From daa99406fa837f83ad5fc8b90216dde19c664cf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20DELMONT?= <kevin.delmont@visiativ.com>
Date: Thu, 12 Oct 2023 15:30:32 +0200
Subject: [PATCH 1/3] Add diagnostic on Azure Recovery Service Vault

---
 .github/workflows/standalone-scenarios.json   |   1 +
 .../106-asr-diagnostics/configuration.tfvars  | 150 ++++++++++++++++++
 modules/recovery_vault/diagnostics.tf         |   1 +
 modules/recovery_vault/variables.tf           |   9 +-
 recovery_vaults.tf                            |   1 +
 5 files changed, 161 insertions(+), 1 deletion(-)
 create mode 100644 examples/recovery_vault/106-asr-diagnostics/configuration.tfvars

diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index 38c6d74801..3bafbd6a8a 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -136,6 +136,7 @@
     "recovery_vault/103-asr-with-private-endpoint",
     "recovery_vault/104-backupvault-with-private-endpoint",
     "recovery_vault/105-asr-with-network-mapping",
+    "recovery_vault/106-asr-diagnostics",
     "redis_cache/103-redis-private-endpoints",
     "role_mapping/100-simple-role-mapping",
     "role_mapping/101-function-app-managed-identity",
diff --git a/examples/recovery_vault/106-asr-diagnostics/configuration.tfvars b/examples/recovery_vault/106-asr-diagnostics/configuration.tfvars
new file mode 100644
index 0000000000..314c84f211
--- /dev/null
+++ b/examples/recovery_vault/106-asr-diagnostics/configuration.tfvars
@@ -0,0 +1,150 @@
+global_settings = {
+  regions = {
+    region1 = "australiaeast"
+    region2 = "australiacentral"
+  }
+}
+resource_groups = {
+  primary = {
+    name = "sharedsvc_re1"
+  }
+}
+diagnostics_definition = {
+  azure_site_recovery = {
+    name                           = "operational_logs_and_metrics"
+    log_analytics_destination_type = "Dedicated"
+    categories = {
+      log = [
+        # ["Category name",  "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
+        ["AzureBackupReport", true, true, 0],
+        ["CoreAzureBackup", true, true, 0],
+        ["AddonAzureBackupAlerts", true, true, 0],
+        ["AddonAzureBackupJobs", true, true, 0],
+        ["AddonAzureBackupPolicy", true, true, 0],
+        ["AddonAzureBackupProtectedInstance", true, true, 0],
+        ["AddonAzureBackupStorage", true, true, 0],
+        ["AzureSiteRecoveryJobs", true, true, 0],
+        ["AzureSiteRecoveryEvents", true, true, 0],
+        ["AzureSiteRecoveryReplicatedItems", true, true, 0],
+        ["AzureSiteRecoveryReplicationStats", true, true, 0],
+        ["AzureSiteRecoveryRecoveryPoints", true, true, 0],
+        ["AzureSiteRecoveryReplicationDataUploadRate", true, true, 0],
+        ["AzureSiteRecoveryProtectedDiskDataChurn", true, true, 0],
+      ]
+      metric = [
+        ["AllMetrics", true, true, 0],
+      ]
+    }
+  }
+}
+
+diagnostic_event_hub_namespaces = {
+  event_hub_namespace1 = {
+    name               = "operation_logs"
+    resource_group_key = "primary"
+    sku                = "Standard"
+    region             = "region1"
+  }
+}
+
+diagnostics_destinations = {
+  event_hub_namespaces = {
+    central_logs_example = {
+      event_hub_namespace_key = "event_hub_namespace1"
+    }
+  }
+
+recovery_vaults = {
+  asr1 = {
+    name               = "vault_re1"
+    resource_group_key = "primary"
+
+    diagnostic_profiles = {
+      azure_site_recovery = {
+        definition_key   = "azure_site_recovery"
+        destination_type = "event_hub"
+        destination_key  = "central_logs_example"
+      }
+    }
+    region = "region1"
+
+    replication_policies = {
+      repl1 = {
+        name               = "policy1"
+        resource_group_key = "primary"
+
+        recovery_point_retention_in_minutes                  = 24 * 60
+        application_consistent_snapshot_frequency_in_minutes = 4 * 60
+      }
+    }
+
+
+    backup_policies = {
+      vms = {
+        policy1 = {
+          name                           = "VMBackupPolicy1"
+          vault_key                      = "asr1"
+          rg_key                         = "primary"
+          timezone                       = "UTC"
+          instant_restore_retention_days = 5
+          backup = {
+            frequency = "Daily"
+            time      = "23:00"
+            #if not desired daily, can pick weekdays as below:
+            #weekdays  = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
+          }
+          retention_daily = {
+            count = 10
+          }
+          retention_weekly = {
+            count    = 42
+            weekdays = ["Sunday", "Wednesday", "Friday", "Saturday"]
+          }
+          retention_monthly = {
+            count    = 7
+            weekdays = ["Sunday", "Wednesday"]
+            weeks    = ["First", "Last"]
+          }
+          retention_yearly = {
+            count    = 7
+            weekdays = ["Sunday"]
+            weeks    = ["Last"]
+            months   = ["January"]
+          }
+        }
+      }
+
+      fs = {
+        policy1 = {
+          name      = "FSBackupPolicy1"
+          vault_key = "asr1"
+          rg_key    = "primary"
+          timezone  = "UTC"
+          backup = {
+            frequency = "Daily"
+            time      = "23:00"
+          }
+          retention_daily = {
+            count = 1
+          }
+          retention_weekly = {
+            count    = 1
+            weekdays = ["Sunday", "Wednesday", "Friday", "Saturday"]
+          }
+          retention_monthly = {
+            count    = 1
+            weekdays = ["Sunday", "Wednesday"]
+            weeks    = ["First", "Last"]
+          }
+          retention_yearly = {
+            count    = 2
+            weekdays = ["Sunday"]
+            weeks    = ["Last"]
+            months   = ["January"]
+          }
+        }
+      }
+    }
+  }
+
+}
diff --git a/modules/recovery_vault/diagnostics.tf b/modules/recovery_vault/diagnostics.tf
index 0caaba4e20..50f56b34e9 100644
--- a/modules/recovery_vault/diagnostics.tf
+++ b/modules/recovery_vault/diagnostics.tf
@@ -1,6 +1,7 @@
 
