Add CMK encryption support for Azure Container Registry (ACR) and Ser…

…vice Bus (#4178) * change cmk name to include tre-id + add dependency to one of the stg accounts * add cmk for ACR and service bus * add null default for acr_sku * bump core version to 0.11.8 * revert mistake
microsoft · Dec 11, 2024 · 6146484 · 6146484
1 parent 80c7ab9
commit 6146484
Show file tree

Hide file tree

Showing 10 changed files with 51 additions and 18 deletions.
diff --git a/core/terraform/cmk_encryption.tf b/core/terraform/cmk_encryption.tf
@@ -20,7 +20,7 @@ resource "azurerm_role_assignment" "kv_encryption_key_user" {
 resource "azurerm_key_vault_key" "tre_encryption" {
   count = var.enable_cmk_encryption ? 1 : 0
 
-  name         = var.kv_encryption_key_name
+  name         = local.cmk_name
   key_vault_id = local.key_store_id
   key_type     = "RSA"
   key_size     = 2048

diff --git a/core/terraform/locals.tf b/core/terraform/locals.tf
@@ -43,4 +43,6 @@ locals {
 
   # The key store for encryption keys could either be external or created by terraform
   key_store_id = var.enable_cmk_encryption ? (var.external_key_store_id != null ? var.external_key_store_id : data.azurerm_key_vault.encryption_kv[0].id) : ""
+
+  cmk_name = "tre-encryption-${var.tre_id}"
 }
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
@@ -79,7 +79,7 @@ module "azure_monitor" {
   enable_local_debugging                   = var.enable_local_debugging
   enable_cmk_encryption                    = var.enable_cmk_encryption
   key_store_id                             = local.key_store_id
-  kv_encryption_key_name                   = var.kv_encryption_key_name
+  kv_encryption_key_name                   = local.cmk_name
   encryption_identity_id                   = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null
 
   depends_on = [
@@ -112,7 +112,7 @@ module "appgateway" {
 
   enable_cmk_encryption  = var.enable_cmk_encryption
   key_store_id           = local.key_store_id
-  kv_encryption_key_name = var.kv_encryption_key_name
+  kv_encryption_key_name = local.cmk_name
   encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null
 
   depends_on = [
@@ -152,7 +152,7 @@ module "airlock_resources" {
   myip                   = local.myip
   enable_cmk_encryption  = var.enable_cmk_encryption
   key_store_id           = local.key_store_id
-  kv_encryption_key_name = var.kv_encryption_key_name
+  kv_encryption_key_name = local.cmk_name
   encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null
 
   depends_on = [
@@ -192,7 +192,7 @@ module "resource_processor_vmss_porter" {
   rp_bundle_values                                 = var.rp_bundle_values
   enable_cmk_encryption                            = var.enable_cmk_encryption
   key_store_id                                     = local.key_store_id
-  kv_encryption_key_name                           = var.kv_encryption_key_name
+  kv_encryption_key_name                           = local.cmk_name
 
   depends_on = [
     module.network,

diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
@@ -29,6 +29,22 @@ resource "azurerm_servicebus_namespace" "sb" {
     }
   }
 
+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id
+      identity_id      = azurerm_user_assigned_identity.encryption[0].id
+    }
+  }
+
+  dynamic "identity" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      type         = "UserAssigned"
+      identity_ids = [azurerm_user_assigned_identity.encryption[0].id]
+    }
+  }
+
   lifecycle { ignore_changes = [tags] }
 }
 

diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
@@ -80,10 +80,11 @@ resource "azurerm_storage_account_customer_managed_key" "encryption" {
   count                     = var.enable_cmk_encryption ? 1 : 0
   storage_account_id        = azurerm_storage_account.stg.id
   key_vault_id              = local.key_store_id
-  key_name                  = var.kv_encryption_key_name
+  key_name                  = local.cmk_name
   user_assigned_identity_id = azurerm_user_assigned_identity.encryption[0].id
 
   depends_on = [
-    azurerm_role_assignment.kv_encryption_key_user[0]
+    azurerm_role_assignment.kv_encryption_key_user[0],
+    azurerm_key_vault_key.tre_encryption[0]
   ]
 }
diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
@@ -241,10 +241,3 @@ variable "encryption_kv_name" {
   description = "Name of Key Vault for encryption keys, required only if external_key_store_id is not set (only used if enable_cmk_encryption is true)"
   default     = null
 }
-
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
-  default     = "tre-encryption"
-}
-
diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.7"
+__version__ = "0.11.8"
diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
@@ -65,9 +65,27 @@ resource "azurerm_container_registry" "shared_acr" {
   name                = var.acr_name
   resource_group_name = azurerm_resource_group.mgmt.name
   location            = azurerm_resource_group.mgmt.location
-  sku                 = var.acr_sku
+  sku                 = var.acr_sku != null ? var.acr_sku : (var.enable_cmk_encryption ? "Premium" : "Standard")
   admin_enabled       = true
 
+  dynamic "identity" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      type         = "UserAssigned"
+      identity_ids = [azurerm_user_assigned_identity.tre_mgmt_encryption[0].id]
+    }
+  }
+
+  dynamic "encryption" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      enabled            = true
+      key_vault_key_id   = azurerm_key_vault_key.tre_mgmt_encryption[0].id
+      identity_client_id = azurerm_user_assigned_identity.tre_mgmt_encryption[0].client_id
+    }
+
+  }
+
   lifecycle { ignore_changes = [tags] }
 }
 

diff --git a/devops/terraform/variables.tf b/devops/terraform/variables.tf
@@ -15,8 +15,8 @@ variable "location" {
 
 variable "acr_sku" {
   type        = string
-  default     = "Standard"
   description = "Price tier for ACR"
+  default     = null
 }
 
 variable "acr_name" {
@@ -45,5 +45,5 @@ variable "encryption_kv_name" {
 variable "kv_mgmt_encryption_key_name" {
   type        = string
   description = "Name of Key Vault Encryption Key for management resources (only used if enable_cmk_encryption is true)"
-  default     = "tre-mgmt-encryption"
+  default     = "tre-encryption-mgmt"
 }
diff --git a/docs/tre-admins/customer-managed-keys.md b/docs/tre-admins/customer-managed-keys.md
@@ -7,6 +7,9 @@ You can enable customer-managed keys (CMK) for supporting resources in Azure TRE
     CMK encryption is not supported for the rest of the resources such as those deployed by a TRE workspace.
 
 
+!!! caution
+    Currently, it is not possible to redeploy TRE with CMK enabled if it has previously been deployed without it. This is due to limitations of resources such as Azure Container Registry (ACR) that only allow enabling the CMK encryption at the time of resource creation.
+
 When enabled, CMK encryption provides an additional layer of encryption control for supported Azure resources within the TRE by allowing you to manage and control the encryption keys used to protect your data.
 
 To enable CMK encryption, set `enable_cmk_encryption: true` in the developer settings section of your `config.yaml` file.