From 6acf7f62ac1be2a381647a4075b1b29c39c51d4b Mon Sep 17 00:00:00 2001
From: jonnyry
Date: Mon, 6 Jan 2025 11:43:21 +0000
Subject: [PATCH] Core key vault firewall should not be set to "Allow public access from all networks" #4250

---
 CHANGELOG.md               | 1 +
 core/terraform/keyvault.tf | 5 +++++
 core/version.txt           | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index df36da2a72..799ae7d74b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ ENHANCEMENTS:
 * Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949)
 * Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)])
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
+* Core key vault firewall should not be set to "Allow public access from all networks" ([#4250](https://github.com/microsoft/AzureTRE/issues/4250))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/core/terraform/keyvault.tf b/core/terraform/keyvault.tf
index 5d75ae9176..6bd0cd519b 100644
--- a/core/terraform/keyvault.tf
+++ b/core/terraform/keyvault.tf
@@ -8,6 +8,11 @@ resource "azurerm_key_vault" "kv" {
   purge_protection_enabled = var.kv_purge_protection_enabled
   tags = local.tre_core_tags
+  network_acls {
+    bypass = "AzureServices"
+    default_action = var.enable_local_debugging ? "Allow" : "Deny"
+  }
+
   lifecycle {
     ignore_changes = [access_policy, tags]
   }
 }
diff --git a/core/version.txt b/core/version.txt
index 87583f1acf..1e6e806534 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.15"
+__version__ = "0.11.16"
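Review bot: With `default_action = "Deny"` and no `ip_rules` or `virtual_network_subnet_ids` in the new `network_acls` block, the only data-plane paths left are trusted Azure services (via `bypass = "AzureServices"`) and whatever private connectivity the vault is given elsewhere in the module, so any step that writes secrets from outside that network — presumably the Terraform deployer itself — will be rejected unless it runs from inside the VNet or `enable_local_debugging` is set. That dependency is not stated in the hunk; a comment on the block, `# Deny by default: only trusted Azure services and the vault's private connectivity reach the data plane; enable_local_debugging reopens it to all networks (public access), so keep it off outside local development`, would make the trade-off and the purpose of the toggle explicit. Note that the `ignore_changes` list two lines below does not include `network_acls`, so Terraform will keep re-asserting this firewall setting on every apply, which is the desired behaviour for this fix. The enclosing `azurerm_key_vault` resource begins above the hunk.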