fix(LINK-4201): proper configuration of key vaults

[wilderj]

Summary

This resolves an escalation raised by an Azure AWLS customer -- they have an org policy that restricts the creation of new key vaults, and while we provide a variable to provide an existing key vault for AWLS to use, our current module ignores this variable and attempts to create a new key vault regardless.

This PR ensures that we actually use the existing key vault if configured to do so.

How did you test this change?

The customer actually made these changes themselves, confirmed that the issue was fixed, and then provided the necessary code changes back to us.

Issue

https://lacework.atlassian.net/browse/LINK-4201

[lacework-code-security]

Infrastructure as Code - Found 12 new potential violation(s) - Severity 🛑 High

Expand Details

The Lacework FortiCNAPP Infrastructure as Code (IaC) static analyzer evaluated infrastructure as code (IaC) files and identified the following security and compliance violations in the source branch. See summary in Lacework FortiCNAPP.

Violation	Description	Location	Severity
Ensure that Key Vault enables purge protection	Ensure that Azure Key Vault enables purge protection to prevent unauthorized deletion of sensitive cryptographic material.	main.tf#L272 examples/tenant-single-region/../../	🛑 High
Ensure that Key Vault implements network access restrictions	Ensure that Azure Key Vault is protected by network access control rules.	main.tf#L272 examples/custom-vnet/../../	🛑 High
Ensure that Key Vault implements network access restrictions	Ensure that Azure Key Vault is protected by network access control rules.	main.tf#L272 examples/subscription-multi-region/../../	🛑 High
Ensure that Key Vault enables purge protection	Ensure that Azure Key Vault enables purge protection to prevent unauthorized deletion of sensitive cryptographic material.	main.tf#L272 examples/tenant-multi-region/../../	🛑 High
Ensure that Key Vault enables purge protection	Ensure that Azure Key Vault enables purge protection to prevent unauthorized deletion of sensitive cryptographic material.	main.tf#L272 examples/custom-vnet/../../	🛑 High
Ensure that Key Vault implements network access restrictions	Ensure that Azure Key Vault is protected by network access control rules.	main.tf#L272 examples/tenant-multi-region/../../	🛑 High
Ensure that Key Vault implements network access restrictions	Ensure that Azure Key Vault is protected by network access control rules.	main.tf#L272 examples/tenant-single-region/../../	🛑 High
Ensure that Key Vault enables purge protection	Ensure that Azure Key Vault enables purge protection to prevent unauthorized deletion of sensitive cryptographic material.	main.tf#L272 examples/subscription-multi-region/../../	🛑 High
Enable purge protection for Azure Key Vaults	Ensure Azure Key Vault has purge protection enabled	main.tf#L272 examples/tenant-single-region/../../	🟧 Medium
Enable purge protection for Azure Key Vaults	Ensure Azure Key Vault has purge protection enabled	main.tf#L272 examples/subscription-multi-region/../../	🟧 Medium
Enable purge protection for Azure Key Vaults	Ensure Azure Key Vault has purge protection enabled	main.tf#L272 examples/tenant-multi-region/../../	🟧 Medium
Enable purge protection for Azure Key Vaults	Ensure Azure Key Vault has purge protection enabled	main.tf#L272 examples/custom-vnet/../../	🟧 Medium

[kirklandnuts]

just had one question re: the key vault policy dependency that was removed

[kirklandnuts]

don't we still need this in the case that we're not using an existing key vault?

[wilderj]

shoot, good call. Let me update and test.