From 8d9703920c4ad45b6c77d45a5c0880d6cf3fea4d Mon Sep 17 00:00:00 2001
From: Tim Allen
Date: Wed, 29 May 2024 12:32:05 +0100
Subject: [PATCH] Add Key Vault purge protection variable (#3952)

* Update clean_validation_envs.yml
* update
* update BRANCH_LAST_ACTIVITY_IN_HOURS_FOR_STOP: 8
* add new variable
* update to allow kv var to be optional
* tf format
* Update clean_validation_envs.yml
---
 .github/actions/devcontainer_run_command/action.yml | 5 +++++
 .github/workflows/deploy_tre_reusable.yml | 1 +
 CHANGELOG.md | 1 +
 config.sample.yaml | 2 ++
 core/terraform/keyvault.tf | 2 +-
 core/terraform/variables.tf | 6 ++++++
 core/version.txt | 2 +-
 docs/tre-admins/environment-variables.md | 1 +
 8 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index d39dada904..18b44e2606 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -121,6 +121,10 @@ inputs:
 description: "JSON string containing key/value pairs to injet into the Resource Processor as ENV vars"
 required: false
 default: ""
+ KV_PURGE_PROTECTION_ENABLED:
+ description: "A boolean indicating if the purge protection will be enabled on the core keyvault."
+ required: false
+ default: "true"
 
 runs:
 using: composite
@@ -219,6 +223,7 @@ runs:
 -e IS_API_SECURED=${{ inputs.IS_API_SECURED }} \
 -e DOCKER_BUILDKIT=1 \
 -e TF_VAR_stateful_resources_locked=${{ inputs.STATEFUL_RESOURCES_LOCKED }} \
+ -e TF_VAR_kv_purge_protection_enabled="${{ inputs.KV_PURGE_PROTECTION_ENABLED }}" \
 -e TF_VAR_enable_airlock_malware_scanning=${{ inputs.ENABLE_AIRLOCK_MALWARE_SCANNING }} \
 -e CI_CACHE_ACR_NAME="${{ inputs.CI_CACHE_ACR_NAME }}" \
 -e TF_VAR_core_app_service_plan_sku="${{ (inputs.CORE_APP_SERVICE_PLAN_SKU != ''
diff --git a/.github/workflows/deploy_tre_reusable.yml b/.github/workflows/deploy_tre_reusable.yml
index 9a2f986f97..a8a3005dc0 100644
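Review bot: The added `-e TF_VAR_kv_purge_protection_enabled="${{ inputs.KV_PURGE_PROTECTION_ENABLED }}"` line interpolates an expression straight into the shell command line, so a value containing `"` or `$(` would break out of the quoting; this matches the neighbouring `-e` lines, and the source here is a repository variable (admin-controlled), so the exposure is low, but GitHub's own guidance is to pass such values through the step's `env:` block (`KV_PURGE: ${{ inputs.KV_PURGE_PROTECTION_ENABLED }}`) and reference `"$KV_PURGE"` in the script. Terraform's bool conversion accepts only `true`/`false` for a `TF_VAR_*` string, so a repo variable like `False` or `no` will fail at plan time rather than silently keep protection on; a one-line comment on the input, `# Must be the literal string "true" or "false" (Terraform bool).`, would save a confusing failure. The `docker run` command this line belongs to starts before the hunk and ends after it.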
--- a/.github/workflows/deploy_tre_reusable.yml
+++ b/.github/workflows/deploy_tre_reusable.yml
@@ -353,6 +353,7 @@ jobs:
 APPLICATION_ADMIN_CLIENT_ID: "${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}"
 APPLICATION_ADMIN_CLIENT_SECRET: "${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}"
 STATEFUL_RESOURCES_LOCKED: "${{ github.ref == 'refs/heads/main' && inputs.prRef == '' && true || false }}"
+ KV_PURGE_PROTECTION_ENABLED: ${{ vars.KV_PURGE_PROTECTION_ENABLED || true }}
 CORE_APP_SERVICE_PLAN_SKU: ${{ vars.CORE_APP_SERVICE_PLAN_SKU }}
 RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE: ${{ vars.RESOURCE_PROCESSOR_NUMBER_PROCESSES_PER_INSTANCE }}
 RP_BUNDLE_VALUES: ${{ vars.RP_BUNDLE_VALUES }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e0e08b7b2b..25e480c127 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ FEATURES:
 
 ENHANCEMENTS:
+* Add KeyVault Purge Protection Variable ([#3922](https://github.com/microsoft/AzureTRE/issues/3922))
 
 BUG FIXES:
 * Update Guacamole Linux VM Images to Ubuntu 22.04 LTS. Part of ([#3523](https://github.com/microsoft/AzureTRE/issues/3523))
diff --git a/config.sample.yaml b/config.sample.yaml
index e4c2f2d789..da877d0217 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -67,6 +67,8 @@ resource_processor:
 developer_settings:
 # Locks will not be added to stateful resources so they can be easily removed
 # stateful_resources_locked: false
+# TRE Core Key Vault purge protection will be disabled so it can be reused upon deletion
+# kv_purge_protection_enabled: false
 
 # This setting will enable your local machine to be able to
 # communicate with Service Bus and Cosmos. It will also allow deploying
diff --git a/core/terraform/keyvault.tf b/core/terraform/keyvault.tf
index 8260fb239e..659017dfb0 100644
--- a/core/terraform/keyvault.tf
+++ b/core/terraform/keyvault.tf
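Review bot: The new `KV_PURGE_PROTECTION_ENABLED` input has no branch guard, unlike the `STATEFUL_RESOURCES_LOCKED` line directly above it, which is forced to `true` for main-branch runs with no `prRef`; a repository variable set to `false` for PR/validation environments therefore also disables purge protection on whatever the main-branch deployment of this reusable workflow produces, which removes the only control that stops a soft-deleted core vault (and its secrets) being permanently purged within the retention window. If the intent is the same "developers only" scope the sibling setting has, mirror its guard: `KV_PURGE_PROTECTION_ENABLED: "${{ (github.ref == 'refs/heads/main' && inputs.prRef == '') || (vars.KV_PURGE_PROTECTION_ENABLED || true) }}"`. Quoting the expression also keeps the value a string like the other inputs rather than a YAML boolean when the variable is unset. Whether main-branch runs here are production deployments is inferred from the `STATEFUL_RESOURCES_LOCKED` condition and should be confirmed.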
@@ -4,7 +4,7 @@ resource "azurerm_key_vault" "kv" {
 location = azurerm_resource_group.core.location
 resource_group_name = azurerm_resource_group.core.name
 sku_name = "standard"
- purge_protection_enabled = true
+ purge_protection_enabled = var.kv_purge_protection_enabled
 tags = local.tre_core_tags
 
 lifecycle { ignore_changes = [access_policy, tags] }
diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
index 39702b98fb..724969d0b6 100644
--- a/core/terraform/variables.tf
+++ b/core/terraform/variables.tf
@@ -185,6 +185,12 @@ variable "is_cosmos_defined_throughput" {
 default = false
 }
 
+variable "kv_purge_protection_enabled" {
+ type = bool
+ description = "A boolean indicating if the purge protection will be enabled on the core keyvault."
+ default = true
+}
+
 variable "logging_level" {
 type = string
 default = "INFO"
diff --git a/core/version.txt b/core/version.txt
index 88081a7269..c0984d55cc 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.9.9"
+__version__ = "0.9.10"
diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md
index 815251cd84..55825e8ef9 100644
--- a/docs/tre-admins/environment-variables.md
+++ b/docs/tre-admins/environment-variables.md
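Review bot: Nothing in the new `purge_protection_enabled = var.kv_purge_protection_enabled` line stops a production deployment from turning purge protection off, and Azure does not allow purge protection to be disabled again once it has been enabled on an existing vault, so flipping the variable from `true` to `false` on an already-deployed core vault will be rejected at apply time rather than "reused upon deletion" as the sample config suggests; a comment on this line should say so. Since the same action already passes `TF_VAR_stateful_resources_locked` as the production-lock flag, a `precondition` in the existing `lifecycle` block could tie the two together so that a locked deployment cannot run without purge protection (requires Terraform 1.2+ and assumes `var.stateful_resources_locked` is declared in this module, which the hunk does not show). The `azurerm_key_vault.kv` resource starts before this hunk and its closing brace is after it.
```hcl
  # Irreversible in Azure: once true it cannot be set back to false on an existing
  # vault. Only disable for short-lived dev/CI environments.
  purge_protection_enabled = var.kv_purge_protection_enabled
  # … unchanged: tags …

  lifecycle {
    ignore_changes = [access_policy, tags]

    # A locked (production) deployment must keep purge protection on; without it a
    # soft-deleted vault and its secrets can be permanently purged in the retention window.
    precondition {
      condition     = var.kv_purge_protection_enabled || !var.stateful_resources_locked
      error_message = "kv_purge_protection_enabled must be true when stateful_resources_locked is true."
    }
  }
```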
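Review bot: The description of the new `kv_purge_protection_enabled` variable restates its name but omits the two facts an operator needs before setting it to `false`: Azure will not let purge protection be switched off again on an existing vault, and without it a soft-deleted vault and every secret in it can be permanently purged by anyone holding the purge permission during the retention window. Suggested wording: `description = "Enable purge protection on the core Key Vault. Keep true outside short-lived dev/CI environments: Azure does not allow it to be turned off again on an existing vault, and without it a soft-deleted vault and its secrets can be permanently purged within the retention window."`. The default of `true` is the right secure-by-default choice.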
@@ -31,6 +31,7 @@
 | `API_CLIENT_ID` | Generated when following [pre-deployment steps](./setup-instructions/setup-auth-entities.md) guide. Client id of the "TRE API". |
 | `API_CLIENT_SECRET` | Generated when following [pre-deployment steps](./setup-instructions/setup-auth-entities.md) guide. Client secret of the "TRE API". |
 | `STATEFUL_RESOURCES_LOCKED` | If set to `false` locks on stateful resources won't be created. A recommended setting for developers. |
+| `KV_PURGE_PROTECTION_ENABLED` | If set to `false` the core Key Vault's purge protection will be disabled so it can be reused upon deletion. A recommended setting for developers. |
 | `ENABLE_AIRLOCK_MALWARE_SCANNING` | If False, Airlock requests will skip the malware scanning stage. If set to True, Defender for Storage will be enabled. |
 | `ENABLE_LOCAL_DEBUGGING` | Set to `false` by default. Setting this to `true` will ensure that Azure resources are accessible from your local development machine. (e.g. ServiceBus and Cosmos) |
 | `PUBLIC_DEPLOYMENT_IP_ADDRESS` | The public IP address of the machine that is deploying TRE. (Your desktop or the build agents). In certain locations a dynamic script to retrieve this from [https://ipecho.net/plain](https://ipecho.net/plain) does not work. If this is the case, then you can 'hardcode' your IP. |