 module "diagnostics" {
   source = "../diagnostics"
+  count  = var.diagnostic_profiles == null ? 0 : 1
 
   resource_id       = azurerm_recovery_services_vault.asr.id
   resource_location = local.location
diff --git a/modules/recovery_vault/variables.tf b/modules/recovery_vault/variables.tf
index 5f4359b7e4..aeae2a877a 100644
--- a/modules/recovery_vault/variables.tf
+++ b/modules/recovery_vault/variables.tf
@@ -4,7 +4,14 @@ variable "global_settings" {
   description = "Global settings object (see module README.md)"
 }
 
-variable "diagnostics" {}
+variable "diagnostic_profiles" {
+  default = {}
+}
+
+variable "diagnostics" {
+  default = null
+}
+
 variable "private_endpoints" {}
 variable "vnets" {}
 variable "client_config" {
diff --git a/recovery_vaults.tf b/recovery_vaults.tf
index 2449c3d201..47a45ccb57 100644
--- a/recovery_vaults.tf
+++ b/recovery_vaults.tf
@@ -6,6 +6,7 @@ module "recovery_vaults" {
   global_settings   = local.global_settings
   client_config     = local.client_config
   settings          = each.value
+  diagnostic_profiles = try(each.value.diagnostic_profiles, {})
   diagnostics       = local.combined_diagnostics
   identity          = try(each.value.identity, null)
   vnets             = try(local.combined_objects_networking, {})

From b061260c4b7423243da8a3d65ac05716e34ba84d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20DELMONT?= <kevin.delmont@visiativ.com>
Date: Tue, 17 Oct 2023 14:00:12 +0200
Subject: [PATCH 2/3] fix example - missing closing bracket

