From 23954816e5b80cd22766d004250a079bd352026a Mon Sep 17 00:00:00 2001
From: lansalot <lansalot@gmail.com>
Date: Tue, 6 Jan 2026 15:52:12 +0000
Subject: [PATCH] Enable soft delete for Key Vault

To align with alz-bicep landing-zone deployment, and specifically the policy "Enforce recommended guardrails for Azure Key Vault", soft-delete should be enabled.
---
 deploy/modules/keyVault.bicep | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/deploy/modules/keyVault.bicep b/deploy/modules/keyVault.bicep
index 078ba58..1f9ab5e 100644
--- a/deploy/modules/keyVault.bicep
+++ b/deploy/modules/keyVault.bicep
@@ -34,7 +34,9 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
   name: keyVaultName
   location: location
   properties: {
+    enableSoftDelete: true
     enablePurgeProtection: true
+    softDeleteRetentionInDays: 7
     enableRbacAuthorization: true
     tenantId: tenantId
     sku: {