
Storage Account: support for Customer Managed Key from another Subscription #20199

Open
Nizol opened this issue Jan 27, 2023 · 4 comments

Comments

@Nizol

Nizol commented Jan 27, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Creation of a customer managed key after the deployment of azurerm_storage_account works fine using the azurerm_storage_account_customer_managed_key resource. This approach will not work anymore after enabling Azure Policy to prevent any deployment without a customer managed key.

Using customer_managed_key as an alternative approach works as expected if the key exists within the same subscription. Using the same approach with any key in another subscription results in a failed deployment with the following message displayed:

Error: unexpected nil Key Vault ID retrieved at URL <Vault_URL>

Is there any workaround for deploying a storage account using a customer managed key in another subscription?

New or Affected Resource(s)/Data Source(s)

azurerm_storage_account

Potential Terraform Configuration

No response

References

No response

@magodo
Collaborator

magodo commented Jan 29, 2023

@Nizol Sorry that you are running into this issue. Currently, the provider has some special cases where it needs to link a resource between its management plane ID and its data plane URL (e.g. key vault key, storage account container, etc.).

In your case, the provider is given a key vault key's ID, which is a data plane URL. The provider then looks it up via:

filter := fmt.Sprintf("resourceType eq 'Microsoft.KeyVault/vaults' and name eq '%s'", *keyVaultName)
result, err := resourcesClient.ResourcesClient.List(ctx, filter, "", utils.Int32(5))

As can be seen, the lookup needs a LIST call to Azure at the endpoint /subscriptions/{subscriptionId}/resources. As there is no information about the subscription id in the input key id, the provider takes its configured subscription id (which makes sense). Hence no result is found.

To fix this issue, there are two choices:

  1. Change the resource id format for these affected resources to their management plane form. I've made some attempts in this direction, but they were rejected for historical reasons (see: WIP: Migrate ID for azurerm_key_vault_key (probably extending to the other key vault nested resources) #16230)
  2. Introduce a subscription_id in the customer_managed_key block, but I'd hesitate to go that route

To workaround it, you can try https://github.com/azure/terraform-provider-azapi
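The lookup described in the comment above, reduced to a runnable model. This is an added example and not the provider's code: the two-subscription inventory, the subscription ids `sub-a`/`sub-b`, the vault names and the key URL are all constructed here. It shows why a key's data-plane URL cannot be resolved outside the configured subscription (the URL carries only the vault name), reproduces the `resourceType eq ... and name eq ...` filter, and contrasts the current single-subscription lookup with a lookup that is told which subscriptions to search, which is what an explicit subscription id (option 2) would make possible.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// vaultRecord stands in for one entry of the ARM resources LIST response.
// Constructed for this example; the real call returns a paged resource list.
type vaultRecord struct {
	SubscriptionID string // subscription the vault lives in
	Name           string // vault name: the only thing a data-plane URL carries
	ID             string // management-plane resource ID
}

// inventory is a constructed tenant: the CMK vault lives in sub-b while the
// provider (in the scenario from the issue) is configured for sub-a.
var inventory = []vaultRecord{
	{SubscriptionID: "sub-a", Name: "kv-app", ID: "/subscriptions/sub-a/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"},
	{SubscriptionID: "sub-b", Name: "kv-cmk", ID: "/subscriptions/sub-b/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-cmk"},
}

// vaultNameFromKeyURL extracts the vault name from a data-plane key URL such as
// https://kv-cmk.vault.azure.net/keys/sa-cmk/0123abcd. Note what is absent:
// no subscription and no resource group, so the name is all a lookup can use.
// The "vault." host check is a simplification for the public cloud suffixes.
func vaultNameFromKeyURL(keyURL string) (string, error) {
	u, err := url.Parse(keyURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("key URL %q is not https", keyURL)
	}
	host := u.Hostname()
	name, rest, ok := strings.Cut(host, ".")
	if !ok || name == "" || !strings.HasPrefix(rest, "vault.") {
		return "", fmt.Errorf("%q does not look like a Key Vault data-plane host", host)
	}
	return name, nil
}

// listFilter is the same OData filter the provider builds before calling
// resourcesClient.List for the configured subscription.
func listFilter(vaultName string) string {
	return fmt.Sprintf("resourceType eq 'Microsoft.KeyVault/vaults' and name eq '%s'", vaultName)
}

// listResources simulates GET /subscriptions/{subscriptionID}/resources?$filter=...
// The endpoint is subscription-scoped: nothing outside that subscription is visible.
func listResources(subscriptionID, filter string) []vaultRecord {
	const nameClause = "name eq '"
	i := strings.Index(filter, nameClause)
	if i < 0 {
		return nil
	}
	wanted := strings.TrimSuffix(filter[i+len(nameClause):], "'")
	var out []vaultRecord
	for _, r := range inventory {
		if r.SubscriptionID == subscriptionID && r.Name == wanted {
			out = append(out, r)
		}
	}
	return out
}

var errNilVaultID = errors.New("nil Key Vault ID")

// resolveVaultID mirrors the current behaviour: derive the name from the URL,
// then LIST in the configured subscription only. When the vault lives
// elsewhere the list is empty, which is the path that surfaces as
// "unexpected nil Key Vault ID retrieved at URL <Vault_URL>".
func resolveVaultID(configuredSubscription, keyURL string) (string, error) {
	name, err := vaultNameFromKeyURL(keyURL)
	if err != nil {
		return "", err
	}
	matches := listResources(configuredSubscription, listFilter(name))
	if len(matches) == 0 {
		return "", fmt.Errorf("unexpected %w retrieved at URL %s (searched subscription %s only)", errNilVaultID, keyURL, configuredSubscription)
	}
	return matches[0].ID, nil
}

// resolveVaultIDAcross is the shape an explicit subscription id (option 2 above)
// enables: the caller supplies the subscriptions to search, since the URL
// cannot. Key Vault names are globally unique, so the first hit is the vault.
func resolveVaultIDAcross(subscriptions []string, keyURL string) (string, error) {
	for _, sub := range subscriptions {
		if id, err := resolveVaultID(sub, keyURL); err == nil {
			return id, nil
		} else if !errors.Is(err, errNilVaultID) {
			return "", err // malformed URL: no point trying other subscriptions
		}
	}
	return "", fmt.Errorf("%w retrieved at URL %s in any of %v", errNilVaultID, keyURL, subscriptions)
}

func main() {
	const key = "https://kv-cmk.vault.azure.net/keys/sa-cmk/0123abcd"
	_, err := resolveVaultID("sub-a", key)
	fmt.Println("configured-subscription lookup:", err)
	id, err := resolveVaultIDAcross([]string{"sub-a", "sub-b"}, key)
	fmt.Println("explicit-subscription lookup:", id, err)
}
```

Running it shows the configured-subscription lookup failing with the nil-ID error even though the vault exists, while the lookup that is handed `sub-b` returns the management-plane ID. That ID is what azurerm_storage_account_customer_managed_key accepts directly via key_vault_id, which is why the separate resource works across subscriptions where the inline block does not.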

@MattoHopkins

Oh chur @magodo. Clearly I missed this even after searching for stuff related to the customer_managed_key block. Would've saved me some digging during work today haha.

The azurerm_storage_account_customer_managed_key workaround has worked, so will move forward with that.

Cheers!

@MattoHopkins

MattoHopkins commented May 25, 2023

Hey @magodo, I think I'm hitting the same error on the azurerm_managed_disk encryption block as well...

Error: creating/updating Managed Disk "vm-disk1" (Resource Group "rg"): performing CreateOrUpdate: disks.DisksClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidParameter" Message="The SubscriptionId:\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx1\" of the request must match the SubscriptionId \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx2\" contained in the Key Vault Id." Target="encryptionSettings.diskEncryptionKey.sourceVault.id"
│ 
│   with module.test-vm.azurerm_managed_disk.main,
│   on .terraform/modules/test-vm-demo/main.tf line 96, in resource "azurerm_managed_disk" "main":
│   96: resource "azurerm_managed_disk" "main" {
│ 

Assuming this is the same/similar issue

@slideroh
Contributor

Any update?
Especially for #24385
