Add CMK encryption support for Azure Container Registry (ACR) and Service Bus (#4178)

* change cmk name to include tre-id + add dependency to one of the stg accounts * add cmk for ACR and service bus * add null default for acr_sku * bump core version to 0.11.8 * revert mistake
2024-12-11 11:44:27 +02:00 · 2024-12-11 11:44:27 +02:00 · 6146484201
--- a/core/terraform/cmk_encryption.tf
+++ b/core/terraform/cmk_encryption.tf
@ -20,7 +20,7 @@ resource "azurerm_role_assignment" "kv_encryption_key_user" {
 resource "azurerm_key_vault_key" "tre_encryption" {
  count = var.enable_cmk_encryption ? 1 : 0

-  name         = var.kv_encryption_key_name
+  name         = local.cmk_name
  key_vault_id = local.key_store_id
  key_type     = "RSA"
  key_size     = 2048
--- a/core/terraform/locals.tf
+++ b/core/terraform/locals.tf
@ -43,4 +43,6 @@ locals {

  # The key store for encryption keys could either be external or created by terraform
  key_store_id = var.enable_cmk_encryption ? (var.external_key_store_id != null ? var.external_key_store_id : data.azurerm_key_vault.encryption_kv[0].id) : ""
+
+  cmk_name = "tre-encryption-${var.tre_id}"
 }
--- a/core/terraform/main.tf
+++ b/core/terraform/main.tf
@ -79,7 +79,7 @@ module "azure_monitor" {
  enable_local_debugging                   = var.enable_local_debugging
  enable_cmk_encryption                    = var.enable_cmk_encryption
  key_store_id                             = local.key_store_id
-  kv_encryption_key_name                   = var.kv_encryption_key_name
+  kv_encryption_key_name                   = local.cmk_name
  encryption_identity_id                   = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null

  depends_on = [
@ -112,7 +112,7 @@ module "appgateway" {

  enable_cmk_encryption  = var.enable_cmk_encryption
  key_store_id           = local.key_store_id
-  kv_encryption_key_name = var.kv_encryption_key_name
+  kv_encryption_key_name = local.cmk_name
  encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null

  depends_on = [
@ -152,7 +152,7 @@ module "airlock_resources" {
  myip                   = local.myip
  enable_cmk_encryption  = var.enable_cmk_encryption
  key_store_id           = local.key_store_id
-  kv_encryption_key_name = var.kv_encryption_key_name
+  kv_encryption_key_name = local.cmk_name
  encryption_identity_id = var.enable_cmk_encryption ? azurerm_user_assigned_identity.encryption[0].id : null

  depends_on = [
@ -192,7 +192,7 @@ module "resource_processor_vmss_porter" {
  rp_bundle_values                                 = var.rp_bundle_values
  enable_cmk_encryption                            = var.enable_cmk_encryption
  key_store_id                                     = local.key_store_id
-  kv_encryption_key_name                           = var.kv_encryption_key_name
+  kv_encryption_key_name                           = local.cmk_name

  depends_on = [
    module.network,
--- a/core/terraform/servicebus.tf
+++ b/core/terraform/servicebus.tf
@ -29,6 +29,22 @@ resource "azurerm_servicebus_namespace" "sb" {
    }
  }

+  dynamic "customer_managed_key" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      key_vault_key_id = azurerm_key_vault_key.tre_encryption[0].id
+      identity_id      = azurerm_user_assigned_identity.encryption[0].id
+    }
+  }
+
+  dynamic "identity" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      type         = "UserAssigned"
+      identity_ids = [azurerm_user_assigned_identity.encryption[0].id]
+    }
+  }
+
  lifecycle { ignore_changes = [tags] }
 }

