
Security: bordera-randy/devops-resources


SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly.

Do not open a public issue for security vulnerabilities.

Instead, please send a description of the vulnerability to the project maintainers via a private channel. Include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Suggested fix (if any)

Security Best Practices for This Template

When using this template repository, follow these security best practices:

Terraform State

  • Store Terraform state in a remote backend with encryption enabled.
  • Enable state locking to prevent concurrent modifications.
  • Restrict access to the state storage account using RBAC.

Secrets Management

  • Never commit secrets, credentials, or sensitive data to version control.
  • Use Azure DevOps variable groups with secret variables for sensitive values.
  • Consider using Azure Key Vault for centralized secrets management.

Service Principals

  • Follow the principle of least privilege when assigning roles.
  • Rotate service principal credentials regularly.
  • Use managed identities where possible instead of service principals.

Pipeline Security

  • Enable branch policies requiring pull request reviews before merging to main.
  • Use deployment environments with approval gates for production changes.
  • Restrict pipeline permissions to only the resources needed.

Code Review

  • Require at least one reviewer for all pull requests.
  • Review Terraform plans before applying changes to production.
  • Use automated tools like tflint and checkov for static analysis.
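The Secrets Management, Pipeline Security and Code Review points above, expressed with the `microsoft/azuredevops` Terraform provider so that the controls are themselves reviewable code. This is an added example and not part of the project's own template; the organization URL, project and repository names are placeholders, the `arm_client_secret` variable is assumed to be injected at apply time, and resource arguments should be checked against the provider version in use.

```hcl
terraform {
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "~> 1.0"
    }
  }
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/EXAMPLE_ORG"   # placeholder
}

data "azuredevops_project" "this" {
  name = "EXAMPLE_PROJECT"                               # placeholder
}

data "azuredevops_git_repository" "this" {
  project_id = data.azuredevops_project.this.id
  name       = "devops-resources"
}

# Secret supplied by the operator (TF_VAR_arm_client_secret), never committed.
variable "arm_client_secret" {
  type      = string
  sensitive = true
}

# Variable group: the secret is stored as a secret variable and is not
# automatically available to every pipeline in the project.
resource "azuredevops_variable_group" "terraform_prod" {
  project_id   = data.azuredevops_project.this.id
  name         = "terraform-prod"
  allow_access = false

  variable {
    name  = "ARM_TENANT_ID"
    value = "00000000-0000-0000-0000-000000000000"       # placeholder
  }

  variable {
    name         = "ARM_CLIENT_SECRET"
    secret_value = var.arm_client_secret
    is_secret    = true
  }
}

# Branch policy: at least one reviewer, author cannot self-approve, and a
# new push resets earlier approvals so reviewed code is what gets merged.
resource "azuredevops_branch_policy_min_reviewers" "main" {
  project_id = data.azuredevops_project.this.id
  enabled    = true
  blocking   = true

  settings {
    reviewer_count               = 1
    submitter_can_vote           = false
    last_pusher_cannot_approve   = true
    on_push_reset_approved_votes = true

    scope {
      repository_id  = data.azuredevops_git_repository.this.id
      repository_ref = "refs/heads/main"
      match_type     = "Exact"
    }
  }
}

# Deployment environment that production stages target; approval checks are
# attached to it so applies to production wait for a human gate.
resource "azuredevops_environment" "production" {
  project_id  = data.azuredevops_project.this.id
  name        = "production"
  description = "Production Terraform applies; approval required"
}
```

Static analysis from the last bullet fits naturally in the same pull-request flow: a pipeline stage that runs `tflint` and `checkov` against the plan can be made a required build validation on `main`, so a failing scan blocks the merge alongside the reviewer policy above.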