---
 examples/recovery_vault/106-asr-diagnostics/configuration.tfvars | 1 +
 1 file changed, 1 insertion(+)

diff --git a/examples/recovery_vault/106-asr-diagnostics/configuration.tfvars b/examples/recovery_vault/106-asr-diagnostics/configuration.tfvars
index 314c84f211..bd90d904f5 100644
--- a/examples/recovery_vault/106-asr-diagnostics/configuration.tfvars
+++ b/examples/recovery_vault/106-asr-diagnostics/configuration.tfvars
@@ -53,6 +53,7 @@ diagnostics_destinations = {
       event_hub_namespace_key = "event_hub_namespace1"
     }
   }
+}
 
 recovery_vaults = {
   asr1 = {

From 0a4aa4ae4e16342b7b2573c9653036aae0c59f24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20DELMONT?= <kevin.delmont@visiativ.com>
Date: Fri, 24 Nov 2023 17:06:41 +0100
Subject: [PATCH 3/3] fix

---
 .../standalone-scenarios-longrunners.json     |  1 +
 .../virtual_wan.tfvars                        | 98 +++++++++++++++++++
 keyvault_certificate_requests.tf              |  3 +-
 modules/compute/virtual_machine/vm_linux.tf   |  7 +-
 modules/compute/virtual_machine/vm_windows.tf |  3 +
 modules/networking/virtual_wan/variables.tf   |  5 +-
 .../virtual_hub/point_to_site_gateway.tf      | 10 +-
 .../virtual_wan/virtual_hub/variables.tf      |  5 +-
 modules/networking/virtual_wan/virtual_wan.tf |  1 +
 .../backup_policies_vm_workload.tf            | 78 +++++++++++++++
 modules/recovery_vault/outputs.tf             |  1 +
 modules/recovery_vault/recovery_vault.tf      | 16 +--
 modules/roles/custom_roles/module.tf          | 12 ++-
 .../global_sign.tf                            |  2 +-
 .../keyvault_certificate_request/output.tf    |  3 +
 .../keyvault_certificate_request/variables.tf |  1 +
 networking_virtual_hubs.tf                    |  1 +
 networking_virtual_wan.tf                     |  1 +
 18 files changed, 230 insertions(+), 18 deletions(-)
 create mode 100644 examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars
 create mode 100644 modules/recovery_vault/backup_policies_vm_workload.tf

