
[BUG] Azure.Deployment.SecureParameter is matching the keys param in public:avm/res/key-vault/vault #3697

@jachin84

Description


Existing rule

Azure.Deployment.SecureParameter

Description of the issue

When using the AVM Key Vault module as below, I get hit with Azure.Deployment.SecureParameter on the keys param.

// Note: no 'keys' argument is passed here; the flagged parameter comes from the module's own definition.
module keyVault 'br/public:avm/res/key-vault/vault:0.13.3' = {
  scope: resourceGroup(resourceGroupName)
  params: {
    name: keyVaultName
    enableTelemetry: false
    roleAssignments: keyVaultRoleAssignments
    location: location
    tags: tags
    enableRbacAuthorization: true
    enablePurgeProtection: false
    enableSoftDelete: true
    softDeleteRetentionInDays: 30
  }
}

Error messages

keyVault-fbbc992f04770 : Microsoft.Resources/deployments [7/8]

   FAIL  Azure.Deployment.SecureParameter (AZR-000408)

  Sensitive parameters that have been not been marked as secure may leak the secret into deployment history or logs.

  Parameter: Deployments/foo/params/prd.bicepparam:0:0

  Recommend:
  Consider using secure parameters for any parameter that contain sensitive
  information.

  Reason:
  - The parameter 'keys' with type '#/definitions/keyType' is not secure.

  Help:
  - https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Deployment.SecureParameter/

Reproduction

  1. Use the Bicep above.
  2. Run PSRule:
     Assert-PSRule -Format File -InputPath .\Deployments\ -Module 'PSRule.Rules.Azure' -Outcome fail

Version of PSRule

2.9.0

Version of PSRule for Azure

1.47.0

Additional context

My workaround for now is to add 'keys' to AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES, which feels wrong, as 'keys' seems like the exact kind of param I would want to catch with Azure.Deployment.SecureParameter.
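To make concrete what a name-based check of this kind has to work with, here is an added Python illustration. It is not PSRule's implementation of Azure.Deployment.SecureParameter and not the AVM module's compiled JSON: it uses a constructed template fragment with a 'keys' parameter typed through '#/definitions/keyType', a simplified name-versus-declared-type check, and an allow-list playing the role of AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES. The sensitive-word list, the template shape, and the way the $ref type is reported are all assumptions made for the example.

```python
"""Simplified, name-based 'secure parameter' check.

Added illustration only. PSRule.Rules.Azure's real rule logic, word list and
type reporting are not reproduced here; this mimics the shape of such a check
so the false positive on 'keys' is easy to see.
"""
import json

# Illustrative word list (assumption; the real rule's list is not on the page).
SENSITIVE_WORDS = ("password", "secret", "token", "key", "credential")
# ARM parameter types that are treated as secure.
SECURE_TYPES = {"securestring", "secureobject"}

# Constructed compiled-template fragment, shaped like what Bicep emits for a
# module parameter declared as 'keyType[]?'. Not copied from the AVM module.
TEMPLATE_JSON = r"""
{
  "definitions": {
    "keyType": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "kty": { "type": "string", "allowedValues": ["EC", "RSA"] },
        "keySize": { "type": "int", "nullable": true }
      }
    }
  },
  "parameters": {
    "name": { "type": "string" },
    "location": { "type": "string" },
    "keys": { "type": "array", "items": { "$ref": "#/definitions/keyType" }, "nullable": true },
    "adminPassword": { "type": "string" },
    "apiToken": { "type": "securestring" }
  }
}
"""


def declared_type(param: dict) -> str:
    """Type as a report would print it: the $ref of a user-defined type
    (directly or via array items), otherwise the primitive type.
    Assumption: this is how a message like '#/definitions/keyType' arises."""
    if "$ref" in param:
        return param["$ref"]
    items = param.get("items", {})
    if param.get("type") == "array" and "$ref" in items:
        return items["$ref"]
    return param.get("type", "")


def has_sensitive_name(name: str) -> bool:
    """Substring match on the parameter name. Deliberately crude: it is what
    makes 'keys' (and even 'keyVaultName') look like a secret."""
    lowered = name.lower()
    return any(word in lowered for word in SENSITIVE_WORDS)


def find_insecure_parameters(template: dict, nonsensitive=frozenset()) -> list:
    """Return (name, type) for parameters whose name looks sensitive but whose
    declared type is not secure, skipping allow-listed names."""
    findings = []
    for name, param in template.get("parameters", {}).items():
        kind = declared_type(param)
        if kind.lower() in SECURE_TYPES or name in nonsensitive:
            continue
        if has_sensitive_name(name):
            findings.append((name, kind))
    return findings


def run_check(nonsensitive=()) -> list:
    """Run the check over the constructed template, optionally with an
    allow-list equivalent to AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES."""
    template = json.loads(TEMPLATE_JSON)
    return find_insecure_parameters(template, frozenset(nonsensitive))


if __name__ == "__main__":
    for name, kind in run_check():
        print(f"- The parameter '{name}' with type '{kind}' is not secure.")
    # Equivalent of the reporter's workaround; in ps-rule.yaml this would be
    # configuration: { AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES: ['keys'] }
    print("with 'keys' allow-listed:", run_check(nonsensitive=["keys"]))
```

The check has only the parameter name and the declared type to go on, so an array of user-defined objects named 'keys' and a plain 'adminPassword' string fail for the same reason, and only the allow-list separates them. Whether a keyType object actually carries key material is not something the name reveals, which is exactly the distinction the report is asking the rule to make.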

Labels: bug (Something isn't working), pillar: security (Aligned to the Security pillar), rule: keyvault (Rules for Azure Key Vault)