fix: fixed key-vault authentication issue in cmk encryption
cloudlovely committed Jan 17, 2024
1 parent fae3fb8 commit 23bbea4
Showing 5 changed files with 37 additions and 38 deletions.
1 change: 1 addition & 0 deletions README.yaml
Expand Up @@ -94,6 +94,7 @@ usage: |-
identity_type = "UserAssigned"
object_id = ["71d1a02f-3ae9-4ab9-8fec-d9b1166d7c97", ]
account_replication_type = "ZRS"
cmk_enabled = "true"
###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
key_vault_id = module.vault.id
1 change: 0 additions & 1 deletion _example/basic/example.tf
Expand Up @@ -16,7 +16,6 @@ module "storage" {
source = "../.."
name = local.name
environment = local.environment
default_enabled = true
resource_group_name = "app-test-rg"
location = "Central India"
storage_account_name = "stordtyrey36"
38 changes: 18 additions & 20 deletions _example/complete/example.tf
Expand Up @@ -67,7 +67,7 @@ module "log-analytics" {
name = local.name
environment = local.environment
label_order = local.label_order
create_log_analytics_workspace = true
create_log_analytics_workspace = false
log_analytics_workspace_sku = "PerGB2018"
daily_quota_gb = "-1"
internet_ingestion_enabled = true
Expand All @@ -83,21 +83,17 @@ module "vault" {
source = "clouddrove/key-vault/azure"
version = "1.1.0"

name = "vault9825"
environment = "test"
label_order = ["name", "environment", ]
resource_group_name = module.resource_group.resource_group_name
location = module.resource_group.resource_group_location
# reader_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
admin_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
virtual_network_id = join("", module.vnet.vnet_id)
subnet_id = module.subnet.default_subnet_id[0]
enable_rbac_authorization = false
network_acls = {
bypass = "AzureServices"
default_action = "Deny"
ip_rules = ["0.0.0.0/0"]
}
name = "vault8767768"
environment = "test"
label_order = ["name", "environment", ]
resource_group_name = module.resource_group.resource_group_name
location = module.resource_group.resource_group_location
admin_objects_ids = [data.azurerm_client_config.current_client_config.object_id]
virtual_network_id = join("", module.vnet.vnet_id)
subnet_id = module.subnet.default_subnet_id[0]
enable_rbac_authorization = true
enabled_for_disk_encryption = false
network_acls = null
#private endpoint
enable_private_endpoint = false
########Following to be uncommnented only when using DNS Zone from different subscription along with existing DNS zone.
Expand All @@ -111,13 +107,13 @@ module "vault" {
# existing_private_dns_zone_resource_group_name = ""

#### enable diagnostic setting
diagnostic_setting_enable = false
diagnostic_setting_enable = true
log_analytics_workspace_id = module.log-analytics.workspace_id ## when diagnostic_setting_enable enable, add log analytics workspace id
}

##-----------------------------------------------------------------------------
## Storage module call.
## Here default storage will be deployed.
## Here storage account will be deployed with CMK encryption.
##-----------------------------------------------------------------------------
module "storage" {
source = "../.."
Expand All @@ -126,13 +122,15 @@ module "storage" {
label_order = local.label_order
resource_group_name = module.resource_group.resource_group_name
location = module.resource_group.resource_group_location
storage_account_name = "strge56563"
storage_account_name = "storage877656"
public_network_access_enabled = true
account_kind = "StorageV2"
account_tier = "Standard"
identity_type = "UserAssigned"
object_id = [data.azurerm_client_config.current_client_config.object_id]
account_replication_type = "ZRS"
cmk_enabled = true

###customer_managed_key can only be set when the account_kind is set to StorageV2 or account_tier set to Premium, and the identity type is UserAssigned.
key_vault_id = module.vault.id
## Storage Container
Expand All @@ -142,7 +140,7 @@ module "storage" {
tables = ["table1"]
queues = ["queue1"]
file_shares = [
{ name = "file-test", quota = "10" },
{ name = "fileshare", quota = "10" },
]

virtual_network_id = module.vnet.vnet_id[0]
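Review bot: The rewritten `module "vault"` block sets `network_acls = null` and keeps `enable_private_endpoint = false`, so the key vault that holds the storage CMK in the "complete" example is reachable from every network; the removed block at least declared `default_action = "Deny"` with `bypass = "AzureServices"`, and the AzureServices bypass is what the storage account's managed identity relies on to reach the key. Since this example is the one people copy, restore a deny-by-default ACL, e.g. `network_acls = { bypass = "AzureServices", default_action = "Deny", ip_rules = ["<deployer-cidr>"] }` (object shape as in the removed lines, assuming the vault module still accepts it). Separately, `create_log_analytics_workspace` is now `false` while `diagnostic_setting_enable = true` still feeds `module.log-analytics.workspace_id` into the vault; unless the log-analytics module resolves an existing workspace in that mode, the diagnostic setting gets an empty id — worth confirming before merging. The `module "vault"` block opens before the first line of its hunk.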
29 changes: 15 additions & 14 deletions main.tf
Expand Up @@ -200,8 +200,8 @@ resource "azurerm_storage_account" "storage" {
dynamic "customer_managed_key" {
for_each = var.cmk_enabled ? [1] : []
content {
key_vault_key_id = var.key_vault_id != null ? join("", azurerm_key_vault_key.kvkey.*.id) : null
user_assigned_identity_id = var.key_vault_id != null ? join("", azurerm_user_assigned_identity.identity.*.id) : null
key_vault_key_id = var.key_vault_id != null ? azurerm_key_vault_key.kvkey[0].id : null
user_assigned_identity_id = var.key_vault_id != null ? azurerm_user_assigned_identity.identity[0].id : null
}
}
}
Expand All @@ -211,9 +211,9 @@ resource "azurerm_storage_account" "storage" {
## This user assigned identity will be created when storage account with cmk is created.
##-----------------------------------------------------------------------------
resource "azurerm_user_assigned_identity" "identity" {
count = var.enabled ? 1 : 0
count = var.enabled && var.cmk_enabled ? 1 : 0
location = var.location
name = format("midd-storage-%s", module.labels.id)
name = format("%s-storage-mid", module.labels.id)
resource_group_name = var.resource_group_name
}

Expand All @@ -223,7 +223,7 @@ resource "azurerm_user_assigned_identity" "identity" {
resource "azurerm_role_assignment" "identity_assigned" {
depends_on = [azurerm_user_assigned_identity.identity]
count = var.enabled && var.key_vault_rbac_auth_enabled ? 1 : 0
principal_id = join("", azurerm_user_assigned_identity.identity.*.principal_id)
principal_id = azurerm_user_assigned_identity.identity[0].principal_id
scope = var.key_vault_id
role_definition_name = "Key Vault Crypto Service Encryption User"
}
Expand All @@ -232,9 +232,9 @@ resource "azurerm_role_assignment" "identity_assigned" {
## Below resource will create key vault key that will be used for encryption.
##-----------------------------------------------------------------------------
resource "azurerm_key_vault_key" "kvkey" {
depends_on = [azurerm_role_assignment.identity_assigned]
depends_on = [azurerm_role_assignment.identity_assigned, azurerm_user_assigned_identity.identity]
count = var.enabled && var.cmk_enabled ? 1 : 0
name = format("storage-%s-cmk-testing", module.labels.id)
name = format("%s-storage-key-vault-key", module.labels.id)
expiration_date = var.expiration_date
key_vault_id = var.key_vault_id
key_type = "RSA"
Expand Down Expand Up @@ -624,10 +624,11 @@ resource "azurerm_monitor_diagnostic_setting" "storage-nic" {
}
}

resource "azurerm_storage_account_customer_managed_key" "example" {
count = var.enabled && var.cmk_enabled ? 1 : 0
storage_account_id = join("", azurerm_storage_account.storage.*.id)
key_vault_id = var.key_vault_id
key_name = join("", azurerm_key_vault_key.kvkey.*.name)
user_assigned_identity_id = join("", azurerm_user_assigned_identity.identity.*.id)
}
# resource "azurerm_storage_account_customer_managed_key" "example" {
# depends_on = [ azurerm_storage_account.storage ]
# count = var.enabled && var.cmk_enabled ? 1 : 0
# storage_account_id = join("", azurerm_storage_account.storage.*.id)
# key_vault_id = var.key_vault_id
# key_name = join("", azurerm_key_vault_key.kvkey.*.name)
# user_assigned_identity_id = join("", azurerm_user_assigned_identity.identity.*.id)
# }
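Review bot: `azurerm_role_assignment.identity_assigned` now indexes `azurerm_user_assigned_identity.identity[0].principal_id`, but its count is still `var.enabled && var.key_vault_rbac_auth_enabled` while the identity's count was narrowed in this commit to `var.enabled && var.cmk_enabled`; with `key_vault_rbac_auth_enabled` flipped to `true` by default in variables.tf, any deployment that leaves CMK disabled hits an invalid-index error at plan time, where the old `join("", ...splat)` form merely yielded an empty principal. Gate the assignment the same way as the identity it reads: `count = var.enabled && var.cmk_enabled && var.key_vault_rbac_auth_enabled ? 1 : 0`. The same block's `scope = var.key_vault_id` is null whenever no vault is supplied, so the extra gate also protects that. The commented-out `azurerm_storage_account_customer_managed_key` block at the end of the file is dead code kept under version control — delete it rather than leave it as comments, since the inline `customer_managed_key` block in `azurerm_storage_account.storage` (whose resource opens before its hunk) now carries that configuration.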
6 changes: 3 additions & 3 deletions variables.tf
Expand Up @@ -303,7 +303,7 @@ variable "key_vault_id" {

variable "expiration_date" {
type = string
default = "2023-12-31T18:29:59Z"
default = null
description = "Expiration UTC datetime (Y-m-d'T'H:M:S'Z')"
}

Expand Down Expand Up @@ -655,7 +655,7 @@ variable "multi_sub_vnet_link" {

variable "key_vault_rbac_auth_enabled" {
type = bool
default = false
default = true
description = "Is key vault has role base access enable or not."
}

Expand All @@ -677,5 +677,5 @@ variable "rotation_policy" {
expire_after = string
notify_before_expiry = string
}))
default = {}
default = null
}
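Review bot: With `expiration_date` now defaulting to `null` and `rotation_policy` to `null`, the CMK that main.tf builds from these variables (`expiration_date = var.expiration_date`) has neither an expiry nor a rotation policy unless the caller opts in, yet the description still reads as if a date is required. Document the new meaning, e.g. `description = "Expiration UTC datetime (Y-m-d'T'H:M:S'Z'); null means the key never expires."`, and consider keeping a non-null `rotation_policy` default so rotation stays opt-out rather than opt-in. Changing `key_vault_rbac_auth_enabled` to `true` by default is also a behaviour change for existing callers whose vaults use access policies rather than RBAC, and it should be noted in the module's changelog or README.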
