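### Key Vault Creation, Key Vault Private Endpoint Creation, and Networking
#
# Proof-of-concept: a Key Vault holding an RSA key that is used as the
# customer-managed key (CMK) of a storage account, with data-plane access
# granted through Azure RBAC (enable_rbac_authorization = true) and a
# user-assigned identity.
# NOTE(review): despite the title, no private endpoint resource is declared
# in this file; both the vault and the storage account keep their default
# public network access because the network_acls / network_rules blocks are
# commented out.

provider "azurerm" {
  features {}
}

# Principal running Terraform; its tenant_id / object_id are used for the
# vault and for every "current client" grant below.
data "azurerm_client_config" "current" {}

##################################################################
# Resource group to host all resource
##################################################################
resource "azurerm_resource_group" "rg" {
  name     = "rg-poc1-stg-encrypt4"
  location = "UK South"
}

##################################################################
# Key Vault resource
##################################################################
resource "azurerm_key_vault" "this" {
  name                = "tfencryptstg4"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # network_acls {
  #   default_action             = "Deny"
  #   bypass                     = "AzureServices"
  #   ip_rules                   = ["49.xx.xx.234"] #client ip address
  #   virtual_network_subnet_ids = ["${data.azurerm_virtual_network.vnet.id}/subnets/default"]
  # }
  # With network_acls absent the vault's data plane accepts connections from
  # any network (authorization is still enforced by RBAC). The commented
  # block also references data.azurerm_virtual_network.vnet, which is not
  # declared in this file, so it cannot simply be uncommented.

  enabled_for_deployment          = true
  enabled_for_disk_encryption     = true
  enabled_for_template_deployment = true

  # RBAC mode: data-plane access comes from the azurerm_role_assignment
  # resources below. The azurerm_key_vault_access_policy resources in this
  # file are ignored by the service while this flag is true.
  enable_rbac_authorization = true

  # Azure requires soft delete and purge protection on a vault whose key
  # backs storage-account CMK.
  purge_protection_enabled   = true
  soft_delete_retention_days = 7
}

##################################################################
# User assigned identity
##################################################################
resource "azurerm_user_assigned_identity" "uai" {
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  name                = "user-poc-id"
}

##################################################################
# Key Vault access Policy - For user assigned identity
##################################################################
# Only one azurerm_key_vault_access_policy may exist per principal in a
# vault; the provider rejects a second policy for the same object_id as an
# already-existing resource. This policy therefore targets the identity's
# own principal_id (the original pointed at the current client's object_id,
# which collided with kvap_current_client). It is ignored while the vault
# has enable_rbac_authorization = true and is kept only so the configuration
# still applies if that flag is turned off.
resource "azurerm_key_vault_access_policy" "uai" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_user_assigned_identity.uai.principal_id

  key_permissions = [
    "Get",
    "UnwrapKey",
    "WrapKey"
  ]

  secret_permissions = [
    "Get"
  ]
}

##################################################################
# Key Vault Role Assignment - For Current Client
##################################################################
# Data-plane: full key/secret/certificate management for the principal
# running Terraform; this is what lets it create azurerm_key_vault_key.kvkey.
resource "azurerm_role_assignment" "kv_role_admin_kva" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Management-plane: manage the vault resource itself; grants no access to
# keys or secrets.
resource "azurerm_role_assignment" "kv_role_client_kvc" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

##################################################################
# Key Vault Role Assignment - For User Assigned identity
##################################################################
# Management-plane only: this role does NOT allow the identity to wrap or
# unwrap keys, so on its own it is not sufficient for CMK.
resource "azurerm_role_assignment" "uai_kv_role_client_kvc" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Contributor"
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
}

# Data-plane: the storage service performs wrap/unwrap with the identity
# named in azurerm_storage_account_customer_managed_key.cmk
# (user_assigned_identity_id), so that identity needs this role on the
# vault. The original file only granted it to the storage account's
# system-assigned identity, which is the most likely reason the CMK
# resource was marked "(fails)". Role assignments can take a few minutes
# to propagate; a failed first apply may succeed on re-run.
resource "azurerm_role_assignment" "uai_kv_role_kvcseu" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.uai.principal_id
}

##################################################################
# Key Vault access Policy - For current client
##################################################################
# Ignored while enable_rbac_authorization = true (see the vault above).
# The earlier duplicate policy "client" for this same object_id was
# removed: two access-policy resources for one principal conflict at apply
# time, and its broader permissions (Create/Delete/Purge/...) are already
# covered by the Key Vault Administrator role while RBAC is in force.
resource "azurerm_key_vault_access_policy" "kvap_current_client" {
  key_vault_id = azurerm_key_vault.this.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Get",
    "UnwrapKey",
    "WrapKey"
  ]

  secret_permissions = [
    "Get",
  ]
}

##################################################################
# Storage Account Creation
##################################################################
resource "azurerm_storage_account" "sa" {
  name                     = "storagetfstat"
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_kind             = "StorageV2"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  access_tier              = "Hot"

  enable_https_traffic_only = true
  is_hns_enabled            = true
  min_tls_version           = "TLS1_2"

  # Account keys stay enabled so the account can be reached with a key
  # (original intent). Anyone holding a key bypasses the RBAC grants below;
  # switch to false once every consumer uses identity-based access.
  shared_access_key_enabled = true ##enable to access the storage account with key

  # System-assigned identity (used by the kv_role_sa_kvcseu grant) plus the
  # user-assigned identity that the CMK resource is configured with.
  identity {
    type = "SystemAssigned, UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.uai.id
    ]
  }

  # network_rules {
  #   default_action             = "Deny"
  #   bypass                     = ["AzureServices"]
  #   ip_rules                   = ["49.xx.xx.234"] #client ip address
  #   virtual_network_subnet_ids = ["${data.azurerm_virtual_network.vnet.id}/subnets/default"]
  # }
  # Without network_rules the account accepts connections from any network.

  depends_on = [
    azurerm_key_vault.this,
    azurerm_key_vault_key.kvkey
  ]
}

##################################################################
# Storage Encryption key
##################################################################
resource "azurerm_key_vault_key" "kvkey" {
  name         = "storageencryptionkey"
  key_vault_id = azurerm_key_vault.this.id
  key_type     = "RSA" #as its normal keyvault you can't use RSA-HSM instead use RSA
  key_size     = 2048
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  # Creating the key needs data-plane rights on the vault. With RBAC enabled
  # those come from kv_role_admin_kva, so that assignment must exist before
  # the key is created; the access policy is kept for the non-RBAC case.
  depends_on = [
    azurerm_key_vault.this,
    azurerm_key_vault_access_policy.kvap_current_client,
    azurerm_role_assignment.kv_role_admin_kva
  ]
}

##################################################################
# Storage Account Role assignment - For current Client config
##################################################################
resource "azurerm_role_assignment" "sa_role_admin_sbdo" {
  scope                = azurerm_storage_account.sa.id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_role_assignment" "sa_role_admin_sqdc" {
  scope                = azurerm_storage_account.sa.id
  role_definition_name = "Storage Queue Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

##################################################################
# Key Vault Role assignment - For the storage account's system-assigned identity
##################################################################
# The original header read "Storage Account Role assignment - For user
# assigned identity", but the scope is the vault and the principal is the
# storage account's system-assigned identity (identity[0]). Kept so the
# system-assigned path also works; the CMK resource below uses the UAI.
resource "azurerm_role_assignment" "kv_role_sa_kvcseu" {
  scope                = azurerm_key_vault.this.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_storage_account.sa.identity[0].principal_id
}

output "storage_identity" {
  value = azurerm_storage_account.sa.identity
}

##################################################################
# Customer Managed Key Creation (previously marked "fails"; see uai_kv_role_kvcseu)
##################################################################
# Binds the storage account's encryption to kvkey, authenticating to the
# vault as the user-assigned identity. Everything it relies on must exist
# first: the key, both identities, and the Crypto Service Encryption User
# grant for the identity it authenticates as.
resource "azurerm_storage_account_customer_managed_key" "cmk" {
  storage_account_id        = azurerm_storage_account.sa.id
  key_vault_id              = azurerm_key_vault.this.id
  key_name                  = azurerm_key_vault_key.kvkey.name
  user_assigned_identity_id = azurerm_user_assigned_identity.uai.id

  depends_on = [
    azurerm_role_assignment.kv_role_admin_kva,
    azurerm_role_assignment.kv_role_sa_kvcseu,
    azurerm_role_assignment.uai_kv_role_kvcseu,
    azurerm_role_assignment.kv_role_client_kvc,
    azurerm_storage_account.sa,
    azurerm_user_assigned_identity.uai
  ]
}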