azure VM and disk encryption

[raghavanr]

Hi there,

my terraform template for create and encrypt storage account with Microsoft Keyvault instead of microsoft storage

getting the below error while applying the code.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.
Terraform v0.11.1

Affected Resource(s)

Please list the resources as a list, for example:

• Azure Storage accounts
  VM

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "azurerm_storage_account" "mysa" {
  name                     = "mysa"
  resource_group_name      = "${azurerm_resource_group.myrg.name}"
  location                 = "${azurerm_resource_group.my.location}"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  enable_blob_encryption = "true"
  enable_file_encryption = "true"
  account_encryption_source = "Microsoft.Keyvault"
 }

Expected Behavior

VM encryption and disk encryption

Actual Behavior

error: Error applying plan:

1 error(s) occurred:

• azurerm_storage_account.mysa: 1 error(s) occurred:

• azurerm_storage_account.mysa: Error creating Azure Storage Account "mysa": storage.AccountsClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="MissingKeyvaultProperties" Message="The encryption keyvault properties are missing from the request."

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

[dansowter]

Ran into this as well. Checked via Azure portal that you appear to be able to change the encryption source after-the-fact without destroying the storage account, so I'm using the non-keyvault source until there's activity here.

[bg2132332]

Any progress on this issue?

Here is the corresponding Azure template code to enable encryption and we're not able to set key vault properties from Terraform.

      "keySource": "Microsoft.Keyvault",
      "keyvaultproperties": {
        "keyname": "...",
        "keyversion": "...",
        "keyvaulturi": "..."
      }

I tried to set key vault properties with an Azure template, but I got this error from ARM and I can't think of a way around this without the portal -- {"code":"Conflict","message":"{\r\n "error": {\r\n "code": "FeatureNotSupportedForAccount",\r\n "message": "EncryptionAtRest/Customer Managed Key is not supported for the account."\r\n }\r\n}"}

[tombuildsstuff]

👋

Taking a look into this the issue for encrypting a storage account using customer managed Key Vault secrets should be resolved by #2046 - Disk Encryption for Virtual Machines in general is being tracked in #486 which I'm going to close this issue in favour of, please subscribe to that issue for updates.

Thanks!

[gitphill]

@bg2132332 I get the same "FeatureNotSupportedForAccount" message - did you get any further?

[jlucktay]

@gitphill @bg2132332 same here; +1

* azurerm_template_deployment.encrypted_storage_account: Error creating deployment: Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details." Details=[{"code":"Conflict","message":"{\r\n  \"error\": {\r\n    \"code\": \"FeatureNotSupportedForAccount\",\r\n    \"message\": \"EncryptionAtRest/Customer Managed Key is not supported for the account.\"\r\n  }\r\n}"}]

To be clear, I'm using the azurerm_template_deployment resource to (attempt to) create the storage account.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!