fix: fixed key-vault authentication issue in cmk encryption

clouddrove · Jan 17, 2024 · 23bbea4 · 23bbea4
1 parent fae3fb8
commit 23bbea4
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 38 deletions.
diff --git a/README.yaml b/README.yaml
@@ -94,6 +94,7 @@ usage: |-
       identity_type             = "UserAssigned"
       object_id                 = ["71d1a02f-3ae9-4ab9-8fec-d9b1166d7c97", ]
       account_replication_type  = "ZRS"
+      cmk_enabled               = "true"
 
       ###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
       key_vault_id = module.vault.id

diff --git a/_example/basic/example.tf b/_example/basic/example.tf
@@ -16,7 +16,6 @@ module "storage" {
   source                        = "../.."
   name                          = local.name
   environment                   = local.environment
-  default_enabled               = true
   resource_group_name           = "app-test-rg"
   location                      = "Central India"
   storage_account_name          = "stordtyrey36"

diff --git a/_example/complete/example.tf b/_example/complete/example.tf
@@ -67,7 +67,7 @@ module "log-analytics" {
   name                             = local.name
   environment                      = local.environment
   label_order                      = local.label_order
-  create_log_analytics_workspace   = true
+  create_log_analytics_workspace   = false
   log_analytics_workspace_sku      = "PerGB2018"
   daily_quota_gb                   = "-1"
   internet_ingestion_enabled       = true
@@ -83,21 +83,17 @@ module "vault" {
   source  = "clouddrove/key-vault/azure"
   version = "1.1.0"
 
-  name                = "vault9825"
-  environment         = "test"
-  label_order         = ["name", "environment", ]
-  resource_group_name = module.resource_group.resource_group_name
-  location            = module.resource_group.resource_group_location
-  # reader_objects_ids        = [data.azurerm_client_config.current_client_config.object_id]
-  admin_objects_ids         = [data.azurerm_client_config.current_client_config.object_id]
-  virtual_network_id        = join("", module.vnet.vnet_id)
-  subnet_id                 = module.subnet.default_subnet_id[0]
-  enable_rbac_authorization = false
-  network_acls = {
-    bypass         = "AzureServices"
-    default_action = "Deny"
-    ip_rules       = ["0.0.0.0/0"]
-  }
+  name                        = "vault8767768"
+  environment                 = "test"
+  label_order                 = ["name", "environment", ]
+  resource_group_name         = module.resource_group.resource_group_name
+  location                    = module.resource_group.resource_group_location
+  admin_objects_ids           = [data.azurerm_client_config.current_client_config.object_id]
+  virtual_network_id          = join("", module.vnet.vnet_id)
+  subnet_id                   = module.subnet.default_subnet_id[0]
+  enable_rbac_authorization   = true
+  enabled_for_disk_encryption = false
+  network_acls                = null
   #private endpoint
   enable_private_endpoint = false
   ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
@@ -111,13 +107,13 @@ module "vault" {
   # existing_private_dns_zone_resource_group_name = ""
 
   #### enable diagnostic setting
-  diagnostic_setting_enable  = false
+  diagnostic_setting_enable  = true
   log_analytics_workspace_id = module.log-analytics.workspace_id ## when diagnostic_setting_enable enable,  add log analytics workspace id
 }
 
 ##----------------------------------------------------------------------------- 
 ## Storage module call.
-## Here default storage will be deployed. 
+## Here storage account will be deployed with CMK encryption. 
 ##-----------------------------------------------------------------------------
 module "storage" {
   source                        = "../.."
@@ -126,13 +122,15 @@ module "storage" {
   label_order                   = local.label_order
   resource_group_name           = module.resource_group.resource_group_name
   location                      = module.resource_group.resource_group_location
-  storage_account_name          = "strge56563"
+  storage_account_name          = "storage877656"
   public_network_access_enabled = true
   account_kind                  = "StorageV2"
   account_tier                  = "Standard"
   identity_type                 = "UserAssigned"
   object_id                     = [data.azurerm_client_config.current_client_config.object_id]
   account_replication_type      = "ZRS"
+  cmk_enabled                   = true
+
   ###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
   key_vault_id = module.vault.id
   ##   Storage Container
@@ -142,7 +140,7 @@ module "storage" {
   tables = ["table1"]
   queues = ["queue1"]
   file_shares = [
-    { name = "file-test", quota = "10" },
+    { name = "fileshare", quota = "10" },
   ]
 
   virtual_network_id         = module.vnet.vnet_id[0]

