feat: Updated Storage-Account CMK Implementation (Azure#3853)
## Description

- Updated Storage-Account CMK Implementation
- Implemented AVM-Common-Types

Linked to
- Update CMK implementations as per Azure#2842 (comment)
- Docs Update: Azure/Azure-Verified-Modules#1683
- UDT update: Azure#3724

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
| [![avm.res.storage.storage-account](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml/badge.svg?branch=users%2Falsehr%2FcmkUpdateStorageAccount&event=workflow_dispatch)](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml) |

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting changes)
- [x] Azure Verified Module updates:
  - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [ ] Update to documentation
AlexanderSehr authored Dec 12, 2024
1 parent 978f70d commit 937f1c0
Showing 23 changed files with 166 additions and 147 deletions.
13 changes: 11 additions & 2 deletions avm/res/storage/storage-account/README.md
Expand Up @@ -3306,7 +3306,8 @@ The customer managed key definition.

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. |
| [`autoRotationEnabled`](#parameter-customermanagedkeyautorotationenabled) | bool | Enable or disable auto-rotating to the latest key version. Default is `true`. If set to `false`, the latest key version at the time of the deployment is used. |
| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using version as per 'autoRotationEnabled' setting. |
| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. |

### Parameter: `customerManagedKey.keyName`
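Review bot: the new `keyVersion` description ("If not provided, using version as per 'autoRotationEnabled' setting.") is ungrammatical and leaves the precedence between the two settings implicit. Suggest "If not provided, the version is determined by the `autoRotationEnabled` setting." and add one sentence stating that an explicitly set `keyVersion` always takes precedence over `autoRotationEnabled`, since the table otherwise reads as if both apply at once. The same sentence is repeated in the `customerManagedKey.keyVersion` parameter section further down and should be changed in both places.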
Expand All @@ -3323,9 +3324,16 @@ The resource ID of a key vault to reference a customer managed key for encryptio
- Required: Yes
- Type: string

### Parameter: `customerManagedKey.autoRotationEnabled`

Enable or disable auto-rotating to the latest key version. Default is `true`. If set to `false`, the latest key version at the time of the deployment is used.

- Required: No
- Type: bool

### Parameter: `customerManagedKey.keyVersion`

The version of the customer managed key to reference for encryption. If not provided, using 'latest'.
The version of the customer managed key to reference for encryption. If not provided, using version as per 'autoRotationEnabled' setting.

- Required: No
- Type: string
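Review bot: the `autoRotationEnabled` text says that with `false` "the latest key version at the time of the deployment is used", but it should also tell the operator what that implies: the storage account stays pinned to that version after the key is rotated in Key Vault, and picking up a new version requires a redeployment. A pinned version that is later disabled or expired in Key Vault makes the account's data unreadable, so the README should spell out that `false` trades automatic rotation for an explicit redeploy step, and that `true` (the default) is the setting that keeps the account aligned with the current key version.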
Expand Down Expand Up @@ -4485,6 +4493,7 @@ This section gives you an overview of all local-referenced module files (i.e., o
| :-- | :-- |
| `br/public:avm/res/network/private-endpoint:0.7.1` | Remote reference |
| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference |
| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference |

## Notes

2 changes: 1 addition & 1 deletion avm/res/storage/storage-account/blob-service/README.md
Expand Up @@ -341,4 +341,4 @@ This section gives you an overview of all local-referenced module files (i.e., o

| Reference | Type |
| :-- | :-- |
| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference |
| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference |
Expand Up @@ -273,4 +273,4 @@ This section gives you an overview of all local-referenced module files (i.e., o

| Reference | Type |
| :-- | :-- |
| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference |
| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference |
Expand Up @@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "17642721918788484059"
"version": "0.31.92.45157",
"templateHash": "377117240673904242"
},
"name": "Storage Account Blob Container Immutability Policies",
"description": "This module deploys a Storage Account Blob Container Immutability Policy.",
Expand Up @@ -44,7 +44,7 @@ param metadata object = {}
@description('Optional. Specifies whether data in the container may be accessed publicly and the level of access.')
param publicAccess string = 'None'

import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. Array of role assignments to create.')
param roleAssignments roleAssignmentType[]?

10 changes: 5 additions & 5 deletions avm/res/storage/storage-account/blob-service/container/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "2340678191837281561"
"version": "0.31.92.45157",
"templateHash": "13866122608356514480"
},
"name": "Storage Account Blob Containers",
"description": "This module deploys a Storage Account Blob Container.",
Expand Down Expand Up @@ -84,7 +84,7 @@
"metadata": {
"description": "An AVM-aligned type for a role assignment.",
"__bicep_imported_from!": {
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
}
}
}
Expand Down Expand Up @@ -301,8 +301,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "17642721918788484059"
"version": "0.31.92.45157",
"templateHash": "377117240673904242"
},
"name": "Storage Account Blob Container Immutability Policies",
"description": "This module deploys a Storage Account Blob Container Immutability Policy.",
2 changes: 1 addition & 1 deletion avm/res/storage/storage-account/blob-service/main.bicep
Expand Up @@ -61,7 +61,7 @@ param restorePolicyDays int = 6
@description('Optional. Blob containers to create.')
param containers array?

import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. The diagnostic settings of the service.')
param diagnosticSettings diagnosticSettingFullType[]?

16 changes: 8 additions & 8 deletions avm/res/storage/storage-account/blob-service/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "12420339026638684809"
"version": "0.31.92.45157",
"templateHash": "13498928590492156888"
},
"name": "Storage Account blob Services",
"description": "This module deploys a Storage Account Blob Service.",
Expand Down Expand Up @@ -131,7 +131,7 @@
"metadata": {
"description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
"__bicep_imported_from!": {
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
}
}
}
Expand Down Expand Up @@ -412,8 +412,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "2340678191837281561"
"version": "0.31.92.45157",
"templateHash": "13866122608356514480"
},
"name": "Storage Account Blob Containers",
"description": "This module deploys a Storage Account Blob Container.",
Expand Down Expand Up @@ -491,7 +491,7 @@
"metadata": {
"description": "An AVM-aligned type for a role assignment.",
"__bicep_imported_from!": {
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
}
}
}
Expand Down Expand Up @@ -708,8 +708,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "17642721918788484059"
"version": "0.31.92.45157",
"templateHash": "377117240673904242"
},
"name": "Storage Account Blob Container Immutability Policies",
"description": "This module deploys a Storage Account Blob Container Immutability Policy.",
2 changes: 1 addition & 1 deletion avm/res/storage/storage-account/file-service/README.md
Expand Up @@ -239,4 +239,4 @@ This section gives you an overview of all local-referenced module files (i.e., o

| Reference | Type |
| :-- | :-- |
| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference |
| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference |
2 changes: 1 addition & 1 deletion avm/res/storage/storage-account/file-service/main.bicep
Expand Up @@ -18,7 +18,7 @@ param shareDeleteRetentionPolicy object = {
days: 7
}

import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. The diagnostic settings of the service.')
param diagnosticSettings diagnosticSettingFullType[]?

16 changes: 8 additions & 8 deletions avm/res/storage/storage-account/file-service/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "11334292387756483860"
"version": "0.31.92.45157",
"templateHash": "652717210213575792"
},
"name": "Storage Account File Share Services",
"description": "This module deploys a Storage Account File Share Service.",
Expand Down Expand Up @@ -131,7 +131,7 @@
"metadata": {
"description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
"__bicep_imported_from!": {
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
}
}
}
Expand Down Expand Up @@ -292,8 +292,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "6729752654389555660"
"version": "0.31.92.45157",
"templateHash": "647440482037193710"
},
"name": "Storage Account File Shares",
"description": "This module deploys a Storage Account File Share.",
Expand Down Expand Up @@ -371,7 +371,7 @@
"metadata": {
"description": "An AVM-aligned type for a role assignment.",
"__bicep_imported_from!": {
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
}
}
}
Expand Down Expand Up @@ -505,8 +505,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "11498628270290452072"
"version": "0.31.92.45157",
"templateHash": "9505259635631318962"
}
},
"parameters": {
Expand Up @@ -229,4 +229,4 @@ This section gives you an overview of all local-referenced module files (i.e., o

| Reference | Type |
| :-- | :-- |
| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference |
| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference |
Expand Up @@ -39,7 +39,7 @@ param enabledProtocols string = 'SMB'
@description('Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares.')
param rootSquash string = 'NoRootSquash'

import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. Array of role assignments to create.')
param roleAssignments roleAssignmentType[]?

10 changes: 5 additions & 5 deletions avm/res/storage/storage-account/file-service/share/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "6729752654389555660"
"version": "0.31.92.45157",
"templateHash": "647440482037193710"
},
"name": "Storage Account File Shares",
"description": "This module deploys a Storage Account File Share.",
Expand Down Expand Up @@ -84,7 +84,7 @@
"metadata": {
"description": "An AVM-aligned type for a role assignment.",
"__bicep_imported_from!": {
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
"sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
}
}
}
Expand Down Expand Up @@ -218,8 +218,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "11498628270290452072"
"version": "0.31.92.45157",
"templateHash": "9505259635631318962"
}
},
"parameters": {
4 changes: 2 additions & 2 deletions avm/res/storage/storage-account/local-user/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.30.23.60470",
"templateHash": "4771770611168248415"
"version": "0.31.92.45157",
"templateHash": "13871524692494146314"
},
"name": "Storage Account Local Users",
"description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.",
22 changes: 12 additions & 10 deletions avm/res/storage/storage-account/main.bicep
Expand Up @@ -9,11 +9,11 @@ param name string
@description('Optional. Location for all resources.')
param location string = resourceGroup().location

import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. Array of role assignments to create.')
param roleAssignments roleAssignmentType[]?

import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. The managed identity definition for this resource.')
param managedIdentities managedIdentityAllType?

Expand Down Expand Up @@ -64,7 +64,7 @@ param defaultToOAuthAuthentication bool = false
@description('Optional. Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.')
param allowSharedKeyAccess bool = true

import { privateEndpointMultiServiceType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { privateEndpointMultiServiceType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
param privateEndpoints privateEndpointMultiServiceType[]?

Expand Down Expand Up @@ -138,11 +138,11 @@ param isLocalUserEnabled bool = false
@description('Optional. If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true.')
param enableNfsV3 bool = false

import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. The diagnostic settings of the service.')
param diagnosticSettings diagnosticSettingFullType[]?

import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. The lock settings of the service.')
param lock lockType?

Expand Down Expand Up @@ -171,9 +171,9 @@ param publicNetworkAccess string = ''
@description('Optional. Allows HTTPS traffic only to storage service if sets to true.')
param supportsHttpsTrafficOnly bool = true

import { customerManagedKeyType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
import { customerManagedKeyWithAutoRotateType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
@description('Optional. The customer managed key definition.')
param customerManagedKey customerManagedKeyType?
param customerManagedKey customerManagedKeyWithAutoRotateType?

@description('Optional. The SAS expiration period. DD.HH:MM:SS.')
param sasExpirationPeriod string = ''
Expand Down Expand Up @@ -393,9 +393,11 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = {
? {
keyname: customerManagedKey!.keyName
keyvaulturi: cMKKeyVault.properties.vaultUri
keyversion: !empty(customerManagedKey.?keyVersion ?? '')
keyversion: !empty(customerManagedKey.?keyVersion)
? customerManagedKey!.keyVersion
: last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
: (customerManagedKey.?autoRotationEnabled ?? true)
? null
: last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))
}
: null
identity: {
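Review bot: the default deployed state changes in this hunk and that is not reflected in the "Type of Change" checklist, where no MINOR or MAJOR item is ticked. Before the change, `keyversion` was always pinned to the deploy-time version (`last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))`) whenever `keyVersion` was not given; now, because `autoRotationEnabled` defaults to `true`, `keyversion` becomes `null` and the storage account follows the latest key version. Following the latest version is the safer default for key rotation, but consumers who relied on the pinned behaviour will see their encryption settings change on the next redeploy, so this needs a version bump and a release note. Two smaller points: the `?? ''` guard was dropped from the `empty()` test, so confirm the targeted Bicep version treats `empty(null)` as `true` (the compiled templates in this commit were generated with 0.31.92.45157); and the three-way nested ternary would be easier to review as a named variable, e.g. `var cMKKeyVersion = !empty(customerManagedKey.?keyVersion) ? customerManagedKey!.keyVersion : ...`, referenced from the `encryption` block.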
Expand Down Expand Up @@ -696,7 +698,7 @@ output primaryBlobEndpoint string = !empty(blobServices) && contains(blobService
: ''

@description('The principal ID of the system assigned identity.')
output systemAssignedMIPrincipalId string = storageAccount.?identity.?principalId ?? ''
output systemAssignedMIPrincipalId string? = storageAccount.?identity.?principalId

@description('The location the resource was deployed into.')
output location string = storageAccount.location
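Review bot: changing `systemAssignedMIPrincipalId` from `string` with an `''` fallback to `string?` alters the output contract. Callers that compared the output against `''`, or fed it directly into a role assignment `principalId`, will now receive `null` when no system-assigned identity exists; callers using `!empty(...)` keep working. This belongs in the same release note as the CMK default change, and the output's `@description` should mention that the value is null when the account has no system-assigned identity.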