Use CMK blocks rather than CMK resources in Terraform (#4242)

* replace cmk resources with cmk blocks for storage accounts * remove cmk resources for cosmosdb * update template versions * fix terraform format * remove duplicated data block * update core version * update encryption_key_versionless_id assignment to handle null values based on cmk encryption flag
microsoft · Jan 2, 2025 · e74fbe8 · e74fbe8
1 parent c79d9e1
commit e74fbe8
Show file tree

Hide file tree

Showing 33 changed files with 231 additions and 292 deletions.
diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -44,15 +44,15 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
   infrastructure_encryption_enabled = true
 
-  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
-}
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_airlock_processor_func_app_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_airlock_processor_func_app.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {

diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf
@@ -30,6 +30,14 @@ resource "azurerm_storage_account" "sa_import_external" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;external"
   })
@@ -59,14 +67,6 @@ resource "azurerm_private_endpoint" "stg_import_external_pe" {
   }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_external_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_external.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
 # 'Approved' export
 resource "azurerm_storage_account" "sa_export_approved" {
   name                             = local.export_approved_storage_name
@@ -98,6 +98,14 @@ resource "azurerm_storage_account" "sa_export_approved" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;export;approved"
   })
@@ -127,14 +135,6 @@ resource "azurerm_private_endpoint" "stg_export_approved_pe" {
   }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_export_approved_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_export_approved.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
 # 'In-Progress' storage account
 resource "azurerm_storage_account" "sa_import_in_progress" {
   name                             = local.import_in_progress_storage_name
@@ -164,6 +164,14 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;in-progress"
   })
@@ -176,15 +184,6 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
   lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_in_progress_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_in_progress.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
-
 # Enable Airlock Malware Scanning on Core TRE
 resource "azapi_resource_action" "enable_defender_for_storage" {
   count       = var.enable_malware_scanning ? 1 : 0
@@ -262,6 +261,14 @@ resource "azurerm_storage_account" "sa_import_rejected" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;rejected"
   })
@@ -297,14 +304,6 @@ resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_rejected_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_rejected.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
-
 # 'Blocked' storage account
 resource "azurerm_storage_account" "sa_import_blocked" {
   name                             = local.import_blocked_storage_name
@@ -334,6 +333,14 @@ resource "azurerm_storage_account" "sa_import_blocked" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;blocked"
   })
@@ -369,10 +376,3 @@ resource "azurerm_private_endpoint" "stg_import_blocked_pe" {
   lifecycle { ignore_changes = [tags] }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "sa_import_blocked_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.sa_import_blocked.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
-}
diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf
@@ -102,13 +102,7 @@ variable "enable_cmk_encryption" {
   description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources"
 }
 
-variable "key_store_id" {
+variable "encryption_key_versionless_id" {
   type        = string
-  description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)"
-  default     = null
-}
-
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
+  description = "Versionless ID of the encryption key in the key vault"
 }
diff --git a/core/terraform/api-identity.tf b/core/terraform/api-identity.tf
@@ -57,6 +57,4 @@ resource "azurerm_cosmosdb_sql_role_assignment" "tre_db_contributor" {
   role_definition_id  = data.azurerm_cosmosdb_sql_role_definition.cosmosdb_db_contributor.id
   principal_id        = azurerm_user_assigned_identity.id.principal_id
   scope               = azurerm_cosmosdb_account.tre_db_account.id
-
-  depends_on = [null_resource.tre_db_account_enable_cmk]
 }
diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf
@@ -37,14 +37,14 @@ resource "azurerm_storage_account" "staticweb" {
       identity_ids = [var.encryption_identity_id]
     }
   }
-}
 
-resource "azurerm_storage_account_customer_managed_key" "staticweb_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.staticweb.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
 }
 
 # Assign the "Storage Blob Data Contributor" role needed for uploading certificates to the storage account

diff --git a/core/terraform/appgateway/variables.tf b/core/terraform/appgateway/variables.tf
@@ -29,21 +29,12 @@ variable "log_analytics_workspace_id" {
 variable "app_gateway_sku" {
   type = string
 }
-
 variable "encryption_identity_id" {
-  type        = string
-  description = "User Managed Identity with permissions to get encryption keys from key vault"
+  type = string
 }
 variable "enable_cmk_encryption" {
-  type        = bool
-  description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources"
+  type = bool
 }
-variable "key_store_id" {
-  type        = string
-  description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)"
-  default     = null
-}
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
+variable "encryption_key_versionless_id" {
+  type = string
 }
diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf
@@ -46,15 +46,15 @@ resource "azurerm_storage_account" "az_monitor" {
     }
   }
 
-  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
-}
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id          = var.encryption_key_versionless_id
+      user_assigned_identity_id = var.encryption_identity_id
+    }
+  }
 
-resource "azurerm_storage_account_customer_managed_key" "az_monitor_encryption" {
-  count                     = var.enable_cmk_encryption ? 1 : 0
-  storage_account_id        = azurerm_storage_account.az_monitor.id
-  key_vault_id              = var.key_store_id
-  key_name                  = var.kv_encryption_key_name
-  user_assigned_identity_id = var.encryption_identity_id
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {

diff --git a/core/terraform/azure-monitor/variables.tf b/core/terraform/azure-monitor/variables.tf
@@ -33,19 +33,11 @@ variable "enable_local_debugging" {
 }
 
 variable "encryption_identity_id" {
-  type        = string
-  description = "User Managed Identity with permissions to get encryption keys from key vault"
+  type = string
 }
 variable "enable_cmk_encryption" {
-  type        = bool
-  description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources"
-}
-variable "key_store_id" {
-  type        = string
-  description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)"
-  default     = null
+  type = bool
 }
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
+variable "encryption_key_versionless_id" {
+  type = string
 }
diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf
@@ -43,30 +43,14 @@ resource "azurerm_cosmosdb_account" "mongo" {
     }
   }
 
+  key_vault_key_id      = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null
   default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
 
   tags = local.tre_core_tags
 
-  # since key_vault_key_id is created by the 'mongo_enable_cmk' null_resource, terraform forces re-creation of the resource
-  lifecycle { ignore_changes = [tags, key_vault_key_id] }
-}
-
-# Using the az CLI command since terraform forces a re-creation of the resource
-# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
-resource "null_resource" "mongo_enable_cmk" {
-  count = var.enable_cmk_encryption ? 1 : 0
-
-  provisioner "local-exec" {
-    command = "az cosmosdb update --name ${azurerm_cosmosdb_account.mongo.name} --resource-group ${azurerm_cosmosdb_account.mongo.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}"
-  }
-
-  depends_on = [
-    azurerm_cosmosdb_account.mongo,
-    azurerm_role_assignment.kv_encryption_key_user[0]
-  ]
+  lifecycle { ignore_changes = [tags] }
 }
 
-
 resource "azurerm_cosmosdb_mongo_database" "mongo" {
   name                = "porter"
   resource_group_name = azurerm_resource_group.core.name