azurerm_storage_account: Support managed HSMs for CMKs

[Botje]

This PR adds separate arguments to the customer_managed_key block to supply HSM-backed CMKs.
For now it just adds a counterpart to the key vault uri / key ID, which does mean that the storage_account_customer_managed_key resource accepts a managed hsm uri + key name + version whereas storage_account accepts a HSM key ID.
Future work could add the HSM key ID to the storage_account_customer_managed_key resource as well.

It does not address the problem raised in this comment by @tombuildsstuff but tries to use the suffixes as published in the environment.

resolves #23321, resolves #14389

[katbyte]

I think this may be related to this pr? #25069

[Botje]

Thanks for that pointer. Yes, the ManagedHSMKeyID struct and associated parse/validate methods would be very helpful here. Do you suggest I wait until that gets merged and adapt to the new types and methods, or can this be merged separately and can I submit a cleanup PR later? Or I could cherry-pick these changes and hope there are no revisions needed...

[Botje]

I rebased my changes on top of (a part of) the mentioned PR.

[riemers]

Would this not also apply to say keyvault and disk encryption sets as you experience the same issue there too?

[Botje]

Absolutely! There is a comment in the source code to the effect that the various implementations of customer_managed_key blocks ought to be centralized so the same code only has to be written once. I have an approach in mind but would prefer to do it after HSM support is added.

[riemers]

From what i heard, once the #25069 is merged, it should be based of that. As if you now plan/apply on a resource that already has a hsm key it will fail to read the key out properly because of the nestedid's being used.

[Botje]

@riemers I am not sure I follow. This PR is partially based on the mentioned PR, see "wuxu92 and others added 5 commits" in the commit list.

As my PR stands currently, the read path for storage_account_customer_managed_key just copies the URI to the managed_hsm_uri attribute and the validation for that is (much too lax, on review) "is it a HTTPS URL".

The read path for storage_account uses an HSM-specific "nested item ID", which really should be renamed to "HSM key id".

If you have spotted something I missed do please tell me via code comment or a simple test case, so I can fix it.

[riemers]

I overlooked the part where you said "redid the work based on the PR" Just wanted to know if that other PR is merged, if that would fix the Error: internal-error: Managed HSM IDs are not supported as Key Vault Nested Item if the resource gets read out. Since you can still use the azapi provider until the other items are properly supported.

[Botje]

#25069 will not fix the issue you mention by itself, because it does not change the function used to process the IDs in the various customer_managed_key blocks that my PR touches.

[riemers]

Thanks for the info, suppose we just have to wait a bit more until parts are moved forward.

[tombuildsstuff]

Just to aid internal triage (since this otherwise appears ready for review) - since this PR's dependent on a couple of other PRs I'm going to mark this PR as Blocked temporarily until the dependent PR's are addressed - this isn't indicative of an issue in this PR, it's purely to help from an ordering/triage perspective for the moment.

[Botje]

Understood, thanks. I will keep track of #25069 and #25324 and rework when needed.

[riemers]

FYI, there is a internal ticket under IPL-6341 with Hashicorp to look at it. All we can do now is wait i suppose ;)

[katbyte]

#25601 has been merged which has the updated id parsers and validators and unblocks this pr

[mbfrahry]

LGTM

[katbyte]

LGTM 🏗️