--- a/core/terraform/storage.tf
+++ b/core/terraform/storage.tf
@ -80,10 +80,11 @@ resource "azurerm_storage_account_customer_managed_key" "encryption" {
  count                     = var.enable_cmk_encryption ? 1 : 0
  storage_account_id        = azurerm_storage_account.stg.id
  key_vault_id              = local.key_store_id
-  key_name                  = var.kv_encryption_key_name
+  key_name                  = local.cmk_name
  user_assigned_identity_id = azurerm_user_assigned_identity.encryption[0].id

  depends_on = [
-    azurerm_role_assignment.kv_encryption_key_user[0]
+    azurerm_role_assignment.kv_encryption_key_user[0],
+    azurerm_key_vault_key.tre_encryption[0]
  ]
 }
--- a/core/terraform/variables.tf
+++ b/core/terraform/variables.tf
@ -241,10 +241,3 @@ variable "encryption_kv_name" {
  description = "Name of Key Vault for encryption keys, required only if external_key_store_id is not set (only used if enable_cmk_encryption is true)"
  default     = null
 }
-
-variable "kv_encryption_key_name" {
-  type        = string
-  description = "Name of Key Vault Encryption Key (only used if enable_cmk_encryption is true)"
-  default     = "tre-encryption"
-}
-
--- a/core/version.txt
+++ b/core/version.txt
@ -1 +1 @@
-__version__ = "0.11.7"
+__version__ = "0.11.8"
--- a/devops/terraform/main.tf
+++ b/devops/terraform/main.tf
@ -65,9 +65,27 @@ resource "azurerm_container_registry" "shared_acr" {
  name                = var.acr_name
  resource_group_name = azurerm_resource_group.mgmt.name
  location            = azurerm_resource_group.mgmt.location
-  sku                 = var.acr_sku
+  sku                 = var.acr_sku != null ? var.acr_sku : (var.enable_cmk_encryption ? "Premium" : "Standard")
  admin_enabled       = true

+  dynamic "identity" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      type         = "UserAssigned"
+      identity_ids = [azurerm_user_assigned_identity.tre_mgmt_encryption[0].id]
+    }
+  }
+
+  dynamic "encryption" {
+    for_each = var.enable_cmk_encryption ? [1] : []
+    content {
+      enabled            = true
+      key_vault_key_id   = azurerm_key_vault_key.tre_mgmt_encryption[0].id
+      identity_client_id = azurerm_user_assigned_identity.tre_mgmt_encryption[0].client_id
+    }
+
+  }
+
  lifecycle { ignore_changes = [tags] }
 }

--- a/devops/terraform/variables.tf
+++ b/devops/terraform/variables.tf
@ -15,8 +15,8 @@ variable "location" {

 variable "acr_sku" {
  type        = string
-  default     = "Standard"
  description = "Price tier for ACR"
+  default     = null
 }

 variable "acr_name" {
@ -45,5 +45,5 @@ variable "encryption_kv_name" {
 variable "kv_mgmt_encryption_key_name" {
  type        = string
  description = "Name of Key Vault Encryption Key for management resources (only used if enable_cmk_encryption is true)"
-  default     = "tre-mgmt-encryption"
+  default     = "tre-encryption-mgmt"
 }
--- a/docs/tre-admins/customer-managed-keys.md
+++ b/docs/tre-admins/customer-managed-keys.md
@ -7,6 +7,9 @@ You can enable customer-managed keys (CMK) for supporting resources in Azure TRE
    CMK encryption is not supported for the rest of the resources such as those deployed by a TRE workspace.


+!!! caution
+    Currently, it is not possible to redeploy TRE with CMK enabled if it has previously been deployed without it. This is due to limitations of resources such as Azure Container Registry (ACR) that only allow enabling the CMK encryption at the time of resource creation.
+
 When enabled, CMK encryption provides an additional layer of encryption control for supported Azure resources within the TRE by allowing you to manage and control the encryption keys used to protect your data.

 To enable CMK encryption, set `enable_cmk_encryption: true` in the developer settings section of your `config.yaml` file.