Storage accounts should use infrastructure encryption

[SvenAelterman]

Description

As a TRE Administrator
I want to deploy TRE in a manner compliant with common regulatory frameworks, like NIST SP 800-171 R2 and Microsoft's built-in compliance initiatives for those frameworks
So that research takes place in a compliant environment

Acceptance criteria

• New TRE deployments' storage accounts use infrastructure encryption
• Existing TRE deployments are not modified

Notes

Existing storage accounts cannot be updated to support infrastructure encryption. A feature flag at the core TRE level might be required so that existing storage accounts aren't attempted to be upgraded. Perhaps this could also be accomplished with Terraform ignore statements, but I don't know those very well.

[jonnyry]

Hi @SvenAelterman @marrobi

I'm about to look at this one for our TRE instance, since we would like infrastructure encryption turned on.

Was planning to do something along the lines of:

resource "azurerm_storage_account" "stg" {

  ...

  infrastructure_encryption_enabled = true
  lifecycle { ignore_changes = [infrastructure_encryption_enabled] }
}

So essentially enabling infrastructure encryption on initial storage account creation, however if the storage account has already been created prior to the change, then it won't be enabled. (It's not possible to enable once created without destroying and recreating the storage account.)

@marrobi Would this be acceptable for a PR?

Should an additional build variable be introduced as well to control the default behaviour on initial creation? Such as ENABLE_SA_INFRASTRUCTURE_ENCRYPTION=false

Thanks

[marrobi]

@yuvalyaron does this overlap with the CMLK work #4002 that you have in progress?

@jonnyry I can't think of a reason it wouldn't want to be turned on, I presume its compatible with CMK. @SvenAelterman any ideas? As long as no errors or risk of terraform recreating the storage account when it's turned on (main concern), lets always have it on, otherwise need to have the config flag with default to false.

[yuvalyaron]

@marrobi I don't think there's an overlap, and they can coexist.
However, as mentioned here, changing this will force the creation of a new resource:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_encryption_scope#infrastructure_encryption_required-1

[jonnyry]

@marrobi OK thanks, I will draft something locally with the following pattern and test on an existing TRE instance that was spun up before the change:

resource "azurerm_storage_account" "stg" {

  ...

  infrastructure_encryption_enabled = true
  lifecycle { ignore_changes = [infrastructure_encryption_enabled] }
}

We could also add this as a double protection against storage account deletion, however this would be problematic for workspaces/workspace services etc since it would prevent them being deleted:

  lifecycle {
    prevent_destroy = true
  }