Support the use of a user-assigned identity with BYOK #22852

Open
1 task done
jake-scott opened this issue Aug 8, 2023 · 1 comment
Comments

@jake-scott
Contributor

jake-scott commented Aug 8, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments; they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

Many Azure resources support the use of customer managed keys sourced from Key Vaults (BYOK). This requires that the resource is assigned an identity that it can use to access the key. The use of system managed identities is supported by the provider already, but there is an ordering issue here in that the principal ID of the system managed ID is not known until the resource has been created, and so there is no opportunity to grant a role to use the key to that identity.

It is also possible to assign a User Assigned Identity to many resources and, while this provider supports that, resources do not use that identity to authenticate to Key Vault by default (the default is to use the System Managed identity). While the Azure REST APIs support configuring a resource to use the User Assigned Identity for this purpose, the functionality has been missing from this provider.

There have been other issues raised for specific resource types and, looking into that, it seems that the missing functionality stems from an omission in the Swagger spec for the APIs. That seems to have been fixed from a cursory glance at some resource types, and this provider is already using a version of the SDK that has the new fields in the models.

I have tested a patch to demonstrate support in the Event Hub resource. Once we have an agreed approach and people are happy with this sample resource I can implement it across all the remaining resources that are missing the functionality. I will post a preliminary PR and link to this issue to progress this discussion.

New or Affected Resource(s)/Data Source(s)

azurerm_eventhub + many others

Potential Terraform Configuration

```hcl
resource "azurerm_eventhub_namespace_customer_managed_key" "example" {
  eventhub_namespace_id  = azurerm_eventhub_namespace.test.id
  key_vault_key_ids      = [azurerm_key_vault_key.eventhub.versionless_id]
  user_assigned_identity = azurerm_user_assigned_identity.test.id
}
```

References

No response
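The ordering problem described above, worked through end to end as an added example (not the issue author's configuration): the user-assigned identity is created first, so its `principal_id` is known and the Key Vault role can be granted before the namespace exists, and the CMK resource then points the namespace at that identity. It assumes an existing Key Vault (placeholder names) with RBAC authorization and purge protection enabled; the `user_assigned_identity` attribute is the name proposed in this issue, not necessarily what the provider ships.

```hcl
# Existing vault (assumed, placeholder names): RBAC authorization and
# purge protection enabled, as Azure requires for customer-managed keys.
data "azurerm_key_vault" "example" {
  name                = "kv-example"
  resource_group_name = "rg-example"
}

# Created before the namespace: unlike a system-assigned identity, its
# principal_id exists at this point, so the key permission can be granted
# up front instead of after the namespace is created.
resource "azurerm_user_assigned_identity" "eventhub" {
  name                = "id-eventhub-cmk"
  resource_group_name = "rg-example"
  location            = "westeurope"
}

# Least privilege: wrap/unwrap only, no key management rights.
resource "azurerm_role_assignment" "eventhub_key_user" {
  scope                = data.azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.eventhub.principal_id
}

resource "azurerm_key_vault_key" "eventhub" {
  name         = "eventhub-cmk"
  key_vault_id = data.azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
}

# Customer-managed keys on Event Hubs need the Premium SKU. The identity
# is attached here; which identity is used for Key Vault is set below.
resource "azurerm_eventhub_namespace" "test" {
  name                = "ehns-cmk-example"
  location            = "westeurope"
  resource_group_name = "rg-example"
  sku                 = "Premium"

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.eventhub.id]
  }
}

resource "azurerm_eventhub_namespace_customer_managed_key" "example" {
  eventhub_namespace_id  = azurerm_eventhub_namespace.test.id
  key_vault_key_ids      = [azurerm_key_vault_key.eventhub.versionless_id]
  user_assigned_identity = azurerm_user_assigned_identity.eventhub.id # proposed attribute
  # Azure validates key access when CMK is enabled, so the role must exist first.
  depends_on = [azurerm_role_assignment.eventhub_key_user]
}
```

The explicit `depends_on` matters because nothing else in the CMK resource references the role assignment, and without it the first apply can fail the platform's key-access check.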

@jake-scott
Contributor Author

Please see #22853 for a demo of how this can work.