diff --git a/main.tf b/main.tf
@@ -200,8 +200,8 @@ resource "azurerm_storage_account" "storage" {
   dynamic "customer_managed_key" {
     for_each = var.cmk_enabled ? [1] : []
     content {
-      key_vault_key_id          = var.key_vault_id != null ? join("", azurerm_key_vault_key.kvkey.*.id) : null
-      user_assigned_identity_id = var.key_vault_id != null ? join("", azurerm_user_assigned_identity.identity.*.id) : null
+      key_vault_key_id          = var.key_vault_id != null ? azurerm_key_vault_key.kvkey[0].id : null
+      user_assigned_identity_id = var.key_vault_id != null ? azurerm_user_assigned_identity.identity[0].id : null
     }
   }
 }
@@ -211,9 +211,9 @@ resource "azurerm_storage_account" "storage" {
 ## This user assigned identity will be created when storage account with cmk is created.    
 ##-----------------------------------------------------------------------------
 resource "azurerm_user_assigned_identity" "identity" {
-  count               = var.enabled ? 1 : 0
+  count               = var.enabled && var.cmk_enabled ? 1 : 0
   location            = var.location
-  name                = format("midd-storage-%s", module.labels.id)
+  name                = format("%s-storage-mid", module.labels.id)
   resource_group_name = var.resource_group_name
 }
 
@@ -223,7 +223,7 @@ resource "azurerm_user_assigned_identity" "identity" {
 resource "azurerm_role_assignment" "identity_assigned" {
   depends_on           = [azurerm_user_assigned_identity.identity]
   count                = var.enabled && var.key_vault_rbac_auth_enabled ? 1 : 0
-  principal_id         = join("", azurerm_user_assigned_identity.identity.*.principal_id)
+  principal_id         = azurerm_user_assigned_identity.identity[0].principal_id
   scope                = var.key_vault_id
   role_definition_name = "Key Vault Crypto Service Encryption User"
 }
@@ -232,9 +232,9 @@ resource "azurerm_role_assignment" "identity_assigned" {
 ## Below resource will create key vault key that will be used for encryption.  
 ##-----------------------------------------------------------------------------
 resource "azurerm_key_vault_key" "kvkey" {
-  depends_on      = [azurerm_role_assignment.identity_assigned]
+  depends_on      = [azurerm_role_assignment.identity_assigned, azurerm_user_assigned_identity.identity]
   count           = var.enabled && var.cmk_enabled ? 1 : 0
-  name            = format("storage-%s-cmk-testing", module.labels.id)
+  name            = format("%s-storage-key-vault-key", module.labels.id)
   expiration_date = var.expiration_date
   key_vault_id    = var.key_vault_id
   key_type        = "RSA"
@@ -624,10 +624,11 @@ resource "azurerm_monitor_diagnostic_setting" "storage-nic" {
   }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "example" {
-  count                     = var.enabled && var.cmk_enabled ? 1 : 0
-  storage_account_id        = join("", azurerm_storage_account.storage.*.id)
-  key_vault_id              = var.key_vault_id
-  key_name                  = join("", azurerm_key_vault_key.kvkey.*.name)
-  user_assigned_identity_id = join("", azurerm_user_assigned_identity.identity.*.id)
-}
+# resource "azurerm_storage_account_customer_managed_key" "example" {
+#   depends_on = [ azurerm_storage_account.storage ]
+#   count                     = var.enabled && var.cmk_enabled ? 1 : 0
+#   storage_account_id        = join("", azurerm_storage_account.storage.*.id)
+#   key_vault_id              = var.key_vault_id
+#   key_name                  = join("", azurerm_key_vault_key.kvkey.*.name)
+#   user_assigned_identity_id = join("", azurerm_user_assigned_identity.identity.*.id)
+# }
diff --git a/variables.tf b/variables.tf
@@ -303,7 +303,7 @@ variable "key_vault_id" {
 
 variable "expiration_date" {
   type        = string
-  default     = "2023-12-31T18:29:59Z"
+  default     = null
   description = "Expiration UTC datetime (Y-m-d'T'H:M:S'Z')"
 }
 
@@ -655,7 +655,7 @@ variable "multi_sub_vnet_link" {
 
 variable "key_vault_rbac_auth_enabled" {
   type        = bool
-  default     = false
+  default     = true
   description = "Is key vault has role base access enable or not."
 }
 
@@ -677,5 +677,5 @@ variable "rotation_policy" {
     expire_after         = string
     notify_before_expiry = string
   }))
-  default = {}
+  default = null
 }