Azure / terraform-azurerm-avm-res-storage-storageaccount

This Terraform module is designed to create Azure Storage Accounts and its related resources, including blob containers, queues, tables, and file shares. It also supports the creation of a storage account private endpoint which provides secure and direct connectivity to Azure Storage over a private network.
https://registry.terraform.io/modules/Azure/avm-res-storage-storageaccount
MIT License

Make this module compliant with Enforce-Guardrails-Storage #173

Open magnus-longva-bouvet opened 1 week ago

magnus-longva-bouvet commented 1 week ago

Description

The Azure Enterprise Scale repository includes a policy initiative called Enforce recommended guardrails for Storage. I can't make a valid configuration of this module which is compliant with this initiative.

Here's my attempt

module "avm-res-storage-storageaccount" {
  source  = "Azure/avm-res-storage-storageaccount/azurerm"
  version = "0.2.7"

  resource_group_name               = azurerm_resource_group.rg.name
  location                          = var.location
  name                              = var.storage_account_name
  default_to_oauth_authentication   = true
  infrastructure_encryption_enabled = true
  allowed_copy_scope                = "AAD"
  queue_encryption_key_type         = "Account"
  table_encryption_key_type         = "Account"
  blob_properties = {
    delete_retention_policy_days           = 7
    container_delete_retention_policy_days = 7
  }
}

This deployment fails with this error

{
  "error": {
    "code": "RequestDisallowedByPolicy",
    "target": "magnusdeletemesayft",
    "message": "Resource magnusdeletemesayft was disallowed by policy. Reasons: Recommended guardrails must be enforced for Storage. See error details for policy resource IDs.",
    "additionalInfo": [
      {
        "type": "PolicyViolation",
        "info": {
          "evaluationDetails": {
            "evaluatedExpressions": [
              {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.Storage/storageAccounts",
                "targetValue": "Microsoft.Storage/storageAccounts",
                "operator": "Equals"
              },
              {
                "result": "True",
                "expressionKind": "Field",
                "expression": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
                "path": "properties.encryption.services.blob.enabled",
                "targetValue": "false",
                "operator": "Exists"
              }
            ],
            "reason": "Recommended guardrails must be enforced for Storage"
          },
          "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/mgmtgroup1/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption",
          "policySetDefinitionId": "/providers/Microsoft.Management/managementGroups/mgmtgroup1/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage",
          "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption",
          "policySetDefinitionName": "Enforce-Guardrails-Storage",
          "policySetDefinitionDisplayName": "Enforce recommended guardrails for Storage Account",
          "policyDefinitionName": "Deny-Storage-ServicesEncryption",
          "policyDefinitionDisplayName": "Encryption for storage services should be enforced for Storage Accounts",
          "policyDefinitionEffect": "Deny",
          "policyAssignmentId": "/providers/Microsoft.Management/managementGroups/mgmtgroup2/providers/Microsoft.Authorization/policyAssignments/Enforce-GR-Storage",
          "policyAssignmentName": "Enforce-GR-Storage",
          "policyAssignmentDisplayName": "Enforce recommended guardrails for Storage.",
          "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/mgmtgroup2",
          "policyAssignmentParameters": {
            "storageAllowedNetworkAclsBypass": [
              "None",
              "Logging",
              "Metrics",
              "AzureServices",
              "Logging, Metrics",
              "Logging, AzureServices",
              "Metrics, AzureServices",
              "Logging, Metrics, AzureServices"
            ]
          },
          "policyExemptionIds": []
        }
      }
    ]
  }
}

I don't see any option in this module to make the field encryption.services.blob.enabled equal to true.

New or Affected Resource(s)/Data Source(s)

azurerm_storage_account.this

Potential Terraform Configuration

module "avm-res-storage-storageaccount" {
  source  = "Azure/avm-res-storage-storageaccount/azurerm"
  version = "0.2.7"

  resource_group_name               = azurerm_resource_group.rg.name
  location                          = var.location
  name                              = var.storage_account_name
  default_to_oauth_authentication   = true
  infrastructure_encryption_enabled = true
  allowed_copy_scope                = "AAD"
  queue_encryption_key_type         = "Account"
  table_encryption_key_type         = "Account"
  blob_encryption_key_type          = "Account"
  file_encryption_key_type          = "Account"
  blob_properties = {
    delete_retention_policy_days           = 7
    container_delete_retention_policy_days = 7
  }
}

References

This seems sort of similar, but this guy has a different problem with some different policy which is also called a guardrail.

https://github.com/Azure/terraform-azurerm-avm-res-storage-storageaccount/issues/41
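As an added example (not code from this module or from the issue author), a small Python triage helper that parses a RequestDisallowedByPolicy body like the one quoted above and reports which policy definition denied the request and which field conditions matched. The embedded sample is a constructed, trimmed copy of the error in this issue with a placeholder storage account name; an `Exists` check with `targetValue` `"false"` that evaluated `True` means the field was absent from the submitted payload.

```python
import json

# Constructed sample: a trimmed copy of the RequestDisallowedByPolicy body quoted in
# the issue, with the storage account name replaced by a placeholder.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "RequestDisallowedByPolicy",
    "target": "examplestorageacct",
    "additionalInfo": [{"type": "PolicyViolation", "info": {
        "evaluationDetails": {"evaluatedExpressions": [
            {"result": "True", "expressionKind": "Field", "expression": "type", "path": "type",
             "expressionValue": "Microsoft.Storage/storageAccounts",
             "targetValue": "Microsoft.Storage/storageAccounts", "operator": "Equals"},
            {"result": "True", "expressionKind": "Field",
             "expression": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled",
             "path": "properties.encryption.services.blob.enabled",
             "targetValue": "false", "operator": "Exists"}]},
        "policyDefinitionName": "Deny-Storage-ServicesEncryption",
        "policySetDefinitionName": "Enforce-Guardrails-Storage",
        "policyDefinitionEffect": "Deny",
        "policyAssignmentScope": "/providers/Microsoft.Management/managementGroups/mgmtgroup2"}}]}})

def explain_policy_denial(body: str) -> list:
    """Return one record per PolicyViolation: the deny policy that fired and every field
    condition that matched; 'Exists' with targetValue 'false' means the field was absent."""
    findings = []
    for item in json.loads(body)["error"].get("additionalInfo", []):
        if item.get("type") != "PolicyViolation":
            continue
        info = item["info"]
        matched = []
        for expr in info["evaluationDetails"]["evaluatedExpressions"]:
            if expr.get("result") != "True":
                continue  # only conditions that contributed to the deny
            absent = expr.get("operator") == "Exists" and expr.get("targetValue") == "false"
            matched.append({"path": expr["path"], "operator": expr["operator"],
                            "target": expr.get("targetValue"),
                            "note": "field absent from request payload" if absent else "field matched"})
        findings.append({"definition": info["policyDefinitionName"],
                         "initiative": info.get("policySetDefinitionName"),
                         "effect": info.get("policyDefinitionEffect"),
                         "scope": info.get("policyAssignmentScope"),
                         "matched": matched})
    return findings

if __name__ == "__main__":
    for f in explain_policy_denial(SAMPLE_ERROR):
        print(f"{f['effect']} by {f['definition']} ({f['initiative']}) at {f['scope']}")
        for m in f["matched"]:
            print(f"  {m['path']} {m['operator']}={m['target']}: {m['note']}")
```

Feed it the raw error body from `terraform apply` (or from the Azure activity log) to see at a glance that the denial came from the blob-encryption field missing from the request rather than from a wrong value.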

matt-FFFFFF commented 2 days ago

Hi @magnus-longva-bouvet

There is an issue with this policy as it's not technically possible to disable blob encryption. The AzureRM provider removed the ability to set this value as the service always sets this to true despite the value in the payload.

We have an open issue about it on the enterprise scale repo.