Azure / ResourceModules

This repository includes a CI platform for and collection of mature and curated Bicep modules. The platform supports both ARM and Bicep and can be leveraged using GitHub actions as well as Azure DevOps pipelines.
https://aka.ms/carml
MIT License

Defaults on certain Azure resources properties can be hard to change once enabled #1113

Open ahmadabdalla opened 2 years ago

ahmadabdalla commented 2 years ago

Description

For example, there are certain properties on resources that, if enabled, cannot be rolled back or changed afterwards. Below is an example for a storage account:

```bicep
@description('Optional. A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest. For security reasons, it is recommended to set it to true.')
param requireInfrastructureEncryption bool = true
```

Error example:

```text
       ~~~~~~~~~~~~~~~~~~~~
       | 01:35:33 - The deployment
       | 'storageAccounts-20220309T0103294582Z' failed with error(s).
       | Showing 1 out of 1 error(s). Status Message: The property
       | 'requireInfrastructureEncryption' was specified in the input,
       | but it cannot be updated as it is read-only. For more
       | information, see - https://aka.ms/storageaccountupdate
       | (Code:AccountPropertyCannotBeUpdated)  CorrelationId:
       | 80271a0d-6011-444c-ba2d-14fe65af985f
```

Steps to reproduce

  1. Create a resource without a specific property that is enforced as a parameter default
  2. Enforce this property with a default in the module
  3. Redeploy the same module again with the new change
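
One way to avoid the redeployment failure described above, as an added example rather than CARML's own module code: keep the secure setting available, but stop the module from writing the read-only property unless the caller asks for it. The module shape, the nullable parameter and the spread expression are assumptions (a Bicep version with nullable-type and object-spread support), not an approach this thread settles on.

```bicep
// Added example (not CARML module code). Assumes a Bicep version with
// nullable parameters ('bool?'), the non-null assertion ('!') and the
// object spread operator ('...').
@description('Required. Name of the storage account.')
param name string

@description('Optional. Location for the storage account.')
param location string = resourceGroup().location

// Pattern from the issue: an opinionated default that is written on every
// deployment. Fine on create, but a redeploy against an account created
// without it fails with AccountPropertyCannotBeUpdated, because the
// property is read-only once the account exists.
//
//   param requireInfrastructureEncryption bool = true
//
// Safer pattern: no default. The property is emitted only when the caller
// passes a value, so existing accounts are left untouched, while new
// accounts can still be created with the setting enabled explicitly.
@description('Optional. Applies a secondary layer of encryption with platform managed keys for data at rest. Read-only after creation: set it when creating the account and omit it on later redeployments.')
param requireInfrastructureEncryption bool?

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: name
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    encryption: {
      keySource: 'Microsoft.Storage'
      services: {
        blob: { enabled: true }
        file: { enabled: true }
      }
      // Include the read-only property only when explicitly requested;
      // with no value the key is absent from the compiled template.
      ...(requireInfrastructureEncryption != null ? { requireInfrastructureEncryption: requireInfrastructureEncryption! } : {})
    }
  }
}
```

On the first deployment pass `requireInfrastructureEncryption: true` explicitly; on later runs leave it out and the template no longer touches the property.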

ahmadabdalla commented 2 years ago

This also applies to virtual machines:

```bicep
@description('Optional. This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs.')
param encryptionAtHost bool = true
```

```text
VERBOSE: Deployment output: {}
Exception: /home/runner/work/_temp/25088aa3-c884-466a-99bc-45080b80d61d.ps1:49
Line |
  49 |    throw $res.exception
     |    ~~~~~~~~~~~~~~~~~~~~
     | 01:33:24 - The deployment
     | 'virtualMachines-20220316T0103517410Z' failed with error(s).
     | Showing 1 out of 1 error(s). Status Message: The property
     | 'securityProfile.encryptionAtHost' is not valid because the
     | 'Microsoft.Compute/EncryptionAtHost' feature is not enabled
     | for this subscription. (Code:InvalidParameter)  CorrelationId:
     | 078cbb40-77f9-4505-8237-101dcde82d2e
```

rahalan commented 2 years ago

Need to wait for the discussion on how we handle "secure by default"

eriqua commented 1 year ago

Missing clarity on what to do with this issue. Moving back to needs triage and applying the needs further discussion label.

rahalan commented 1 year ago

Need to wait for the discussion on how we handle "secure by default"

DanoThom commented 7 months ago

Any movement on or internal discussions on this issue? It's definitely one that regularly appears for me and doesn't have a clear workaround other than hacking at the underlying CARML module and deleting existing storage accounts that have strayed outside of any changes to the defaults...