diff --git a/.github/workflows/standalone-scenarios-longrunners.json b/.github/workflows/standalone-scenarios-longrunners.json
index 653d5955ce..dc0d12268f 100644
--- a/.github/workflows/standalone-scenarios-longrunners.json
+++ b/.github/workflows/standalone-scenarios-longrunners.json
@@ -30,6 +30,7 @@
     "networking/virtual_wan/104-vwan-hub-gw-spp",
     "networking/virtual_wan/105-vwan-hub-route-table",
     "networking/virtual_wan/109-vwan-vpn-gateway-connection",
+    "networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert",
     "redis_cache/100-redis-standard",
     "redis_cache/101-redis-diagnostics",
     "redis_cache/102-redis-private",
diff --git a/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars b/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars
new file mode 100644
index 0000000000..6dea339306
--- /dev/null
+++ b/examples/networking/virtual_wan/110-vwan-hub-gw-p2s-keyvault-cert/virtual_wan.tfvars
@@ -0,0 +1,98 @@
+global_settings = {
+  default_region = "region1"
+  regions = {
+    region1 = "australiaeast"
+  }
+}
+
+provider_azurerm_features_keyvault = {
+  // set to true to cleanup the CI
+  purge_soft_delete_on_destroy = true
+}
+
+resource_groups = {
+  hub_re1 = {
+    name   = "vnet-hub-re1"
+    region = "region1"
+  }
+}
+
+keyvaults = {
+  vwan-kv = {
+    name               = "vwan-kv"
+    resource_group_key = "hub_re1"
+    sku_name           = "standard"
+    creation_policies = {
+      logged_in_user = {
+        secret_permissions = ["Set", "Get", "List", "Delete", "Purge"]
+      }
+    }
+    secrets = {
+      ca_cert = {
+        name  = "ca-cert"
+        value = <<EOF
+          -----BEGIN CERTIFICATE-----
+          MIIDuzCCAqOgAwIBAgIQCHTZWCM+IlfFIRXIvyKSrjANBgkqhkiG9w0BAQsFADBn
+          MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+          d3cuZGlnaWNlcnQuY29tMSYwJAYDVQQDEx1EaWdpQ2VydCBGZWRlcmF0ZWQgSUQg
+          Um9vdCBDQTAeFw0xMzAxMTUxMjAwMDBaFw0zMzAxMTUxMjAwMDBaMGcxCzAJBgNV
+          BAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp
+          Y2VydC5jb20xJjAkBgNVBAMTHURpZ2lDZXJ0IEZlZGVyYXRlZCBJRCBSb290IENB
+          MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvAEB4pcCqnNNOWE6Ur5j
+          QPUH+1y1F9KdHTRSza6k5iDlXq1kGS1qAkuKtw9JsiNRrjltmFnzMZRBbX8Tlfl8
+          zAhBmb6dDduDGED01kBsTkgywYPxXVTKec0WxYEEF0oMn4wSYNl0lt2eJAKHXjNf
+          GTwiibdP8CUR2ghSM2sUTI8Nt1Omfc4SMHhGhYD64uJMbX98THQ/4LMGuYegou+d
+          GTiahfHtjn7AboSEknwAMJHCh5RlYZZ6B1O4QbKJ+34Q0eKgnI3X6Vc9u0zf6DH8
+          Dk+4zQDYRRTqTnVO3VT8jzqDlCRuNtq6YvryOWN74/dq8LQhUnXHvFyrsdMaE1X2
+          DwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV
+          HQ4EFgQUGRdkFnbGt1EWjKwbUne+5OaZvRYwHwYDVR0jBBgwFoAUGRdkFnbGt1EW
+          jKwbUne+5OaZvRYwDQYJKoZIhvcNAQELBQADggEBAHcqsHkrjpESqfuVTRiptJfP
+          9JbdtWqRTmOf6uJi2c8YVqI6XlKXsD8C1dUUaaHKLUJzvKiazibVuBwMIT84AyqR
+          QELn3e0BtgEymEygMU569b01ZPxoFSnNXc7qDZBDef8WfqAV/sxkTi8L9BkmFYfL
+          uGLOhRJOFprPdoDIUBB+tmCl3oDcBy3vnUeOEioz8zAkprcb3GHwHAK+vHmmfgcn
+          WsfMLH4JCLa/tRYL+Rw/N3ybCkDp00s0WUZ+AoDywSl0Q/ZEnNY0MsFiw6LyIdbq
+          M/s/1JRtO3bDSzD9TazRVzn2oBqzSa8VgIo5C1nOnoAKJTlsClJKvIhnRlaLQqk=
+          -----END CERTIFICATE-----
+          EOF
+      }
+    }
+  }
+}
+
+virtual_wans = {
+  vwan_re1 = {
+    resource_group_key = "hub_re1"
+    name               = "contosovWAN-re1"
+    region             = "region1"
+
+    hubs = {
+      hub_re1 = {
+        hub_name           = "hub-re1"
+        region             = "region1"
+        hub_address_prefix = "10.0.3.0/24"
+        deploy_p2s         = true
+        p2s_config = {
+          name       = "caf-sea-vpn-p2s"
+          scale_unit = 2
+          connection_configuration = {
+            name = "client-connections"
+            vpn_client_address_pool = {
+              address_prefixes = ["192.168.0.0/24"]
+            }
+          }
+          server_config = {
+            vpn_authentication_types = ["Certificate"]
+            client_root_certificate = {
+              name = "root-ca"
+              keyvault_secret = {
+                keyvault_key = "vwan-kv"
+                secret_name  = "ca-cert"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
diff --git a/keyvault_certificate_requests.tf b/keyvault_certificate_requests.tf
index eef12534d1..0cf9cc3e0a 100644
--- a/keyvault_certificate_requests.tf
+++ b/keyvault_certificate_requests.tf
@@ -6,8 +6,9 @@ module "keyvault_certificate_requests" {
   depends_on = [module.keyvault_certificate_issuers, module.domain_name_registrations]
   source     = "./modules/security/keyvault_certificate_request"
   for_each   = local.security.keyvault_certificate_requests
-
+  
   keyvault_id               = can(each.value.keyvault_id) ? each.value.keyvault_id : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].id
+  keyvault_uri              = can(each.value.keyvault_uri) ? each.value.keyvault_uri : local.combined_objects_keyvaults[try(each.value.lz_key, local.client_config.landingzone_key)][each.value.keyvault_key].vault_uri
   cert_secret_name          = can(each.value.cert_secret_name) || can(each.value.cert_password_key) == false ? try(each.value.cert_secret_name, null) : var.security.dynamic_keyvault_secrets[each.value.keyvault_key][each.value.cert_password_key].secret_name
   certificate_issuers       = try(var.security.keyvault_certificate_issuers, {})
   settings                  = each.value
diff --git a/modules/compute/virtual_machine/vm_linux.tf b/modules/compute/virtual_machine/vm_linux.tf
index cf8ca67bd9..a791462a52 100644
--- a/modules/compute/virtual_machine/vm_linux.tf
+++ b/modules/compute/virtual_machine/vm_linux.tf
@@ -76,13 +76,16 @@ resource "azurerm_linux_virtual_machine" "vm" {
   size                            = each.value.size
   tags                            = merge(local.tags, try(each.value.tags, null))
   zone                            = try(each.value.zone, null)
+  secure_boot_enabled             = try(each.value.secure_boot_enabled, null)
+  vtpm_enabled                    = try(each.value.vtpm_enabled, null)
+
 
