From 03abcd21424c4041b45577fa1ef582a0ec89a260 Mon Sep 17 00:00:00 2001
From: jonnyry
Date: Wed, 13 Nov 2024 18:06:17 +0000
Subject: [PATCH 1/4] Enable infrastructure encryption on storage accounts #73

---
 CHANGELOG.md | 1 +
 core/terraform/airlock/airlock_processor.tf | 5 +++-
 core/terraform/airlock/storage_accounts.tf | 25 +++++++++++++++----
 core/terraform/appgateway/staticweb.tf | 5 +++-
 core/terraform/azure-monitor/azure-monitor.tf | 5 +++-
 core/terraform/storage.tf | 6 ++++-
 core/version.txt | 2 +-
 devops/terraform/bootstrap.sh | 15 ++++++++---
 devops/terraform/main.tf | 5 +++-
 devops/version.txt | 2 +-
 templates/shared_services/certs/porter.yaml | 2 +-
 .../certs/terraform/staticweb.tf | 5 +++-
 .../shared_services/cyclecloud/porter.yaml | 2 +-
 .../cyclecloud/terraform/storage.tf | 5 +++-
 .../azureml/terraform/storage.tf | 5 +++-
 .../workspace_services/gitea/porter.yaml | 2 +-
 .../gitea/terraform/storage.tf | 5 +++-
 templates/workspaces/base/porter.yaml | 2 +-
 .../terraform/airlock/storage_accounts.tf | 25 +++++++++++++++----
 .../terraform/azure-monitor/azure-monitor.tf | 5 +++-
 .../workspaces/base/terraform/storage.tf | 5 +++-
 21 files changed, 103 insertions(+), 31 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 236f0e205..7feebb154 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ ENHANCEMENTS:
 * Split log entries with [Log chunk X of Y] for better readability. ([[#3992](https://github.com/microsoft/AzureTRE/issues/3992)
 * Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
 * Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
+* Storage accounts should use infrastructure encryption ([#4001](https://github.com/microsoft/AzureTRE/issues/4001))
 
 BUG FIXES:
 - Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index 1c4ad3513..118315c58 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -27,7 +27,10 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
 allow_nested_items_to_be_public = false
 tags = var.tre_core_tags
 
- lifecycle { ignore_changes = [tags] }
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {
diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf
index 6a76b97f0..ca4c76965 100644
--- a/core/terraform/airlock/storage_accounts.tf
+++ b/core/terraform/airlock/storage_accounts.tf
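Review bot: Listing `infrastructure_encryption_enabled` in `ignore_changes` on the new lifecycle line means Terraform will never surface drift for a storage account that already exists without it, so on an already-deployed TRE this account keeps single-layer encryption while the configuration reads as if double encryption is enforced; the same pattern is repeated in every other storage account hunk of this commit (core/terraform/airlock/storage_accounts.tf, core/terraform/appgateway/staticweb.tf, core/terraform/azure-monitor/azure-monitor.tf, core/terraform/storage.tf, devops/terraform/main.tf and the templates/ storage.tf, staticweb.tf, azure-monitor.tf and airlock/storage_accounts.tf hunks). Ignoring the attribute is a defensible choice because, as the comment says, changing it forces the account to be replaced, but the consequence for existing deployments is not stated anywhere: the new CHANGELOG line says only that accounts "should use infrastructure encryption". I would make the comment explicit, e.g. `# Changing this value forces replacement of the account, so it is in ignore_changes below; accounts created before this setting was added keep their existing value and are NOT migrated - recreate them or audit them separately`, and add an upgrade note to the changelog that points operators at the built-in Azure Policy that audits storage accounts for infrastructure encryption, so the gap is visible instead of silent. The enclosing resource block starts outside the hunk.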
@@ -13,11 +13,14 @@ resource "azurerm_storage_account" "sa_import_external" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 tags = merge(var.tre_core_tags, {
 description = "airlock;import;external"
 })
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_external_pe" {
@@ -57,11 +60,14 @@ resource "azurerm_storage_account" "sa_export_approved" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 tags = merge(var.tre_core_tags, {
 description = "airlock;export;approved"
 })
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_export_approved_pe" {
@@ -99,6 +105,9 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 tags = merge(var.tre_core_tags, {
 description = "airlock;import;in-progress"
 })
@@ -108,7 +117,7 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
 bypass = ["AzureServices"]
 }
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
@@ -173,6 +182,9 @@ resource "azurerm_storage_account" "sa_import_rejected" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 tags = merge(var.tre_core_tags, {
 description = "airlock;import;rejected"
 })
@@ -182,7 +194,7 @@ resource "azurerm_storage_account" "sa_import_rejected" {
 bypass = ["AzureServices"]
 }
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
@@ -221,6 +233,9 @@ resource "azurerm_storage_account" "sa_import_blocked" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 tags = merge(var.tre_core_tags, {
 description = "airlock;import;blocked"
 })
@@ -230,7 +245,7 @@ resource "azurerm_storage_account" "sa_import_blocked" {
 bypass = ["AzureServices"]
 }
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_blocked_pe" {
diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf
index 98a297785..d2f8e8f39 100644
--- a/core/terraform/appgateway/staticweb.tf
+++ b/core/terraform/appgateway/staticweb.tf
@@ -10,12 +10,15 @@ resource "azurerm_storage_account" "staticweb" {
 allow_nested_items_to_be_public = false
 tags = local.tre_core_tags
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 static_website {
 index_document = "index.html"
 error_404_document = "index.html"
 }
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 
 network_rules {
 bypass = ["AzureServices"]
diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf
index d3ba5b411..d24fc417b 100644
--- a/core/terraform/azure-monitor/azure-monitor.tf
+++ b/core/terraform/azure-monitor/azure-monitor.tf
@@ -23,12 +23,15 @@ resource "azurerm_storage_account" "az_monitor" {
 allow_nested_items_to_be_public = false
 tags = var.tre_core_tags
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 network_rules {
 default_action = "Deny"
 bypass = ["AzureServices"]
 }
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {
diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
index 86aab872a..7604c26e1 100644
--- a/core/terraform/storage.tf
+++ b/core/terraform/storage.tf
@@ -6,7 +6,11 @@ resource "azurerm_storage_account" "stg" {
 account_replication_type = "LRS"
 allow_nested_items_to_be_public = false
 tags = local.tre_core_tags
- lifecycle { ignore_changes = [tags] }
+
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "blobpe" {
diff --git a/core/version.txt b/core/version.txt
index fee46bd8c..e2bd0728a 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.1"
+__version__ = "0.11.2"
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 1623159dd..1c42ba3e6 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -7,11 +7,18 @@ set -o nounset
 echo -e "\n\e[34m»»» 🤖 \e[96mCreating resource group and storage account\e[0m..."
 # shellcheck disable=SC2154
 az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location "$LOCATION" -o table
+
 # shellcheck disable=SC2154
-az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
- --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
- --allow-blob-public-access false \
- --kind StorageV2 --sku Standard_LRS -o table
+if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
+ # only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled)
+
+ # shellcheck disable=SC2154
+ az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
+ --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
+ --allow-blob-public-access false \
+ --kind StorageV2 --sku Standard_LRS -o table \
+ --require-infrastructure-encryption true
+fi
 
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."
diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
index 6111c7280..f37ffd281 100644
--- a/devops/terraform/main.tf
+++ b/devops/terraform/main.tf
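Review bot: The new guard `if ! az storage account show ... -o none 2>/dev/null` treats any non-zero exit as "the account does not exist" and discards stderr, so an expired login, a wrong subscription or a transient API error drops straight into `az storage account create`, which on an existing account created without infrastructure encryption is exactly the failure this guard was added to avoid, and the operator is left with no stderr explaining why. Distinguish the not-found case from other errors before creating: capture stderr rather than sending it to /dev/null, proceed to create only when the response is a not-found error (ARM reports this as `ResourceNotFound`, if I recall the code correctly), and exit non-zero otherwise so the bootstrap does not continue against an unknown state. Because the account is now created only when missing, the script silently accepts whatever settings a pre-existing account has (public blob access and infrastructure encryption included), so the existing-account path should at least report those properties rather than just proceed. The comment in the new block also has a typo, "occuring" for "occurring". The script continues outside the hunk.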
@@ -28,7 +28,10 @@ resource "azurerm_storage_account" "state_storage" {
 allow_nested_items_to_be_public = false
 shared_access_key_enabled = false
 
- lifecycle { ignore_changes = [tags] }
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 # Shared container registry
diff --git a/devops/version.txt b/devops/version.txt
index 722515271..43a1e95ba 100644
--- a/devops/version.txt
+++ b/devops/version.txt
@@ -1 +1 @@
-__version__ = "0.5.2"
+__version__ = "0.5.3"
diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml
index b54343e88..2e3618caf 100755
--- a/templates/shared_services/certs/porter.yaml
+++ b/templates/shared_services/certs/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 0.6.0
+version: 0.6.1
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/shared_services/certs/terraform/staticweb.tf b/templates/shared_services/certs/terraform/staticweb.tf
index 2336eb440..f58af966a 100644
--- a/templates/shared_services/certs/terraform/staticweb.tf
+++ b/templates/shared_services/certs/terraform/staticweb.tf
@@ -10,12 +10,15 @@ resource "azurerm_storage_account" "staticweb" {
 allow_nested_items_to_be_public = false
 tags = local.tre_shared_service_tags
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 static_website {
 index_document = "index.html"
 error_404_document = "404.html"
 }
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_role_assignment" "stgwriter" {
diff --git a/templates/shared_services/cyclecloud/porter.yaml b/templates/shared_services/cyclecloud/porter.yaml
index 6ca645f0e..64ea04e3b 100644
--- a/templates/shared_services/cyclecloud/porter.yaml
+++ b/templates/shared_services/cyclecloud/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-cyclecloud
-version: 0.6.6
+version: 0.6.7
 description: "An Azure TRE Shared Service Template for Azure Cyclecloud"
 registry: azuretre
 dockerfile: Dockerfile.tmpl
diff --git a/templates/shared_services/cyclecloud/terraform/storage.tf b/templates/shared_services/cyclecloud/terraform/storage.tf
index c5f561a8d..9d6fa873a 100644
--- a/templates/shared_services/cyclecloud/terraform/storage.tf
+++ b/templates/shared_services/cyclecloud/terraform/storage.tf
@@ -6,7 +6,10 @@ resource "azurerm_storage_account" "cyclecloud" {
 account_replication_type = "GRS"
 tags = local.tre_shared_service_tags
 
- lifecycle { ignore_changes = [tags] }
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {
diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf
index b85acf5bd..429efff1d 100644
--- a/templates/workspace_services/azureml/terraform/storage.tf
+++ b/templates/workspace_services/azureml/terraform/storage.tf
@@ -9,7 +9,10 @@ resource "azurerm_storage_account" "aml" {
 default_action = "Deny"
 }
 
- lifecycle { ignore_changes = [tags] }
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {
diff --git a/templates/workspace_services/gitea/porter.yaml b/templates/workspace_services/gitea/porter.yaml
index e78cb4a03..1d648b0c2 100644
--- a/templates/workspace_services/gitea/porter.yaml
+++ b/templates/workspace_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 1.1.0
+version: 1.1.1
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspace_services/gitea/terraform/storage.tf b/templates/workspace_services/gitea/terraform/storage.tf
index 6c5c8c79d..28f13439e 100644
--- a/templates/workspace_services/gitea/terraform/storage.tf
+++ b/templates/workspace_services/gitea/terraform/storage.tf
@@ -6,7 +6,10 @@ resource "azurerm_storage_account" "gitea" {
 account_replication_type = "GRS"
 tags = local.workspace_service_tags
 
- lifecycle { ignore_changes = [tags] }
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_network_rules" "stgrules" {
diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
index bc99b4a9b..6e2971ad8 100644
--- a/templates/workspaces/base/porter.yaml
+++ b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.6.0
+version: 1.6.1
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre
diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf
index 666411fba..f2ffc092a 100644
--- a/templates/workspaces/base/terraform/airlock/storage_accounts.tf
+++ b/templates/workspaces/base/terraform/airlock/storage_accounts.tf
@@ -11,6 +11,9 @@ resource "azurerm_storage_account" "sa_import_approved" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 network_rules {
 default_action = var.enable_local_debugging ? "Allow" : "Deny"
 bypass = ["AzureServices"]
@@ -23,7 +26,7 @@ resource "azurerm_storage_account" "sa_import_approved" {
 }
 )
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "import_approved_pe" {
@@ -62,6 +65,9 @@ resource "azurerm_storage_account" "sa_export_internal" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 network_rules {
 default_action = var.enable_local_debugging ? "Allow" : "Deny"
 bypass = ["AzureServices"]
@@ -74,7 +80,7 @@ resource "azurerm_storage_account" "sa_export_internal" {
 }
 )
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
@@ -113,6 +119,9 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 tags = merge(
 var.tre_workspace_tags,
 {
@@ -120,7 +129,7 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
 }
 )
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_network_rules" "sa_export_inprogress_rules" {
@@ -171,6 +180,9 @@ resource "azurerm_storage_account" "sa_export_rejected" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 network_rules {
 default_action = var.enable_local_debugging ? "Allow" : "Deny"
 bypass = ["AzureServices"]
@@ -183,7 +195,7 @@ resource "azurerm_storage_account" "sa_export_rejected" {
 }
 )
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
@@ -222,6 +234,9 @@ resource "azurerm_storage_account" "sa_export_blocked" {
 # This is true ONLY when Hierarchical Namespace is DISABLED
 is_hns_enabled = false
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 network_rules {
 default_action = var.enable_local_debugging ? "Allow" : "Deny"
 bypass = ["AzureServices"]
@@ -234,7 +249,7 @@ resource "azurerm_storage_account" "sa_export_blocked" {
 }
 )
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
diff --git a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
index e6d868856..be91cf695 100644
--- a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
+++ b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
@@ -22,12 +22,15 @@ resource "azurerm_storage_account" "app_insights" {
 allow_nested_items_to_be_public = false
 tags = var.tre_workspace_tags
 
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
 network_rules {
 default_action = "Deny"
 bypass = ["AzureServices"]
 }
 
- lifecycle { ignore_changes = [tags] }
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {
diff --git a/templates/workspaces/base/terraform/storage.tf b/templates/workspaces/base/terraform/storage.tf
index e705bc424..ef86bc019 100644
--- a/templates/workspaces/base/terraform/storage.tf
+++ b/templates/workspaces/base/terraform/storage.tf
@@ -8,7 +8,10 @@ resource "azurerm_storage_account" "stg" {
 is_hns_enabled = true
 tags = local.tre_workspace_tags
 
- lifecycle { ignore_changes = [tags] }
+ # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+ infrastructure_encryption_enabled = true
+
+ lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 # Using AzAPI as AzureRM uses shared account key for Azure files operations

From ad06a3d6eba9fc4b57709fa17283d894cba00f50 Mon Sep 17 00:00:00 2001
From: jonnyry
Date: Wed, 13 Nov 2024 18:27:51 +0000
Subject: [PATCH 2/4] Enable infrastructure encryption on storage accounts #73

---
 devops/terraform/bootstrap.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 1c42ba3e6..0ffe93d9f 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -18,6 +18,9 @@ if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name"
 --allow-blob-public-access false \
 --kind StorageV2 --sku Standard_LRS -o table \
 --require-infrastructure-encryption true
+else
+ echo "Storage account already exists..."
+ az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name"
 fi
 
 # Grant user blob data contributor permissions

From 522aaa7bfe4c06a61e5790386ec4c7addb23f55e Mon Sep 17 00:00:00 2001
From: jonnyry
Date: Wed, 13 Nov 2024 18:34:06 +0000
Subject: [PATCH 3/4] Enable infrastructure encryption on storage accounts #73

---
 devops/terraform/bootstrap.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
index 0ffe93d9f..d0671c3a1 100755
--- a/devops/terraform/bootstrap.sh
+++ b/devops/terraform/bootstrap.sh
@@ -20,7 +20,7 @@ if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name"
 --require-infrastructure-encryption true
 else
 echo "Storage account already exists..."
- az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name"
+ az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
 fi
 
 # Grant user blob data contributor permissions

From 96a0503a952ea3853a5798dd50dae9561bceb647 Mon Sep 17 00:00:00 2001
From: jonnyry
Date: Wed, 27 Nov 2024 11:55:48 +0000
Subject: [PATCH 4/4] Update storage_accounts.tf

---
 core/terraform/airlock/storage_accounts.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf
index 22159cfd1..70cd58996 100644
--- a/core/terraform/airlock/storage_accounts.tf
+++ b/core/terraform/airlock/storage_accounts.tf
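Review bot: The new `else` branch only echoes that the account exists and prints it; it never checks whether the existing management storage account actually has infrastructure encryption, which is the property this series exists to guarantee, so a bootstrap run against an account created before this change reports success and carries on with single-layer encryption. Query the property and at least warn on anything other than true (fail instead if the deployment is meant to be strict), keeping the existing `show` line for the operator; `encryption.requireInfrastructureEncryption` is the account property that `--require-infrastructure-encryption` sets, but confirm the JMESPath against real CLI output before relying on it. The `if` statement this `else` belongs to starts outside the hunk.
```shell
else
  echo "Storage account already exists..."
  # … unchanged: az storage account show … (prints the existing account) …
  # -o json prints the bare boolean, so "true" is the only acceptable value; null means the property was not returned
  infra_encryption=$(az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "encryption.requireInfrastructureEncryption" -o json)
  if [ "$infra_encryption" != "true" ]; then
    echo "WARNING: storage account $TF_VAR_mgmt_storage_account_name does not have infrastructure encryption enabled; it is not migrated automatically and must be recreated to get it." >&2
  fi
fi
```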
@@ -71,8 +71,7 @@ resource "azurerm_storage_account" "sa_export_approved" {
 resource_group_name = var.resource_group_name
 account_tier = "Standard"
 account_replication_type = "LRS"
-
- _tenant_replication_enabled = false
+ cross_tenant_replication_enabled = false
 
 # Don't allow anonymous access (unrelated to the 'public' networking rules)
 allow_nested_items_to_be_public = false