Support Data encryption for Azure Database for PostgreSQL (BYOK)

[jhagestedt]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Azure recently has announced the Data encryption for it's PostgreSQL database.
Would be nice if Terraform will support this too.
https://docs.microsoft.com/en-us/azure/postgresql/howto-data-encryption-cli

New or Affected Resource(s)

• azurerm_postgresql_server

Potential Terraform Configuration

resource "azurerm_key_vault_key" "generated" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    ...
  ]
}

resource "azurerm_postgresql_server" "example" {
  name                = "example-psqlserver"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  ...
  encryption_key = azurerm_key_vault_key.generated.id
}

References

• https://docs.microsoft.com/en-us/azure/postgresql/howto-data-encryption-cli
• https://docs.microsoft.com/en-us/azure/postgresql/concepts-data-encryption-postgresql
• https://azure.microsoft.com/en-us/updates/data-encryption-for-azure-database-for-postgresql-single-server/

[pietervincken]

We're currently exploring setting this up manually and noticed that the Postgres server also needs a Managed Identity connected to if in order to access the Keyvault. I currently don't see an option in the TF module to do this. Would this be handled automatically by the Azure RM? If so, we still need the ID / name of the Managed Identity to setup the Keyvault access policies correctly.

[flo-02-mu]

@pietervincken Doesn't the managed identity part work with:

resource "azurerm_postgresql_server" "example" {
  ...
  identity {
    type = SystemAssigned
  }
}

and then use it as:

resource "azurerm_key_vault_access_policy" "example_policy" {
  key_vault_id = azurerm_key_vault.example.id
  [...]
  object_id = azurerm_postgresql_server.example.identity.principal_id
}

?

[pietervincken]

@flo-02-mu You are completely right. I totally missed that in the documentation somehow 🤦 Sorry about that.

[ghost]

This has been released in version 2.29.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.29.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!