Problems with Infrastructure Encryption (Azure Storage)

Bret Spencer 21 Reputation points
2024-02-23T15:54:59.3566667+00:00

I am having difficulties creating Storage Accounts using Infrastructure Encryption. Our org uses ARM Templates IaC to create our resources. We have several hundred storage accounts that were created without the Infrastructure encryption enabled. I understand that I cannot just enable it, so my plan was to create parallel accounts with encryption enabled and then migrate the data. However, when I create the new accounts with what I think are the correct IaC it's still showing disabled in the storage account. We are using Storage V2, with PE links to our internal vnets. We also want to use MSFT managed keys. Here is the JSON IaC I am using.

{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-04-01",
    "name": "[variables('storageAccountName')]",
    "location": "[resourceGroup().location]",
    "sku": {
        "name": "Standard_GRS"
    },
    "kind": "StorageV2",
    "properties": {
        "defaultToOAuthAuthentication": false,
        "publicNetworkAccess": "Disabled",
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": false,
        "allowSharedKeyAccess": false,
        "bypass": "AzureServices",
        "networkAcls": {
            "virtualNetworkRules": [
                {
                    "id": "[parameters('subnetId')]",
                    "action": "Allow"
                }
            ],
            "ipRules": [],
            "defaultAction": "Deny"
        },
        "supportsHttpsTrafficOnly": true,
        "encryption": {
            "requireInfrastructureEncryption": true,
            "services": {
                "file": {
                    "keyType": "Account",
                    "enabled": true
                },
                "table": {
                    "keyType": "Account",
                    "enabled": true
                },
                "queue": {
                    "keyType": "Account",
                    "enabled": true
                },
                "blob": {
                    "keyType": "Account",
                    "enabled": true
                }
            },
            "keySource": "Microsoft.Storage"
        },
        "accessTier": "Hot"
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts/blobServices",
            "apiVersion": "2021-09-01",
            "name": "[concat(variables('storageAccountName'),'/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
            ],
            "properties": {
                "changeFeed": {
                    "retentionInDays": 90,
                    "enabled": true
                },
                "containerDeleteRetentionPolicy": {
                    "enabled": true,
                    "days": 7
                },
                "deleteRetentionPolicy": {
                    "allowPermanentDelete": false,
                    "enabled": true,
                    "days": 7
                },
                "isVersioningEnabled": true
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/fileServices",
            "apiVersion": "2021-09-01",
            "name": "[concat(variables('storageAccountName'), '/default')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
            ],
            "properties": {
                "shareDeleteRetentionPolicy": {
                    "enabled": true,
                    "days": 7
                }
            }
        },
        {
            "type": "Microsoft.Storage/storageAccounts/encryptionScopes",
            "apiVersion": "2023-01-01",
            "name": "[concat( variables('storageAccountName'), '/swatencryptscope')]",
            "dependsOn": [
                "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
            ],
            "properties": {
                "source": "Microsoft.Storage",
                "state": "Enabled",
                "requireInfrastructureEncryption": true
            }
        }
    ]
}

I have the flags set to true for "requireInfrastructureEncryption", and the encryption scope resource is also created at the time the account is created. But the resource shows the encryption as disabled.

The encryption scope shows as enabled. But, not in the overview blade.

I assume that there is an issue in the IaC, but I can't spot the problem.


Accepted answer
  1. KarishmaTiwari-MSFT 19,952 Reputation points Microsoft Employee
    2024-03-01T20:15:00.5066667+00:00

    @Bret Spencer I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: Problems creating Storage Accounts using Infrastructure Encryption.

    Solution: Customer shared - "This specific storage account doesn't use tables or queues. When I removed the two "services" for that in the encryption JSON block, it changed the behavior of the ARM deployment. It now shows the Infrastructure Encryption as enabled."


    If your issue remains unresolved or have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and value your feedback.

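As an added illustration (not code from the thread), the check below applies the poster's fix to the template resource and, since the org has several hundred existing accounts, also filters `az storage account list -o json` output for accounts whose deployed state lacks infrastructure encryption. The template excerpt and the account list are constructed samples; the set of services the account actually uses is an assumption passed in as a parameter.

```python
import json
from copy import deepcopy

# Constructed sample: the encryption-relevant part of the question's storageAccounts resource.
TEMPLATE_RESOURCE = {
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2019-04-01",
    "properties": {
        "encryption": {
            "requireInfrastructureEncryption": True,
            "keySource": "Microsoft.Storage",
            "services": {s: {"keyType": "Account", "enabled": True}
                         for s in ("file", "table", "queue", "blob")},
        }
    },
}

# Constructed sample of `az storage account list -o json`, trimmed to the fields used here.
ACCOUNT_LIST = json.loads("""[
 {"name": "stlegacy01", "encryption": {"requireInfrastructureEncryption": null}},
 {"name": "stnew01",    "encryption": {"requireInfrastructureEncryption": true}},
 {"name": "stnew02",    "encryption": {"requireInfrastructureEncryption": false}}
]""")

def keep_only_used_services(resource, used=("blob", "file")):
    """Return a copy whose encryption.services lists only the services the
    account actually uses; the poster reported that dropping the unused
    table/queue entries made the deployment enable infrastructure encryption."""
    fixed = deepcopy(resource)
    enc = fixed["properties"]["encryption"]
    enc["services"] = {k: v for k, v in enc["services"].items() if k in used}
    return fixed

def template_findings(resource, used=("blob", "file")):
    """Static pre-deployment checks on the template resource."""
    findings = []
    enc = resource.get("properties", {}).get("encryption", {})
    if enc.get("requireInfrastructureEncryption") is not True:
        findings.append("requireInfrastructureEncryption is not true")
    unused = sorted(set(enc.get("services", {})) - set(used))
    if unused:
        findings.append(f"encryption.services lists unused services: {unused}")
    return findings

def accounts_without_infra_encryption(accounts):
    """Names of accounts whose deployed state lacks infrastructure encryption.
    Since it cannot be enabled after creation, these need a parallel account."""
    return sorted(a["name"] for a in accounts
                  if a.get("encryption", {}).get("requireInfrastructureEncryption") is not True)
```

Run `template_findings` over each storageAccounts resource in the template before deploying, and confirm the result on the deployed account with `az storage account show --query encryption.requireInfrastructureEncryption`.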

1 additional answer

  1. Bret Spencer 21 Reputation points
    2024-02-29T15:03:33.3866667+00:00

    I think I may have found the issue. This specific storage account doesn't use tables or queues. When I removed the two "services" for that in the encryption JSON block it changed the behavior of the ARM deployment. It now shows the Infrastructure Encryption as enabled.
