Values for request parameters are invalid: properties.encryption.identity
Tommy-Ten opened this issue · 6 comments
Is there an existing issue for this?
- I have searched the existing issues
Greenfield/Brownfield provisioning
greenfield
Terraform Version
1.7.2
Module Version
0.1.1
AzureRM Provider Version
3.93.0
Affected Resource(s)/Data Source(s)
azurerm_storage_account_customer_managed_key
Terraform Configuration Files
Identity resources:
main.tf:
resource "azurerm_user_assigned_identity" "uami" {
  for_each            = local.identities
  resource_group_name = each.value.resource_group_name
  location            = each.value.location
  name                = each.value.name
}
locals.tf:
locals {
  identities = {
    staraw = {
      resource_group_name = var.resource_group_name
      location            = var.location
      name                = var.staraw_identity_name
    },
    staecu = {
      resource_group_name = var.resource_group_name
      location            = var.location
      name                = var.staecu_identity_name
    },
    stawks = {
      resource_group_name = var.resource_group_name
      location            = var.location
      name                = var.stawks_identity_name
    }
  }
}
outputs.tf:
output "identity_info" {
  description = "The resource IDs, names, and principal IDs of the user-assigned identities"
  value = {
    for i, identity in azurerm_user_assigned_identity.uami : "identity${i}" => {
      id           = identity.id
      name         = identity.name
      principal_id = identity.principal_id
    }
  }
}
AVM-RES storage account:
Module in main.tf:
module "avm-res-storage-storageaccount_int" {
  source   = "Azure/avm-res-storage-storageaccount/azurerm"
  for_each = local.int_storage_accounts
  version  = "0.1.1"

  account_kind              = each.value.account_kind
  account_replication_type  = each.value.account_replication_type
  account_tier              = each.value.account_tier
  allowed_copy_scope        = each.value.allowed_copy_scope
  blob_properties           = each.value.blob_properties
  customer_managed_key      = each.value.customer_managed_key
  enable_telemetry          = each.value.enable_telemetry
  is_hns_enabled            = each.value.is_hns_enabled
  name                      = each.key
  resource_group_name       = module.cog-res-resource-groups.data_resource_group_names["${module.naming_style.resource_group.name}-storage"]
  shared_access_key_enabled = each.value.shared_access_key_enabled

  depends_on = [module.cog-res-resource-groups, module.avm-res-keyvault-vault, module.cog-res-identity]
}
locals.tf:
locals {
  int_storage_accounts = {
    "sta${join("", var.company_prefix)}raw" = {
      account_kind             = "StorageV2"
      account_replication_type = "LRS"
      account_tier             = "Standard"
      allowed_copy_scope       = "AAD"
      blob_properties = {
        delete_retention_policy = {
          days = 7
        }
        last_access_time_enabled = false
      }
      customer_managed_key = {
        key_vault_resource_id              = module.avm-res-keyvault-vault[0].resource.id
        key_name                           = "${module.naming_style.key_vault_key.name}-raw"
        user_assigned_identity_resource_id = module.cog-res-identity.identity_info["identitystaraw"].id
      }
      enable_telemetry          = var.enable_telemetry
      is_hns_enabled            = true
      shared_access_key_enabled = false
    },
    "sta${join("", var.company_prefix)}ecu" = {
      account_kind             = "StorageV2"
      account_replication_type = "LRS"
      account_tier             = "Standard"
      allowed_copy_scope       = "AAD"
      blob_properties = {
        delete_retention_policy = {
          days = 7
        }
        last_access_time_enabled = false
      }
      customer_managed_key = {
        key_vault_resource_id              = module.avm-res-keyvault-vault[0].resource.id
        key_name                           = "${module.naming_style.key_vault_key.name}-ecu"
        user_assigned_identity_resource_id = module.cog-res-identity.identity_info["identitystaecu"].id
      }
      enable_telemetry          = var.enable_telemetry
      is_hns_enabled            = true
      shared_access_key_enabled = false
    },
    "sta${join("", var.company_prefix)}wks" = {
      account_kind             = "StorageV2"
      account_replication_type = "LRS"
      account_tier             = "Standard"
      allowed_copy_scope       = "AAD"
      blob_properties = {
        delete_retention_policy = {
          days = 7
        }
        last_access_time_enabled = false
      }
      customer_managed_key = {
        key_vault_resource_id              = module.avm-res-keyvault-vault[0].resource.id
        key_name                           = "${module.naming_style.key_vault_key.name}-wks"
        user_assigned_identity_resource_id = module.cog-res-identity.identity_info["identitystawks"].id
      }
      enable_telemetry          = var.enable_telemetry
      is_hns_enabled            = true
      shared_access_key_enabled = false
    }
  }
}
tfvars variables values
N/A
Debug Output/Panic Output
Expected Behaviour
Storage accounts encrypted using managed identities. Terraform plan shows the correct user-assigned managed identities being associated but fails with terraform apply.
TF plan:
module.avm-res-storage-storageaccount_int["stacogdevuksecu"].azurerm_storage_account_customer_managed_key.this[0] will be created
  + resource "azurerm_storage_account_customer_managed_key" "this" {
      + id                        = (known after apply)
      + key_name                  = "kvk-cog-dev-uks-ecu"
      + key_vault_id              = "/subscriptions/xxx-xxx-xxx-xxx/resourceGroups/rg-cog-dev-uks-keyvault/providers/Microsoft.KeyVault/vaults/kv-cog-dev-uks"
      + key_vault_uri             = (known after apply)
      + storage_account_id        = "/subscriptions/xxx-xxx-xxx-xxx/resourceGroups/rg-cog-dev-uks-storage/providers/Microsoft.Storage/storageAccounts/stacogdevuksecu"
      + user_assigned_identity_id = "/subscriptions/xxx-xxx-xxx-xxx/resourceGroups/rg-cog-dev-uks-storage/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-cog-dev-uks-staecu"
    }
Actual Behaviour
Error: updating Customer Managed Key for Storage Account (Subscription: "xxx-xxx-xxx-xxx"
│ Resource Group Name: "rg-cog-dev-uks-storage"
│ Storage Account Name: "stacogdevukswks"): storage.AccountsClient#Update: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidValuesForRequestParameters" Message="Values for request parameters are invalid: properties.encryption.identity."
│
│ with module.avm-res-storage-storageaccount_int["stacogdevukswks"].azurerm_storage_account_customer_managed_key.this[0],
│ on .terraform/modules/avm-res-storage-storageaccount_int/main.tf line 314, in resource "azurerm_storage_account_customer_managed_key" "this":
│ 314: resource "azurerm_storage_account_customer_managed_key" "this" {
Steps to Reproduce
- terraform plan
- terraform apply
Important Factoids
No response
References
No response
@Tommy-Ten thanks for reaching out. Please can you upload the variables files and the other modules' configuration files, with a minimum example to reproduce the issue.
@chinthakaru thanks for your reply.
Please find sanitised TF files attached for your testing. Please reach out, if anything else is needed.
Many thanks!
azure-data-landing-zone.zip
Hi @chinthakaru,
Have you been able to reproduce the issue based on the configuration I provided, please?
@Tommy-Ten Thanks for the sample configuration code. The managed_identities block is missing in your local.tf for each storage account. Please can you update the main.tf and local.tf files with the following code blocks and let us know?
local.tf update on each storage account:
  managed_identities = {
    system_assigned            = true
    user_assigned_resource_ids = [module.cog-res-identity.identity_info["identitystawks"].id]
  }
main.tf:
  managed_identities = each.value.managed_identities
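The root cause above (a customer_managed_key block naming a user-assigned identity that the storage account itself was never given) surfaces only at apply time, as the 400 InvalidValuesForRequestParameters shown in the issue. It can be caught earlier from the plan. The script below is an added example for this thread, not code from the AVM module or from either participant: it reads the JSON form of a plan (`terraform show -json tfplan`), and for every azurerm_storage_account_customer_managed_key reports the case where its user_assigned_identity_id is not among the identity_ids of the azurerm_storage_account planned in the same module instance (the AVM module creates both resources in one module call, so they share a module address). The embedded SAMPLE_PLAN, its module addresses and identity IDs are constructed for the demonstration.

```python
"""Lint a Terraform plan (output of `terraform show -json tfplan`) for
storage-account customer-managed-key resources whose user-assigned identity
is not assigned to the storage account in the same module instance.

Added example for this issue thread; not part of the AVM module.
SAMPLE_PLAN and every identifier in it are constructed."""
import json
import sys

CMK_TYPE = "azurerm_storage_account_customer_managed_key"
STA_TYPE = "azurerm_storage_account"


def _walk_modules(module):
    """Yield a planned_values module and, recursively, all of its child modules."""
    yield module
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def find_unassigned_cmk_identities(plan):
    """Return addresses of CMK resources whose user_assigned_identity_id is not
    listed in an identity block of an azurerm_storage_account planned in the
    same module instance.

    Caveat: values unknown until apply are omitted from planned_values, so an
    identity id that only resolves at apply time is reported as well; the check
    is meaningful when the identity ids are already known at plan time."""
    problems = []
    for module in _walk_modules(plan["planned_values"]["root_module"]):
        resources = module.get("resources", [])
        # Collect every user-assigned identity the storage account(s) here carry.
        assigned = set()
        for res in resources:
            if res["type"] == STA_TYPE:
                for ident in res.get("values", {}).get("identity") or []:
                    assigned.update(ident.get("identity_ids") or [])
        # Flag CMK resources that reference an identity outside that set.
        for res in resources:
            if res["type"] != CMK_TYPE:
                continue
            uami = res.get("values", {}).get("user_assigned_identity_id")
            if uami and uami not in assigned:
                problems.append(res["address"])
    return problems


# Constructed sample, modelled on the shape of `terraform show -json`.
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
UAMI_WKS = _RG + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-example-stawks"
UAMI_RAW = _RG + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/uai-example-staraw"

SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [],
            "child_modules": [
                {   # mirrors the failing case: CMK references an identity, account has none
                    "address": 'module.sta["wks"]',
                    "resources": [
                        {"address": 'module.sta["wks"].azurerm_storage_account.this',
                         "type": STA_TYPE, "name": "this",
                         "values": {"name": "staexamplewks", "identity": []}},
                        {"address": 'module.sta["wks"].azurerm_storage_account_customer_managed_key.this[0]',
                         "type": CMK_TYPE, "name": "this",
                         "values": {"key_name": "kvk-example-wks",
                                    "user_assigned_identity_id": UAMI_WKS}},
                    ],
                },
                {   # the corrected shape: managed_identities populated on the account
                    "address": 'module.sta["raw"]',
                    "resources": [
                        {"address": 'module.sta["raw"].azurerm_storage_account.this',
                         "type": STA_TYPE, "name": "this",
                         "values": {"name": "staexampleraw",
                                    "identity": [{"type": "SystemAssigned, UserAssigned",
                                                  "identity_ids": [UAMI_RAW]}]}},
                        {"address": 'module.sta["raw"].azurerm_storage_account_customer_managed_key.this[0]',
                         "type": CMK_TYPE, "name": "this",
                         "values": {"key_name": "kvk-example-raw",
                                    "user_assigned_identity_id": UAMI_RAW}},
                    ],
                },
            ],
        }
    }
}


if __name__ == "__main__":
    # Usage: python cmk_identity_lint.py plan.json   (no argument: run on SAMPLE_PLAN)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for address in find_unassigned_cmk_identities(plan):
        print(f"{address}: user_assigned_identity_id is not assigned to the "
              "storage account in the same module instance")
```

Run against the sample it reports only the "wks" module instance, the same shape as the failing configuration in this issue; the "raw" instance, whose account carries the identity, passes. Wiring this into CI after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` turns the apply-time 400 into a plan-time finding.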
Hi @chinthakaru,
Ah, that was it, can't believe that I missed it. Got it working now, thanks very much for your time looking into this!
Solved