[Hubs] Add optional Key Vault purge protection parameter #1861

@MSBrett

Description

💡 Feature Request

Add an optional parameter to enable purge protection on the Key Vault deployed with FinOps hubs.

🎯 Problem

Enterprise-scale Azure Landing Zone policies often require purge protection to be enabled on Key Vaults for compliance and security. The current FinOps hub deployment does not support enabling this feature, causing policy violations in compliant environments.

✅ Proposed Solution

Add an enablePurgeProtection parameter (default: false) that:

  • Is exposed in main.bicep as an optional parameter
  • Passes through to modules/hub.bicep and modules/keyVault.bicep
  • Sets enablePurgeProtection: enablePurgeProtection on the Key Vault resource

Implementation Details

File: src/templates/finops-hub/main.bicep

@description('Optional. Enable purge protection for Azure KeyVault. Default: false.')
param enablePurgeProtection bool = false

File: src/templates/finops-hub/modules/hub.bicep

@description('Optional. Enable purge protection of the keyvault. Default: false.')
param enablePurgeProtection bool = false

// Pass to keyVault module
module keyVault 'keyVault.bicep' = if (!empty(remoteHubStorageKey)) {
  // ...
  params: {
    // ...
    enablePurgeProtection: enablePurgeProtection
  }
}

File: src/templates/finops-hub/modules/keyVault.bicep

@description('Optional. Enable purge protection of the Key Vault. Default: false.')
param enablePurgeProtection bool = false

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  // ... (name, location, sku, tenantId and the other existing settings are unchanged)
  properties: {
    // ...
    enablePurgeProtection: enablePurgeProtection
  }
}

📚 References

📋 Additional Context

This feature is optional with false as the default to maintain backward compatibility. Users deploying into policy-compliant environments can set enablePurgeProtection: true in their deployment parameters.
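As an added example (not part of this issue or of the FinOps toolkit), the following script performs the check that landing-zone policy performs at deploy time, but offline: it reads a compiled ARM template of the shape `az bicep build` emits, resolves simple `[parameters('...')]` references against the template defaults and any deployment-parameter overrides, and reports every Key Vault that would be created without purge protection (or without soft delete, which purge protection requires). The embedded template and the vault name `kv-finops-hub` are constructed for the example and are not the hub's real compiled output.

```python
import json
import re

# Constructed sample: a minimal ARM template of the shape `az bicep build`
# emits for a Key Vault module. Not the FinOps hub's real compiled output.
SAMPLE_TEMPLATE = json.dumps({
    "parameters": {
        "enablePurgeProtection": {"type": "bool", "defaultValue": False},
    },
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2023-02-01",
            "name": "kv-finops-hub",  # constructed name
            "properties": {
                "enableSoftDelete": True,
                "enablePurgeProtection": "[parameters('enablePurgeProtection')]",
            },
        },
        {
            # A non-vault resource, included to show it is ignored.
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "stfinopshub",
        },
    ],
})

# Matches the only expression form this checker resolves: [parameters('name')]
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, template, overrides):
    """Return a literal as-is, or resolve a [parameters('x')] reference.

    Deployment-parameter overrides win over the template's defaultValue,
    mirroring how Azure Resource Manager binds parameters at deploy time.
    """
    if isinstance(value, str):
        m = PARAM_REF.match(value)
        if m:
            name = m.group(1)
            if name in overrides:
                return overrides[name]
            return template.get("parameters", {}).get(name, {}).get("defaultValue")
    return value


def audit_key_vaults(template_json, overrides=None):
    """Return (vault name, reason) findings for vaults lacking purge protection.

    A missing enableSoftDelete is treated as enabled because the service
    defaults it on; a missing enablePurgeProtection is treated as disabled.
    """
    overrides = overrides or {}
    template = json.loads(template_json)
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        props = res.get("properties", {})
        soft_delete = resolve(props.get("enableSoftDelete", True), template, overrides)
        purge = resolve(props.get("enablePurgeProtection", False), template, overrides)
        if purge is not True:
            findings.append((res.get("name"), "enablePurgeProtection is not true"))
        if soft_delete is not True:
            findings.append((res.get("name"), "enableSoftDelete is not true (purge protection requires it)"))
    return findings


if __name__ == "__main__":
    print("defaults:", audit_key_vaults(SAMPLE_TEMPLATE))
    print("with enablePurgeProtection=true:",
          audit_key_vaults(SAMPLE_TEMPLATE, {"enablePurgeProtection": True}))
```

Run against the sample, the template defaults produce one finding for `kv-finops-hub` and the override `{"enablePurgeProtection": True}` produces none, which is the behaviour the proposal intends: compliant environments opt in, everyone else keeps the current deployment. Note when deciding to opt in that Azure does not allow purge protection to be turned off again once it has been enabled on a vault.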

Credit: Solution originally proposed by @ankurshukla03 in PR #1349.
