcNow()
 
+@sys.description('Enable purge protection on the key vault')
+param enableKvPurgeProtection bool = true
 // =========== //
 // Variable declaration //
 // =========== //
@@ -62,7 +64,7 @@ module ztKeyVault '../../../../../carml/1.3.0/Microsoft.KeyVault/vaults/deploy.b
 name: kvName
 location: location
 enableRbacAuthorization: true
- enablePurgeProtection: true
+ enablePurgeProtection: enableKvPurgeProtection
 softDeleteRetentionInDays: 7
 publicNetworkAccess: 'Disabled'
 networkAcls: {
diff --git a/workload/bicep/modules/zeroTrust/deploy.bicep b/workload/bicep/modules/zeroTrust/deploy.bicep
index fea7c48c5..aebc74767 100644
--- a/workload/bicep/modules/zeroTrust/deploy.bicep
+++ b/workload/bicep/modules/zeroTrust/deploy.bicep
@@ -55,6 +55,9 @@ param keyVaultprivateDNSResourceId string
 @sys.description('Do not modify, used to set unique value for resource deployment.')
 param time string = utcNow()
 
+@sys.description('Enable purge protection on the key vault')
+param enableKvPurgeProtection bool = true
+
 // =========== //
 // Variable declaration //
 // =========== //
@@ -222,6 +225,7 @@ module ztKeyVault './.bicep/zeroTrustKeyVault.bicep' = if (diskZeroTrust) {
 diskEncryptionSetName: diskEncryptionSetName
 ztManagedIdentityResourceId: diskZeroTrust ? ztManagedIdentity.outputs.resourceId : ''
 tags: union(tags, kvTags)
+ enableKvPurgeProtection: enableKvPurgeProtection
 }
 }
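Review bot: The description `'Enable purge protection on the key vault'` on the new parameter in zeroTrustKeyVault.bicep differs from the one used for the same parameter in deploy-baseline.bicep, which carries the `(Default: true)` annotation; the module-level parameter should use the same wording so generated parameter docs agree. Suggest `@sys.description('Enable purge protection on the key vault. Cannot be disabled once enabled on an existing vault. (Default: true)')`. The same applies to the parameter added at -55 in modules/zeroTrust/deploy.bicep. If the new `param` line is directly followed by the `// =========== //` banner, as the collapsed hunk suggests, a blank line between them would match the layout of the other two files.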
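Review bot: Making `enablePurgeProtection` configurable on `ztKeyVault` conflicts with what this vault backs: the caller in modules/zeroTrust/deploy.bicep passes `diskEncryptionSetName` to the same module, and Azure requires soft delete and purge protection on a key vault that holds a disk encryption set key, so a deployment with `enableKvPurgeProtection: false` is likely to fail when the disk encryption set is created, or at best leaves the customer-managed key purgeable. Either keep `enablePurgeProtection: true` hard-coded for the zero-trust vault and expose the toggle only for `wrklKeyVault`, or state the constraint in the parameter description. The `ztKeyVault` module body continues past `networkAcls: {` outside the hunk.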