Enable storage account infrastructure encryption

CHANGELOG.md

@@ -11,6 +11,7 @@ ENHANCEMENTS:
 * Split log entries with [Log chunk X of Y] for better readability. ([[#3992](https://github.com/microsoft/AzureTRE/issues/3992)
 * Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
 * Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
+* Storage accounts should use infrastructure encryption ([#4001](https://github.com/microsoft/AzureTRE/issues/4001))
 * Update obsolete Terraform properties ([#4136](https://github.com/microsoft/AzureTRE/issues/4136))
 * Update Guacamole version and dependencies ([#4140](https://github.com/microsoft/AzureTRE/issues/4140))
 * Add partial (core resources only) support for customer managed keys  ([#4141](https://github.com/microsoft/AzureTRE/issues/4142))

core/terraform/airlock/airlock_processor.tf

@@ -36,7 +36,10 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
     }
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "sa_airlock_processor_func_app_encryption" {

core/terraform/airlock/storage_accounts.tf

@@ -16,6 +16,9 @@ resource "azurerm_storage_account" "sa_import_external" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -28,7 +31,7 @@ resource "azurerm_storage_account" "sa_import_external" {
     description = "airlock;import;external"
   })
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_external_pe" {
@@ -77,6 +80,9 @@ resource "azurerm_storage_account" "sa_export_approved" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -89,7 +95,7 @@ resource "azurerm_storage_account" "sa_export_approved" {
     description = "airlock;export;approved"
   })
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_export_approved_pe" {
@@ -136,6 +142,9 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -153,7 +162,7 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "sa_import_in_progress_encryption" {
@@ -227,6 +236,9 @@ resource "azurerm_storage_account" "sa_import_rejected" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -244,7 +256,7 @@ resource "azurerm_storage_account" "sa_import_rejected" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
@@ -292,6 +304,9 @@ resource "azurerm_storage_account" "sa_import_blocked" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
     content {
@@ -309,7 +324,7 @@ resource "azurerm_storage_account" "sa_import_blocked" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_blocked_pe" {

core/terraform/appgateway/staticweb.tf

@@ -11,12 +11,15 @@ resource "azurerm_storage_account" "staticweb" {
   cross_tenant_replication_enabled = false
   tags                             = local.tre_core_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   static_website {
     index_document     = "index.html"
     error_404_document = "index.html"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 
   network_rules {
     bypass         = ["AzureServices"]

core/terraform/azure-monitor/azure-monitor.tf

@@ -24,6 +24,9 @@ resource "azurerm_storage_account" "az_monitor" {
   cross_tenant_replication_enabled = false
   tags                             = var.tre_core_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = "Deny"
     bypass         = ["AzureServices"]
@@ -37,7 +40,7 @@ resource "azurerm_storage_account" "az_monitor" {
     }
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "az_monitor_encryption" {

core/terraform/storage.tf

@@ -7,6 +7,8 @@ resource "azurerm_storage_account" "stg" {
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
 
   dynamic "identity" {
     for_each = var.enable_cmk_encryption ? [1] : []
@@ -18,8 +20,7 @@ resource "azurerm_storage_account" "stg" {
 
   tags = local.tre_core_tags
 
-
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "blobpe" {

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.3"
+__version__ = "0.11.4"

devops/terraform/bootstrap.sh

@@ -7,11 +7,21 @@ set -o nounset
 echo -e "\n\e[34m»»» 🤖 \e[96mCreating resource group and storage account\e[0m..."
 # shellcheck disable=SC2154
 az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location "$LOCATION" -o table
+
 # shellcheck disable=SC2154
-az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
-  --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
-  --allow-blob-public-access false \
-  --kind StorageV2 --sku Standard_LRS -o table
+if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
+  # only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled)
+
+  # shellcheck disable=SC2154
+  az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
+    --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
+    --allow-blob-public-access false \
+    --kind StorageV2 --sku Standard_LRS -o table \
+    --require-infrastructure-encryption true
+else
+  echo "Storage account already exists..."
+  az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --output table
+fi
 
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."

devops/terraform/main.tf

@@ -39,7 +39,10 @@ resource "azurerm_storage_account" "state_storage" {
     }
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_customer_managed_key" "state_storage_encryption" {

templates/shared_services/certs/terraform/staticweb.tf

@@ -11,12 +11,15 @@ resource "azurerm_storage_account" "staticweb" {
   cross_tenant_replication_enabled = false
   tags                             = local.tre_shared_service_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   static_website {
     index_document     = "index.html"
     error_404_document = "404.html"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_role_assignment" "stgwriter" {

templates/shared_services/cyclecloud/terraform/storage.tf

@@ -7,7 +7,10 @@ resource "azurerm_storage_account" "cyclecloud" {
   cross_tenant_replication_enabled = false
   tags                             = local.tre_shared_service_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {

templates/workspace_services/azureml/terraform/storage.tf

@@ -10,7 +10,10 @@ resource "azurerm_storage_account" "aml" {
     default_action = "Deny"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {

templates/workspace_services/gitea/terraform/storage.tf

@@ -7,7 +7,10 @@ resource "azurerm_storage_account" "gitea" {
   cross_tenant_replication_enabled = false
   tags                             = local.workspace_service_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_network_rules" "stgrules" {

templates/workspaces/base/terraform/airlock/storage_accounts.tf

@@ -12,6 +12,9 @@ resource "azurerm_storage_account" "sa_import_approved" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -24,7 +27,7 @@ resource "azurerm_storage_account" "sa_import_approved" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "import_approved_pe" {
@@ -64,6 +67,9 @@ resource "azurerm_storage_account" "sa_export_internal" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -76,7 +82,7 @@ resource "azurerm_storage_account" "sa_export_internal" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 
@@ -116,14 +122,17 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   tags = merge(
     var.tre_workspace_tags,
     {
       description = "airlock;export;inprogress"
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_network_rules" "sa_export_inprogress_rules" {
@@ -175,6 +184,9 @@ resource "azurerm_storage_account" "sa_export_rejected" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -187,7 +199,7 @@ resource "azurerm_storage_account" "sa_export_rejected" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 
@@ -227,6 +239,9 @@ resource "azurerm_storage_account" "sa_export_blocked" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -239,7 +254,7 @@ resource "azurerm_storage_account" "sa_export_blocked" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 

templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf

@@ -23,12 +23,15 @@ resource "azurerm_storage_account" "app_insights" {
   cross_tenant_replication_enabled = false
   tags                             = var.tre_workspace_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = "Deny"
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {

templates/workspaces/base/terraform/storage.tf

@@ -9,7 +9,10 @@ resource "azurerm_storage_account" "stg" {
   cross_tenant_replication_enabled = false // not technically needed as cross tenant replication not supported when is_hns_enabled = true
   tags                             = local.tre_workspace_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 # Using AzAPI as AzureRM uses shared account key for Azure files operations