Has anybody been able to deploy a storage account ...
# azureh
hundreds-optician-54090
06/22/2021, 3:50 PMHas anybody been able to deploy a storage account with customer managed keys?
If I try and use the Python example from the Pulumi documentation (https://www.pulumi.com/docs/reference/pkg/azure-native/storage/storageaccount/#storageaccountcreateuserassignedencryptionidentitywithcmk) I get an error:
error: Code="CannotSetResourceIdentity" Message="Resource type 'Microsoft.Storage/storageAccounts' does not support creation of 'UserAssigned' resource identity. The supported types are 'SystemAssigned'."If I change the identity to 'SystemAssigned' and remove the user_assigned_identities, the storage account them fails to build with this error instead:
error: Code="InvalidValuesForRequestParameters" Message="Values for request parameters are invalid: properties.encryption.identity."Here's the proof-of-concept code I've been playing with:
Copy code
import pulumi
import pulumi_azure_native as azure_native
import pulumi_azuread as azuread
config = pulumi.Config()
tenant_id = config.get('azure-native:tenantId')
resource_group = azure_native.resources.ResourceGroup("test-resource-group",
location="usgovvirginia",
resource_group_name="test-resource-group",
tags={'ENV': 'test'},
)
storage_security_group = azuread.Group("storage_security_group", display_name="storage_security_group")
key_vault = vault = azure_native.keyvault.Vault("Ish5booweur",
location="usgovvirginia",
properties=azure_native.keyvault.VaultPropertiesArgs(
access_policies=[azure_native.keyvault.AccessPolicyEntryArgs(
object_id=storage_security_group.id,
permissions=azure_native.keyvault.PermissionsArgs(
certificates=[],
keys=[
"wrapKey",
"unwrapKey",
"get",
],
secrets=[],
),
tenant_id=tenant_id,
)],
enable_soft_delete=False,
soft_delete_retention_in_days=15,
enabled_for_deployment=False,
enabled_for_disk_encryption=True,
enabled_for_template_deployment=False,
network_acls=azure_native.keyvault.NetworkRuleSetArgs(
bypass="AzureServices",
default_action="Allow",
),
sku=azure_native.keyvault.SkuArgs(
family="A",
name="Premium",
),
tenant_id=tenant_id,
),
resource_group_name=resource_group.name,
vault_name="Ish5booweur",
tags={'ENV': 'test'},
)
storage_key = azure_native.keyvault.Key("storage-encryption-key",
key_name="storage-encryption-key",
properties=azure_native.keyvault.KeyPropertiesArgs(
kty="RSA-HSM",
key_size=4096,
),
resource_group_name=resource_group.name,
vault_name=key_vault.name,
tags={'ENV': 'test'},
)
storage_account_managed_identity = azure_native.managedidentity.UserAssignedIdentity("storage-account-managed-id",
location="usgovvirginia",
resource_group_name=resource_group.name,
tags={'ENV': 'test'},
)
cmk_storage_account = azure_native.storage.StorageAccount("storeaccount01",
account_name="storeaccount01",
allow_blob_public_access=False,
encryption=azure_native.storage.EncryptionArgs(
require_infrastructure_encryption=True,
encryption_identity=azure_native.storage.EncryptionIdentityArgs(
encryption_user_assigned_identity=storage_account_managed_identity.id,
),
key_source="Microsoft.Keyvault",
key_vault_properties=azure_native.storage.KeyVaultPropertiesArgs(
key_name=storage_key.name,
key_vault_uri=key_vault.properties.vault_uri, # "<https://Ish5booweur.vault.usgovcloudapi.net/>",
),
services=azure_native.storage.EncryptionServicesArgs(
blob=azure_native.storage.EncryptionServiceArgs(
enabled=True,
key_type="Account",
),
file=azure_native.storage.EncryptionServiceArgs(
enabled=True,
key_type="Account",
),
),
),
identity=azure_native.storage.IdentityArgs(type="SystemAssigned"),
# identity=azure_native.storage.IdentityArgs(type="UserAssigned",
# user_assigned_identities={str(storage_account_managed_identity.id): {}},
# ),
kind="StorageV2",
location="usgovvirginia",
minimum_tls_version="TLS1_2",
network_rule_set=azure_native.storage.NetworkRuleSetArgs(bypass="AzureServices",
default_action="Deny",
),
resource_group_name=resource_group.name,
sku=azure_native.storage.SkuArgs(name="Standard_ZRS"),
tags={'ENV': 'test'},
)3 Views