Support for CMK in azurerm_postgresql_flexible_server resource

[rmoesbergen]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Azure Database for PostgreSQL flexible servers now supports using a customer managed encryption key (CMK / CMEK) for encryption of databases and backups. The feature is currently in public preview (starting october 2022). Please add support for this feature in the azurerm provider. The docs for this feature can be found here:

https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-data-encryption

Thanks!

New or Affected Resource(s)/Data Source(s)

azurerm_postgresql_flexible_server

Potential Terraform Configuration

# Create a managed identity for encryption key access
resource "azurerm_user_assigned_identity" "example" {
  location            = "westeurope"
  name                = "example"
  resource_group_name = "myrg"
}

# Create an encryption key
resource "azurerm_key_vault_key" "example" {
  key_vault_id = var.keyvault_id
  name         = "example"

  key_type = "RSA"
  key_size = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

# Allow managed identity to use the encryption key
resource "azurerm_role_assignment" "example-key-reader" {
  scope                = var.keyvault_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_user_assigned_identity.example.principal_id
}


# Create a Postgres flexible instance with CMK
resource "azurerm_postgresql_flexible_server" "example" {
  name                   = "example-psqlflexibleserver"
  resource_group_name    = "myrg"
  location               = "westeurope"
  version                = "14"
  delegated_subnet_id    = var.subnet_id
  private_dns_zone_id    = var.private_dns_zone_id
  administrator_login    = "psqladmin"
  administrator_password = "H@Sh1CoR3!"
  zone                   = "1"

  storage_mb = 32768

  sku_name   = "GP_Standard_D4s_v3"
  depends_on = [azurerm_private_dns_zone_virtual_network_link.example]

  ## This would be the new bit for this feature request ##
  encryption {
    enabled            = true
    identity_id        = azurerm_user_assigned_identity.example.principal_id
    key_vault_key_id   = azurerm_key_vault_key.example.id
  }
}

References

• https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-data-encryption

[AndrzejK-Atende]

Support for MySQL Flexible has been just added #19842, waiting for postgresql : )

[sahitya12]

@AndrzejK-Atende when can we expect Support for CMK in azurerm_postgresql_flexible_server resource ? any approximate date ?

[igor-marinho]

I hope so! Is the last missing part for me.

[github-actions]

This functionality has been released in v3.41.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.