Share via

Error creating a azurerm_storage_encryption_scope for a storage account with terraform

Vikrant 20 Reputation points
2023-08-09T17:01:58.9766667+00:00

Hi all i am working on a terraform script for creating my infra on azure. i am facing some issue.
i want to set encryption_scope for my storage container but i don't find any reference for setting for storage container. i found the reference for setting encryption_scope for my full storage but i also got a error there.

error. 

Error: creating Storage Encryption Scope "microsoftmanaged" (Storage Account Name "greensightdev" / Resource Group "greensight-dev-rg"): storage.EncryptionScopesClient#Put: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ManagedServiceIdentityNotFound" Message="Managed Service Identity (MSI) was not found for resource 'microsoftmanaged'."

code. 

resource "azurerm_storage_encryption_scope" "example" {
  name               = "microsoftmanaged"
  storage_account_id = azurerm_storage_account.storage.id
  source             = "Microsoft.KeyVault"
  key_vault_key_id = var.key_vault_id
}
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,809 questions
Azure Disk Encryption
Azure Disk Encryption
An Azure service for virtual machines (VMs) that helps address organizational security and compliance requirements by encrypting the VM boot and data disks with keys and policies that are controlled in Azure Key Vault.
162 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sumarigo-MSFT 44,416 Reputation points Microsoft Employee
    2023-08-17T04:58:49.1366667+00:00

    @Vikrant Firstly, Apologies for the delay repones, Thank you for posting your query here!

    Based on the error code "ManagedServiceIdentityNotFound" suggests that the Managed Service Identity associated with the resource is not found or not properly configured.

    Check Managed Service Identity (MSI) Configuration:

    Ensure that Managed Service Identity (MSI) is enabled for the Storage Account. You can configure this in the Azure portal under the "Identity" section of the Storage Account.

    Make sure that the Managed Service Identity (MSI) has the necessary permissions on the Azure Key Vault you are referencing (var.key_vault_id) for encryption.

    Resource Names:

    Verify that the Storage Account name ("greensightdev") and the Encryption Scope name ("microsoftmanaged") match the actual names you intend to use.

    Double-check that the azurerm_storage_account resource (azurerm_storage_account.storage) is defined correctly with the correct ID.

    Key Vault Configuration:

    • Ensure that the var.key_vault_id you are using is the correct ID of the Key Vault where your keys are stored.

    Retry:

    • After confirming the above configurations, retry creating the Storage Encryption Scope.

    If you're still encountering issues after verifying the above steps, you might consider the following:

    • Check the Azure Activity Logs or Diagnostic Logs for more detailed information about the error. This might provide additional context about the MSI issue.
    • Make sure you're using the correct versions of the Terraform Azure provider and Terraform itself. Updating to the latest versions may resolve some compatibility issues.
    • Review the documentation and examples provided by Azure and HashiCorp (Terraform) for setting up Managed Service Identity and Storage Encryption Scopes.

    This error occurs when the MSI is not enabled for the storage account. To enable MSI for the storage account, you can use the following Terraform code:

    

resource "azurerm_storage_account" "example" {
  name                     = "examplestorageaccount"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  identity {
    type = "SystemAssigned"
  }
}

    || Create and manage encryption scopes 

    #Data Source: azurerm_storage_encryption_scope
#Use this data source to access information about an existing Storage Encryption Scope.

#Example Usage

data "azurerm_storage_account" "example" {
  name                = "storageaccountname"
  resource_group_name = "resourcegroupname"
}

data "azurerm_storage_encryption_scope" "example" {
  name               = "existingStorageES"
  storage_account_id = data.azurerm_storage_account.example.id
}

output "id" {
  value = data.azurerm_storage_encryption_scope.example.id
}

    Once the MSI is enabled, you can create the storage encryption scope using the following Terraform code

    resource "azurerm_storage_encryption_scope" "example" {
  name               = "microsoftmanaged"
  storage_account_id = azurerm_storage_account.example.id
  source             = "Microsoft.Storage"
}

    For more information refer to this article

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments