Terraform-provider-azurerm: Unable to encrypt storage account with customer managed keys , If Azure key vault is in different subscription

Created on 30 Mar 2020  路  3Comments  路  Source: terraform-providers/terraform-provider-azurerm

Community Note

  • Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

  Terraform v0.12.18
  provider.azurerm v2.3.0

Affected Resource(s)

  • azurerm_storage_account_customer_managed_key

Terraform Configuration Files

resource "azurerm_storage_account_customer_managed_key" "sta_encryption" {
  storage_account_id = azurerm_storage_account.storage_account.id
  key_vault_id       = var.key_vault_id
  key_name           = var.key_vault_key_name
  key_version        = var.key_vault_key_version
}

Terraform plan output : 

  # module.storage_account_without_lifecycle_rules.azurerm_storage_account_customer_managed_key.sta_encryption will be created
  + resource "azurerm_storage_account_customer_managed_key" "sta_encryption" {
      + id                 = (known after apply)
      + key_name           = "XXXXXXX"
      + key_vault_id       = "/subscriptions/XXXXXX/resourceGroups/XXXX/providers/Microsoft.KeyVault/vaults/XXXX"
      + key_version        = "XXXXXXXXXXXXXXXXXXXX"
      + storage_account_id = (known after apply)
    }

Error : 

Error retrieving Key Vault "XXX" (Resource Group "XXX"): keyvault.VaultsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned a
n error. Status=404 Code="ResourceGroupNotFound" Message="Resource group 'XXX' could not be found."

Expected Behavior

Enable Storage Service Encryption with customer-managed keys in Azure key vault

Actual Behavior

Unbale to encrypt storage account with customer-managed keys, if the azure key vault and storage account is located in located in different subscriptions

Steps to Reproduce

  1. Setup key vault resource in different azure subscription to storage account
resource "azurerm_storage_account_customer_managed_key" "sta_encryption" {
  storage_account_id = azurerm_storage_account.storage_account.id
  key_vault_id       = var.key_vault_id
  key_name           = var.key_vault_key_name
  key_version        = var.key_vault_key_version
}
  • #0000
question servicstorage
Source
picture kumarkran
👍11

Most helpful comment

@tombuildsstuff Our use case is that we store our storage encryption keys in a "Shared Services" subscription and configure encryption on our storage accounts to be encrypted using the keys managed in the Shared Services subscription. This is entirely possible through ARM templates. As we've migrated over to Terraform, however, this issue is blocking us from getting rid of the ARM templates altogether.

Looking at the current code, it looks like the provider is performing a read request on the key vault in key_vault_id and failing because it's in a different subscription. This is incompatible with using Key Vault's in a different subscription than the primary resource, which doesn't match Azure's behavior of allowing storage accounts to use encryption keys in different subscriptions as long as the vault is in the same region. I think the provider should match what is allowed by Azure.

I would propose adding either adding a key_vault_uri property or calculating the URI without an API call based on the environment configured in the provider and the vault name (https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault#resource-endpoints) to support cross-subscription scenarios. I'm happy to work on either approach myself and submit a PR if you'd like.

picture sean-nixon on 4 May 2020
👍3

All 3 comments

@tombuildsstuff Our use case is that we store our storage encryption keys in a "Shared Services" subscription and configure encryption on our storage accounts to be encrypted using the keys managed in the Shared Services subscription. This is entirely possible through ARM templates. As we've migrated over to Terraform, however, this issue is blocking us from getting rid of the ARM templates altogether.

Looking at the current code, it looks like the provider is performing a read request on the key vault in key_vault_id and failing because it's in a different subscription. This is incompatible with using Key Vault's in a different subscription than the primary resource, which doesn't match Azure's behavior of allowing storage accounts to use encryption keys in different subscriptions as long as the vault is in the same region. I think the provider should match what is allowed by Azure.

I would propose adding either adding a key_vault_uri property or calculating the URI without an API call based on the environment configured in the provider and the vault name (https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault#resource-endpoints) to support cross-subscription scenarios. I'm happy to work on either approach myself and submit a PR if you'd like.

sean-nixon picture sean-nixon on 4 May 2020
👍3

This is currently being worked on in https://github.com/terraform-providers/terraform-provider-azurerm/pull/6815

bgs113 picture bgs113 on 14 May 2020

When is this PR going to be merged, would really love to have this capability

jawadabutt picture jawadabutt on 13 Oct 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

akamalov picture akamalov  路  3Comments
sam-cogan picture sam-cogan  路  3Comments
alant94 picture alant94  路  3Comments
voyera picture voyera  路  3Comments
bentterp picture bentterp  路  3Comments