hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Storage Account: support for Customer Managed Key from another Subscription #20199

Open Nizol opened 1 year ago

Nizol commented 1 year ago

Description

Creation of a customer managed key after the deployment of azurerm_storage_account works fine using the azurerm_storage_account_customer_managed_key resource. This approach will not work anymore after enabling Azure Policy to prevent any deployment without a customer managed key.

Using customer_managed_key as an alternative approach works as expected if the key exists within the same subscription. Using the same approach with any key in another subscription results in a failed deployment with the following message displayed:

Error: unexpected nil Key Vault ID retrieved at URL <Vault_URL>

Is there any workaround for deploying a storage account using a customer managed key in another subscription?

New or Affected Resource(s)/Data Source(s)

azurerm_storage_account

Potential Terraform Configuration

No response

References

No response

magodo commented 1 year ago

@Nizol Sorry that you are running into this issue. Currently, the provider has some special cases where it needs to link a resource between its management plane ID and its data plane URL (e.g. key vault key, storage account container, etc.).

In your case, the provider is given a key vault key's ID, which is a data plane URL. The provider then looks it up via:

https://github.com/hashicorp/terraform-provider-azurerm/blob/8cdfd601e731251e4b07b9a7e08f7b1df7cb4d3e/internal/services/keyvault/client/helpers.go#L125-L126

As can be seen, the lookup needs a LIST call to Azure at the endpoint /subscriptions/{subscriptionId}/resources. As there is no information about the subscription id in the input key id, the provider uses its configured subscription id (which makes sense). Hence no result is found.

To fix this issue, there are two choices:

  1. Change the resource id format for these affected resources to their management plane form. I've made some attempts in this direction, but it was rejected for historical reasons (see: https://github.com/hashicorp/terraform-provider-azurerm/pull/16230)
  2. Introduce a subscription_id in the customer_managed_key block, but I'd hesitate to go that route

To work around it, you can try https://github.com/azure/terraform-provider-azapi
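The lookup magodo describes above, modelled as an added Go example. This is not the provider's own code: the inventory, subscription IDs, vault names and the key URL are all constructed, and the LIST call is replaced by a map lookup. It shows why a data-plane key URL carries no subscription information, why listing only the provider's configured subscription finds nothing for a vault in another subscription, and how supplying the vault's subscription explicitly (magodo's option 2) makes the same lookup succeed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// KeyVaultKeyID is the parsed form of a data-plane key URL such as
// https://kv-shared.vault.azure.net/keys/sa-cmk/{version}.
// Note that nothing in it identifies the subscription or resource group.
type KeyVaultKeyID struct {
	VaultBaseURL string // e.g. https://kv-shared.vault.azure.net
	Name         string
	Version      string // may be empty when the URL has no version segment
}

// ParseKeyVaultKeyID splits a data-plane key URL into vault base URL, key name and version.
func ParseKeyVaultKeyID(raw string) (*KeyVaultKeyID, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("expected an https key vault URL, got %q", raw)
	}
	parts := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(parts) < 2 || len(parts) > 3 || parts[0] != "keys" || parts[1] == "" {
		return nil, fmt.Errorf("expected a /keys/{name}[/{version}] path, got %q", u.Path)
	}
	id := &KeyVaultKeyID{VaultBaseURL: "https://" + u.Host, Name: parts[1]}
	if len(parts) == 3 {
		id.Version = parts[2]
	}
	return id, nil
}

// vaultRecord stands in for one entry of the management-plane LIST under
// /subscriptions/{subscriptionId}/resources. Constructed sample data.
type vaultRecord struct {
	ResourceID string // management-plane ID
	VaultURI   string // data-plane base URL as Azure reports it (trailing slash)
}

// Inventory is a stand-in for Azure: vault records keyed by subscription ID.
type Inventory map[string][]vaultRecord

// ErrVaultNotFound mirrors the provider's "unexpected nil Key Vault ID" condition.
var ErrVaultNotFound = errors.New("unexpected nil Key Vault ID retrieved at URL")

// lookupVaultID lists the vaults of exactly one subscription and returns the
// management-plane ID whose data-plane URI matches. Only that subscription is
// searched, which is the behaviour that produces the error in this issue.
func lookupVaultID(inv Inventory, subscriptionID, vaultBaseURL string) (string, error) {
	want := strings.TrimSuffix(strings.ToLower(vaultBaseURL), "/")
	for _, v := range inv[subscriptionID] {
		if strings.TrimSuffix(strings.ToLower(v.VaultURI), "/") == want {
			return v.ResourceID, nil
		}
	}
	return "", fmt.Errorf("%w %s (listed subscription %s)", ErrVaultNotFound, vaultBaseURL, subscriptionID)
}

// ResolveKey resolves a data-plane key URL to the vault's management-plane ID.
// lookupSubscriptionID is the subscription that gets listed: passing the provider's
// configured subscription reproduces the failure for a vault elsewhere; passing the
// vault's own subscription (an explicit subscription_id, option 2) resolves it.
func ResolveKey(inv Inventory, lookupSubscriptionID, keyURL string) (string, *KeyVaultKeyID, error) {
	key, err := ParseKeyVaultKeyID(keyURL)
	if err != nil {
		return "", nil, err
	}
	vaultID, err := lookupVaultID(inv, lookupSubscriptionID, key.VaultBaseURL)
	if err != nil {
		return "", key, err
	}
	return vaultID, key, nil
}

// Constructed subscription IDs: the provider is configured for the first, the vault lives in the second.
const (
	ProviderSubscription = "11111111-1111-1111-1111-111111111111"
	VaultSubscription    = "22222222-2222-2222-2222-222222222222"
)

// SampleInventory builds the constructed two-subscription world used by main and the tests.
func SampleInventory() Inventory {
	return Inventory{
		ProviderSubscription: {{
			ResourceID: "/subscriptions/" + ProviderSubscription + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app",
			VaultURI:   "https://kv-app.vault.azure.net/",
		}},
		VaultSubscription: {{
			ResourceID: "/subscriptions/" + VaultSubscription + "/resourceGroups/rg-kv/providers/Microsoft.KeyVault/vaults/kv-shared",
			VaultURI:   "https://kv-shared.vault.azure.net/",
		}},
	}
}

func main() {
	inv := SampleInventory()
	keyURL := "https://kv-shared.vault.azure.net/keys/sa-cmk/0123456789abcdef0123456789abcdef"
	if _, _, err := ResolveKey(inv, ProviderSubscription, keyURL); err != nil {
		fmt.Println("configured subscription only:", err)
	}
	if id, _, err := ResolveKey(inv, VaultSubscription, keyURL); err == nil {
		fmt.Println("explicit vault subscription:", id)
	}
}
```

The check a practitioner can take from this: before pointing `customer_managed_key` at a key, compare the subscription in the vault's resource ID with the subscription the provider block is configured for; if they differ, the lookup above cannot succeed and the `azurerm_storage_account_customer_managed_key` route or the azapi provider mentioned in this thread is the path to take.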

MattoHopkins commented 1 year ago

Oh chur @magodo. Clearly I missed this even after searching for stuff related to the customer_managed_key block. Would've saved me some digging during work today haha.

The azurerm_storage_account_customer_managed_key workaround has worked, so will move forward with that.

Cheers!

MattoHopkins commented 1 year ago

Hey @magodo, I think I'm hitting the same error on the azurerm_managed_disk encryption block as well...

Error: creating/updating Managed Disk "vm-disk1" (Resource Group "rg"): performing CreateOrUpdate: disks.DisksClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidParameter" Message="The SubscriptionId:\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx1\" of the request must match the SubscriptionId \"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx2\" contained in the Key Vault Id." Target="encryptionSettings.diskEncryptionKey.sourceVault.id"
│ 
│   with module.test-vm.azurerm_managed_disk.main,
│   on .terraform/modules/test-vm-demo/main.tf line 96, in resource "azurerm_managed_disk" "main":
│   96: resource "azurerm_managed_disk" "main" {
│ 

Assuming this is the same/similar issue

slideroh commented 1 month ago

Any update? Especially for #24385