   custom_data = try(
     try(
       try(local_sensitive_file.custom_data[each.key].content_base64, local.dynamic_custom_data[each.value.custom_data][each.value.name]),
-      try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))), 
+      try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data))),
   null)
-  
+
 
   dedicated_host_id = can(each.value.dedicated_host.key) ? var.dedicated_hosts[try(each.value.dedicated_host.lz_key, var.client_config.landingzone_key)][each.value.dedicated_host.key].id : try(each.value.dedicated_host.id, null)
 
diff --git a/modules/compute/virtual_machine/vm_windows.tf b/modules/compute/virtual_machine/vm_windows.tf
index 979bb89ddc..6d1d37ee14 100644
--- a/modules/compute/virtual_machine/vm_windows.tf
+++ b/modules/compute/virtual_machine/vm_windows.tf
@@ -63,6 +63,9 @@ resource "azurerm_windows_virtual_machine" "vm" {
   tags                         = merge(local.tags, try(each.value.tags, null))
   timezone                     = try(each.value.timezone, null)
   zone                         = try(each.value.zone, null)
+  secure_boot_enabled          = try(each.value.secure_boot_enabled, null)
+  vtpm_enabled                 = try(each.value.vtpm_enabled, null)
+
 
   custom_data = try(
     try(filebase64(format("%s/%s", path.cwd, each.value.custom_data)), base64encode(each.value.custom_data)),
diff --git a/modules/networking/virtual_wan/variables.tf b/modules/networking/virtual_wan/variables.tf
index 8248462fec..425fb35aff 100644
--- a/modules/networking/virtual_wan/variables.tf
+++ b/modules/networking/virtual_wan/variables.tf
@@ -23,6 +23,9 @@ variable "virtual_networks" {
 variable "public_ip_addresses" {
   description = "Combined object for public ip addresses"
 }
+variable "keyvaults" {
+  description = "Combined object for keyvaults"
+}
 variable "client_config" {
 
