azure: Fix storage account encryption

Fixing storage acconut encryption for Azure CAPI.
openshift · Apr 30, 2024 · 3a0f906 · 3a0f906
1 parent e6b59d5
commit 3a0f906
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 10 deletions.
diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
@@ -200,6 +200,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		Tags:               tags,
 		TokenCredential:    tokenCredential,
 		CloudConfiguration: cloudConfiguration,
+		ManagedKeys:        in.InstallConfig.Config.Azure.CustomerManagedKey,
 	})
 	if err != nil {
 		return err

diff --git a/pkg/infrastructure/azure/storage.go b/pkg/infrastructure/azure/storage.go
@@ -35,6 +35,7 @@ type CreateStorageAccountInput struct {
 	CloudName          aztypes.CloudEnvironment
 	TokenCredential    azcore.TokenCredential
 	CloudConfiguration cloud.Configuration
+	ManagedKeys        *aztypes.CustomerManagedKey
 }
 
 // CreateStorageAccountOutput contains the return values after creating a
@@ -73,6 +74,32 @@ func CreateStorageAccount(ctx context.Context, in *CreateStorageAccountInput) (*
 		return nil, fmt.Errorf("failed to get storage account factory %w", err)
 	}
 
+	sku := armstorage.SKUNameStandardLRS
+	parameterProperties := armstorage.AccountPropertiesCreateParameters{
+		AllowBlobPublicAccess: to.Ptr(true), // XXX true if using disk encryption
+		AllowSharedKeyAccess:  to.Ptr(true),
+		IsLocalUserEnabled:    to.Ptr(true),
+		LargeFileSharesState:  to.Ptr(armstorage.LargeFileSharesStateEnabled),
+		PublicNetworkAccess:   to.Ptr(armstorage.PublicNetworkAccessEnabled),
+		MinimumTLSVersion:     &minimumTLSVersion,
+	}
+
+	if in.ManagedKeys != nil {
+		sku = armstorage.SKUNamePremiumLRS
+		keyVaultURI := fmt.Sprintf("subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s", in.SubscriptionID, in.ManagedKeys.KeyVault.ResourceGroup, in.ManagedKeys.KeyVault.Name)
+		// userAssignedIdentityURI := fmt.Sprintf("subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s", in.SubscriptionID, in.ManagedKeys.KeyVault.ResourceGroup, in.ManagedKeys.UserAssignedIdentityKey)
+		parameterProperties.Encryption = &armstorage.Encryption{
+			EncryptionIdentity: &armstorage.EncryptionIdentity{
+				EncryptionUserAssignedIdentity: to.Ptr(in.ManagedKeys.UserAssignedIdentityKey),
+			},
+			KeySource: to.Ptr(armstorage.KeySourceMicrosoftKeyvault),
+			KeyVaultProperties: &armstorage.KeyVaultProperties{
+				KeyName:     to.Ptr(in.ManagedKeys.KeyVault.KeyName),
+				KeyVaultURI: to.Ptr(keyVaultURI),
+			},
+		}
+	}
+
 	logrus.Debugf("Creating storage account")
 	accountsClient := storageClientFactory.NewAccountsClient()
 	pollerResponse, err := accountsClient.BeginCreate(
@@ -83,17 +110,10 @@ func CreateStorageAccount(ctx context.Context, in *CreateStorageAccountInput) (*
 			Kind:     to.Ptr(armstorage.KindStorageV2),
 			Location: to.Ptr(in.Region),
 			SKU: &armstorage.SKU{
-				Name: to.Ptr(armstorage.SKUNameStandardLRS), // XXX Premium_LRS if disk encryption if used
-			},
-			Properties: &armstorage.AccountPropertiesCreateParameters{
-				AllowBlobPublicAccess: to.Ptr(true), // XXX true if using disk encryption
-				AllowSharedKeyAccess:  to.Ptr(true),
-				IsLocalUserEnabled:    to.Ptr(true),
-				LargeFileSharesState:  to.Ptr(armstorage.LargeFileSharesStateEnabled),
-				PublicNetworkAccess:   to.Ptr(armstorage.PublicNetworkAccessEnabled),
-				MinimumTLSVersion:     &minimumTLSVersion,
+				Name: to.Ptr(sku),
 			},
-			Tags: in.Tags,
+			Properties: &parameterProperties,
+			Tags:       in.Tags,
 		},
 		nil,
 	)