
Commit 3d6eed1

Fixed EncryptionIdentity and Storage Account Identity generation
1 parent 065c651 commit 3d6eed1


1 file changed

+49
-31
lines changed


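--- a/pkg/infrastructure/azure/storage.go
+++ b/pkg/infrastructure/azure/storage.go
@@ -81,23 +81,25 @@ func CreateStorageAccount(ctx context.Context, in *CreateStorageAccountInput) (*
 return nil, fmt.Errorf("failed to get storage account factory %w", err)
 }
 
-logrus.Debugf("Generating Encrytption for Storage Account using Customer Managed Key")
-encryption, err := GenerateStorageAccountEncryption(
-ctx,
-&CustomerManagedKeyInput{
-SubscriptionID: in.SubscriptionID,
-ResourceGroupName: in.ResourceGroupName,
-CustomerManagedKey: in.CustomerManagedKey,
-TokenCredential: in.TokenCredential,
-},
-)
-if err != nil {
-return nil, fmt.Errorf("error generating encryption information for provided customer managed key: %w", err)
-}
-
 sku := armstorage.SKU{
 Name: to.Ptr(armstorage.SKUNameStandardLRS),
 }
+accountCreateParameters := armstorage.AccountCreateParameters{
+Identity: nil,
+Kind: to.Ptr(armstorage.KindStorageV2),
+Location: to.Ptr(in.Region),
+SKU: &sku,
+Properties: &armstorage.AccountPropertiesCreateParameters{
+AllowBlobPublicAccess: to.Ptr(true),
+AllowSharedKeyAccess: to.Ptr(true),
+IsLocalUserEnabled: to.Ptr(true),
+LargeFileSharesState: to.Ptr(armstorage.LargeFileSharesStateEnabled),
+PublicNetworkAccess: to.Ptr(armstorage.PublicNetworkAccessEnabled),
+MinimumTLSVersion: &minimumTLSVersion,
+},
+Tags: in.Tags,
+}
+
 if in.CustomerManagedKey != nil && in.CustomerManagedKey.KeyVault.Name != "" {
 // When encryption is enabled, Ignition is is stored as a page blob
 // (and not a block blob). To support this case, `Kind` can continue to be
@@ -106,6 +108,32 @@ func CreateStorageAccount(ctx context.Context, in *CreateStorageAccountInput) (*
 sku = armstorage.SKU{
 Name: to.Ptr(armstorage.SKUNamePremiumLRS),
 }
+identity := armstorage.Identity{
+Type: to.Ptr(armstorage.IdentityTypeUserAssigned),
+UserAssignedIdentities: map[string]*armstorage.UserAssignedIdentity{
+fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s",
+in.SubscriptionID,
+in.CustomerManagedKey.KeyVault.ResourceGroup,
+in.CustomerManagedKey.UserAssignedIdentityKey,
+): {},
+},
+}
+logrus.Debugf("Generating Encrytption for Storage Account using Customer Managed Key")
+encryption, err := GenerateStorageAccountEncryption(
+ctx,
+&CustomerManagedKeyInput{
+SubscriptionID: in.SubscriptionID,
+ResourceGroupName: in.ResourceGroupName,
+CustomerManagedKey: in.CustomerManagedKey,
+TokenCredential: in.TokenCredential,
+},
+)
+if err != nil {
+return nil, fmt.Errorf("error generating encryption information for provided customer managed key: %w", err)
+}
+accountCreateParameters.Identity = &identity
+accountCreateParameters.SKU = &sku
+accountCreateParameters.Properties.Encryption = encryption
 }
 
 logrus.Debugf("Creating storage account")
@@ -114,21 +142,7 @@ func CreateStorageAccount(ctx context.Context, in *CreateStorageAccountInput) (*
 ctx,
 in.ResourceGroupName,
 in.StorageAccountName,
-armstorage.AccountCreateParameters{
-Kind: to.Ptr(armstorage.KindStorageV2),
-Location: to.Ptr(in.Region),
-SKU: &sku,
-Properties: &armstorage.AccountPropertiesCreateParameters{
-AllowBlobPublicAccess: to.Ptr(true),
-AllowSharedKeyAccess: to.Ptr(true),
-IsLocalUserEnabled: to.Ptr(true),
-LargeFileSharesState: to.Ptr(armstorage.LargeFileSharesStateEnabled),
-PublicNetworkAccess: to.Ptr(armstorage.PublicNetworkAccessEnabled),
-MinimumTLSVersion: &minimumTLSVersion,
-Encryption: encryption,
-},
-Tags: in.Tags,
-},
+accountCreateParameters,
 nil,
 )
 if err != nil {
@@ -434,7 +448,7 @@ func GenerateStorageAccountEncryption(ctx context.Context, in *CustomerManagedKe
 logrus.Debugf("Generating Encryption for Storage Account")
 
 if in.CustomerManagedKey == nil {
-logrus.Debugf("No Customer Managed Key. So, Encryption not enabled on storage account.")
+logrus.Debugf("No Customer Managed Key provided. So, Encryption not enabled on storage account.")
 return &armstorage.Encryption{}, nil
 }
 
@@ -487,7 +501,11 @@ func GenerateStorageAccountEncryption(ctx context.Context, in *CustomerManagedKe
 },
 },
 EncryptionIdentity: &armstorage.EncryptionIdentity{
-EncryptionUserAssignedIdentity: &in.CustomerManagedKey.UserAssignedIdentityKey,
+EncryptionUserAssignedIdentity: to.Ptr(fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s",
+in.SubscriptionID,
+in.CustomerManagedKey.KeyVault.ResourceGroup,
+in.CustomerManagedKey.UserAssignedIdentityKey,
+)),
 },
 KeySource: &keySource,
 KeyVaultProperties: &armstorage.KeyVaultProperties{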
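Review bot: The user-assigned identity's ARM resource ID is now built from the same fmt.Sprintf format string in two places — the `UserAssignedIdentities` map key in CreateStorageAccount (second hunk) and `EncryptionUserAssignedIdentity` in GenerateStorageAccountEncryption (last hunk) — and the storage account identity and the encryption identity have to name the same resource for key access to work, so one helper both sites call would keep them from drifting. Both sites also assume the identity lives in the key vault's resource group (`in.CustomerManagedKey.KeyVault.ResourceGroup`) and that `UserAssignedIdentityKey` is a bare identity name, whereas the removed line 490 passed that field through as the identity value directly; it is worth stating that contract on the CustomerManagedKey field comment, or rejecting a value that already starts with `/subscriptions/` so a caller passing a full ID does not get a double-prefixed path. As a style point, `Identity: nil` in the `accountCreateParameters` literal is the zero value and can be dropped, and `accountCreateParameters.SKU = &sku` stores the pointer that `SKU: &sku` already set. Both enclosing functions start and end outside the hunks.
```go
// userAssignedIdentityID returns the ARM resource ID of a user-assigned
// managed identity. The storage account identity and the encryption identity
// must refer to the same resource, so both call sites build the ID here.
func userAssignedIdentityID(subscriptionID, resourceGroup, name string) string {
	return fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s",
		subscriptionID, resourceGroup, name)
}

// … in CreateStorageAccount, unchanged: premium SKU selection …
identity := armstorage.Identity{
	Type: to.Ptr(armstorage.IdentityTypeUserAssigned),
	UserAssignedIdentities: map[string]*armstorage.UserAssignedIdentity{
		userAssignedIdentityID(in.SubscriptionID, in.CustomerManagedKey.KeyVault.ResourceGroup, in.CustomerManagedKey.UserAssignedIdentityKey): {},
	},
}

// … in GenerateStorageAccountEncryption, unchanged: Services / KeySource / KeyVaultProperties …
EncryptionIdentity: &armstorage.EncryptionIdentity{
	EncryptionUserAssignedIdentity: to.Ptr(userAssignedIdentityID(in.SubscriptionID, in.CustomerManagedKey.KeyVault.ResourceGroup, in.CustomerManagedKey.UserAssignedIdentityKey)),
},
```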