-}
\ No newline at end of file
+}
diff --git a/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf b/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf
index bdf1bafb6d..1412176ebc 100644
--- a/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf
+++ b/modules/networking/virtual_wan/virtual_hub/point_to_site_gateway.tf
@@ -64,7 +64,7 @@ resource "azurerm_vpn_server_configuration" "p2s_configuration" {
     for_each = contains(var.virtual_hub_config.p2s_config.server_config.vpn_authentication_types, "Certificate") ? [1] : []
     content {
       name             = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.name
-      public_cert_data = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.public_cert_data
+      public_cert_data = can(var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret) ? replace(replace(data.azurerm_key_vault_secret.vpn_client_configuration_root_certificate[0].value, "-----BEGIN CERTIFICATE-----", ""), "-----END CERTIFICATE-----", "") : var.virtual_hub_config.p2s_config.server_config.client_root_certificate.public_cert_data
     }
   }
 
@@ -78,3 +78,11 @@ resource "azurerm_vpn_server_configuration" "p2s_configuration" {
   }
 }
 
+data "azurerm_key_vault_secret" "vpn_client_configuration_root_certificate" {
+  count = try(var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret, null) != null ? 1 : 0
+  name  = var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.secret_name
+  key_vault_id = try(
+    var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.key_vault_id,
+    var.keyvaults[try(var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.lz_key, var.client_config.landingzone_key)][var.virtual_hub_config.p2s_config.server_config.client_root_certificate.keyvault_secret.keyvault_key].id
+  )
+}
diff --git a/modules/networking/virtual_wan/virtual_hub/variables.tf b/modules/networking/virtual_wan/virtual_hub/variables.tf
index 10fc694b91..f5d9fae1a8 100644
--- a/modules/networking/virtual_wan/virtual_hub/variables.tf
+++ b/modules/networking/virtual_wan/virtual_hub/variables.tf
@@ -45,6 +45,9 @@ variable "virtual_networks" {
 variable "public_ip_addresses" {
   description = "Combined object for public ip addresses"
 }
+variable "keyvaults" {
+  description = "Combined object for keyvaults"
+}
 variable "client_config" {
 
