Deploying storage account with CMK

[Koalion]

Hello,

I wanted to deploy a storage account, that has a CMK (Customer managed key) encryption enabled. I found out that the API prohibits that from happening at deployment time. I found an ARM template that achieves that, using nested resources. So basically it deploys the storage account, then key vault with proper access policy from storage accounts MI and then updates the storage account with CMK encryption, all in one template. But i couldn't find any way to implement that in Bicep. DependsOn doesnt accept the fact that two resources have the same name, and parent doesn't accept the fact that's it not actually a child resource.

I also found out that i can do it through powershell, but didnt find a way to include that in bicep (as i understand that's not the point of using bicep in the first place).

So, after this a little too long introduction, my main goal is to have a single deployment file/module for a storage account that encrypts it using CMK. Could you guys point me in the correct direction/bicep feature to achieve something like this?

[anthony-c-martin]

ARM templates are subject to the same limitation around not being able to deploy the same resource twice in a single template. The example you shared from StackOverflow uses a nested deployment to work around this fact. You should be able to achieve the same in Bicep with the following by using modules.

Here I've decompiled and cleaned up the StackOverflow sample:

• main.bicep

  param keyName string = ''
  param keyVersion string = ''
  param vaultName string = ''
  param location string = resourceGroup().location
  param accountName string = 'tetsdfgfgdffd'
  
  resource storageAcc 'Microsoft.Storage/storageAccounts@2019-06-01' = {
    sku: {
      name: 'Standard_LRS'
      tier: 'Standard'
    }
    kind: 'Storage'
    name: accountName
    location: location
    identity: {
      type: 'SystemAssigned'
    }
    properties: {
      supportsHttpsTrafficOnly: true
    }
    dependsOn: []
  }
  
  resource keyVault 'Microsoft.KeyVault/vaults@2016-10-01' = {
    name: vaultName
    location: 'eastasia'
    properties: {
      sku: {
        family: 'A'
        name: 'standard'
      }
      tenantId: subscription().tenantId
      accessPolicies: []
      enabledForDeployment: true
      enabledForDiskEncryption: true
      enabledForTemplateDeployment: true
      enableSoftDelete: true
    }
  }
  
  module updateStorageAccount './enableEncryption.bicep' = {
    name: 'updateStorageAccount'
    params: {
      msiObjectId: storageAcc.identity.principalId
      vaultUri: keyVault.properties.vaultUri
      vaultName: vaultName
      accountName: accountName
      location: location
      keyName: keyName
      keyversion: keyVersion
    }
  }

• enableEncryption.bicep

  param msiObjectId string
  param vaultUri string
  param vaultName string
  param accountName string
  param location string
  param keyName string
  param keyversion string
  
  resource keyVaultAddPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
    name: '${vaultName}/add'
    properties: {
      accessPolicies: [
        {
          tenantId: subscription().tenantId
          objectId: msiObjectId
          permissions: {
            keys: [
              'wrapKey'
              'unwrapKey'
              'get'
            ]
            secrets: []
            certificates: []
          }
        }
      ]
    }
  }
  
  resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' = {
    name: accountName
    location: location
    sku: {
      name: 'Standard_LRS'
      tier: 'Standard'
    }
    kind: 'Storage'
    identity: {
      type: 'SystemAssigned'
    }
    properties: {
      encryption: {
        services: {
          file: {
            enabled: true
          }
          blob: {
            enabled: true
          }
        }
        keySource: 'Microsoft.Keyvault'
        keyvaultproperties: {
          keyvaulturi: vaultUri
          keyname: keyName
          keyversion: keyversion
        }
      }
    }
    dependsOn: [
      keyVaultAddPolicy
    ]
  }

[Koalion]

Thank you! I implemented that in my scenario and it works just fine. What i've stumbled upon is that when i do a 'what-if' deployment, then it doesn't show me the module output, only from the resources from the main file, is there some workaround for that?

[alex-frankel]

This is a known issue that we are looking to resolve this semester:
Azure/arm-template-whatif#157

[Koalion]

Thank you both for all your help :)