
Commit 4fc7003

committed
netapp_enable_cmk_encryption
Signed-off-by: Jeff Owens <[email protected]>
1 parent 62b0266 commit 4fc7003


4 files changed

+64
-2
lines changed

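--- a/main.tf
+++ b/main.tf
@@ -247,14 +247,18 @@ module "netapp" {
 resource_group_name = local.aks_rg.name
 location = var.location
 subnet_id = module.vnet.subnets["netapp"].id
-network_features = var.netapp_network_features
+network_features = var.netapp_enable_cmk_encryption ? "Standard" : var.netapp_network_features
 service_level = var.netapp_service_level
 size_in_tb = var.netapp_size_in_tb
 protocols = var.netapp_protocols
 volume_path = "${var.prefix}-${var.netapp_volume_path}"
 tags = var.tags
 allowed_clients = concat(module.vnet.subnets["aks"].address_prefixes, module.vnet.subnets["misc"].address_prefixes)
 depends_on = [module.vnet]
+
+netapp_enable_cmk_encryption = var.netapp_enable_cmk_encryption
+netapp_cmk_encryption_key_id = var.netapp_cmk_encryption_key_id
+netapp_cmk_encryption_key_uai = var.netapp_cmk_encryption_key_uai
 }
 
 data "external" "git_hash" {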
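Review bot: The ternary on the `network_features` line silently replaces the operator-supplied `var.netapp_network_features` with "Standard" whenever CMK encryption is enabled, and nothing in the hunk records why, so a reader who set that variable to something else will not understand why the plan ignores it. A one-line comment above it would make the override intentional, e.g. `# CMK encryption forces Standard network features; the configured value is overridden while it is enabled` — presumably this works around a provider or service constraint, which is worth naming in the comment if that is the case. The `module "netapp"` block opens before the hunk and the three new `netapp_*` arguments are passed straight through from root variables that default to null, so any required-when-enabled checking has to happen inside the module.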

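--- a/modules/azurerm_netapp/main.tf
+++ b/modules/azurerm_netapp/main.tf
@@ -10,6 +10,22 @@ resource "azurerm_netapp_account" "anf" {
 location = var.location
 resource_group_name = var.resource_group_name
 tags = var.tags
+
+dynamic "identity" {
+for_each = var.netapp_enable_cmk_encryption ? [1] : []
+content {
+type = "UserAssigned"
+identity_ids = [var.netapp_cmk_encryption_key_uai]
+}
+}
+}
+
+resource "azurerm_netapp_account_encryption" "anf" {
+count = var.netapp_enable_cmk_encryption ? 1 : 0
+
+netapp_account_id = azurerm_netapp_account.anf.id
+encryption_key = var.netapp_cmk_encryption_key_id
+user_assigned_identity_id = var.netapp_cmk_encryption_key_uai
 }
 
 resource "azurerm_netapp_pool" "anf" {
@@ -20,6 +36,10 @@ resource "azurerm_netapp_pool" "anf" {
 service_level = var.service_level
 size_in_tb = var.size_in_tb
 tags = var.tags
+
+depends_on = [
+azurerm_netapp_account_encryption.anf
+]
 }
 
 resource "azurerm_netapp_volume" "anf" {
@@ -49,6 +69,8 @@ resource "azurerm_netapp_volume" "anf" {
 }
 
 depends_on = [
-azurerm_netapp_pool.anf
+azurerm_netapp_pool.anf,
+azurerm_netapp_account_encryption.anf
 ]
 }
+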
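Review bot: `azurerm_netapp_account_encryption.anf` is created whenever `netapp_enable_cmk_encryption` is true, but nothing in the hunk checks that `netapp_cmk_encryption_key_id` and `netapp_cmk_encryption_key_uai` were actually supplied — both default to null in the module's variables, so a misconfigured enable flag is only reported by the provider at apply time, after the account has been planned with `identity_ids = [null]`. A `lifecycle { precondition }` on the encryption resource (Terraform 1.2+) fails at plan with a message that names the missing inputs. The new `depends_on` entries in the pool and volume hunks would also benefit from a one-line comment saying why the ordering matters, e.g. `# Encryption must be configured on the account before pools/volumes are created` — presumably that is the reason for the explicit edges, and the volume's edge to the encryption resource is already implied transitively through the pool. The `azurerm_netapp_account` resource opens before the first hunk.
```hcl
resource "azurerm_netapp_account_encryption" "anf" {
  count = var.netapp_enable_cmk_encryption ? 1 : 0
  # … unchanged: netapp_account_id, encryption_key, user_assigned_identity_id …

  lifecycle {
    precondition {
      condition     = var.netapp_cmk_encryption_key_id != null && var.netapp_cmk_encryption_key_uai != null
      error_message = "netapp_cmk_encryption_key_id and netapp_cmk_encryption_key_uai must be set when netapp_enable_cmk_encryption is true."
    }
  }
}
```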

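--- a/modules/azurerm_netapp/variables.tf
+++ b/modules/azurerm_netapp/variables.tf
@@ -55,6 +55,24 @@ variable "allowed_clients" {
 default = ["0.0.0.0/0"]
 }
 
+variable "netapp_enable_cmk_encryption" {
+description = "Setting this variable to true enables CMK encryption on the netapp account. Only relevant when storage_type=ha."
+type = bool
+default = false
+}
+
+variable "netapp_cmk_encryption_key_id" {
+description = "The ID of the key in keyvault to Encrypt ANF with (i.e. https://<keyvault-name>.vault.azure.net/keys/<key-name>). Must exist before running terraform. Only relevant when storage_type=ha. Required if enable_anf_cmk_encryption is true."
+type = string
+default = null
+}
+
+variable "netapp_cmk_encryption_key_uai" {
+description = "The user assigned identity that will be used to access the key (i.e. /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uai name>). Must exist and have Key Vault Crypto Service Encryption User permission on the keyvault before running terraform. Only relevant when storage_type=ha. Required if enable_anf_cmk_encryption is true."
+type = string
+default = null
+}
+
 variable "tags" {
 description = "Map of tags to be placed on the Resources"
 type = map(any)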
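Review bot: The descriptions of `netapp_cmk_encryption_key_id` and `netapp_cmk_encryption_key_uai` end with "Required if enable_anf_cmk_encryption is true", but the flag introduced in the same hunk is named `netapp_enable_cmk_encryption`; the identical stale name appears in the root `variables.tf` hunk of this commit. Suggest `Required if netapp_enable_cmk_encryption is true.` in all four descriptions so operators can grep for the real variable. Because both variables default to null and carry no `validation` block, that requirement is documentation-only here; the consuming module is where a plan-time check on the null values belongs.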

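--- a/variables.tf
+++ b/variables.tf
@@ -528,6 +528,24 @@ variable "netapp_network_features" {
 }
 }
 
+variable "netapp_enable_cmk_encryption" {
+description = "Setting this variable to true enables CMK encryption on the netapp account. Only relevant when storage_type=ha."
+type = bool
+default = false
+}
+
+variable "netapp_cmk_encryption_key_id" {
+description = "The ID of the key in keyvault to Encrypt ANF with (i.e. https://<keyvault-name>.vault.azure.net/keys/<key-name>). Must exist before running terraform. Only relevant when storage_type=ha. Required if enable_anf_cmk_encryption is true."
+type = string
+default = null
+}
+
+variable "netapp_cmk_encryption_key_uai" {
+description = "The user assigned identity that will be used to access the key (i.e. /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uai name>). Must exist and have Key Vault Crypto Service Encryption User permission on the keyvault before running terraform. Only relevant when storage_type=ha. Required if enable_anf_cmk_encryption is true."
+type = string
+default = null
+}
+
 variable "node_pools_availability_zone" {
 description = "Specifies a Availability Zone in which the Kubernetes Cluster Node Pool should be located."
 type = string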
