Allow storage account's system assigned identity use CMK #155
+86
−23
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🦋 Changeset detectedLatest commit: 039d3c4 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
christian-calabrese
force-pushed
the
allow-cmk-storage-account-with-system-assigned-identity
branch
from
98994f5 to
b1e46e4
Compare
christian-calabrese
force-pushed
the
allow-cmk-storage-account-with-system-assigned-identity
branch
from
e6e8181 to
7f81396
Compare
christian-calabrese
force-pushed
the
allow-cmk-storage-account-with-system-assigned-identity
branch
from
0ad1ad1 to
039d3c4
Compare
Krusty93
reviewed
Nov 13, 2024
| }) | ||
| description = "(Optional) Customer managed key to use for encryption. Currently type can only be set to 'kv'." | ||
| default = { enabled = false, key_name = null } | ||
| description = "(Optional) Customer managed key to use for encryption. Currently type can only be set to 'kv'. If the key vault is in the same account, and key_name is not set, the key and relevant permissions will be automatically created." |
There was a problem hiding this comment.
tenant rather than account?
Krusty93
reviewed
Nov 13, 2024
| # tfsec:ignore:azure-keyvault-ensure-key-expiry | ||
| resource "azurerm_key_vault_key" "key" { | ||
| for_each = (local.cmk_flags.kv && var.customer_managed_key.key_name == null ? toset(["kv"]) : toset([])) | ||
| name = "${replace("${module.naming_convention.prefix}-st-${module.naming_convention.suffix}", "-", "")}-cmk-kv" |
There was a problem hiding this comment.
What do you think of a format like io-p-itn-<domain>-[<app_name>]-st-cmk-01? I took it from the current PEP format as io-p-itn-wallet-sql-pep-01
|
I might have already asked - what are these storage accounts? why do they use managed identities? what key do they use? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
List of changes
Allow the storage account's system assigned identity to use the CMK without a user assigned one
Creating the customer managed key kv key automatically
Adding relevant permissions to the right managed identity to use the customer managed key
Allow the usage of pre-existing key vault keys as customer managed keys
Motivation and context
Some storage accounts that are being migrated from WEU to ITN make use of the system assigned managed identity for CMK setup
Type of changes
Does this introduce a change to production resources with possible user impact?
Other information