feat: configure infrastructure encryption (#253)

Add variable `infrastructure_encryption_enabled` to allow enabling infrastructure encryption. Ref: https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable
equinor · Jan 28, 2025 · 79bb0bc · 79bb0bc
1 parent 4aca641
commit 79bb0bc
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 8 deletions.
diff --git a/main.tf b/main.tf
@@ -28,14 +28,17 @@ resource "azurerm_storage_account" "this" {
   account_replication_type = var.account_replication_type
   access_tier              = local.access_tier
 
-  https_traffic_only_enabled       = true
-  min_tls_version                  = "TLS1_2"
-  shared_access_key_enabled        = var.shared_access_key_enabled
-  public_network_access_enabled    = var.public_network_access_enabled
-  is_hns_enabled                   = var.is_hns_enabled
-  sftp_enabled                     = var.sftp_enabled
-  queue_encryption_key_type        = var.queue_encryption_key_type
-  table_encryption_key_type        = var.table_encryption_key_type
+  https_traffic_only_enabled    = true
+  min_tls_version               = "TLS1_2"
+  shared_access_key_enabled     = var.shared_access_key_enabled
+  public_network_access_enabled = var.public_network_access_enabled
+  is_hns_enabled                = var.is_hns_enabled
+  sftp_enabled                  = var.sftp_enabled
+
+  queue_encryption_key_type         = var.queue_encryption_key_type
+  table_encryption_key_type         = var.table_encryption_key_type
+  infrastructure_encryption_enabled = var.infrastructure_encryption_enabled
+
   allow_nested_items_to_be_public  = var.allow_blob_public_access
   cross_tenant_replication_enabled = var.cross_tenant_replication_enabled
   default_to_oauth_authentication  = var.default_to_oauth_authentication

diff --git a/tests/unit.tftest.hcl b/tests/unit.tftest.hcl
@@ -30,6 +30,11 @@ run "standard_gpv2_storage" {
     condition     = azurerm_storage_account.this.is_hns_enabled == false
     error_message = "Hierarchical namespace (HNS) enabled"
   }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == false
+    error_message = "Infrastructure encryption enabled"
+  }
 }
 
 run "standard_blob_storage" {
@@ -60,6 +65,11 @@ run "standard_blob_storage" {
     condition     = azurerm_storage_account.this.is_hns_enabled == false
     error_message = "Hierarchical namespace (HNS) enabled"
   }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == false
+    error_message = "Infrastructure encryption enabled"
+  }
 }
 
 run "standard_data_lake_storage" {
@@ -95,6 +105,11 @@ run "standard_data_lake_storage" {
     condition     = azurerm_storage_account.this.sftp_enabled == false
     error_message = "SSH File Transfer Protocol (SFTP) enabled"
   }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == false
+    error_message = "Infrastructure encryption enabled"
+  }
 }
 
 run "premium_gpv2_storage" {
@@ -125,6 +140,11 @@ run "premium_gpv2_storage" {
     condition     = azurerm_storage_account.this.is_hns_enabled == false
     error_message = "Hierarchical namespace (HNS) enabled"
   }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == false
+    error_message = "Infrastructure encryption enabled"
+  }
 }
 
 run "premium_file_storage" {
@@ -155,6 +175,11 @@ run "premium_file_storage" {
     condition     = azurerm_storage_account.this.is_hns_enabled == false
     error_message = "Hierarchical namespace (HNS) enabled"
   }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == false
+    error_message = "Infrastructure encryption enabled"
+  }
 }
 
 run "premium_data_lake_storage" {
@@ -190,6 +215,11 @@ run "premium_data_lake_storage" {
     condition     = azurerm_storage_account.this.sftp_enabled == false
     error_message = "SSH File Transfer Protocol (SFTP) enabled"
   }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == false
+    error_message = "Infrastructure encryption enabled"
+  }
 }
 
 run "premium_block_blob_storage" {
@@ -220,6 +250,11 @@ run "premium_block_blob_storage" {
     condition     = azurerm_storage_account.this.is_hns_enabled == false
     error_message = "Hierarchical namespace (HNS) enabled"
   }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == false
+    error_message = "Infrastructure encryption enabled"
+  }
 }
 
 run "network_rules_enabled" {
@@ -360,3 +395,21 @@ run "sftp_enabled" {
     error_message = "SSH File Transfer Protocol (SFTP) disabled"
   }
 }
+
+run "infrastructure_encryption_enabled" {
+  command = plan
+
+  variables {
+    account_name               = run.setup_tests.account_name
+    resource_group_name        = run.setup_tests.resource_group_name
+    location                   = run.setup_tests.location
+    log_analytics_workspace_id = run.setup_tests.log_analytics_workspace_id
+
+    infrastructure_encryption_enabled = true
+  }
+
+  assert {
+    condition     = azurerm_storage_account.this.infrastructure_encryption_enabled == true
+    error_message = "Infrastructure encryption disabled"
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -116,6 +116,13 @@ variable "table_encryption_key_type" {
   }
 }
 
+variable "infrastructure_encryption_enabled" {
+  description = "Should infrastructure encryption be enabled for this Storage account? When enabled, data is encrypted twice. Recommended for scenarios where doubly encrypting data is necessary for compliance requirements. For most other scenarios there is unlikely to be a benefit to using infrastructure encryption."
+  type        = bool
+  default     = false
+  nullable    = false
+}
+
 variable "allow_blob_public_access" {
   description = "Allow public access to this Blob Storage?"
   type        = bool