hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_storage_container encryption_scope_override_enabled attribute not optional #25657

Open bfrancisco123 opened 5 months ago

bfrancisco123 commented 5 months ago


Terraform Version

1.2.0

AzureRM Provider Version

3.99.0

Affected Resource(s)/Data Source(s)

azurerm_storage_container

Terraform Configuration Files

module "proj_container" {
  source = "git@ssh.dev.azure.com:v3/Storage//StorageContainer?ref=v1.0.5"
  providers = {
    azurerm.storage_container = azurerm.pdns
  }
  storage_account_name   = local.app_storage_account_name
  storage_container_name = "fogl-dev"
  resource_group_name    = local.devops_resource_group_name
  main_tags = local.proj_tags
}

Debug Output/Panic Output

resource "azurerm_storage_container" "storage_container" {
      + default_encryption_scope          = (known after apply)
      + encryption_scope_override_enabled = true # forces replacement

Expected Behaviour

The attribute encryption_scope_override_enabled for the resource azurerm_storage_container should be optional. I have not set a value for encryption_scope_override_enabled, which should result in "null" instead of "true".

Actual Behaviour

A default of "true" is set for encryption_scope_override_enabled. Any value set forces a default encryption scope to be set on all containers which results in a re-creation of containers.

Steps to Reproduce

  1. Create an azurerm_storage_container resource in a storage account with no encryption scopes defined with AzureRM using any version before 3.99.0
  2. Attempt to create another azurerm_storage_container resource in a storage account with no encryption scopes defined with AzureRM using version 3.99.0
  3. The azurerm_storage_container resource from step one will be set to "forces replacement" due to the default value of encryption_scope_override_enabled being set to true

Important Factoids

No response

References

A storage account with no encryption scopes defined will assign an encryption scope of "$account-encryption-key" to all containers in the storage account. I am not able to set the "$account-encryption-key" scope on a new container using the azurerm_storage_container resource in version 3.99.0.

magodo commented 4 months ago

@bfrancisco123 The storage account created in your step 1 will by default have the encryption scope enabled (i.e. the API attribute x-ms-deny-encryption-scope-ove = false). This means that after you upgrade to v3.99.0 it will have no plan diff. I've verified this locally by repeating your steps 1 and 3 using provider v3.98.0 and then v3.99.0.

The reason you have a plan diff is probably that you have disabled the encryption scope in some out-of-band way?

farwind commented 4 months ago

I'm seeing the same issue, but in my case new storage account creation ends up in failure with an error message. I tried encryption_scope_override_enabled = true as the default suggests and also set it to false, but there was no change in the error message:

 with module.defaults.azurerm_storage_container.this["container03"],
 on ../../main.tf line 546, in resource "azurerm_storage_container" "this":
 546:   encryption_scope_override_enabled = each.value["encryption_scope_override_enabled"]

"encryption_scope_override_enabled": all of `default_encryption_scope,encryption_scope_override_enabled` must be specified

The only way to make this work is to not set a default value for it, or to set the default to null.
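As an added example (not code from the issue author or the provider), one module layout that applies the workaround described in this comment: both encryption-scope attributes default to null so a caller that sets neither sends nothing to the provider, and a plan-time precondition catches the case where only one of the pair is set. The variable names, `var.storage_account_name`, and Terraform 1.3+ `optional()` object attributes are assumptions.

```hcl
# Constructed example: container definitions keyed by name. Both
# encryption-scope fields default to null, so an unset entry passes
# null to the provider instead of a bare true/false.
variable "containers" {
  type = map(object({
    container_access_type             = optional(string, "private")
    default_encryption_scope          = optional(string) # null unless set
    encryption_scope_override_enabled = optional(bool)   # null unless set
  }))
}

variable "storage_account_name" {
  type = string
}

resource "azurerm_storage_container" "this" {
  for_each = var.containers

  name                  = each.key
  storage_account_name  = var.storage_account_name
  container_access_type = each.value.container_access_type

  # Per the provider validation quoted in the thread, these two attributes
  # must be specified together. Passing null for both sends neither;
  # passing only one fails the plan with the quoted error.
  default_encryption_scope          = each.value.default_encryption_scope
  encryption_scope_override_enabled = each.value.encryption_scope_override_enabled

  lifecycle {
    # Surface a half-specified pair at plan time with a clear message,
    # rather than relying on the provider's own validation text.
    precondition {
      condition = (
        (each.value.default_encryption_scope == null) ==
        (each.value.encryption_scope_override_enabled == null)
      )
      error_message = "Set default_encryption_scope and encryption_scope_override_enabled together, or leave both unset."
    }
  }
}
```

Review the plan for "forces replacement" on existing containers before applying, since a newly supplied scope pair recreates the container rather than updating it in place.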

bfrancisco123 commented 4 months ago

@magodo We haven't adjusted the encryption scope outside of Terraform. When we created the storage accounts, we didn't set a default encryption scope override setting so it's effectively set to null. In this case, the encryption scope for our containers is "$account-encryption-key" scope.

I tried retrieving this scope via a data block (and via the powershell cmd Get-AzStorageEncryptionScope -ResourceGroupName $rgName -StorageAccountName $accountName) which returns nothing since we don't have any encryption scopes defined on our storage accounts. It seems the "$account-encryption-key" scope is some sort of internal Azure default that isn't available to set yourself.

If you look in the Azure portal, you see the listed encryption scope in the properties of a container.

Like what @farwind posted, if we set encryption_scope_override_enabled to false, we are forced to specify an encryption scope for the existing storage containers, which then replaces the "$account-encryption-key" scope and recreates the containers.

Can we get a null option for override enabled? No version of azurerm prior to 3.99.0 touched the encryption_scope_override_enabled or encryption_scope setting at all.

Thanks

magodo commented 4 months ago

@manicminer Do you have any insight on this?

bfrancisco123 commented 4 months ago

Hi all,

Need any additional data for this issue? Is this an issue that might be resolved in a future release?

Thanks, Ben

bfrancisco123 commented 3 months ago

@magodo @manicminer Checking to see if there's any update on this. Is there any possibility that no default value will be set for encryption_scope_override in a future release? Thanks!