Encryption Settings - Storage Account #658
Comments
|
Having done a little digging into this, I've managed to track down what I believe the issue is. doesn't set the required KeyVaultProperties as defined in |
|
Hi, this was linked to issue #1323, which is now released, but I don't see KeyVaultProperties added. Is that something planned? |
|
After reviewing the issue, looks like the "KeyVaultProperties" are missing. this is what I have to do to setup storage encryption with Keyvault from ARM template: "properties": { |
|
@LaurentLesle we're hitting an error in Terraform v0.11.10 and provider.azurerm v1.19.0 with the same template layout to yours: When sending the same JSON through Azure CLI, we get: |
|
Hi, can somebody give me some more insights on this ? Looking at the specs of storage_account resource, it seems I can specify a KeyVault as a Source, but not which KeyVault and which Key etc.... Am I missing something here ? What's the point of being able to specify the Source but not to be able to provide further settings ? Has anybody found a workaround for this ? Thx in advance |
Seconding this. Looking at the documentation, it does appear we can specify |
|
The Key vault must have purge protection + soft delete enabled which is not supported by TF as they cannot be disabled, meaning the resource lifecycle cannot be managed. A workaround is to use a null_resource to enable these settings (e.g. with azure cli). Once that is done, assign an MSI to the storage account, permission the MSI to the Key Vault and use another null_resource to execute the commands to enable key vault encryption (I use azure cli). |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
I have taken an another approach with the local-exec provision, created a powershell script and executed that script file using terraform. |
This comment has been minimized.
This comment has been minimized.
|
This has been released in version 2.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azurerm" {
version = "~> 2.0.0"
}
# ... other configuration ... |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
ghost
locked and limited conversation to collaborators
This issue was originally opened by @raghavanr as hashicorp/terraform#17022. It was migrated here as a result of the provider split. The original body of the issue is below.
how to encrypt VM and Storage Account with Microsoft.Keyvault rather than Microsoft.Storage using terraform.
getting the error when trying with the below code..
``
resource "azurerm_storage_account" "sa" {
name = "sa"
resource_group_name = "${azurerm_resource_group.myrg.name}"
location = "${azurerm_resource_group.myrg.location}"
account_tier = "Standard"
account_replication_type = "LRS"
enable_blob_encryption = "true"
enable_file_encryption = "true"
account_encryption_source = "Microsoft.Keyvault"
}
The text was updated successfully, but these errors were encountered: