Enable infrastructure encryption on storage accounts #73

nwsde · Nov 15, 2024 · 03abcd2 · 03abcd2
1 parent 158dce1
commit 03abcd2
Show file tree

Hide file tree

Showing 21 changed files with 103 additions and 31 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ ENHANCEMENTS:
 * Split log entries with [Log chunk X of Y] for better readability. ([[#3992](https://github.com/microsoft/AzureTRE/issues/3992)
 * Expose APP_SERVICE_SKU build variable to allow enablement of App Gateway WAF ([#4111](https://github.com/microsoft/AzureTRE/pull/4111))
 * Update Terraform to use Azure AD authentication rather than storage account keys ([#4103](https://github.com/microsoft/AzureTRE/issues/4103))
+* Storage accounts should use infrastructure encryption ([#4001](https://github.com/microsoft/AzureTRE/issues/4001))
 
 BUG FIXES:
 - Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))

diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -27,7 +27,10 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   allow_nested_items_to_be_public = false
   tags                            = var.tre_core_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_linux_function_app" "airlock_function_app" {

diff --git a/core/terraform/airlock/storage_accounts.tf b/core/terraform/airlock/storage_accounts.tf
@@ -13,11 +13,14 @@ resource "azurerm_storage_account" "sa_import_external" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;external"
   })
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_external_pe" {
@@ -57,11 +60,14 @@ resource "azurerm_storage_account" "sa_export_approved" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;export;approved"
   })
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_export_approved_pe" {
@@ -99,6 +105,9 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;in-progress"
   })
@@ -108,7 +117,7 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 
@@ -173,6 +182,9 @@ resource "azurerm_storage_account" "sa_import_rejected" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;rejected"
   })
@@ -182,7 +194,7 @@ resource "azurerm_storage_account" "sa_import_rejected" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_rejected_pe" {
@@ -221,6 +233,9 @@ resource "azurerm_storage_account" "sa_import_blocked" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   tags = merge(var.tre_core_tags, {
     description = "airlock;import;blocked"
   })
@@ -230,7 +245,7 @@ resource "azurerm_storage_account" "sa_import_blocked" {
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "stg_import_blocked_pe" {

diff --git a/core/terraform/appgateway/staticweb.tf b/core/terraform/appgateway/staticweb.tf
@@ -10,12 +10,15 @@ resource "azurerm_storage_account" "staticweb" {
   allow_nested_items_to_be_public = false
   tags                            = local.tre_core_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   static_website {
     index_document     = "index.html"
     error_404_document = "index.html"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 
   network_rules {
     bypass         = ["AzureServices"]

diff --git a/core/terraform/azure-monitor/azure-monitor.tf b/core/terraform/azure-monitor/azure-monitor.tf
@@ -23,12 +23,15 @@ resource "azurerm_storage_account" "az_monitor" {
   allow_nested_items_to_be_public = false
   tags                            = var.tre_core_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = "Deny"
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {

diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
@@ -6,7 +6,11 @@ resource "azurerm_storage_account" "stg" {
   account_replication_type        = "LRS"
   allow_nested_items_to_be_public = false
   tags                            = local.tre_core_tags
-  lifecycle { ignore_changes = [tags] }
+
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "blobpe" {

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.1"
+__version__ = "0.11.2"
diff --git a/devops/terraform/bootstrap.sh b/devops/terraform/bootstrap.sh
@@ -7,11 +7,18 @@ set -o nounset
 echo -e "\n\e[34m»»» 🤖 \e[96mCreating resource group and storage account\e[0m..."
 # shellcheck disable=SC2154
 az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location "$LOCATION" -o table
+
 # shellcheck disable=SC2154
-az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
-  --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
-  --allow-blob-public-access false \
-  --kind StorageV2 --sku Standard_LRS -o table
+if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
+  # only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled)
+
+  # shellcheck disable=SC2154
+  az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
+    --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
+    --allow-blob-public-access false \
+    --kind StorageV2 --sku Standard_LRS -o table \
+    --require-infrastructure-encryption true
+fi
 
 # Grant user blob data contributor permissions
 echo -e "\n\e[34m»»» 🔑 \e[96mGranting Storage Blob Data Contributor role to the current user\e[0m..."

diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
@@ -28,7 +28,10 @@ resource "azurerm_storage_account" "state_storage" {
   allow_nested_items_to_be_public = false
   shared_access_key_enabled       = false
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 # Shared container registry

diff --git a/devops/version.txt b/devops/version.txt
@@ -1 +1 @@
-__version__ = "0.5.2"
+__version__ = "0.5.3"
diff --git a/templates/shared_services/certs/porter.yaml b/templates/shared_services/certs/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-certs
-version: 0.6.0
+version: 0.6.1
 description: "An Azure TRE shared service to generate certificates for a specified internal domain using Letsencrypt"
 registry: azuretre
 dockerfile: Dockerfile.tmpl

diff --git a/templates/shared_services/certs/terraform/staticweb.tf b/templates/shared_services/certs/terraform/staticweb.tf
@@ -10,12 +10,15 @@ resource "azurerm_storage_account" "staticweb" {
   allow_nested_items_to_be_public = false
   tags                            = local.tre_shared_service_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   static_website {
     index_document     = "index.html"
     error_404_document = "404.html"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_role_assignment" "stgwriter" {

diff --git a/templates/shared_services/cyclecloud/porter.yaml b/templates/shared_services/cyclecloud/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-shared-service-cyclecloud
-version: 0.6.6
+version: 0.6.7
 description: "An Azure TRE Shared Service Template for Azure Cyclecloud"
 registry: azuretre
 dockerfile: Dockerfile.tmpl

diff --git a/templates/shared_services/cyclecloud/terraform/storage.tf b/templates/shared_services/cyclecloud/terraform/storage.tf
@@ -6,7 +6,10 @@ resource "azurerm_storage_account" "cyclecloud" {
   account_replication_type = "GRS"
   tags                     = local.tre_shared_service_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {

diff --git a/templates/workspace_services/azureml/terraform/storage.tf b/templates/workspace_services/azureml/terraform/storage.tf
@@ -9,7 +9,10 @@ resource "azurerm_storage_account" "aml" {
     default_action = "Deny"
   }
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 data "azurerm_private_dns_zone" "blobcore" {

diff --git a/templates/workspace_services/gitea/porter.yaml b/templates/workspace_services/gitea/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-service-gitea
-version: 1.1.0
+version: 1.1.1
 description: "A Gitea workspace service"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspace_services/gitea/terraform/storage.tf b/templates/workspace_services/gitea/terraform/storage.tf
@@ -6,7 +6,10 @@ resource "azurerm_storage_account" "gitea" {
   account_replication_type = "GRS"
   tags                     = local.workspace_service_tags
 
-  lifecycle { ignore_changes = [tags] }
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_network_rules" "stgrules" {

diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml
@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.6.0
+version: 1.6.1
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

diff --git a/templates/workspaces/base/terraform/airlock/storage_accounts.tf b/templates/workspaces/base/terraform/airlock/storage_accounts.tf
@@ -11,6 +11,9 @@ resource "azurerm_storage_account" "sa_import_approved" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -23,7 +26,7 @@ resource "azurerm_storage_account" "sa_import_approved" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_private_endpoint" "import_approved_pe" {
@@ -62,6 +65,9 @@ resource "azurerm_storage_account" "sa_export_internal" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -74,7 +80,7 @@ resource "azurerm_storage_account" "sa_export_internal" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 
@@ -113,14 +119,17 @@ resource "azurerm_storage_account" "sa_export_inprogress" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   tags = merge(
     var.tre_workspace_tags,
     {
       description = "airlock;export;inprogress"
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_storage_account_network_rules" "sa_export_inprogress_rules" {
@@ -171,6 +180,9 @@ resource "azurerm_storage_account" "sa_export_rejected" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -183,7 +195,7 @@ resource "azurerm_storage_account" "sa_export_rejected" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 
@@ -222,6 +234,9 @@ resource "azurerm_storage_account" "sa_export_blocked" {
   # This is true ONLY when Hierarchical Namespace is DISABLED
   is_hns_enabled = false
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = var.enable_local_debugging ? "Allow" : "Deny"
     bypass         = ["AzureServices"]
@@ -234,7 +249,7 @@ resource "azurerm_storage_account" "sa_export_blocked" {
     }
   )
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 

diff --git a/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf b/templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf
@@ -22,12 +22,15 @@ resource "azurerm_storage_account" "app_insights" {
   allow_nested_items_to_be_public = false
   tags                            = var.tre_workspace_tags
 
+  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
+  infrastructure_encryption_enabled = true
+
   network_rules {
     default_action = "Deny"
     bypass         = ["AzureServices"]
   }
 
-  lifecycle { ignore_changes = [tags] }
+  lifecycle { ignore_changes = [infrastructure_encryption_enabled, tags] }
 }
 
 resource "azurerm_log_analytics_linked_storage_account" "workspace_storage_ingestion" {