Open bfrancisco123 opened 5 months ago
@bfrancisco123 The storage account created in your step 1 will by default have the encryption scope enabled (i.e. the API attribute x-ms-deny-encryption-scope-ove = false). This means that after you upgrade to v3.99.0, it will have no plan diff. I've verified this locally by repeating your steps 1 and 3 using provider v3.98.0 and then v3.99.0.
The reason why you have a plan diff is probably because you have disabled the encryption scope via some out-of-band way?
I'm seeing the same issue, but in my case new storage account creation ends up in failure with an error message.
I tried encryption_scope_override_enabled = true as the default suggests, and also set it to false, but there was no change in the error message:
with module.defaults.azurerm_storage_container.this["container03"],
on ../../main.tf line 546, in resource "azurerm_storage_container" "this":
546: encryption_scope_override_enabled = each.value["encryption_scope_override_enabled"]
"encryption_scope_override_enabled": all of `default_encryption_scope,encryption_scope_override_enabled` must be specified
The only way to make this work is to not set a default value for it, or to set the default to null.
@magodo We haven't adjusted the encryption scope outside of Terraform. When we created the storage accounts, we didn't set a default encryption scope override setting so it's effectively set to null. In this case, the encryption scope for our containers is "$account-encryption-key" scope.
I tried retrieving this scope via a data block (and via the PowerShell cmd Get-AzStorageEncryptionScope -ResourceGroupName $rgName -StorageAccountName $accountName) which returns nothing since we don't have any encryption scopes defined on our storage accounts. It seems the "$account-encryption-key" scope is some sort of internal Azure default that isn't available to set yourself.
If you look in the Azure portal, you see the listed encryption scope in the properties of a container.
Like what @farwind posted, if we set the encryption_scope_override_enabled to false, we are forced to specify an encryption scope for the existing storage containers, which then replaces the "$account-encryption-key" scope and recreates the containers.
Can we get a null option for override enabled? Any version of azurerm prior to 3.99.0 touch the encryption_scope_override_enabled or encryption_scope setting at all.
Thanks
@manicminer Do you have any insight on this?
Hi all,
Need any additional data for this issue? Is this an issue that might be resolved in a future release?
Thanks, Ben
@magodo @manicminer Checking to see if there's any update on this? Any possibility that we can not set a default value for encryption_scope_override in a future release? Thanks!
Terraform Version
1.2.0
AzureRM Provider Version
3.99.0
Affected Resource(s)/Data Source(s)
azurerm_storage_container
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
The attribute encryption_scope_override_enabled for resource, azurerm_storage_container, should be optional. I have not set a value for encryption_scope_override_enabled which should result in "null" instead of "true"
Actual Behaviour
A default of "true" is set for encryption_scope_override_enabled. Any value set forces a default encryption scope to be set on all containers which results in a re-creation of containers.
Steps to Reproduce
Important Factoids
No response
References
A storage account with no encryption scopes defined will assign an encryption scope of "$account-encryption-key" to all containers in the storage account. I am not able to set the "$account-encryption-key" scope to a new container using the azurerm_storage_container resource in version 3.99.0.