I am having difficulties creating storage accounts with infrastructure encryption. Our org uses ARM templates as IaC to create our resources. We have several hundred storage accounts that were created without infrastructure encryption enabled. I understand that I cannot just enable it, so my plan was to create parallel accounts with encryption enabled and then migrate the data. However, when I create the new accounts with what I think is the correct IaC, it still shows as disabled in the storage account.
We are using StorageV2, with PE links to our internal VNets. We also want to use MSFT-managed keys. Here is the JSON IaC I am using.
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2019-04-01",
  "name": "[variables('storageAccountName')]",
  "location": "[resourceGroup().location]",
  "sku": {
    "name": "Standard_GRS"
  },
  "kind": "StorageV2",
  "properties": {
    "defaultToOAuthAuthentication": false,
    "publicNetworkAccess": "Disabled",
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": false,
    "allowSharedKeyAccess": false,
    "networkAcls": {
      "bypass": "AzureServices",
      "virtualNetworkRules": [
        {
          "id": "[parameters('subnetId')]",
          "action": "Allow"
        }
      ],
      "ipRules": [],
      "defaultAction": "Deny"
    },
    "supportsHttpsTrafficOnly": true,
    "encryption": {
      "requireInfrastructureEncryption": true,
      "services": {
        "file": {
          "keyType": "Account",
          "enabled": true
        },
        "table": {
          "keyType": "Account",
          "enabled": true
        },
        "queue": {
          "keyType": "Account",
          "enabled": true
        },
        "blob": {
          "keyType": "Account",
          "enabled": true
        }
      },
      "keySource": "Microsoft.Storage"
    },
    "accessTier": "Hot"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices",
      "apiVersion": "2021-09-01",
      "name": "[concat(variables('storageAccountName'), '/default')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "changeFeed": {
          "retentionInDays": 90,
          "enabled": true
        },
        "containerDeleteRetentionPolicy": {
          "enabled": true,
          "days": 7
        },
        "deleteRetentionPolicy": {
          "allowPermanentDelete": false,
          "enabled": true,
          "days": 7
        },
        "isVersioningEnabled": true
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/fileServices",
      "apiVersion": "2021-09-01",
      "name": "[concat(variables('storageAccountName'), '/default')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "shareDeleteRetentionPolicy": {
          "enabled": true,
          "days": 7
        }
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/encryptionScopes",
      "apiVersion": "2023-01-01",
      "name": "[concat(variables('storageAccountName'), '/swatencryptscope')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ],
      "properties": {
        "source": "Microsoft.Storage",
        "state": "Enabled",
        "requireInfrastructureEncryption": true
      }
    }
  ]
}
I have the flag set to true for "requireInfrastructureEncryption", and the encryption scope resource is also created at the time the account is created. But the resource shows the encryption as disabled.
The encryption scope shows as enabled, but not in the overview blade.
I assume that there is an issue in the IaC, but I can't spot the problem.
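An offline pre-deployment check for the failure mode in this question, added here as example code (it is not the asker's template and not anything published by Microsoft). The account-level `encryption.requireInfrastructureEncryption` flag is only part of the `Microsoft.Storage/storageAccounts` schema from a certain apiVersion onward; a resource declared with an older apiVersion typically deploys without error and the unknown property is dropped. The minimum version used below, 2019-06-01, is an assumption to confirm against the template reference for `Microsoft.Storage/storageAccounts`. The linter also flags a `bypass` setting placed at the `properties` root instead of under `networkAcls`, and an encryption scope whose own `requireInfrastructureEncryption` is the only place the flag takes effect, since a scope governs only the objects written under it and does not switch on the account-level setting shown on the overview blade. The two templates embedded at the bottom (`stgposted`, `stgfixed`) are constructed inputs for the demonstration.

```python
"""Lint an ARM template for storage-account settings that deploy cleanly but
do not take effect. Added example; not code from the original post."""
import json
import sys
from datetime import date

STORAGE_ACCOUNT = "Microsoft.Storage/storageAccounts"
ENCRYPTION_SCOPE = "Microsoft.Storage/storageAccounts/encryptionScopes"
# Assumption: first apiVersion whose schema carries
# properties.encryption.requireInfrastructureEncryption. Confirm against the
# Microsoft.Storage/storageAccounts template reference before relying on it.
MIN_INFRA_ENC_API = "2019-06-01"


def api_date(api_version: str) -> date:
    """'2019-04-01' or '2021-01-01-preview' -> date(2019, 4, 1)."""
    return date.fromisoformat(api_version[:10])


def lint_storage_account(res: dict) -> list[str]:
    """Findings for one storageAccounts resource and its nested child resources."""
    findings = []
    props = res.get("properties", {})
    api = res.get("apiVersion", "")
    wants_infra = bool(props.get("encryption", {}).get("requireInfrastructureEncryption"))

    # 1. An apiVersion that predates the property drops it silently: the
    #    deployment succeeds and the account reports infrastructure encryption off.
    infra_effective = wants_infra and api_date(api) >= api_date(MIN_INFRA_ENC_API)
    if wants_infra and not infra_effective:
        findings.append(f"apiVersion {api} predates requireInfrastructureEncryption "
                        f"(needs {MIN_INFRA_ENC_API} or later); the flag is ignored")

    # 2. 'bypass' is a networkAcls setting; at the properties root it is not applied.
    if "bypass" in props:
        findings.append("properties.bypass is ignored; move it to properties.networkAcls.bypass")

    # 3. A per-scope flag covers objects written under that scope only; it does not
    #    enable account-level infrastructure encryption.
    for child in res.get("resources", []):
        if child.get("type") == ENCRYPTION_SCOPE:
            if child.get("properties", {}).get("requireInfrastructureEncryption") and not infra_effective:
                findings.append(f"encryption scope {child['name']} enables infrastructure "
                                "encryption only for objects under that scope, not for the account")
    return findings


def lint_template(template: dict) -> dict[str, list[str]]:
    """Map each top-level storage-account resource name to its findings."""
    return {res["name"]: lint_storage_account(res)
            for res in template.get("resources", []) if res.get("type") == STORAGE_ACCOUNT}


def _account(name, api_version, bypass_at_root):
    """Constructed sample resource in the shape of the posted template."""
    net = {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}
    props = {"encryption": {"requireInfrastructureEncryption": True, "keySource": "Microsoft.Storage"},
             "networkAcls": net, "minimumTlsVersion": "TLS1_2"}
    if bypass_at_root:
        props["bypass"] = "AzureServices"
    else:
        net["bypass"] = "AzureServices"
    scope = {"type": ENCRYPTION_SCOPE, "apiVersion": "2023-01-01", "name": f"{name}/scope1",
             "properties": {"source": "Microsoft.Storage", "state": "Enabled",
                            "requireInfrastructureEncryption": True}}
    return {"type": STORAGE_ACCOUNT, "apiVersion": api_version, "name": name,
            "kind": "StorageV2", "properties": props, "resources": [scope]}


# Constructed inputs: one mirroring the posted template, one with the fixes applied.
TEMPLATE_AS_POSTED = {"resources": [_account("stgposted", "2019-04-01", bypass_at_root=True)]}
TEMPLATE_FIXED = {"resources": [_account("stgfixed", "2021-09-01", bypass_at_root=False)]}

if __name__ == "__main__":
    # Usage: python lint_storage.py [template.json]; without a path, lints the samples.
    targets = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [TEMPLATE_AS_POSTED, TEMPLATE_FIXED]
    for tpl in targets:
        for name, findings in lint_template(tpl).items():
            print(name, "->", findings or ["ok"])
```

Run against the constructed "as posted" template the linter reports all three findings; against the fixed one (apiVersion bumped, `bypass` moved under `networkAcls`) it reports none, which is the state in which the overview blade would show infrastructure encryption enabled. The check is deliberately conservative: it only knows about the one property this question concerns, so extend `MIN_INFRA_ENC_API` into a per-property table if you want the same guard for other settings that arrived in later apiVersions.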