-}
\ No newline at end of file
+}
diff --git a/modules/networking/virtual_wan/virtual_wan.tf b/modules/networking/virtual_wan/virtual_wan.tf
index f8d625ee83..b0bb2b03e8 100644
--- a/modules/networking/virtual_wan/virtual_wan.tf
+++ b/modules/networking/virtual_wan/virtual_wan.tf
@@ -34,5 +34,6 @@ module "hubs" {
   tags                = merge(try(each.value.tags, null), local.tags)
   virtual_hub_config  = each.value
   virtual_networks    = var.virtual_networks
+  keyvaults = var.keyvaults
   vwan_id             = azurerm_virtual_wan.vwan.id
 }
diff --git a/modules/recovery_vault/backup_policies_vm_workload.tf b/modules/recovery_vault/backup_policies_vm_workload.tf
new file mode 100644
index 0000000000..b40bffdeda
--- /dev/null
+++ b/modules/recovery_vault/backup_policies_vm_workload.tf
@@ -0,0 +1,78 @@
+resource "azurerm_backup_policy_vm_workload" "vm_workload" {
+  for_each = try(var.settings.backup_policies.vm_workloads, {})
+
+  name                = each.value.name
+  resource_group_name = local.resource_group_name
+  recovery_vault_name = azurerm_recovery_services_vault.asr.name
+  workload_type       = each.value.workload_type
+
+  settings {
+    time_zone           = each.value.timezone
+    compression_enabled = each.value.compression_enabled
+  }
+
+  dynamic "protection_policy" {
+    for_each = each.value.protection_policies
+
+    content {
+      policy_type =  protection_policy.value.policy_type
+
+      backup {
+        frequency            = try(protection_policy.value.backup.frequency, null)
+        frequency_in_minutes = try(protection_policy.value.backup.frequency_in_minutes, null)
+        time                 = try(protection_policy.value.backup.time, null)
+        weekdays             = try(protection_policy.value.backup.weekdays, null)
+      }
+
+      dynamic "retention_daily" {
+        for_each = lookup(protection_policy.value, "retention_daily", null) == null ? [] : [1]
+
+        content {
+          count = protection_policy.value.retention_daily.count
+        }
+      }
+
+      dynamic "retention_weekly" {
+        for_each = lookup(protection_policy.value, "retention_weekly", null) == null ? [] : [1]
+
+        content {
+          count    = protection_policy.value.retention_weekly.count
+          weekdays = protection_policy.value.retention_weekly.weekdays
+        }
+      }
+
+      dynamic "retention_monthly" {
+        for_each = lookup(protection_policy.value, "retention_monthly", null) == null ? [] : [1]
+
+        content {
+          count       = protection_policy.value.retention_monthly.count
+          format_type = protection_policy.value.retention_monthly.format_type
+          monthdays   = try(protection_policy.value.retention_monthly.monthdays, null)
+          weekdays    = try(protection_policy.value.retention_monthly.weekdays, null)
+          weeks       = try(protection_policy.value.retention_monthly.weeks, null)
+        }
+      }
+
+      dynamic "retention_yearly" {
+        for_each = lookup(protection_policy.value, "retention_yearly", null) == null ? [] : [1]
+
+        content {
+          count       = protection_policy.value.retention_yearly.count
+          format_type = protection_policy.value.retention_yearly.format_type
+          months      = protection_policy.value.retention_yearly.months
+          monthdays   = try(protection_policy.value.retention_yearly.monthdays, null)
+          weekdays    = try(protection_policy.value.retention_yearly.weekdays, null)
+          weeks       = try(protection_policy.value.retention_yearly.weeks, null)
+        }
+      }
+
+      dynamic "simple_retention" {
+        for_each = lookup(protection_policy.value, "simple_retention", null) == null ? [] : [1]
+
+        content {
+          count = protection_policy.value.simple_retention.count
+        }
+      }
+    }
+  }
+}
diff --git a/modules/recovery_vault/outputs.tf b/modules/recovery_vault/outputs.tf
index 936572ebe9..7ddb9fc6b3 100644
--- a/modules/recovery_vault/outputs.tf
+++ b/modules/recovery_vault/outputs.tf
@@ -16,6 +16,7 @@ output "backup_policies" {
   value = {
     virtual_machines = azurerm_backup_policy_vm.vm
     file_shares      = azurerm_backup_policy_file_share.fs
+    vm_workloads      = azurerm_backup_policy_vm_workload.vm_workload
   }
 }
 
diff --git a/modules/recovery_vault/recovery_vault.tf b/modules/recovery_vault/recovery_vault.tf
index 4d73f65dba..eecd16a3ac 100644
--- a/modules/recovery_vault/recovery_vault.tf
+++ b/modules/recovery_vault/recovery_vault.tf
@@ -12,13 +12,15 @@ resource "azurecaf_name" "asr_rg_vault" {
 }
 
 resource "azurerm_recovery_services_vault" "asr" {
-  name                = azurecaf_name.asr_rg_vault.result
-  location            = local.location
-  resource_group_name = local.resource_group_name
-  sku                 = "Standard"
-  tags                = merge(local.tags, try(var.settings.tags, null))
-  soft_delete_enabled = try(var.settings.soft_delete_enabled, true)
-  storage_mode_type   = try(var.settings.storage_mode_type, "GeoRedundant")
+  name                          = azurecaf_name.asr_rg_vault.result
+  location                      = local.location
+  resource_group_name           = local.resource_group_name
+  sku                           = "Standard"
+  tags                          = merge(local.tags, try(var.settings.tags, null))
+  soft_delete_enabled           = try(var.settings.soft_delete_enabled, true)
+  storage_mode_type             = try(var.settings.storage_mode_type, "GeoRedundant")
+  public_network_access_enabled = try(var.settings.public_network_access_enabled, null)
+  immutability                  = try(var.settings.immutability, null)
 
   identity {
     type = "SystemAssigned"
diff --git a/modules/roles/custom_roles/module.tf b/modules/roles/custom_roles/module.tf
index afcc8b8aa9..81d5bf91c1 100644
--- a/modules/roles/custom_roles/module.tf
+++ b/modules/roles/custom_roles/module.tf
@@ -1,13 +1,17 @@
 
