Merge branch 'main' into jr/upstream-main/77-porter-build-context

core/terraform/airlock/airlock_processor.tf

@@ -24,6 +24,8 @@ resource "azurerm_storage_account" "sa_airlock_processor_func_app" {
   location                         = var.location
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
   tags                             = var.tre_core_tags

core/terraform/airlock/storage_accounts.tf

@@ -7,6 +7,8 @@ resource "azurerm_storage_account" "sa_import_external" {
   resource_group_name              = var.resource_group_name
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   cross_tenant_replication_enabled = false
 
   # Don't allow anonymous access (unrelated to the 'public' networking rules)
@@ -71,6 +73,8 @@ resource "azurerm_storage_account" "sa_export_approved" {
   resource_group_name              = var.resource_group_name
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   cross_tenant_replication_enabled = false
 
   # Don't allow anonymous access (unrelated to the 'public' networking rules)
@@ -135,6 +139,8 @@ resource "azurerm_storage_account" "sa_import_in_progress" {
   resource_group_name              = var.resource_group_name
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
 
@@ -229,6 +235,8 @@ resource "azurerm_storage_account" "sa_import_rejected" {
   resource_group_name              = var.resource_group_name
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
 
@@ -297,6 +305,8 @@ resource "azurerm_storage_account" "sa_import_blocked" {
   resource_group_name              = var.resource_group_name
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
 

core/terraform/appgateway/staticweb.tf

@@ -6,6 +6,8 @@ resource "azurerm_storage_account" "staticweb" {
   account_kind                     = "StorageV2"
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   enable_https_traffic_only        = true
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false

core/terraform/azure-monitor/azure-monitor.tf

@@ -20,6 +20,8 @@ resource "azurerm_storage_account" "az_monitor" {
   account_kind                     = "StorageV2"
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
   tags                             = var.tre_core_tags

core/terraform/storage.tf

@@ -4,6 +4,8 @@ resource "azurerm_storage_account" "stg" {
   location                         = azurerm_resource_group.core.location
   account_tier                     = "Standard"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   allow_nested_items_to_be_public  = false
   cross_tenant_replication_enabled = false
 

core/version.txt

@@ -1 +1 @@
-__version__ = "0.11.8"
+__version__ = "0.11.9"

devops/terraform/bootstrap.sh

@@ -12,11 +12,16 @@ az group create --resource-group "$TF_VAR_mgmt_resource_group_name" --location "
 if ! az storage account show --resource-group "$TF_VAR_mgmt_resource_group_name" --name "$TF_VAR_mgmt_storage_account_name" --query "name" -o none 2>/dev/null; then
   # only run `az storage account create` if doesn't exist (to prevent error from occuring if storage account was originally created without infrastructure encryption enabled)
 
+  # Set default encryption types based on enable_cmk
+  encryption_type=$([ "${TF_VAR_enable_cmk_encryption:-false}" = true ] && echo "Account" || echo "Service")
+
   # shellcheck disable=SC2154
   az storage account create --resource-group "$TF_VAR_mgmt_resource_group_name" \
     --name "$TF_VAR_mgmt_storage_account_name" --location "$LOCATION" \
     --allow-blob-public-access false \
     --kind StorageV2 --sku Standard_LRS -o table \
+    --encryption-key-type-for-queue "$encryption_type" \
+    --encryption-key-type-for-table "$encryption_type" \
     --require-infrastructure-encryption true
 else
   echo "Storage account already exists..."

devops/terraform/main.tf

@@ -27,6 +27,8 @@ resource "azurerm_storage_account" "state_storage" {
   account_tier                     = "Standard"
   account_kind                     = "StorageV2"
   account_replication_type         = "LRS"
+  table_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
+  queue_encryption_key_type        = var.enable_cmk_encryption ? "Account" : "Service"
   cross_tenant_replication_enabled = false
   allow_nested_items_to_be_public  = false
   shared_access_key_enabled        = false