CRITICAL
Source
Trivy
ID
AVD-AZU-0013

Key vault should have the network acl block specified

Network ACLs reduce your exposure to risk by restricting which networks (public IP ranges and virtual network subnets) can reach the key vault's data plane. Without them the vault accepts connections from any network, so a leaked credential or over-broad access policy can be exploited from anywhere on the internet.

The network ACL's default_action should be set to Deny so that requests from IP addresses and subnets that match no rule are rejected. Trusted Azure services (for example Azure Disk Encryption or Azure Backup) can be allowed past the firewall with bypass = "AzureServices"; use bypass = "None" if no such service needs the vault.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Set a network ACL for the key vault

# The attributes azurerm_key_vault requires but the original snippet omitted
# (resource_group_name, tenant_id, sku_name) are filled in below; looking up
# the tenant through azurerm_client_config is an assumption for this example.
data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "good_example" {
  name                        = "examplekeyvault"
  location                    = azurerm_resource_group.good_example.location
  resource_group_name         = azurerm_resource_group.good_example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "standard"
  enabled_for_disk_encryption = true
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  # The check passes only when this block is present and default_action is "Deny".
  network_acls {
    bypass         = "AzureServices" # trusted Microsoft services may bypass the firewall
    default_action = "Deny"          # reject anything not matched by ip_rules / virtual_network_subnet_ids
  }
}
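The following is an added example, not code from the AVD page or from Trivy: it places a vault that fails this check beside one that passes it and still admits the sources that genuinely need access. The resource group azurerm_resource_group.example, the subnet azurerm_subnet.app and the 203.0.113.0/24 range (an IETF documentation range standing in for a CI runner's egress IP) are assumptions for the example.

```hcl
# Constructed example (not from the AVD page): a vault that fails AVD-AZU-0013
# beside one that passes and still lets a known CI runner and one subnet reach it.
data "azurerm_client_config" "current" {}

# Fails: default_action is "Allow", so the firewall admits every network
# (a resource with no network_acls block at all fails the same way).
resource "azurerm_key_vault" "bad_example" {
  name                = "examplekeyvault-open"
  location            = azurerm_resource_group.example.location  # assumed resource group
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    bypass         = "AzureServices"
    default_action = "Allow"
  }
}

# Passes: deny by default, then allow only the sources that need the data plane.
resource "azurerm_key_vault" "hardened_example" {
  name                = "examplekeyvault-locked"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    default_action = "Deny"
    # Use "None" when no trusted Microsoft service (disk encryption, backup, ...) needs the vault.
    bypass = "AzureServices"
    # Public source ranges only; Azure rejects private (RFC 1918) ranges here.
    # 203.0.113.0/24 is a documentation range standing in for the CI runner's egress IP (assumed).
    ip_rules = ["203.0.113.0/24"]
    # Listed subnets must have the Microsoft.KeyVault service endpoint enabled;
    # a private endpoint is the alternative for traffic that never leaves the VNet.
    virtual_network_subnet_ids = [azurerm_subnet.app.id]  # assumed subnet
  }
}
```

Two caveats when applying this. First, the network ACL governs the data plane only: Terraform can still create and update the vault resource itself through Azure Resource Manager, but any azurerm_key_vault_secret or azurerm_key_vault_key resources managed from the same pipeline will start failing with 403 once default_action is Deny unless the runner's egress IP (or subnet) is listed, so add the rule in the same apply that locks the vault down. Second, the ACL restricts where requests may come from, not who may make them; access policies or Azure RBAC still decide what a caller can do once it is through the firewall. Running trivy config against the directory reports the bad_example resource and passes the hardened one.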