-
Notifications
You must be signed in to change notification settings - Fork 147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Storage accounts should use infrastructure encryption #4001
Comments
I'm about to look at this one for our TRE instance, since we would like infrastructure encryption turned on. Was planning to do something along the lines of:
So essentially enabling infrastructure encryption on initial storage account creation, however if the storage account has already been created prior to the change, then it won't be enabled. (It's not possible to enable once created without destroying and recreating the storage account.) @marrobi Would this be acceptable for a PR? Should an additional build variable be introduced as well to control the default behaviour on initial creation? Such as Thanks |
@yuvalyaron does this overlap with the CMLK work #4002 that you have in progress? @jonnyry I can't think of a reason it wouldn't want to be turned on, I presume its compatible with CMK. @SvenAelterman any ideas? As long as no errors or risk of terraform recreating the storage account when it's turned on (main concern), lets always have it on, otherwise need to have the config flag with default to false. |
@marrobi I don't think there's an overlap, and they can coexist. |
@marrobi OK thanks, I will draft something locally with the following pattern and test on an existing TRE instance that was spun up before the change:
We could also add this as a double protection against storage account deletion, however this would be problematic for workspaces/workspace services etc since it would prevent them being deleted:
|
Description
As a TRE Administrator
I want to deploy TRE in a manner compliant with common regulatory frameworks, like NIST SP 800-171 R2 and Microsoft's built-in compliance initiatives for those frameworks
So that research takes place in a compliant environment
Acceptance criteria
Notes
Existing storage accounts cannot be updated to support infrastructure encryption. A feature flag at the core TRE level might be required so that existing storage accounts aren't attempted to be upgraded. Perhaps this could also be accomplished with Terraform ignore statements, but I don't know those very well.
The text was updated successfully, but these errors were encountered: