From 23bbea420efc42ba8e63194586b0951bc3a08dbf Mon Sep 17 00:00:00 2001
From: lovely
Date: Wed, 17 Jan 2024 23:41:18 +0530
Subject: [PATCH] fix: fixed key-vault authentication issue in cmk encryption

---
 README.yaml | 1 +
 _example/basic/example.tf | 1 -
 _example/complete/example.tf | 38 +++++++++++++++++-------------------
 main.tf | 29 ++++++++++++++------------
 variables.tf | 6 +++---
 5 files changed, 37 insertions(+), 38 deletions(-)

diff --git a/README.yaml b/README.yaml
index d09a446..eb437af 100644
--- a/README.yaml
+++ b/README.yaml
@@ -94,6 +94,7 @@ usage: |-
 identity_type = "UserAssigned"
 object_id = ["71d1a02f-3ae9-4ab9-8fec-d9b1166d7c97", ]
 account_replication_type = "ZRS"
+ cmk_enabled = "true"
 ###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
 key_vault_id = module.vault.id
diff --git a/_example/basic/example.tf b/_example/basic/example.tf
index 1187385..d40bdd8 100644
--- a/_example/basic/example.tf
+++ b/_example/basic/example.tf
@@ -16,7 +16,6 @@ module "storage" {
 source = "../.."
 name = local.name
 environment = local.environment
- default_enabled = true
 resource_group_name = "app-test-rg"
 location = "Central India"
 storage_account_name = "stordtyrey36"
diff --git a/_example/complete/example.tf b/_example/complete/example.tf
index 84c81ab..80eee65 100644
--- a/_example/complete/example.tf
+++ b/_example/complete/example.tf
@@ -67,7 +67,7 @@ module "log-analytics" {
 name = local.name
 environment = local.environment
 label_order = local.label_order
- create_log_analytics_workspace = true
+ create_log_analytics_workspace = false
 log_analytics_workspace_sku = "PerGB2018"
 daily_quota_gb = "-1"
 internet_ingestion_enabled = true
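Review bot: With `create_log_analytics_workspace = false` in this hunk, the `diagnostic_setting_enable = true` change in the next hunk of this file (@@ -111) still points `log_analytics_workspace_id` at `module.log-analytics.workspace_id`; unless the log-analytics module resolves an existing workspace when creation is off, that id is empty and the vault's diagnostic setting cannot be applied. Either keep workspace creation on in the example or pass a workspace id backed by a data source. The `module "log-analytics"` block starts before this hunk.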
@@ -83,21 +83,17 @@ module "vault" {
 source = "clouddrove/key-vault/azure"
 version = "1.1.0"
- name = "vault9825"
- environment = "test"
- label_order = ["name", "environment", ]
- resource_group_name = module.resource_group.resource_group_name
- location = module.resource_group.resource_group_location
- # reader_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
- admin_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
- virtual_network_id = join("", module.vnet.vnet_id)
- subnet_id = module.subnet.default_subnet_id[0]
- enable_rbac_authorization = false
- network_acls = {
- bypass = "AzureServices"
- default_action = "Deny"
- ip_rules = ["0.0.0.0/0"]
- }
+ name = "vault8767768"
+ environment = "test"
+ label_order = ["name", "environment", ]
+ resource_group_name = module.resource_group.resource_group_name
+ location = module.resource_group.resource_group_location
+ admin_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
+ virtual_network_id = join("", module.vnet.vnet_id)
+ subnet_id = module.subnet.default_subnet_id[0]
+ enable_rbac_authorization = true
+ enabled_for_disk_encryption = false
+ network_acls = null
 #private endpoint
 enable_private_endpoint = false
 ########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
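Review bot: `network_acls = null` drops the explicit ACL block, so the vault's network exposure in this example is now whatever the key-vault module applies for a null value, and the hunk does not say what that is. The removed block was not restrictive either (`default_action = "Deny"` combined with `ip_rules = ["0.0.0.0/0"]`), so this is not a regression, but the intent belongs next to the line, e.g. `network_acls = null # module default; restrict to the storage subnet/CIDRs for anything beyond a test deployment`. `enable_rbac_authorization = true` matches the `key_vault_rbac_auth_enabled` default flipping to true in variables.tf, which is what the storage module's data-plane role assignment relies on. The `module "vault"` block continues past the end of this hunk.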
@@ -111,13 +107,13 @@ module "vault" {
 # existing_private_dns_zone_resource_group_name = ""
 #### enable diagnostic setting
- diagnostic_setting_enable = false
+ diagnostic_setting_enable = true
 log_analytics_workspace_id = module.log-analytics.workspace_id ## when diagnostic_setting_enable enable, add log analytics workspace id
 }
 ##-----------------------------------------------------------------------------
 ## Storage module call.
-## Here default storage will be deployed.
+## Here storage account will be deployed with CMK encryption.
 ##-----------------------------------------------------------------------------
 module "storage" {
 source = "../.."
@@ -126,13 +122,15 @@ module "storage" {
 label_order = local.label_order
 resource_group_name = module.resource_group.resource_group_name
 location = module.resource_group.resource_group_location
- storage_account_name = "strge56563"
+ storage_account_name = "storage877656"
 public_network_access_enabled = true
 account_kind = "StorageV2"
 account_tier = "Standard"
 identity_type = "UserAssigned"
 object_id = [data.azurerm_client_config.current_client_config.object_id]
 account_replication_type = "ZRS"
+ cmk_enabled = true
+ ###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
 key_vault_id = module.vault.id
 ## Storage Container
@@ -142,7 +140,7 @@ module "storage" {
 tables = ["table1"]
 queues = ["queue1"]
 file_shares = [
- { name = "file-test", quota = "10" },
+ { name = "fileshare", quota = "10" },
 ]
 virtual_network_id = module.vnet.vnet_id[0]
diff --git a/main.tf b/main.tf
index de26192..945bb5b 100644
--- a/main.tf
+++ b/main.tf
@@ -200,8 +200,8 @@ resource "azurerm_storage_account" "storage" {
 dynamic "customer_managed_key" {
 for_each = var.cmk_enabled ? [1] : []
 content {
- key_vault_key_id = var.key_vault_id != null ? join("", azurerm_key_vault_key.kvkey.*.id) : null
- user_assigned_identity_id = var.key_vault_id != null ? join("", azurerm_user_assigned_identity.identity.*.id) : null
+ key_vault_key_id = var.key_vault_id != null ? azurerm_key_vault_key.kvkey[0].id : null
+ user_assigned_identity_id = var.key_vault_id != null ? azurerm_user_assigned_identity.identity[0].id : null
 }
 }
 }
@@ -211,9 +211,9 @@ resource "azurerm_storage_account" "storage" {
 ## This user assigned identity will be created when storage account with cmk is created.
 ##-----------------------------------------------------------------------------
 resource "azurerm_user_assigned_identity" "identity" {
- count = var.enabled ? 1 : 0
+ count = var.enabled && var.cmk_enabled ? 1 : 0
 location = var.location
- name = format("midd-storage-%s", module.labels.id)
+ name = format("%s-storage-mid", module.labels.id)
 resource_group_name = var.resource_group_name
 }
@@ -223,7 +223,7 @@ resource "azurerm_user_assigned_identity" "identity" {
 resource "azurerm_role_assignment" "identity_assigned" {
 depends_on = [azurerm_user_assigned_identity.identity]
 count = var.enabled && var.key_vault_rbac_auth_enabled ? 1 : 0
- principal_id = join("", azurerm_user_assigned_identity.identity.*.principal_id)
+ principal_id = azurerm_user_assigned_identity.identity[0].principal_id
 scope = var.key_vault_id
 role_definition_name = "Key Vault Crypto Service Encryption User"
 }
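Review bot: `principal_id = azurerm_user_assigned_identity.identity[0].principal_id` indexes an identity whose count is now `var.enabled && var.cmk_enabled` (hunk @@ -211), but this resource's count only checks `var.enabled && var.key_vault_rbac_auth_enabled`; with `key_vault_rbac_auth_enabled` defaulting to true in the variables.tf hunk, a deployment without CMK now fails at plan with an invalid index, and `scope = var.key_vault_id` would be null for it as well. Make the role assignment follow the identity: `count = var.enabled && var.cmk_enabled && var.key_vault_rbac_auth_enabled ? 1 : 0`. The old `join("", ...splat)` form hid the same mismatch behind an empty principal id instead of failing early. The `[0]` indexing in hunk @@ -200 is safe only because that dynamic block's `for_each` shares the `var.cmk_enabled` condition; a comment saying so would save the next reader the check.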
@@ -232,9 +232,9 @@ resource "azurerm_role_assignment" "identity_assigned" {
 ## Below resource will create key vault key that will be used for encryption.
 ##-----------------------------------------------------------------------------
 resource "azurerm_key_vault_key" "kvkey" {
- depends_on = [azurerm_role_assignment.identity_assigned]
+ depends_on = [azurerm_role_assignment.identity_assigned, azurerm_user_assigned_identity.identity]
 count = var.enabled && var.cmk_enabled ? 1 : 0
- name = format("storage-%s-cmk-testing", module.labels.id)
+ name = format("%s-storage-key-vault-key", module.labels.id)
 expiration_date = var.expiration_date
 key_vault_id = var.key_vault_id
 key_type = "RSA"
@@ -624,10 +624,11 @@ resource "azurerm_monitor_diagnostic_setting" "storage-nic" {
 }
 }
-resource "azurerm_storage_account_customer_managed_key" "example" {
- count = var.enabled && var.cmk_enabled ? 1 : 0
- storage_account_id = join("", azurerm_storage_account.storage.*.id)
- key_vault_id = var.key_vault_id
- key_name = join("", azurerm_key_vault_key.kvkey.*.name)
- user_assigned_identity_id = join("", azurerm_user_assigned_identity.identity.*.id)
-}
+# resource "azurerm_storage_account_customer_managed_key" "example" {
+# depends_on = [ azurerm_storage_account.storage ]
+# count = var.enabled && var.cmk_enabled ? 1 : 0
+# storage_account_id = join("", azurerm_storage_account.storage.*.id)
+# key_vault_id = var.key_vault_id
+# key_name = join("", azurerm_key_vault_key.kvkey.*.name)
+# user_assigned_identity_id = join("", azurerm_user_assigned_identity.identity.*.id)
+# }
diff --git a/variables.tf b/variables.tf
index b692f8d..e45096b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -303,7 +303,7 @@ variable "key_vault_id" {
 variable "expiration_date" {
 type = string
- default = "2023-12-31T18:29:59Z"
+ default = null
 description = "Expiration UTC datetime (Y-m-d'T'H:M:S'Z')"
 }
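Review bot: The key created here takes `expiration_date = var.expiration_date`, whose default becomes null in the variables.tf hunk @@ -303, and `rotation_policy` defaults to null in hunk @@ -677, so a CMK provisioned with module defaults now neither expires nor rotates, where it previously had a fixed (already past) expiry. The old date was unusable, but the new default is the weaker posture for an encryption key and should be stated where users will see it, e.g. `description = "Expiration UTC datetime (Y-m-d'T'H:M:S'Z'); null creates a key with no expiry, so set rotation_policy as well"`, with the complete example setting both. The added `depends_on` on `azurerm_user_assigned_identity.identity` is already implied by the role assignment's own `depends_on` (hunk @@ -223) and can be dropped. The resource block continues past the end of this hunk.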
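Review bot: The `azurerm_storage_account_customer_managed_key` resource is replaced by eight commented-out lines instead of being deleted, and one of them (`depends_on = [ azurerm_storage_account.storage ]`) is new text that was never part of the working resource. Since the inline `customer_managed_key` block in hunk @@ -200 is now the only path, delete the block; version history keeps the old resource if it is ever needed. If it must stay as a pointer, a single line such as `# superseded by the customer_managed_key block on azurerm_storage_account.storage` says more than the dead body.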
@@ -655,7 +655,7 @@ variable "multi_sub_vnet_link" {
 variable "key_vault_rbac_auth_enabled" {
 type = bool
- default = false
+ default = true
 description = "Is key vault has role base access enable or not."
 }
@@ -677,5 +677,5 @@ variable "rotation_policy" {
 expire_after = string
 notify_before_expiry = string
 }))
- default = {}
+ default = null
 }
\ No newline at end of file
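Review bot: The description on `key_vault_rbac_auth_enabled` is ungrammatical and does not say what the flag now does by default; since main.tf creates a `Key Vault Crypto Service Encryption User` assignment scoped to `var.key_vault_id` when it is true, suggest `description = "Set to true when the key vault uses RBAC authorization; the module then assigns the storage identity the Key Vault Crypto Service Encryption User role on key_vault_id."`. Flipping the default to true changes behaviour for existing callers whose vaults use access policies and should be called out in the changelog or README. The `rotation_policy` hunk @@ -677 likewise changes a default (`{}` to `null`) with no visible description update.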