KeyVault secrets are passed to module w/o secure() decorator.

[jongio]

This app creates secrets in bulk, but passes those secrets from main.bicep w/o using the secure decorator. Those secrets with therefore be in plaintext in the Azure deployment.

Add secure() here.

azure-search-openai-demo-csharp/infra/core/security/keyvault-secrets.bicep

Line 3 in fb1ca32

param secrets array = []

If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

[LittleLittleCloud]

[LittleLittleCloud]

@jongio Can you share an example on adding secure decorator to individual module?

[jongio]

I'd go this route:

If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

[luisquintanilla]

I'd go this route:

If that isn't possible, then remove the keyvault-secrets.bicep file and create them with individual module references and a secure decorator on the key.

@jongio do we have a sample of this?

[luisquintanilla]

@LittleLittleCloud are we okay to close this one?

[jongio]

I'd remove "secrets" file and set each one individually so they are passed securely.