+locals {
+  global_settings = merge(var.global_settings, var.custom_role.global_settings)
+}
+
 resource "azurecaf_name" "custom_role" {
   name          = var.custom_role.name
   resource_type = "azurerm_resource_group"
   #TODO: need to be changed to appropriate resource (no caf reference for now)
-  prefixes      = var.global_settings.prefixes
-  random_length = var.global_settings.random_length
+  prefixes      = local.global_settings.prefixes
+  random_length = local.global_settings.random_length
   clean_input   = true
-  passthrough   = var.global_settings.passthrough
-  use_slug      = var.global_settings.use_slug
+  passthrough   = local.global_settings.passthrough
+  use_slug      = local.global_settings.use_slug
 }
 
 resource "azurerm_role_definition" "custom_role" {
diff --git a/modules/security/keyvault_certificate_request/global_sign.tf b/modules/security/keyvault_certificate_request/global_sign.tf
index 4d37d173f1..ab89721e1e 100644
--- a/modules/security/keyvault_certificate_request/global_sign.tf
+++ b/modules/security/keyvault_certificate_request/global_sign.tf
@@ -5,7 +5,7 @@ data "external" "password" {
     "bash", "-c",
     format(
       "az keyvault secret show --id '%s'secrets/'%s' --query '{value: value}' -o json",
-      var.keyvault_id,
+      var.keyvault_uri,
       var.cert_secret_name
     )
   ]
diff --git a/modules/security/keyvault_certificate_request/output.tf b/modules/security/keyvault_certificate_request/output.tf
index be939cec82..306e00551f 100644
--- a/modules/security/keyvault_certificate_request/output.tf
+++ b/modules/security/keyvault_certificate_request/output.tf
@@ -4,6 +4,9 @@ output "id" {
 output "keyvault_id" {
   value = var.keyvault_id
 }
+output "keyvault_uri" {
+  value = var.keyvault_uri
+}
 output "secret_id" {
   value = azurerm_key_vault_certificate.csr.secret_id
 }
diff --git a/modules/security/keyvault_certificate_request/variables.tf b/modules/security/keyvault_certificate_request/variables.tf
index 5f3a19f4c3..df115d8202 100644
--- a/modules/security/keyvault_certificate_request/variables.tf
+++ b/modules/security/keyvault_certificate_request/variables.tf
@@ -2,6 +2,7 @@ variable "certificate_issuers" {
   default = {}
 }
 variable "keyvault_id" {}
+variable "keyvault_uri" {}
 variable "settings" {}
 variable "domain_name_registrations" {
   default = {}
diff --git a/networking_virtual_hubs.tf b/networking_virtual_hubs.tf
index 0b9d0066ea..5798210db1 100644
--- a/networking_virtual_hubs.tf
+++ b/networking_virtual_hubs.tf
@@ -23,6 +23,7 @@ module "virtual_hubs" {
   tags                = try(local.global_settings.inherit_tags, false) ? merge(local.combined_objects_resource_groups[try(each.value.resource_group.lz_key, local.client_config.landingzone_key)][each.value.resource_group.key].tags, try(each.value.tags, null)) : {}
   virtual_hub_config  = each.value
   virtual_networks    = local.combined_objects_networking
+  keyvaults           = local.combined_objects_keyvaults
   vwan_id             = can(each.value.virtual_wan) ? local.combined_objects_virtual_wans[try(each.value.virtual_wan.lz_key, local.client_config.landingzone_key)][each.value.virtual_wan.key].virtual_wan.id : null
 }
 
diff --git a/networking_virtual_wan.tf b/networking_virtual_wan.tf
index c1bdd4f119..9363cfde01 100644
--- a/networking_virtual_wan.tf
+++ b/networking_virtual_wan.tf
@@ -25,5 +25,6 @@ module "virtual_wans" {
   global_settings     = local.global_settings
   virtual_networks    = local.combined_objects_networking
   public_ip_addresses = local.combined_objects_public_ip_addresses
+  keyvaults           = local.combined_objects_keyvaults
 }