
azurerm_storage_account_customer_managed_key: support for key vaults in other subscriptions #24385

Closed
1 task done
MattGarnerAWR opened this issue Jan 4, 2024 · 6 comments

Comments


MattGarnerAWR commented Jan 4, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.6.0

AzureRM Provider Version

3.85.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account_customer_managed_key

Terraform Configuration Files

resource "azurerm_storage_account" "example" {
  name                     = "examplestor"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    ignore_changes = [
      customer_managed_key
    ]
  }
}

resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id = azurerm_storage_account.example.id
  key_vault_id       = azurerm_key_vault.example.id
  key_name           = azurerm_key_vault_key.example.name
}

Debug Output/Panic Output

# azurerm_storage_account_customer_managed_key.example will be updated in place
+ key_vault_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/kv-name"

Expected Behaviour

TF plan should find no changes, as CMK is already set up on the storage account

Actual Behaviour

Every TF plan is wanting to apply the key vault ID to the storage account CMK.

Steps to Reproduce

  1. terraform apply
  2. terraform plan

Important Factoids

Key Vault is not in the same subscription; not sure if that is a problem?

References

No response

magodo (Collaborator) commented Jan 5, 2024

@MattGarnerAWR Currently, the code assumes the subscription id of the keyvault is the same as the storage account id:

// we can't look up the ID when using federated identity as the key will be under different tenant
keyVaultID := ""
if federatedIdentityClientID == "" {
	subscriptionResourceId := commonids.NewSubscriptionID(id.SubscriptionId)
	tmpKeyVaultID, err := keyVaultsClient.KeyVaultIDFromBaseUrl(ctx, subscriptionResourceId, keyVaultURI)
	if err != nil {
		return fmt.Errorf("retrieving Key Vault ID from the Base URI %q: %+v", keyVaultURI, err)
	}
	keyVaultID = pointer.From(tmpKeyVaultID)
}

As the provider currently is designed to work within one subscription, I regard this issue as an enhancement.
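The mismatch magodo describes (vault looked up in the storage account's subscription, so a vault elsewhere is never resolved and key_vault_id is re-planned every run) can be caught before apply by comparing the subscription segments of the two resource IDs. This is an added example, not provider code; the GUIDs are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseSubscriptionID extracts the subscription GUID from an Azure resource ID such as
// "/subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<name>".
// Segment names are matched case-insensitively because Azure resource IDs are not case-sensitive.
func ParseSubscriptionID(resourceID string) (string, error) {
	segments := strings.Split(strings.Trim(resourceID, "/"), "/")
	// Resource IDs are key/value pairs: subscriptions/<id>/resourceGroups/<rg>/...
	for i := 0; i+1 < len(segments); i += 2 {
		if strings.EqualFold(segments[i], "subscriptions") {
			if segments[i+1] == "" {
				return "", fmt.Errorf("empty subscription segment in %q", resourceID)
			}
			return segments[i+1], nil
		}
	}
	return "", fmt.Errorf("no subscriptions segment in %q", resourceID)
}

// CrossSubscriptionCMK reports whether the Key Vault lives in a different subscription than
// the storage account. With the lookup shown in the comment above, that is exactly the
// layout that produces a perpetual diff on key_vault_id, so it is worth flagging up front.
func CrossSubscriptionCMK(storageAccountID, keyVaultID string) (bool, error) {
	saSub, err := ParseSubscriptionID(storageAccountID)
	if err != nil {
		return false, err
	}
	kvSub, err := ParseSubscriptionID(keyVaultID)
	if err != nil {
		return false, err
	}
	return !strings.EqualFold(saSub, kvSub), nil
}

func main() {
	// Constructed sample IDs with placeholder GUIDs (not real resources).
	sa := "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-name/providers/Microsoft.Storage/storageAccounts/examplestor"
	kv := "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-name/providers/Microsoft.KeyVault/vaults/kv-name"
	cross, err := CrossSubscriptionCMK(sa, kv)
	if err != nil {
		panic(err)
	}
	if cross {
		fmt.Println("warning: key vault is in another subscription; expect a perpetual key_vault_id diff")
	}
}
```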

MattGarnerAWR (Author) commented

@magodo I disagree, this goes against provider design principles. This should be a bug.

https://developer.hashicorp.com/terraform/plugin/best-practices/hashicorp-provider-design-principles

magodo (Collaborator) commented Jan 18, 2024

@tombuildsstuff This issue seems to be a regression introduced by #24019.

btpemercier (Contributor) commented

I agree with @MattGarnerAWR; whenever you do a terraform plan you have this:

# module.storage_account.azurerm_storage_account.storage_account will be updated in-place
  ~ resource "azurerm_storage_account" "storage_account" {
        id                                = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount"
      - customer_managed_key {
          - key_vault_key_id          = "https://myvault.vault.azure.net/keys/my-key" -> null
          - user_assigned_identity_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mystorageaccount-blob-id" -> null
        }

        # (5 unchanged blocks hidden)
    }

And the terraform apply does something, but it shouldn't:

Plan: 0 to add, 1 to change, 0 to destroy.
module.storage_account.azurerm_storage_account.storage_account: Modifying... [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount]
module.storage_account.azurerm_storage_account.storage_account: Modifications complete after 5s [id=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount]

@tombuildsstuff tombuildsstuff changed the title azurerm_storage_account_customer_managed_key key_vault_id not idempotent azurerm_storage_account_customer_managed_key: support for key vaults in other subscriptions May 23, 2024
tombuildsstuff (Contributor) commented

As @magodo has mentioned above, this is an enhancement request rather than a bug - since we have a 1:1 relationship between a Provider instance and a Subscription at this point-in-time. Since there's already an issue open for this I'm going to consolidate this issue into #20199, as such would you mind subscribing to that issue for updates?

Thanks!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 23, 2024