Open cjtous1 opened 1 month ago
@matt-FFFFFF do you have any thoughts on how to address this?
Slightly confused between the post (albeit quite old), but if you can't disable encryption then why do we need the policy?
@Springstone from the product docs:
Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled.
The policy is still valid for queue and table, but the other conditions could be dropped from the policy.
"policyRule": {
"if": {
"allOf": [
{ "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
{
"anyOf": [
{
- "anyOf": [
- {
- "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
- "exists": "false"
- },
- {
- "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
- "notEquals": true
- }
- ]
- },
- {
- "anyOf": [
- {
- "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
- "exists": "false"
- },
- {
- "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled",
- "notEquals": true
- }
- ]
- },
{
"anyOf": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
"exists": "false"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType",
"notEquals": "Account"
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
"exists": "false"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType",
"notEquals": "Account"
}
]
}
]
}
]
}
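Review bot: with the blob and file branches removed, the remaining conditions no longer test an "enabled" flag at all; they require queue and table to use keyType "Account" and, through the `"exists": "false"` branches, also deny accounts that leave keyType unset, so the policy's display name, description and parameter documentation for Deny-Storage-ServicesEncryption should be updated to state that this is now the enforced control.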
Describe the bug
When you deploy ALZ policies with the current default values for the Deny-Storage-ServicesEncryption, it checks for those 2 properties to exist and be true:
When you try to create a storage account via Terraform with the AzureRM provider, there is no way to specify those values. Those parameters were removed (see https://github.com/hashicorp/terraform-provider-azurerm/issues/3820).
These parameters were removed in AzureRM 2.0.0 because even if you set it to false, it will be set to true...
Steps to reproduce
I even tried the AVM module for storage account but it also does not expose this parameter to be set...
Screenshots
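The trimmed rule proposed in the comment above, run against a few constructed storage-account resources, as an added example (not code from the issue, the ALZ policies or the AzureRM provider): a toy evaluator that supports only the allOf/anyOf/equals/notEquals/exists operators the rule uses; alias-to-property resolution and the treatment of missing fields are simplifying assumptions, not the Azure Policy engine's actual semantics.

```python
_MISSING = object()  # sentinel for a field that is absent from the resource

def _missing_or_not(alias, value):
    # Same shape as the policy: match when the field is absent or holds another value.
    return {"anyOf": [{"field": alias, "exists": "false"},
                      {"field": alias, "notEquals": value}]}

ALIAS = "Microsoft.Storage/storageAccounts/encryption.services.{}.keyType"
POLICY_RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"anyOf": [_missing_or_not(ALIAS.format(s), "Account") for s in ("queue", "table")]},
]}, "then": {"effect": "deny"}}

def resolve_field(resource, field):
    """'type' is top-level; an alias is a dotted path under 'properties' (simplification)."""
    if field == "type":
        return resource.get("type", _MISSING)
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return _MISSING
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def evaluate(cond, resource):
    """True when the condition matches; for the 'if' block that means the deny fires."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:  # the policy spells the boolean as the string "false"
        return (value is not _MISSING) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # assumption: exact match (the real engine is case-insensitive)
        return value is not _MISSING and value == cond["equals"]
    if "notEquals" in cond:  # assumption: an absent field is left to the 'exists' branch
        return value is not _MISSING and value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")

def is_denied(resource):
    return evaluate(POLICY_RULE["if"], resource)

def storage_account(**key_types):
    """Constructed sample, e.g. storage_account(queue="Account", table="Service")."""
    services = {svc: {"keyType": kt} for svc, kt in key_types.items()}
    return {"type": "Microsoft.Storage/storageAccounts",
            "properties": {"encryption": {"services": services}}}
```

An account with both key types set to "Account" passes, while one that uses "Service" for either service, or omits keyType entirely, is denied.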