Merge branch 'main' into marrobi/issue1921

CHANGELOG.md

@@ -12,9 +12,10 @@ ENHANCEMENTS:
 * Split log entries with [Log chunk X of Y] for better readability. ([#3992](https://github.com/microsoft/AzureTRE/issues/3992))
 * Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
 * Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
+* Storage accounts should use infrastructure encryption ([#4001](https://github.com/microsoft/AzureTRE/issues/4001))
 * Update obsolete Terraform properties ([#4136](https://github.com/microsoft/AzureTRE/issues/4136))
 * Update Guacamole version and dependencies ([#4140](https://github.com/microsoft/AzureTRE/issues/4140))
-* Add partial (core resources only) support for customer managed keys  ([#4141](https://github.com/microsoft/AzureTRE/issues/4142))
+* Add partial (core resources only) support for customer managed keys  ([#4141](https://github.com/microsoft/AzureTRE/issues/4142),  [#4144](https://github.com/microsoft/AzureTRE/issues/4144))
 * Update the Azure CLI version to 2.67.0 in dev container and vmss ([#4157](https://github.com/microsoft/AzureTRE/pull/4157))
 
 BUG FIXES:

core/terraform/airlock/airlock_processor.tf

@@ -36,7 +36,10 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
     }
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "sa_airlock_processor_func_app_encryption" {

core/terraform/airlock/storage_accounts.tf

@@ -16,6 +16,9 @@ resource "azurerm_storage_account" "sa_import_external" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -28,7 +31,7 @@ resource "azurerm_storage_account" "sa_import_external" {
     description = "airlock;import;external"
   })
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_external_pe" {
@@ -77,6 +80,9 @@ resource "azurerm_storage_account" "sa_export_approved" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -89,7 +95,7 @@ resource "azurerm_storage_account" "sa_export_approved" {
     description = "airlock;export;approved"
   })
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_export_approved_pe" {
@@ -136,6 +142,9 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -153,7 +162,7 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "sa_import_in_progress_encryption" {
@@ -227,6 +236,9 @@ resource "azurerm_storage_account" "sa_import_rejected" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -244,7 +256,7 @@ resource "azurerm_storage_account" "sa_import_rejected" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
@@ -292,6 +304,9 @@ resource "azurerm_storage_account" "sa_import_blocked" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -309,7 +324,7 @@ resource "azurerm_storage_account" "sa_import_blocked" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_blocked_pe" {

core/terraform/api-identity.tf

@@ -57,4 +57,6 @@ resource "azurerm_cosmosdb_sql_role_assignment" "tre_db_contributor" {
   role_definition_id  = data.azurerm_cosmosdb_sql_role_definition.cosmosdb_db_contributor.id
   principal_id        = azurerm_user_assigned_identity.id.principal_id
   scope               = azurerm_cosmosdb_account.tre_db_account.id
+
+  depends_on = [null_resource.tre_db_account_enable_cmk]
 }

core/terraform/appgateway/staticweb.tf

@@ -11,12 +11,15 @@ resource "azurerm_storage_account" "staticweb" {
   cross_tenant_replication_enabled = false
   tags                             = local.tre_core_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   static_website {
     index_document     = "index.html"
     error_404_document = "index.html"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 
   network_rules {
     bypass         = ["AzureServices"]

core/terraform/azure-monitor/azure-monitor.tf

@@ -24,6 +24,9 @@ resource "azurerm_storage_account" "az_monitor" {
   cross_tenant_replication_enabled = false
   tags                             = var.tre_core_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = "Deny"
     bypass         = ["AzureServices"]
@@ -37,7 +40,7 @@ resource "azurerm_storage_account" "az_monitor" {
     }
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "az_monitor_encryption" {

core/terraform/cosmos_mongo.tf

@@ -35,11 +35,38 @@ resource "azurerm_cosmosdb_account" "mongo" {
     failover_priority = 0
   }
 
+  dynamic "identity" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      type         = "UserAssigned"
+      identity_ids = [azurerm_user_assigned_identity.encryption[0].id]
+    }
+  }
+
+  default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
+
   tags = local.tre_core_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # since key_vault_key_id is created by the 'mongo_enable_cmk' null_resource, terraform forces re-creation of the resource
+  lifecycle { ignore_changes = [tags, key_vault_key_id] }
+}
+
+# Using the az CLI command since terraform forces a re-creation of the resource
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
+resource "null_resource" "mongo_enable_cmk" {
+  count = var.enable_cmk_encryption ? 1 : 0
+
+  provisioner "local-exec" {
+    command = "az cosmosdb update --name ${azurerm_cosmosdb_account.mongo.name} --resource-group ${azurerm_cosmosdb_account.mongo.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}"
+  }
+
+  depends_on = [
+    azurerm_cosmosdb_account.mongo,
+    azurerm_role_assignment.kv_encryption_key_user[0]
+  ]
 }
 
