New Resource: 'azurerm_storage_account_encryption_settings' to enable storage account encryption using key vault customer-managed keys

[liemnotliam]

This PR adds storage account key vault properties to enable support for customer-managed keys for storage service encryption.

Issue #658

Test results:

~/go/src/github.com/terraform-providers/terraform-provider-azurerm
λ TESTARGS="-run TestAccAzureRMStorageAccount_keyVault" make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test $(go list ./... |grep -v 'vendor') -v -run TestAccAzureRMStorageAccount_keyVault -count=1 -timeout 180m
?   	github.com/terraform-providers/terraform-provider-azurerm	[no test files]
=== RUN   TestAccAzureRMStorageAccount_keyVault
--- PASS: TestAccAzureRMStorageAccount_keyVault (224.02s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	224.051s
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/authentication	0.027s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure	0.030s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/kubernetes	0.010s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/response	0.026s [no tests to run]
?   	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/set	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/suppress	0.028s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/validate	0.018s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils	0.020s [no tests to run]

[LaurentLesle]

In order to get this PR working I need the KeyVault to have
enablePurgeProtection and enableSoftDelete

https://docs.microsoft.com/en-us/rest/api/keyvault/vaults/vaults_createorupdate

Looks like the KeyVault provider needs to be updated. Have you noticed that?

[LaurentLesle]

added request to support enablePurgeProtection and enableSoftDelete in KV #2066

[liemnotliam]

@LaurentLesle good catch, enablePurgeProtection and enableSoftDelete properties do need to be set on the key vault. A request to set storage account keyvault properties returns OK, which is why everything looked good.

The test case needs to be updated when the enablePurgeProtection and enableSoftDelete properties are added (PR #1805) to the keyvault resource and this PR should be good to review again.

[kvaes]

Out-of-curiosity ; Won't this go into a cycle/loop?
Next to that ; Interested in seeing it merged. ;-)

[metacpp]

@liemnotliam Thanks for the contributions and I added some comments.

[WodansSon]

@liemnotliam Thanks for this PR, if you don't mind I would like to build on top of what you did here in your fork to get this merged. I am currently splitting this resource into two resources since there are multiple steps that need to be done (e.g. create the service account, created a key vault policy on the key vault for the newly created service account, then update the service account with the correct encryption settings).

[tombuildsstuff]

@jeffreyCline heads up this is dependent on Key Vault Soft Delete (#1805) which requires some thought / will be a breaking change

[metacpp]

@jeffreyCline thanks for pushing the commits.

I notice that the Travis CI failed due to lint error:

$ make lint
==> Checking source code against linters...
golangci-lint run ./...
azurerm/resource_arm_storage_account_key_vault_custom_keys.go:110:34: unnecessary conversion (unconvert)
					KeySource: storage.KeySource(storage.MicrosoftStorage),
					                            ^
azurerm/resource_arm_storage_account_key_vault_custom_keys.go:151:43: unnecessary conversion (unconvert)
					KeySource:          storage.KeySource(storage.MicrosoftKeyvault),
					                                     ^
azurerm/resource_arm_storage_account_key_vault_custom_keys.go:235:5: S1009: should omit nil check; len() for nil slices is defined as zero (gosimple)
	if vs == nil || len(vs) == 0 {
	   ^
make: *** [lint] Error 1
The command "make lint" exited with 2.

Can we get it fixed so that we move forward ?

[WodansSon]

@metacpp I am removing your review since it is outdated.

Review is outdated

[msuringa]

Is there an ETA on when this feature will be implemented? I would very much like to have this functionality in the provider, at the moment I'm having to work around it by following the Terraform run with a Powershell script to add the encryption settings.

[ntmggr]

This is very much needed. I don't see the point of having the option to choose the account_encryption_source to be Microsoft.Keyvault but without actually working due to not being able to pass the keyvault properties

[msakowski]

Wouldn't it be nice to just pass the key URI that already includes the full path to the keyVault, keyName and keyVersion?

[WodansSon]

I am porting this to the new code base for 2.0 release.

[ghost]

This has been released in version 2.0.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.0.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!