CKV_AZURE_189 should account for empty ip_rules #7384

@Matthijsy

Describe the issue
When passing an empty ip_rules to an azurerm_key_vault, this results in a Key Vault which is not publicly available. However, CKV_AZURE_189 complains that it is publicly reachable.

Examples
This example should be approved, since it results in a non-reachable key-vault.

resource "azurerm_key_vault" "main" {
  name                          = "test"
  public_network_access_enabled = true
  purge_protection_enabled      = true

  network_acls {
    bypass         = "None"
    default_action = "Deny"
    ip_rules       = []
  }
}

Version (please complete the following information):
3.2.460
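
The evaluation requested in the report above, as an added example that is neither part of the original issue nor checkov's own code: it classifies a Key Vault from `public_network_access_enabled`, `default_action` and `ip_rules`, treating an empty `ip_rules` list as "nothing allow-listed". The function name `classify_key_vault_exposure` and the plain-dict resource shape are assumptions made for this sketch.

```python
# Added illustration; not checkov source code.
# Assumption: the resource is a plain dict mirroring the Terraform attributes.

def classify_key_vault_exposure(resource: dict) -> str:
    """Return 'private', 'restricted' or 'public' for an azurerm_key_vault dict."""
    # public_network_access_enabled defaults to true in the azurerm provider.
    if resource.get("public_network_access_enabled", True) is False:
        return "private"

    acls = resource.get("network_acls")
    if not acls:
        # No firewall block at all: every network is allowed.
        return "public"

    if str(acls.get("default_action", "")).lower() != "deny":
        return "public"

    # default_action is Deny. Only allow-listed public IPs can get through.
    # A missing key and an empty list are equivalent: no IP is allow-listed.
    ip_rules = [r for r in (acls.get("ip_rules") or []) if str(r).strip()]
    # bypass and virtual_network_subnet_ids are not evaluated in this sketch.
    return "restricted" if ip_rules else "private"


# Constructed sample resources; the first mirrors the example in the issue.
SAMPLES = {
    "issue_example": {
        "public_network_access_enabled": True,
        "network_acls": {"bypass": "None", "default_action": "Deny", "ip_rules": []},
    },
    "allow_listed": {
        "network_acls": {"default_action": "Deny", "ip_rules": ["203.0.113.10"]},
    },
    "default_allow": {
        "network_acls": {"default_action": "Allow", "ip_rules": []},
    },
    "no_acl_block": {"public_network_access_enabled": True},
    "public_access_off": {"public_network_access_enabled": False},
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name}: {classify_key_vault_exposure(conf)}")
```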
