From e74fbe8fd2ead40f1d602c018a455875651ea394 Mon Sep 17 00:00:00 2001 
From: Yuval Yaron <43217306+yuvalyaron@users.noreply.github.com> Date: Thu, 2 Jan 2025 20:27:30 +0200 Subject: [PATCH] Use CMK blocks rather than CMK resources in Terraform (#4242) * replace cmk resources with cmk blocks for storage accounts * remove cmk resources for cosmosdb * update template versions * fix terraform format * remove duplicated data block * update core version * update encryption_key_versionless_id assignment to handle null values based on cmk encryption flag --- core/terraform/.terraform.lock.hcl | 19 ----- core/terraform/airlock/airlock_processor.tf | 16 ++-- core/terraform/airlock/storage_accounts.tf | 80 +++++++++---------- core/terraform/airlock/variables.tf | 10 +-- core/terraform/api-identity.tf | 2 - core/terraform/appgateway/staticweb.tf | 14 ++-- core/terraform/appgateway/variables.tf | 17 +--- core/terraform/azure-monitor/azure-monitor.tf | 16 ++-- core/terraform/azure-monitor/variables.tf | 16 +--- core/terraform/cosmos_mongo.tf | 20 +---- core/terraform/main.tf | 25 +++--- core/terraform/statestore.tf | 19 +---- core/terraform/storage.tf | 21 ++--- core/version.txt | 2 +- devops/terraform/main.tf | 23 ++---- templates/shared_services/certs/porter.yaml | 2 +- .../shared_services/certs/terraform/data.tf | 6 ++ .../certs/terraform/staticweb.tf | 16 ++-- .../shared_services/cyclecloud/porter.yaml | 2 +- .../cyclecloud/terraform/data.tf | 6 ++ .../cyclecloud/terraform/storage.tf | 16 ++-- templates/shared_services/gitea/porter.yaml | 2 +- .../workspace_services/azureml/porter.yaml | 2 +- .../azureml/terraform/storage.tf | 16 ++-- .../gitea/terraform/data.tf | 6 ++ .../gitea/terraform/storage.tf | 16 ++-- templates/workspaces/base/porter.yaml | 2 +- .../terraform/airlock/storage_accounts.tf | 55 +++++++++---- .../base/terraform/airlock/variables.tf | 5 +- .../terraform/azure-monitor/azure-monitor.tf | 16 ++-- .../base/terraform/azure-monitor/variables.tf | 5 +- .../workspaces/base/terraform/storage.tf | 18 ++--- 
.../workspaces/base/terraform/workspace.tf | 32 ++++---- 33 files changed, 231 insertions(+), 292 deletions(-) diff --git a/core/terraform/.terraform.lock.hcl b/core/terraform/.terraform.lock.hcl index 7c6b650d30..1c20359910 100644 --- a/core/terraform/.terraform.lock.hcl +++ b/core/terraform/.terraform.lock.hcl @@ -82,25 +82,6 @@ provider "registry.terraform.io/hashicorp/local" { ] } -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" - hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", - ] -} - provider "registry.terraform.io/hashicorp/random" { version = "3.6.3" constraints = ">= 3.0.0, ~> 3.6" diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf index 1be01b7d40..be784443ef 100644 --- a/core/terraform/airlock/airlock_processor.tf +++ b/core/terraform/airlock/airlock_processor.tf 
@@ -44,15 +44,15 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" { # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below infrastructure_encryption_enabled = true - lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } -} + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } -resource "azurerm_storage_account_customer_managed_key" "sa_airlock_processor_func_app_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.sa_airlock_processor_func_app.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } resource "azurerm_linux_function_app" "airlock_function_app" { diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf index 57bb5c8d9d..660850b95c 100644 --- a/core/terraform/airlock/storage_accounts.tf +++ b/core/terraform/airlock/storage_accounts.tf @@ -30,6 +30,14 @@ resource "azurerm_storage_account" "sa_import_external" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } + tags = merge(var.tre_core_tags, { description = "airlock;import;external" }) 
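Review bot: The new `customer_managed_key` block in `sa_airlock_processor_func_app` (and the six identical blocks added to storage_accounts.tf) gives no hint why `key_vault_key_id` is the key's versionless ID rather than a pinned version. A one-line comment would stop the next reader from "tightening" it to a versioned ID, which would also stop the account from following rotated key versions: `# versionless key id so the account picks up rotated key versions without a Terraform change`. The enclosing resource starts before the hunk.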
@@ -59,14 +67,6 @@ resource "azurerm_private_endpoint" "stg_import_external_pe" { } } -resource "azurerm_storage_account_customer_managed_key" "sa_import_external_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.sa_import_external.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id -} - # 'Approved' export resource "azurerm_storage_account" "sa_export_approved" { name = local.export_approved_storage_name @@ -98,6 +98,14 @@ resource "azurerm_storage_account" "sa_export_approved" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } + tags = merge(var.tre_core_tags, { description = "airlock;export;approved" }) @@ -127,14 +135,6 @@ resource "azurerm_private_endpoint" "stg_export_approved_pe" { } } -resource "azurerm_storage_account_customer_managed_key" "sa_export_approved_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.sa_export_approved.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id -} - # 'In-Progress' storage account resource "azurerm_storage_account" "sa_import_in_progress" { name = local.import_in_progress_storage_name @@ -164,6 +164,14 @@ resource "azurerm_storage_account" "sa_import_in_progress" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } + tags = merge(var.tre_core_tags, { description = "airlock;import;in-progress" }) 
@@ -176,15 +184,6 @@ resource "azurerm_storage_account" "sa_import_in_progress" { lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } -resource "azurerm_storage_account_customer_managed_key" "sa_import_in_progress_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.sa_import_in_progress.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id -} - - # Enable Airlock Malware Scanning on Core TRE resource "azapi_resource_action" "enable_defender_for_storage" { count = var.enable_malware_scanning ? 1 : 0 @@ -262,6 +261,14 @@ resource "azurerm_storage_account" "sa_import_rejected" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } + tags = merge(var.tre_core_tags, { description = "airlock;import;rejected" }) @@ -297,14 +304,6 @@ resource "azurerm_private_endpoint" "stg_import_rejected_pe" { lifecycle { ignore_changes = [tags] } } -resource "azurerm_storage_account_customer_managed_key" "sa_import_rejected_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.sa_import_rejected.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id -} - # 'Blocked' storage account resource "azurerm_storage_account" "sa_import_blocked" { name = local.import_blocked_storage_name 
@@ -334,6 +333,14 @@ resource "azurerm_storage_account" "sa_import_blocked" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } + tags = merge(var.tre_core_tags, { description = "airlock;import;blocked" }) @@ -369,10 +376,3 @@ resource "azurerm_private_endpoint" "stg_import_blocked_pe" { lifecycle { ignore_changes = [tags] } } -resource "azurerm_storage_account_customer_managed_key" "sa_import_blocked_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.sa_import_blocked.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id -} diff --git a/core/terraform/airlock/variables.tf b/core/terraform/airlock/variables.tf index f88f1fc50f..95e03b4ba4 100644 --- a/core/terraform/airlock/variables.tf +++ b/core/terraform/airlock/variables.tf @@ -102,13 +102,7 @@ variable "enable_cmk_encryption" { description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources" } -variable "key_store_id" { +variable "encryption_key_versionless_id" { type = string - description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)" - default = null -} - -variable "kv_encryption_key_name" { - type = string - description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)" + description = "Versionless ID of the encryption key in the key vault" } diff --git a/core/terraform/api-identity.tf b/core/terraform/api-identity.tf index 8aabadab1a..8209e37143 100644 --- a/core/terraform/api-identity.tf +++ b/core/terraform/api-identity.tf 
@@ -57,6 +57,4 @@ resource "azurerm_cosmosdb_sql_role_assignment" "tre_db_contributor" { role_definition_id = data.azurerm_cosmosdb_sql_role_definition.cosmosdb_db_contributor.id principal_id = azurerm_user_assigned_identity.id.principal_id scope = azurerm_cosmosdb_account.tre_db_account.id - - depends_on = [null_resource.tre_db_account_enable_cmk] } diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf index 5047fdc618..ee6a0b44bc 100644 --- a/core/terraform/appgateway/staticweb.tf +++ b/core/terraform/appgateway/staticweb.tf @@ -37,14 +37,14 @@ resource "azurerm_storage_account" "staticweb" { identity_ids = [var.encryption_identity_id] } } -} -resource "azurerm_storage_account_customer_managed_key" "staticweb_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.staticweb.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } } # Assign the "Storage Blob Data Contributor" role needed for uploading certificates to the storage account diff --git a/core/terraform/appgateway/variables.tf b/core/terraform/appgateway/variables.tf index 21d50f61b6..8124cdabcd 100644 --- a/core/terraform/appgateway/variables.tf +++ b/core/terraform/appgateway/variables.tf 
@@ -29,21 +29,12 @@ variable "log_analytics_workspace_id" { variable "app_gateway_sku" { type = string } - variable "encryption_identity_id" { - type = string - description = "User Managed Identity with permissions to get encryption keys from key vault" + type = string } variable "enable_cmk_encryption" { - type = bool - description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources" + type = bool } -variable "key_store_id" { - type = string - description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)" - default = null -} -variable "kv_encryption_key_name" { - type = string - description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)" +variable "encryption_key_versionless_id" { + type = string } diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf index 5e2d8e6dee..81f5c3c18d 100644 --- a/core/terraform/azure-monitor/azure-monitor.tf +++ b/core/terraform/azure-monitor/azure-monitor.tf @@ -46,15 +46,15 @@ resource "azurerm_storage_account" "az_monitor" { } } - lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } -} + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = var.encryption_key_versionless_id + user_assigned_identity_id = var.encryption_identity_id + } + } -resource "azurerm_storage_account_customer_managed_key" "az_monitor_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.az_monitor.id - key_vault_id = var.key_store_id - key_name = var.kv_encryption_key_name - user_assigned_identity_id = var.encryption_identity_id + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" { 
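Review bot: This hunk drops the `description` from `encryption_identity_id` and `enable_cmk_encryption` and adds `encryption_key_versionless_id` without one, so the appgateway module's encryption inputs are now undocumented; the same happens in azure-monitor/variables.tf and in templates/workspaces/base/terraform/airlock/variables.tf. Keep the existing descriptions and give the new variable one, e.g. `description = "Versionless ID of the encryption key in the key vault (only used if enable_cmk_encryption is true)"`, matching the wording core/terraform/airlock/variables.tf uses in this same commit. The new variable also has no `default`, so every caller that does not enable CMK must still pass an explicit `null`, as main.tf does; saying so in the description avoids a surprise for other callers.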
diff --git a/core/terraform/azure-monitor/variables.tf b/core/terraform/azure-monitor/variables.tf index 30b99dc0a7..4b370d74ba 100644 --- a/core/terraform/azure-monitor/variables.tf +++ b/core/terraform/azure-monitor/variables.tf @@ -33,19 +33,11 @@ variable "enable_local_debugging" { } variable "encryption_identity_id" { - type = string - description = "User Managed Identity with permissions to get encryption keys from key vault" + type = string } variable "enable_cmk_encryption" { - type = bool - description = "A boolean indicating if customer managed keys will be used for encryption of supporting resources" -} -variable "key_store_id" { - type = string - description = "ID of the Key Vault to store CMKs in (only used if enable_cmk_encryption is true)" - default = null + type = bool } -variable "kv_encryption_key_name" { - type = string - description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)" +variable "encryption_key_versionless_id" { + type = string } diff --git a/core/terraform/cosmos_mongo.tf b/core/terraform/cosmos_mongo.tf index 38231a9c2f..65812cc8f1 100644 --- a/core/terraform/cosmos_mongo.tf +++ b/core/terraform/cosmos_mongo.tf 
@@ -43,30 +43,14 @@ resource "azurerm_cosmosdb_account" "mongo" { } } + key_vault_key_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null tags = local.tre_core_tags - # since key_vault_key_id is created by the 'mongo_enable_cmk' null_resource, terraform forces re-creation of the resource - lifecycle { ignore_changes = [tags, key_vault_key_id] } -} - -# Using the az CLI command since terraform forces a re-creation of the resource -# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781 -resource "null_resource" "mongo_enable_cmk" { - count = var.enable_cmk_encryption ? 1 : 0 - - provisioner "local-exec" { - command = "az cosmosdb update --name ${azurerm_cosmosdb_account.mongo.name} --resource-group ${azurerm_cosmosdb_account.mongo.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}" - } - - depends_on = [ - azurerm_cosmosdb_account.mongo, - azurerm_role_assignment.kv_encryption_key_user[0] - ] + lifecycle { ignore_changes = [tags] } } - resource "azurerm_cosmosdb_mongo_database" "mongo" { name = "porter" resource_group_name = azurerm_resource_group.core.name diff --git a/core/terraform/main.tf b/core/terraform/main.tf index 8a60d545bd..49693884c1 100644 --- a/core/terraform/main.tf +++ b/core/terraform/main.tf @@ -21,10 +21,6 @@ terraform { source = "Azure/azapi" version = "~> 1.15.0" } - null = { - source = "hashicorp/null" - version = "~> 3.2" - } } backend "azurerm" {} 
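Review bot: Setting `key_vault_key_id` directly on `azurerm_cosmosdb_account.mongo` removes the explicit ordering on `azurerm_role_assignment.kv_encryption_key_user[0]` that the deleted `null_resource` carried, so on a fresh CMK-enabled deployment the account can be created before the encryption identity's key-vault role has propagated and fail; the same dependency is lost for `tre_db_account` in statestore.tf, `stg` in storage.tf and `state_storage` in devops/terraform/main.tf (there on `kv_mgmt_encryption_key_user`). Adding `depends_on = [azurerm_role_assignment.kv_encryption_key_user]` to each of those resources restores the ordering the old resources had. Separately, the removed comment records that the provider treats a `key_vault_key_id` change as a replacement, and this hunk also drops `key_vault_key_id` from `ignore_changes`; for existing deployments whose key URI was set by the old `az cosmosdb update` path, any mismatch between the refreshed value and `versionless_id` would plan a destroy/recreate of the database account, so that upgrade path deserves a plan check on an existing CMK deployment and an upgrade note. The enclosing resource starts before the hunk.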
@@ -78,8 +74,7 @@ module "azure_monitor" { tre_core_tags = local.tre_core_tags enable_local_debugging = var.enable_local_debugging enable_cmk_encryption = var.enable_cmk_encryption - key_store_id = local.key_store_id - kv_encryption_key_name = local.cmk_name + encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null depends_on = [ @@ -110,10 +105,9 @@ module "appgateway" { log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id app_gateway_sku = var.app_gateway_sku - enable_cmk_encryption = var.enable_cmk_encryption - key_store_id = local.key_store_id - kv_encryption_key_name = local.cmk_name - encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null + enable_cmk_encryption = var.enable_cmk_encryption + encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null + encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null depends_on = [ module.network, 
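Review bot: The expression `var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null` is now repeated verbatim for `azure_monitor`, `appgateway` and `airlock_resources` (next hunk), where the replaced lines went through the shared `local.key_store_id` and `local.cmk_name`. A single `encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null` in the locals would let the three module calls, and the inline blocks in storage.tf, cosmos_mongo.tf and statestore.tf, reference one definition, so a later change of key cannot drift between them. The module blocks start before their hunks.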
@@ -148,12 +142,11 @@ module "airlock_resources" { queue_core_dns_zone_id = module.network.queue_core_dns_zone_id table_core_dns_zone_id = module.network.table_core_dns_zone_id - enable_local_debugging = var.enable_local_debugging - myip = local.myip - enable_cmk_encryption = var.enable_cmk_encryption - key_store_id = local.key_store_id - kv_encryption_key_name = local.cmk_name - encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null + enable_local_debugging = var.enable_local_debugging + myip = local.myip + enable_cmk_encryption = var.enable_cmk_encryption + encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null + encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null depends_on = [ azurerm_servicebus_namespace.sb, diff --git a/core/terraform/statestore.tf b/core/terraform/statestore.tf index 0bc9c9c51f..66748fda58 100644 --- a/core/terraform/statestore.tf +++ b/core/terraform/statestore.tf @@ -25,6 +25,7 @@ resource "azurerm_cosmosdb_account" "tre_db_account" { } } + key_vault_key_id = var.enable_cmk_encryption ? azurerm_key_vault_key.tre_encryption[0].versionless_id : null default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null consistency_policy { @@ -38,8 +39,7 @@ resource "azurerm_cosmosdb_account" "tre_db_account" { failover_priority = 0 } - # since key_vault_key_id is created by the 'tre_db_account_enable_cmk' null_resource, terraform forces re-creation of the resource - lifecycle { ignore_changes = [tags, key_vault_key_id] } + lifecycle { ignore_changes = [tags] } } moved { 
@@ -107,18 +107,3 @@ resource "azurerm_private_endpoint" "sspe" { subresource_names = ["Sql"] } } - -# Using the az CLI command since terraform forces a re-creation of the resource -# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781 -resource "null_resource" "tre_db_account_enable_cmk" { - count = var.enable_cmk_encryption ? 1 : 0 - - provisioner "local-exec" { - command = "az cosmosdb update --name ${azurerm_cosmosdb_account.tre_db_account.name} --resource-group ${azurerm_cosmosdb_account.tre_db_account.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}" - } - - depends_on = [ - azurerm_cosmosdb_account.tre_db_account, - azurerm_role_assignment.kv_encryption_key_user[0] - ] -} diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf index 157aa9c463..5471e8cc79 100644 --- a/core/terraform/storage.tf +++ b/core/terraform/storage.tf @@ -22,6 +22,14 @@ resource "azurerm_storage_account" "stg" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].versionless_id + user_assigned_identity_id = azurerm_user_assigned_identity.encryption[0].id + } + } + tags = local.tre_core_tags lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } @@ -79,16 +87,3 @@ resource "azurerm_private_endpoint" "filepe" { azurerm_private_endpoint.blobpe ] } - -resource "azurerm_storage_account_customer_managed_key" "encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.stg.id - key_vault_id = local.key_store_id - key_name = local.cmk_name - user_assigned_identity_id = azurerm_user_assigned_identity.encryption[0].id - - depends_on = [ - azurerm_role_assignment.kv_encryption_key_user[0], - azurerm_key_vault_key.tre_encryption[0] - ] -} diff --git a/core/version.txt b/core/version.txt index 23c1471f28..87583f1acf 100644 --- a/core/version.txt 
+++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.11.14" +__version__ = "0.11.15" diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf index e450c34877..7dd4086153 100644 --- a/devops/terraform/main.tf +++ b/devops/terraform/main.tf @@ -42,27 +42,20 @@ resource "azurerm_storage_account" "state_storage" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = azurerm_key_vault_key.tre_mgmt_encryption[0].versionless_id + user_assigned_identity_id = azurerm_user_assigned_identity.tre_mgmt_encryption[0].id + } + } + # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below infrastructure_encryption_enabled = true lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } -resource "azurerm_storage_account_customer_managed_key" "state_storage_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.state_storage.id - key_vault_id = local.key_store_id - key_name = var.kv_mgmt_encryption_key_name - user_assigned_identity_id = azurerm_user_assigned_identity.tre_mgmt_encryption[0].id - - depends_on = [ - azurerm_role_assignment.kv_mgmt_encryption_key_user, - azurerm_key_vault_key.tre_mgmt_encryption[0] - ] -} - - - # Shared container registry resource "azurerm_container_registry" "shared_acr" { name = var.acr_name diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml index e2f2971052..92de8ee40d 100755 --- a/templates/shared_services/certs/porter.yaml +++ b/templates/shared_services/certs/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-certs -version: 0.7.1 +version: 0.7.2 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt" registry: azuretre dockerfile: Dockerfile.tmpl 
diff --git a/templates/shared_services/certs/terraform/data.tf b/templates/shared_services/certs/terraform/data.tf index 359ae36f43..db35778306 100644 --- a/templates/shared_services/certs/terraform/data.tf +++ b/templates/shared_services/certs/terraform/data.tf @@ -23,3 +23,9 @@ data "azurerm_user_assigned_identity" "tre_encryption_identity" { name = local.encryption_identity_name resource_group_name = data.azurerm_resource_group.rg.name } + +data "azurerm_key_vault_key" "encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} diff --git a/templates/shared_services/certs/terraform/staticweb.tf b/templates/shared_services/certs/terraform/staticweb.tf index 88d5bd4318..7c044b6be2 100644 --- a/templates/shared_services/certs/terraform/staticweb.tf +++ b/templates/shared_services/certs/terraform/staticweb.tf @@ -29,15 +29,15 @@ resource "azurerm_storage_account" "staticweb" { } } - lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } -} + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = data.azurerm_key_vault_key.encryption_key[0].versionless_id + user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + } + } -resource "azurerm_storage_account_customer_managed_key" "staticweb_stg_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.staticweb.id - key_vault_id = var.key_store_id - key_name = local.cmk_name - user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } resource "azurerm_role_assignment" "stgwriter" { diff --git a/templates/shared_services/cyclecloud/porter.yaml b/templates/shared_services/cyclecloud/porter.yaml index 818a76e7f3..8111768286 100644 --- a/templates/shared_services/cyclecloud/porter.yaml 
+++ b/templates/shared_services/cyclecloud/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-cyclecloud -version: 0.7.1 +version: 0.7.2 description: "An Azure TRE Shared Service Template for Azure Cyclecloud" registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/shared_services/cyclecloud/terraform/data.tf b/templates/shared_services/cyclecloud/terraform/data.tf index b3ab49aa77..6bc1dea20c 100644 --- a/templates/shared_services/cyclecloud/terraform/data.tf +++ b/templates/shared_services/cyclecloud/terraform/data.tf @@ -3,3 +3,9 @@ data "azurerm_user_assigned_identity" "tre_encryption_identity" { name = local.encryption_identity_name resource_group_name = local.core_resource_group_name } + +data "azurerm_key_vault_key" "encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} diff --git a/templates/shared_services/cyclecloud/terraform/storage.tf b/templates/shared_services/cyclecloud/terraform/storage.tf index ed669ac609..4b02f51d18 100644 --- a/templates/shared_services/cyclecloud/terraform/storage.tf +++ b/templates/shared_services/cyclecloud/terraform/storage.tf 
@@ -20,15 +20,15 @@ resource "azurerm_storage_account" "cyclecloud" { } } - lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } -} + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = data.azurerm_key_vault_key.encryption_key[0].versionless_id + user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + } + } -resource "azurerm_storage_account_customer_managed_key" "cyclecloud_stg_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.cyclecloud.id - key_vault_id = var.key_store_id - key_name = local.cmk_name - user_assigned_identity_id = data.azurerm_user_assigned_identity.tre_encryption_identity[0].id + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } data "azurerm_private_dns_zone" "blobcore" { diff --git a/templates/shared_services/gitea/porter.yaml b/templates/shared_services/gitea/porter.yaml index 98daa28807..e2d3c8b0d5 100644 --- a/templates/shared_services/gitea/porter.yaml +++ b/templates/shared_services/gitea/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-shared-service-gitea -version: 1.1.3 +version: 1.1.4 description: "A Gitea shared service" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml index 530575f43d..24f5488f33 100644 --- a/templates/workspace_services/azureml/porter.yaml +++ b/templates/workspace_services/azureml/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-service-azureml -version: 0.9.1 +version: 0.9.2 description: "An Azure TRE service for Azure Machine Learning" registry: azuretre dockerfile: Dockerfile.tmpl diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf index 94925a85eb..42ba38b5d6 100644 
--- a/templates/workspace_services/azureml/terraform/storage.tf +++ b/templates/workspace_services/azureml/terraform/storage.tf @@ -20,20 +20,20 @@ resource "azurerm_storage_account" "aml" { } } + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id + user_assigned_identity_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id + } + } + # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below infrastructure_encryption_enabled = true lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } -resource "azurerm_storage_account_customer_managed_key" "aml_stg_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.aml.id - key_vault_id = var.key_store_id - key_name = local.cmk_name - user_assigned_identity_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id -} - data "azurerm_private_dns_zone" "blobcore" { name = module.terraform_azurerm_environment_configuration.private_links["privatelink.blob.core.windows.net"] resource_group_name = local.core_resource_group_name diff --git a/templates/workspace_services/gitea/terraform/data.tf b/templates/workspace_services/gitea/terraform/data.tf index 4447529bb0..eb24688f2a 100644 --- a/templates/workspace_services/gitea/terraform/data.tf +++ b/templates/workspace_services/gitea/terraform/data.tf @@ -80,3 +80,9 @@ data "azurerm_user_assigned_identity" "ws_encryption_identity" { name = local.encryption_identity_name resource_group_name = data.azurerm_resource_group.ws.name } + +data "azurerm_key_vault_key" "ws_encryption_key" { + count = var.enable_cmk_encryption ? 1 : 0 + name = local.cmk_name + key_vault_id = var.key_store_id +} 
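Review bot: `azurerm_storage_account.aml` now references `data.azurerm_key_vault_key.ws_encryption_key[0]`, but unlike the gitea service, whose data.tf gains that data source in this commit, no azureml data.tf change appears in the diffstat; unless azureml's data.tf already declares it (the "remove duplicated data block" bullet in the description may be that case), validation will fail on an unknown data source. If it does already exist, a short comment on the block such as `# key looked up in data.tf, alongside ws_encryption_identity` would make the cross-file dependency visible. The enclosing resource starts before the hunk.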
diff --git a/templates/workspace_services/gitea/terraform/storage.tf b/templates/workspace_services/gitea/terraform/storage.tf index c042a18ff7..0e74f16883 100644 --- a/templates/workspace_services/gitea/terraform/storage.tf +++ b/templates/workspace_services/gitea/terraform/storage.tf @@ -20,15 +20,15 @@ resource "azurerm_storage_account" "gitea" { } } - lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } -} + dynamic "customer_managed_key" { + for_each = var.enable_cmk_encryption ? [1] : [] + content { + key_vault_key_id = data.azurerm_key_vault_key.ws_encryption_key[0].versionless_id + user_assigned_identity_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id + } + } -resource "azurerm_storage_account_customer_managed_key" "gitea_stg_encryption" { - count = var.enable_cmk_encryption ? 1 : 0 - storage_account_id = azurerm_storage_account.gitea.id - key_vault_id = var.key_store_id - key_name = local.cmk_name - user_assigned_identity_id = data.azurerm_user_assigned_identity.ws_encryption_identity[0].id + lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] } } resource "azurerm_storage_account_network_rules" "stgrules" { diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index 71c75e942a..89be17e3de 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml @@ -1,7 +1,7 @@ --- schemaVersion: 1.0.0 name: tre-workspace-base -version: 1.9.0 +version: 1.9.1 description: "A base Azure TRE workspace" dockerfile: Dockerfile.tmpl registry: azuretre diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf index 9c1c933744..2090c08d30 100644 --- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf +++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf 
@@ -32,6 +32,14 @@ resource "azurerm_storage_account" "sa_import_approved" {
 }
 }
 
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = var.encryption_key_versionless_id
+ user_assigned_identity_id = var.encryption_identity_id
+ }
+ }
+
 tags = merge(
 var.tre_workspace_tags,
 {
@@ -99,6 +107,14 @@ resource "azurerm_storage_account" "sa_export_internal" {
 }
 }
 
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = var.encryption_key_versionless_id
+ user_assigned_identity_id = var.encryption_identity_id
+ }
+ }
+
 tags = merge(
 var.tre_workspace_tags,
 {
@@ -158,6 +174,14 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
 }
 }
 
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = var.encryption_key_versionless_id
+ user_assigned_identity_id = var.encryption_identity_id
+ }
+ }
+
 # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
 infrastructure_encryption_enabled = true
 
@@ -240,6 +264,14 @@ resource "azurerm_storage_account" "sa_export_rejected" {
 }
 }
 
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = var.encryption_key_versionless_id
+ user_assigned_identity_id = var.encryption_identity_id
+ }
+ }
+
 tags = merge(
 var.tre_workspace_tags,
 {
@@ -307,6 +339,14 @@ resource "azurerm_storage_account" "sa_export_blocked" {
 }
 }
 
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = var.encryption_key_versionless_id
+ user_assigned_identity_id = var.encryption_identity_id
+ }
+ }
+
 tags = merge(
 var.tre_workspace_tags,
 {
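Review bot: The same seven-line `dynamic "customer_managed_key"` block is pasted verbatim into all five storage accounts in this file (this hunk for `sa_import_approved`, then `sa_export_internal`, `sa_export_inprogress`, `sa_export_rejected` and `sa_export_blocked`), which is the shape the removed `sa_encryption` `for_each` resource had avoided. HCL cannot share a dynamic block, but the gate can live in one place so a later change to the condition is made once: `locals { cmk_block = var.enable_cmk_encryption ? [1] : [] }` and `for_each = local.cmk_block` in each copy. A one-line comment on the first copy, `# inline CMK binding; replaces the former azurerm_storage_account_customer_managed_key.sa_encryption resource`, would tell the next reader where the key binding went. Each resource block starts above its hunk.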
@@ -356,18 +396,3 @@ resource "azurerm_role_assignment" "api_sa_data_contributor" {
 role_definition_name = "Storage Blob Data Contributor"
 principal_id = data.azurerm_user_assigned_identity.api_id.principal_id
 }
-
-resource "azurerm_storage_account_customer_managed_key" "sa_encryption" {
- for_each = var.enable_cmk_encryption ? {
- "sa_import_approved" = azurerm_storage_account.sa_import_approved,
- "sa_export_internal" = azurerm_storage_account.sa_export_internal,
- "sa_export_inprogress" = azurerm_storage_account.sa_export_inprogress,
- "sa_export_rejected" = azurerm_storage_account.sa_export_rejected,
- "sa_export_blocked" = azurerm_storage_account.sa_export_blocked
- } : {}
-
- storage_account_id = each.value.id
- key_vault_id = var.key_store_id
- key_name = var.kv_encryption_key_name
- user_assigned_identity_id = var.encryption_identity_id
-}
diff --git a/templates/workspaces/base/terraform/airlock/variables.tf b/templates/workspaces/base/terraform/airlock/variables.tf
index 70e4b1a101..5f299e00fa 100644
--- a/templates/workspaces/base/terraform/airlock/variables.tf
+++ b/templates/workspaces/base/terraform/airlock/variables.tf
@@ -28,12 +28,9 @@ variable "arm_environment" {
 variable "enable_cmk_encryption" {
 type = bool
 }
-variable "key_store_id" {
- type = string
-}
 variable "encryption_identity_id" {
 type = string
 }
-variable "kv_encryption_key_name" {
+variable "encryption_key_versionless_id" {
 type = string
 }
diff --git a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
index 70e99cf5b1..6c8068de24 100644
--- a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
+++ b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
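Review bot: `encryption_key_versionless_id` is declared as a bare `type = string` with no description, yet the workspace.tf hunk passes `null` for it (and for `encryption_identity_id`) whenever `enable_cmk_encryption` is false, so the only thing that keeps a null from reaching a `customer_managed_key` block is the `for_each` gate in the callers; that contract is invisible from the variable itself. Suggest a description on each, e.g. `description = "Versionless Key Vault key id for CMK encryption; null when enable_cmk_encryption is false"`, and, if the template already requires Terraform 1.9+, a `validation` block asserting the id is non-null when `var.enable_cmk_encryption` is true, since cross-variable references in validations need that version. The same applies to the azure-monitor/variables.tf hunk, which makes the identical rename.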
@@ -37,6 +37,14 @@ resource "azurerm_storage_account" "app_insights" {
 }
 }
 
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = var.encryption_key_versionless_id
+ user_assigned_identity_id = var.encryption_identity_id
+ }
+ }
+
 # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
 infrastructure_encryption_enabled = true
 
@@ -48,14 +56,6 @@ resource "azurerm_storage_account" "app_insights" {
 lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
-resource "azurerm_storage_account_customer_managed_key" "app_insights_stg_encryption" {
- count = var.enable_cmk_encryption ? 1 : 0
- storage_account_id = azurerm_storage_account.app_insights.id
- key_vault_id = var.key_store_id
- key_name = var.kv_encryption_key_name
- user_assigned_identity_id = var.encryption_identity_id
-}
-
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {
 data_source_type = "Ingestion"
 resource_group_name = var.resource_group_name
diff --git a/templates/workspaces/base/terraform/azure-monitor/variables.tf b/templates/workspaces/base/terraform/azure-monitor/variables.tf
index 1171350646..f021759860 100644
--- a/templates/workspaces/base/terraform/azure-monitor/variables.tf
+++ b/templates/workspaces/base/terraform/azure-monitor/variables.tf
@@ -40,12 +40,9 @@ variable "enable_local_debugging" {
 variable "enable_cmk_encryption" {
 type = bool
 }
-variable "key_store_id" {
- type = string
-}
 variable "encryption_identity_id" {
 type = string
 }
-variable "kv_encryption_key_name" {
+variable "encryption_key_versionless_id" {
 type = string
 }
diff --git a/templates/workspaces/base/terraform/storage.tf b/templates/workspaces/base/terraform/storage.tf
index 6a8027ed10..7fc6f00a2c 100644
--- a/templates/workspaces/base/terraform/storage.tf
+++ b/templates/workspaces/base/terraform/storage.tf
@@ -19,6 +19,14 @@ resource "azurerm_storage_account" "stg" {
 }
 }
 
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = azurerm_key_vault_key.encryption_key[0].versionless_id
+ user_assigned_identity_id = azurerm_user_assigned_identity.encryption_identity[0].id
+ }
+ }
+
 # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
 infrastructure_encryption_enabled = true
 
@@ -141,13 +149,3 @@ resource "azurerm_private_endpoint" "stgdfspe" {
 subresource_names = ["dfs"]
 }
 }
-
-resource "azurerm_storage_account_customer_managed_key" "stg_encryption" {
- count = var.enable_cmk_encryption ? 1 : 0
- storage_account_id = azurerm_storage_account.stg.id
- key_vault_id = var.key_store_id
- key_name = local.kv_encryption_key_name
- user_assigned_identity_id = azurerm_user_assigned_identity.encryption_identity[0].id
-
- depends_on = [azurerm_key_vault_key.encryption_key]
-}
diff --git a/templates/workspaces/base/terraform/workspace.tf b/templates/workspaces/base/terraform/workspace.tf
index 2e6b36d173..10fb74c6a7 100644
--- a/templates/workspaces/base/terraform/workspace.tf
+++ b/templates/workspaces/base/terraform/workspace.tf
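Review bot: The removed `stg_encryption` resource carried `depends_on = [azurerm_key_vault_key.encryption_key]`; the inline block's attribute reference to `azurerm_key_vault_key.encryption_key[0].versionless_id` makes that dependency implicit, so dropping it is fine, but an attribute reference does not order the account after whatever grants `encryption_identity` wrap/unwrap rights on the key (a role assignment or access policy). While the binding was a separate resource that grant only had to exist before the binding was applied; now it has to exist before the storage account is created or updated, so if the grant is declared in this template the `stg` resource should gain `depends_on = [<the grant resource>]`, else the first CMK-enabled apply may fail at the account rather than at a later resource. I can't see the grant from this hunk and the `stg` resource block starts above it. The airlock and azure-monitor modules receive only id strings and have the same ordering gap for the grant, if any, that lives in the parent.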
@@ -45,21 +45,20 @@ module "aad" { } module "airlock" { - count = var.enable_airlock ? 1 : 0 - source = "./airlock" - location = var.location - tre_id = var.tre_id - tre_workspace_tags = local.tre_workspace_tags - ws_resource_group_name = azurerm_resource_group.ws.name - enable_local_debugging = var.enable_local_debugging - services_subnet_id = module.network.services_subnet_id - short_workspace_id = local.short_workspace_id - airlock_processor_subnet_id = module.network.airlock_processor_subnet_id - arm_environment = var.arm_environment - enable_cmk_encryption = var.enable_cmk_encryption - key_store_id = var.key_store_id - kv_encryption_key_name = local.kv_encryption_key_name - encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption_identity[0].id : null + count = var.enable_airlock ? 1 : 0 + source = "./airlock" + location = var.location + tre_id = var.tre_id + tre_workspace_tags = local.tre_workspace_tags + ws_resource_group_name = azurerm_resource_group.ws.name + enable_local_debugging = var.enable_local_debugging + services_subnet_id = module.network.services_subnet_id + short_workspace_id = local.short_workspace_id + airlock_processor_subnet_id = module.network.airlock_processor_subnet_id + arm_environment = var.arm_environment + enable_cmk_encryption = var.enable_cmk_encryption + encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.encryption_key[0].versionless_id : null + encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption_identity[0].id : null depends_on = [ module.network, ] 
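Review bot: The expression `var.enable_cmk_encryption ? azurerm_key_vault_key.encryption_key[0].versionless_id : null` is now written out twice, here for `module "airlock"` and again in the next hunk for `module "azure_monitor"`, next to the already duplicated identity conditional; a single `locals` entry, `encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.encryption_key[0].versionless_id : null`, referenced from both module calls keeps the two inputs from diverging. With `kv_encryption_key_name` no longer passed to either module and no longer read by base storage.tf, check whether `local.kv_encryption_key_name` still has a reader (presumably the `azurerm_key_vault_key.encryption_key` resource uses it for its name) and remove it if not. The `module "airlock"` block is shown whole, but the alignment-only rewrite of its unchanged arguments makes the substantive change (two inputs removed, one added) hard to spot in review.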
@@ -81,8 +80,7 @@ module "azure_monitor" {
 azure_monitor_agentsvc_dns_zone_id = module.network.azure_monitor_agentsvc_dns_zone_id
 blob_core_dns_zone_id = module.network.blobcore_zone_id
 enable_cmk_encryption = var.enable_cmk_encryption
- key_store_id = var.key_store_id
- kv_encryption_key_name = local.kv_encryption_key_name
+ encryption_key_versionless_id = var.enable_cmk_encryption ? azurerm_key_vault_key.encryption_key[0].versionless_id : null
 encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption_identity[0].id : null
 enable_local_debugging = var.enable_local_debugging
 depends_on = [