Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

azurerm_storage_account_customer_managed_key fails with managed hsm id #14389

Closed
dano0b opened this issue Nov 30, 2021 · 1 comment · Fixed by #25088
Closed

azurerm_storage_account_customer_managed_key fails with managed hsm id #14389

dano0b opened this issue Nov 30, 2021 · 1 comment · Fixed by #25088
Labels
enhancement service/storage

Comments

@dano0b
Copy link

dano0b commented Nov 30, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

  source  = "hashicorp/azurerm"
  version = "~> 2.76.0"

Affected Resource(s)

  • azurerm_storage_account_customer_managed_key

Terraform Configuration Files

resource "azurerm_storage_account_customer_managed_key" "this" {
  storage_account_id = azurerm_storage_account.this.id
  key_vault_id       = var.azurerm_storage_account_customer_managed_key_key_vault_id
  key_name           = var.azurerm_storage_account_customer_managed_key_key_name
}

Debug Output

Panic Output

Expected Behaviour

By providing a managed HSM ID like "/subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/managedHSMs/YOURHSM" it should setup the encryption similar to:
az storage account update --name ... --resource-group ... --encryption-key-name ... --encryption-key-source Microsoft.Keyvault --encryption-key-vault $YOURHSMURL --subscription ...

Actual Behaviour

│ Error: ID was missing the `vaults` element
│ 
│   with module.storagecontainer.azurerm_storage_account_customer_managed_key.this,
│   on .terraform/modules/storagecontainer/main.tf line 65, in resource "azurerm_storage_account_customer_managed_key" "this":
│   65:   key_vault_id       = var.azurerm_storage_account_customer_managed_key_key_vault_id

This happens it checks just for classic KeyVaults via:
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/keyvault/parse/vault.go#L60
while:
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/keyvault/parse/managed_hsm.go#L60
should be respected too.

Was first thinking to open a feature request but since both are KeyVaults I think it is more a bug.

Steps to Reproduce

  1. Use HSM ID as key_vault_id in azurerm_storage_account_customer_managed_key.
  2. test it

Important Factoids

References
@dano0b dano0b mentioned this issue Sep 19, 2023
Closed
1 task
@Botje Botje mentioned this issue Feb 28, 2024
Merged
@github-actions GitHub Actions
Copy link

github-actions bot commented Jun 2, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 2, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement service/storage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

azurerm_storage_account: Support managed HSMs for CMKs Botje/terraform-provider-azurerm
3 participants
@tombuildsstuff @favoretti @dano0b