File tree Expand file tree Collapse file tree 1 file changed +12
-1
lines changed
src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/Scripts Expand file tree Collapse file tree 1 file changed +12
-1
lines changed Original file line number Diff line number Diff line change @@ -142,7 +142,18 @@ $ErrorActionPreference = "Stop"
142142 Set-AzureRmKeyVaultAccessPolicy - VaultName $keyVaultName - ServicePrincipalName $aadClientID - PermissionsToKeys wrapKey - PermissionsToSecrets set;
143143
144144 Set-AzureRmKeyVaultAccessPolicy - VaultName $keyVaultName - EnabledForDiskEncryption;
145-
145+
146+ # Enable soft delete on KeyVault to not lose encryption secrets
147+ Write-Host " Enabling Soft Delete on KeyVault $keyVaultName "
148+ $resource = Get-AzureRmResource - ResourceId $keyVault.ResourceId ;
149+ $resource.Properties | Add-Member - MemberType " NoteProperty" - Name " enableSoftDelete" - Value " true" - Force;
150+ Set-AzureRmResource - resourceid $resource.ResourceId - Properties $resource.Properties - Force;
151+
152+ # Enable ARM resource lock on KeyVault to prevent accidental key vault deletion
153+ Write-Host " Adding resource lock on KeyVault $keyVaultName "
154+ $lockNotes = " KeyVault may contain AzureDiskEncryption secrets required to boot encrypted VMs"
155+ New-AzureRmResourceLock - LockLevel CanNotDelete - LockName " LockKeyVault" - ResourceName $resource.Name - ResourceType $resource.ResourceType - ResourceGroupName $resource.ResourceGroupName - LockNotes $lockNotes - Force;
156+
146157 $diskEncryptionKeyVaultUrl = $keyVault.VaultUri ;
147158 $keyVaultResourceId = $keyVault.ResourceId ;
148159
You can’t perform that action at this time.
0 commit comments