Storage Account: support for Customer Managed Key from another Subscription #20199
Comments
@Nizol Sorry that you are running into this issue. Currently, the provider has some special cases where it needs to link a resource between its management plane ID and its data plane URL (e.g. key vault key, storage account container, etc). In your case, the provider is provided by a key vault key's ID, which is a data plane URL. The provider then looks it up via: terraform-provider-azurerm/internal/services/keyvault/client/helpers.go Lines 125 to 126 in 8cdfd60
As is seen, the lookup will need a To fix this issue, there are two choices:
To work around it, you can try https://github.com/azure/terraform-provider-azapi
Oh chur @magodo. Clearly I missed this even after searching for stuff related to the customer_managed_key block. Would've saved me some digging during work today haha. The azurerm_storage_account_customer_managed_key workaround has worked, so will move forward with that. Cheers!
Hey @magodo, I think I'm hitting the same error on azurerm_managed_disk encryption block as well...
Assuming this is the same/similar issue
Any update?
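The workaround the thread settles on, written out as an added example (not configuration from the issue or from the provider's own docs): the storage account is created without the inline customer_managed_key block, the Key Vault in the other subscription is resolved through an aliased provider so the separate azurerm_storage_account_customer_managed_key resource receives a management-plane key_vault_id rather than only the data-plane URL that triggers the "unexpected nil Key Vault ID" error. The subscription ID, vault, key, resource group and account names are placeholders; the example assumes both subscriptions are in the same tenant and that the vault uses the access-policy permission model.

```hcl
provider "azurerm" {
  features {}
}
# Aliased provider for the subscription that owns the Key Vault.
provider "azurerm" {
  alias           = "kv"
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder
  features {}
}
# Resolve the remote vault and key through the aliased provider, so the
# CMK resource receives the vault's management-plane ID directly.
data "azurerm_key_vault" "remote" {
  provider            = azurerm.kv
  name                = "example-kv"    # assumed vault name
  resource_group_name = "example-kv-rg" # assumed resource group
}
data "azurerm_key_vault_key" "cmk" {
  provider     = azurerm.kv
  name         = "storage-cmk" # assumed key name
  key_vault_id = data.azurerm_key_vault.remote.id
}
# Storage account created without the inline customer_managed_key block.
resource "azurerm_storage_account" "example" {
  name                     = "examplestoracct"    # assumed, must be globally unique
  resource_group_name      = "example-storage-rg" # assumed existing group
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  identity {
    type = "SystemAssigned"
  }
}
# Grant the account's managed identity the key permissions CMK needs.
resource "azurerm_key_vault_access_policy" "storage" {
  provider        = azurerm.kv
  key_vault_id    = data.azurerm_key_vault.remote.id
  tenant_id       = azurerm_storage_account.example.identity[0].tenant_id
  object_id       = azurerm_storage_account.example.identity[0].principal_id
  key_permissions = ["Get", "UnwrapKey", "WrapKey"]
}

# Enable CMK as a separate step, after the account and policy exist.
resource "azurerm_storage_account_customer_managed_key" "example" {
  storage_account_id = azurerm_storage_account.example.id
  key_vault_id       = data.azurerm_key_vault.remote.id
  key_name           = data.azurerm_key_vault_key.cmk.name
  depends_on         = [azurerm_key_vault_access_policy.storage]
}
```

As the issue description notes, the account briefly exists without CMK before the second resource applies, so this will still be rejected by an Azure Policy that denies creation without a customer managed key; the vault also needs soft delete and purge protection enabled for Storage to accept the key.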
Is there an existing issue for this?
Community Note
Description
Creation of a customer managed key after the deployment of azurerm_storage_account works fine using the azurerm_storage_account_customer_managed_key resource. This approach will not work anymore after enabling Azure Policy to prevent any deployment without a customer managed key. Using customer_managed_key as an alternative approach works as expected if the key exists within the same subscription. Using the same approach with any key in another subscription results in a failed deployment with the following message displayed:
Error: unexpected nil Key Vault ID retrieved at URL <Vault_URL>
Is there any workaround for deploying a storage account using a customer managed key in another subscription?
New or Affected Resource(s)/Data Source(s)
azurerm_storage_account
Potential Terraform Configuration
No response
References
No response