Enable storage account infrastructure encryption (#4139)
* Enable infrastructure encryption on storage accounts #73

* Enable infrastructure encryption on storage accounts #73

* Enable infrastructure encryption on storage accounts #73

* Update storage_accounts.tf
jonnyry authored Dec 1, 2024
1 parent d3f5684 commit 90274e5
Showing 16 changed files with 99 additions and 27 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,7 @@ ENHANCEMENTS:
* Split log entries with [Log chunk X of Y] for better readability. ([#3992](https://github.com/microsoft/AzureTRE/issues/3992))
* Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
* Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
* Storage accounts should use infrastructure encryption ([#4001](https://github.com/microsoft/AzureTRE/issues/4001))
* Update obsolete Terraform properties ([#4136](https://github.com/microsoft/AzureTRE/issues/4136))
* Update Guacamole version and dependencies ([#4140](https://github.com/microsoft/AzureTRE/issues/4140))
* Add partial (core resources only) support for customer managed keys ([#4141](https://github.com/microsoft/AzureTRE/issues/4142))
5 changes: 4 additions & 1 deletion core/terraform/airlock/airlock_processor.tf
Expand Up @@ -36,7 +36,10 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
}
}

lifecycle { ignore_changes = [tags] }
# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_storage_account_customer_managed_key" "sa_airlock_processor_func_app_encryption" {
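Review bot: The `lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }` line means a storage account that already exists without infrastructure encryption will never be reported by plan, so the new `infrastructure_encryption_enabled = true` is only enforced for accounts created after this commit and existing deployments silently keep the setting off. The comment on the attribute should state that consequence, e.g. `# Only honoured at creation time: accounts that pre-date this setting keep their original state and plan will not report the difference`, and a compensating audit (an Azure Policy assignment or a post-deploy check of each account's encryption settings) would give operators visibility of which accounts are still missing it. The same pattern is repeated in core/terraform/airlock/storage_accounts.tf, core/terraform/appgateway/staticweb.tf, core/terraform/azure-monitor/azure-monitor.tf, core/terraform/storage.tf, devops/terraform/main.tf and the templates/* storage files in this commit. The `azurerm_storage_account` block starts above the hunk.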
25 changes: 20 additions & 5 deletions core/terraform/airlock/storage_accounts.tf
Expand Up @@ -16,6 +16,9 @@ resource "azurerm_storage_account" "sa_import_external" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

dynamic "identity" {
for_each = var.enable_cmk_encryption ? [1] : []
content {
Expand All @@ -28,7 +31,7 @@ resource "azurerm_storage_account" "sa_import_external" {
description = "airlock;import;external"
})

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_private_endpoint" "stg_import_external_pe" {
Expand Down Expand Up @@ -77,6 +80,9 @@ resource "azurerm_storage_account" "sa_export_approved" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

dynamic "identity" {
for_each = var.enable_cmk_encryption ? [1] : []
content {
Expand All @@ -89,7 +95,7 @@ resource "azurerm_storage_account" "sa_export_approved" {
description = "airlock;export;approved"
})

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_private_endpoint" "stg_export_approved_pe" {
Expand Down Expand Up @@ -136,6 +142,9 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

dynamic "identity" {
for_each = var.enable_cmk_encryption ? [1] : []
content {
Expand All @@ -153,7 +162,7 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
bypass = ["AzureServices"]
}

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_storage_account_customer_managed_key" "sa_import_in_progress_encryption" {
Expand Down Expand Up @@ -227,6 +236,9 @@ resource "azurerm_storage_account" "sa_import_rejected" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

dynamic "identity" {
for_each = var.enable_cmk_encryption ? [1] : []
content {
Expand All @@ -244,7 +256,7 @@ resource "azurerm_storage_account" "sa_import_rejected" {
bypass = ["AzureServices"]
}

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
Expand Down Expand Up @@ -292,6 +304,9 @@ resource "azurerm_storage_account" "sa_import_blocked" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

dynamic "identity" {
for_each = var.enable_cmk_encryption ? [1] : []
content {
Expand All @@ -309,7 +324,7 @@ resource "azurerm_storage_account" "sa_import_blocked" {
bypass = ["AzureServices"]
}

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_private_endpoint" "stg_import_blocked_pe" {
5 changes: 4 additions & 1 deletion core/terraform/appgateway/staticweb.tf
Expand Up @@ -11,12 +11,15 @@ resource "azurerm_storage_account" "staticweb" {
cross_tenant_replication_enabled = false
tags = local.tre_core_tags

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

static_website {
index_document = "index.html"
error_404_document = "index.html"
}

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }

network_rules {
bypass = ["AzureServices"]
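Review bot: The rewritten `lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }` sits between `static_website` and `network_rules`, whereas every other resource touched by this commit keeps the lifecycle meta-argument as the last block of the resource. Moving it below `network_rules` keeps the layout consistent across the files and makes the `ignore_changes` list easy to find when the next attribute is added to it. The `staticweb` resource continues outside the hunk.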
5 changes: 4 additions & 1 deletion core/terraform/azure-monitor/azure-monitor.tf
Expand Up @@ -24,6 +24,9 @@ resource "azurerm_storage_account" "az_monitor" {
cross_tenant_replication_enabled = false
tags = var.tre_core_tags

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
Expand All @@ -37,7 +40,7 @@ resource "azurerm_storage_account" "az_monitor" {
}
}

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_storage_account_customer_managed_key" "az_monitor_encryption" {
5 changes: 3 additions & 2 deletions core/terraform/storage.tf
Expand Up @@ -7,6 +7,8 @@ resource "azurerm_storage_account" "stg" {
allow_nested_items_to_be_public = false
cross_tenant_replication_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

dynamic "identity" {
for_each = var.enable_cmk_encryption ? [1] : []
Expand All @@ -18,8 +20,7 @@ resource "azurerm_storage_account" "stg" {

tags = local.tre_core_tags


lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_private_endpoint" "blobpe" {
2 changes: 1 addition & 1 deletion core/version.txt
@@ -1 +1 @@
__version__ = "0.11.3"
__version__ = "0.11.4"
18 changes: 14 additions & 4 deletions devops/terraform/bootstrap.sh
Expand Up @@ -7,11 +7,21 @@ set -o nounset
echo -e "\n\e[34m»»» 🤖 \e[96mCreating resource group and storage account\e[0m..."
# shellcheck disable=SC2154
az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location "$LOCATION" -o table

# shellcheck disable=SC2154
az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
--name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
--allow-blob-public-access false \
--kind StorageV2 --sku Standard_LRS -o table
if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
# only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled)

# shellcheck disable=SC2154
az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
--name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
--allow-blob-public-access false \
--kind StorageV2 --sku Standard_LRS -o table \
--require-infrastructure-encryption true
else
echo "Storage account already exists..."
az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
fi

# Grant user blob data contributor permissions
echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
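Review bot: The `else` branch reports that the storage account already exists but never checks whether that pre-existing account has infrastructure encryption, so the `--require-infrastructure-encryption true` added to the create call gives no assurance for environments bootstrapped before this commit, and the setting cannot be changed in place afterwards. Reading `encryption.requireInfrastructureEncryption` from the existing account and printing a warning when it is not `true` makes the gap visible to the operator instead of hiding it behind "Storage account already exists...". The `2>/dev/null` on the guard also discards the reason when `show` fails for something other than a missing account (expired login, wrong subscription), in which case the script falls through to `create` and fails there with a less useful error, so consider logging the failure rather than silencing it. The comment typo `occuring` should read `occurring`.
```shell
# … unchanged: existence check and `az storage account create` branch …
else
  echo "Storage account already exists..."
  az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table

  # infrastructure encryption can only be set at creation time, so surface accounts that pre-date this setting
  infra_encryption=$(az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "encryption.requireInfrastructureEncryption" -o json)
  if [ "$infra_encryption" != "true" ]; then
    echo "WARNING: storage account $TF_VAR_mgmt_storage_account_name was created without infrastructure encryption; this cannot be enabled in place." >&2
  fi
fi
```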
5 changes: 4 additions & 1 deletion devops/terraform/main.tf
Expand Up @@ -39,7 +39,10 @@ resource "azurerm_storage_account" "state_storage" {
}
}

lifecycle { ignore_changes = [tags] }
# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_storage_account_customer_managed_key" "state_storage_encryption" {
5 changes: 4 additions & 1 deletion templates/shared_services/certs/terraform/staticweb.tf
Expand Up @@ -11,12 +11,15 @@ resource "azurerm_storage_account" "staticweb" {
cross_tenant_replication_enabled = false
tags = local.tre_shared_service_tags

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

static_website {
index_document = "index.html"
error_404_document = "404.html"
}

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_role_assignment" "stgwriter" {
5 changes: 4 additions & 1 deletion templates/shared_services/cyclecloud/terraform/storage.tf
Expand Up @@ -7,7 +7,10 @@ resource "azurerm_storage_account" "cyclecloud" {
cross_tenant_replication_enabled = false
tags = local.tre_shared_service_tags

lifecycle { ignore_changes = [tags] }
# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

data "azurerm_private_dns_zone" "blobcore" {
5 changes: 4 additions & 1 deletion templates/workspace_services/azureml/terraform/storage.tf
Expand Up @@ -10,7 +10,10 @@ resource "azurerm_storage_account" "aml" {
default_action = "Deny"
}

lifecycle { ignore_changes = [tags] }
# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

data "azurerm_private_dns_zone" "blobcore" {
5 changes: 4 additions & 1 deletion templates/workspace_services/gitea/terraform/storage.tf
Expand Up @@ -7,7 +7,10 @@ resource "azurerm_storage_account" "gitea" {
cross_tenant_replication_enabled = false
tags = local.workspace_service_tags

lifecycle { ignore_changes = [tags] }
# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_storage_account_network_rules" "stgrules" {
25 changes: 20 additions & 5 deletions templates/workspaces/base/terraform/airlock/storage_accounts.tf
Expand Up @@ -12,6 +12,9 @@ resource "azurerm_storage_account" "sa_import_approved" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

network_rules {
default_action = var.enable_local_debugging ? "Allow" : "Deny"
bypass = ["AzureServices"]
Expand All @@ -24,7 +27,7 @@ resource "azurerm_storage_account" "sa_import_approved" {
}
)

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_private_endpoint" "import_approved_pe" {
Expand Down Expand Up @@ -64,6 +67,9 @@ resource "azurerm_storage_account" "sa_export_internal" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

network_rules {
default_action = var.enable_local_debugging ? "Allow" : "Deny"
bypass = ["AzureServices"]
Expand All @@ -76,7 +82,7 @@ resource "azurerm_storage_account" "sa_export_internal" {
}
)

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}


Expand Down Expand Up @@ -116,14 +122,17 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

tags = merge(
var.tre_workspace_tags,
{
description = "airlock;export;inprogress"
}
)

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_storage_account_network_rules" "sa_export_inprogress_rules" {
Expand Down Expand Up @@ -175,6 +184,9 @@ resource "azurerm_storage_account" "sa_export_rejected" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

network_rules {
default_action = var.enable_local_debugging ? "Allow" : "Deny"
bypass = ["AzureServices"]
Expand All @@ -187,7 +199,7 @@ resource "azurerm_storage_account" "sa_export_rejected" {
}
)

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}


Expand Down Expand Up @@ -227,6 +239,9 @@ resource "azurerm_storage_account" "sa_export_blocked" {
# This is true ONLY when Hierarchical Namespace is DISABLED
is_hns_enabled = false

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

network_rules {
default_action = var.enable_local_debugging ? "Allow" : "Deny"
bypass = ["AzureServices"]
Expand All @@ -239,7 +254,7 @@ resource "azurerm_storage_account" "sa_export_blocked" {
}
)

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}


Expand Up @@ -23,12 +23,15 @@ resource "azurerm_storage_account" "app_insights" {
cross_tenant_replication_enabled = false
tags = var.tre_workspace_tags

# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

network_rules {
default_action = "Deny"
bypass = ["AzureServices"]
}

lifecycle { ignore_changes = [tags] }
lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {
5 changes: 4 additions & 1 deletion templates/workspaces/base/terraform/storage.tf
Expand Up @@ -9,7 +9,10 @@ resource "azurerm_storage_account" "stg" {
cross_tenant_replication_enabled = false // not technically needed as cross tenant replication not supported when is_hns_enabled = true
tags = local.tre_workspace_tags

lifecycle { ignore_changes = [tags] }
# changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
infrastructure_encryption_enabled = true

lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
}

# Using AzAPI as AzureRM uses shared account key for Azure files operations