+
 resource "azurerm_cosmosdb_mongo_database" "mongo" {
   name                = "porter"
   resource_group_name = azurerm_resource_group.core.name

core/terraform/main.tf

@@ -21,6 +21,10 @@ terraform {
       source  = "Azure/azapi"
       version = "~> 1.15.0"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.2"
+    }
   }
 
   backend "azurerm" {}

core/terraform/statestore.tf

@@ -16,6 +16,16 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
     }
   }
 
+  dynamic "identity" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      type         = "UserAssigned"
+      identity_ids = [azurerm_user_assigned_identity.encryption[0].id]
+    }
+  }
+
+  default_identity_type = var.enable_cmk_encryption ? "UserAssignedIdentity=${azurerm_user_assigned_identity.encryption[0].id}" : null
+
   consistency_policy {
     consistency_level       = "BoundedStaleness"
     max_interval_in_seconds = 10
@@ -27,7 +37,8 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
     failover_priority = 0
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # since key_vault_key_id is created by the 'tre_db_account_enable_cmk' null_resource, terraform forces re-creation of the resource
+  lifecycle { ignore_changes = [tags, key_vault_key_id] }
 }
 
 moved {
@@ -95,3 +106,18 @@ resource "azurerm_private_endpoint" "sspe" {
     subresource_names              = ["Sql"]
   }
 }
+
+# Using the az CLI command since terraform forces a re-creation of the resource
+# https://github.com/hashicorp/terraform-provider-azurerm/issues/24781
+resource "null_resource" "tre_db_account_enable_cmk" {
+  count = var.enable_cmk_encryption ? 1 : 0
+
+  provisioner "local-exec" {
+    command = "az cosmosdb update --name ${azurerm_cosmosdb_account.tre_db_account.name} --resource-group ${azurerm_cosmosdb_account.tre_db_account.resource_group_name} --key-uri ${azurerm_key_vault_key.tre_encryption[0].versionless_id}"
+  }
+
+  depends_on = [
+    azurerm_cosmosdb_account.tre_db_account,
+    azurerm_role_assignment.kv_encryption_key_user[0]
+  ]
+}

core/terraform/storage.tf

@@ -7,6 +7,8 @@ resource "azurerm_storage_account" "stg" {
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
 
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
@@ -18,8 +20,7 @@ resource "azurerm_storage_account" "stg" {
 
   tags = local.tre_core_tags
 
-
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "blobpe" {

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.3"
+__version__ = "0.11.5"

devops/terraform/bootstrap.sh

@@ -7,11 +7,21 @@ set -o nounset
 echo -e "\n\e[34m»»» 🤖 \e[96mCreating resource group and storage account\e[0m..."
 # shellcheck disable=SC2154
 az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location "$LOCATION" -o table
+
 # shellcheck disable=SC2154
-az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
-  --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
-  --allow-blob-public-access false \
-  --kind StorageV2 --sku Standard_LRS -o table
+if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
+  # only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled)
+
+  # shellcheck disable=SC2154
+  az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
+    --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
+    --allow-blob-public-access false \
+    --kind StorageV2 --sku Standard_LRS -o table \
+    --require-infrastructure-encryption true
+else
+  echo "Storage account already exists..."
+  az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
+fi
 
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."

devops/terraform/main.tf

@@ -39,7 +39,10 @@ resource "azurerm_storage_account" "state_storage" {
     }
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "state_storage_encryption" {

templates/shared_services/certs/terraform/staticweb.tf

@@ -11,12 +11,15 @@ resource "azurerm_storage_account" "staticweb" {
   cross_tenant_replication_enabled = false
   tags                             = local.tre_shared_service_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   static_website {
     index_document     = "index.html"
     error_404_document = "404.html"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_role_assignment" "stgwriter" {

templates/shared_services/cyclecloud/terraform/storage.tf

@@ -7,7 +7,10 @@ resource "azurerm_storage_account" "cyclecloud" {
   cross_tenant_replication_enabled = false
   tags                             = local.tre_shared_service_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {

templates/workspace_services/azureml/terraform/storage.tf

@@ -10,7 +10,10 @@ resource "azurerm_storage_account" "aml" {
     default_action = "Deny"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {

templates/workspace_services/gitea/terraform/storage.tf

@@ -7,7 +7,10 @@ resource "azurerm_storage_account" "gitea" {
   cross_tenant_replication_enabled = false
   tags                             = local.workspace_service_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_network_rules" "stgrules" {