diff --git a/core/terraform/cmk_encryption.tf b/core/terraform/cmk_encryption.tf
index c8b4b9a483..4c0b5a1b1c 100644
--- a/core/terraform/cmk_encryption.tf
+++ b/core/terraform/cmk_encryption.tf
@@ -20,7 +20,7 @@ resource "azurerm_role_assignment" "kv_encryption_key_user" {
 resource "azurerm_key_vault_key" "tre_encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
- name = var.kv_encryption_key_name
+ name = local.cmk_name
 key_vault_id = local.key_store_id
 key_type = "RSA"
 key_size = 2048
diff --git a/core/terraform/locals.tf b/core/terraform/locals.tf
index d8620aeb5f..bac02640e6 100644
--- a/core/terraform/locals.tf
+++ b/core/terraform/locals.tf
@@ -43,4 +43,6 @@ locals {
 # The key store for encryption keys could either be external or created by terraform
 key_store_id = var.enable_cmk_encryption ? (var.external_key_store_id != null ? var.external_key_store_id : data.azurerm_key_vault.encryption_kv[0].id) : ""
+
+ cmk_name = "tre-encryption-${var.tre_id}"
 }
diff --git a/core/terraform/main.tf b/core/terraform/main.tf
index 6a554f9ff8..e280650344 100644
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@@ -79,7 +79,7 @@ module "azure_monitor" {
 enable_local_debugging = var.enable_local_debugging
 enable_cmk_encryption = var.enable_cmk_encryption
 key_store_id = local.key_store_id
- kv_encryption_key_name = var.kv_encryption_key_name
+ kv_encryption_key_name = local.cmk_name
 encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null
 depends_on = [
@@ -112,7 +112,7 @@ module "appgateway" {
 enable_cmk_encryption = var.enable_cmk_encryption
 key_store_id = local.key_store_id
- kv_encryption_key_name = var.kv_encryption_key_name
+ kv_encryption_key_name = local.cmk_name
 encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null
 depends_on = [
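Review bot: `cmk_name = "tre-encryption-${var.tre_id}"` in the locals.tf hunk replaces the removed `kv_encryption_key_name` variable, whose default was `tre-encryption` (variables.tf hunk later in this diff), so a deployment that already runs with CMK enabled will see the name of `azurerm_key_vault_key.tre_encryption` change on the next apply, which should force a replacement key and re-key the storage account and every module that now receives `local.cmk_name`; the caution added to the docs only covers the non-CMK-to-CMK path. The local deserves a comment making that cost explicit, e.g. `# Fixed per TRE; renaming this re-keys every CMK-protected resource on the next apply`. Operators who still set `kv_encryption_key_name` in their config will now get an undeclared-variable warning or error, which is worth a line in the docs or changelog. Whether `var.tre_id` is restricted to the characters Key Vault accepts in key names (alphanumerics and dashes) is not visible here; if it is not, a `validation` block on `tre_id` would catch it at plan time rather than at key creation.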
@@ -152,7 +152,7 @@ module "airlock_resources" {
 myip = local.myip
 enable_cmk_encryption = var.enable_cmk_encryption
 key_store_id = local.key_store_id
- kv_encryption_key_name = var.kv_encryption_key_name
+ kv_encryption_key_name = local.cmk_name
 encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null
 depends_on = [
@@ -192,7 +192,7 @@ module "resource_processor_vmss_porter" {
 rp_bundle_values = var.rp_bundle_values
 enable_cmk_encryption = var.enable_cmk_encryption
 key_store_id = local.key_store_id
- kv_encryption_key_name = var.kv_encryption_key_name
+ kv_encryption_key_name = local.cmk_name
 depends_on = [
 module.network,
diff --git a/core/terraform/servicebus.tf b/core/terraform/servicebus.tf
index 3a056017ba..faef9322d7 100644
--- a/core/terraform/servicebus.tf
+++ b/core/terraform/servicebus.tf
@@ -29,6 +29,22 @@ resource "azurerm_servicebus_namespace" "sb" {
 }
 }
+ dynamic "customer_managed_key" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id
+ identity_id = azurerm_user_assigned_identity.encryption[0].id
+ }
+ }
+
+ dynamic "identity" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.encryption[0].id]
+ }
+ }
+
 lifecycle { ignore_changes = [tags] } }
diff --git a/core/terraform/storage.tf b/core/terraform/storage.tf
index 0a9a823f71..fc9e552eec 100644
--- a/core/terraform/storage.tf
+++ b/core/terraform/storage.tf
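Review bot: The `customer_managed_key` block added to `azurerm_servicebus_namespace.sb` references the key and the identity directly but carries no `depends_on` on `azurerm_role_assignment.kv_encryption_key_user[0]`, unlike `azurerm_storage_account_customer_managed_key.encryption` in storage.tf, so Terraform may create the namespace before the identity has been granted access to the key and the first apply can fail with a Key Vault authorization error; adding `depends_on = [azurerm_role_assignment.kv_encryption_key_user[0]]` to the namespace (the resource starts outside this hunk) would match the storage resource. `key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id` pins a specific key version, so a rotation in Key Vault will not be picked up by the namespace; if automatic rotation is intended, `azurerm_key_vault_key.tre_encryption[0].versionless_id` is the attribute to use. Service Bus accepts a customer-managed key only on the Premium SKU, and the `sku` argument is not visible in this hunk, so confirm it is Premium whenever `enable_cmk_encryption` is true or the block will be rejected at apply time.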
@@ -80,10 +80,11 @@ resource "azurerm_storage_account_customer_managed_key" "encryption" {
 count = var.enable_cmk_encryption ? 1 : 0
 storage_account_id = azurerm_storage_account.stg.id
 key_vault_id = local.key_store_id
- key_name = var.kv_encryption_key_name
+ key_name = local.cmk_name
 user_assigned_identity_id = azurerm_user_assigned_identity.encryption[0].id
 depends_on = [
- azurerm_role_assignment.kv_encryption_key_user[0]
+ azurerm_role_assignment.kv_encryption_key_user[0],
+ azurerm_key_vault_key.tre_encryption[0]
 ]
 }
diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
index d364d027b8..1f1004d8bb 100644
--- a/core/terraform/variables.tf
+++ b/core/terraform/variables.tf
@@ -241,10 +241,3 @@ variable "encryption_kv_name" {
 description = "Name of Key Vault for encryption keys, required only if external_key_store_id is not set (only used if enable_cmk_encryption is true)"
 default = null
 }
-
-variable "kv_encryption_key_name" {
- type = string
- description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
- default = "tre-encryption"
-}
-
diff --git a/core/version.txt b/core/version.txt
index eec2a4dd5e..5dae1332b4 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.7"
+__version__ = "0.11.8"
diff --git a/devops/terraform/main.tf b/devops/terraform/main.tf
index 50cd3d7c0d..ec0ff94722 100644
--- a/devops/terraform/main.tf
+++ b/devops/terraform/main.tf
@@ -65,9 +65,27 @@ resource "azurerm_container_registry" "shared_acr" {
 name = var.acr_name
 resource_group_name = azurerm_resource_group.mgmt.name
 location = azurerm_resource_group.mgmt.location
- sku = var.acr_sku
+ sku = var.acr_sku != null ? var.acr_sku : (var.enable_cmk_encryption ? "Premium" : "Standard")
 admin_enabled = true
+ dynamic "identity" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.tre_mgmt_encryption[0].id]
+ }
+ }
+
+ dynamic "encryption" {
+ for_each = var.enable_cmk_encryption ? [1] : []
+ content {
+ enabled = true
+ key_vault_key_id = azurerm_key_vault_key.tre_mgmt_encryption[0].id
+ identity_client_id = azurerm_user_assigned_identity.tre_mgmt_encryption[0].client_id
+ }
+
+ }
+
 lifecycle { ignore_changes = [tags] } }
diff --git a/devops/terraform/variables.tf b/devops/terraform/variables.tf
index 238bc2f26e..9c9ad2bfbe 100644
--- a/devops/terraform/variables.tf
+++ b/devops/terraform/variables.tf
@@ -15,8 +15,8 @@ variable "location" {
 variable "acr_sku" {
 type = string
- default = "Standard"
 description = "Price tier for ACR"
+ default = null
 }
 variable "acr_name" {
@@ -45,5 +45,5 @@ variable "encryption_kv_name" {
 variable "kv_mgmt_encryption_key_name" {
 type = string
 description = "Name of Key Vault Encryption Key for management resources (only used if enable_cmk_encryption is true)"
- default = "tre-mgmt-encryption"
+ default = "tre-encryption-mgmt"
 }
diff --git a/docs/tre-admins/customer-managed-keys.md b/docs/tre-admins/customer-managed-keys.md
index 711ac50015..e97bc61655 100644
--- a/docs/tre-admins/customer-managed-keys.md
+++ b/docs/tre-admins/customer-managed-keys.md
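Review bot: The new `sku` expression on `azurerm_container_registry.shared_acr` only falls back to `"Premium"` when `acr_sku` is unset, so an operator who sets `acr_sku = "Standard"` together with `enable_cmk_encryption = true` still gets the `encryption` block on a non-Premium registry, which Azure rejects at apply time rather than at plan time. Since a `validation` block on `acr_sku` cannot see other variables, a precondition in the existing `lifecycle` block would surface the conflict at plan, e.g. `condition = !var.enable_cmk_encryption || var.acr_sku == null || var.acr_sku == "Premium"` with `error_message = "CMK encryption on ACR requires the Premium SKU"` (assuming the project's Terraform version supports `precondition`). `key_vault_key_id = azurerm_key_vault_key.tre_mgmt_encryption[0].id` pins a key version, so the registry will not follow key rotation in Key Vault; ACR rotates automatically only when given the versionless identifier, i.e. `versionless_id`. The changed `kv_mgmt_encryption_key_name` default in the devops variables.tf hunk renames the management key for deployments that already have CMK enabled, the same migration concern as the core key, and the blank line before the closing brace of the `encryption` dynamic block is a small style nit.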
@@ -7,6 +7,9 @@ You can enable customer-managed keys (CMK) for supporting resources in Azure TRE
 CMK encryption is not supported for the rest of the resources such as those deployed by a TRE workspace.
+!!! caution
+ Currently, it is not possible to redeploy TRE with CMK enabled if it has previously been deployed without it. This is due to limitations of resources such as Azure Container Registry (ACR) that only allow enabling the CMK encryption at the time of resource creation.
+
 When enabled, CMK encryption provides an additional layer of encryption control for supported Azure resources within the TRE by allowing you to manage and control the encryption keys used to protect your data.
 To enable CMK encryption, set `enable_cmk_encryption: true` in the developer settings section of your `config.yaml` file.