Enhancements to azure.azcollection.azure_rm_storageaccount for Improved Security Compliance and Functionality

[chitender]

SUMMARY

This feature request proposes several enhancements to the azure.azcollection.azure_rm_storageaccount collection in Ansible. These changes aim to align more closely with Azure security policies and address common functional requirements in managing Azure Storage Accounts.

• Option to Enable/Disable allow_shared_key_access for Storage Accounts: Introduce a configurable option to enable or disable shared key access, enhancing security and compliance with organizational policies.

• Identity Block for Key Vault Encryption Prerequisites: Implement an identity block within the module to support scenarios requiring user-assigned identities as a prerequisite for Key Vault encryption (CMK encryption).

• Inclusion of Key Vault Properties in Encryption Block: Add support for specifying Key Vault properties directly within the encryption block when the encryption source is set to Microsoft.Keyvault. This will facilitate smoother integration with Azure Key Vault for encryption purposes.

• Incorporate Network ACL Rule Sets in create_account Requests: Instead of setting network ACLs separately, include them directly in the create_account request. This change aims to streamline the process and reduce the complexity of storage account creation.

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

azure.azcollection.azure_rm_storageaccount

ADDITIONAL INFORMATION

These enhancements are motivated by the need for improved compliance with Azure security policies and functional requirements in resource management. Enforcing security policies at subscription and resource group levels is a common practice, and non-compliance can lead to service denial due to policy violations. The proposed changes address specific areas like encryption, identity management, and network access control, which are crucial for maintaining high-security standards.

not sure how to add verbatim command output, so have added below task snippet which is as per the changes in plugins/modules/azure_rm_storageaccount.py

- name: Create Storage account
  azure.azcollection.azure_rm_storageaccount:
    allow_shared_key_access: 'False'
    minimum_tls_version: "TLS1_2"
    resource_group: "{{ project.resource_group_name }}"
    name: "{{ project.storage_account_name }}"
    location: "{{ project.region }}"
    type: Standard_RAGRS
    kind: BlobStorage
    access_tier: Cool
    subscription_id: "{{ azure_env.ARM_SUBSCRIPTION_ID }}"
    tenant: "{{ azure_env.ARM_TENANT_ID }}"
    client_id: "{{ azure_env.ARM_CLIENT_ID }}"
    secret: "{{ azure_env.ARM_CLIENT_SECRET }}"
    https_only: 'True'
    allow_blob_public_access: 'False'
    public_network_access: 'Enabled'
    identity:
      type: UserAssigned
      user_assigned_identities: "/subscriptions/{{ azure_env.ARM_SUBSCRIPTION_ID }}/resourceGroups/{{ project.resource_group_name }}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{{ project.storage_account_name }}"

    network_acls:
      bypass: AzureServices,Metrics,Logging
      default_action: Deny
      virtual_network_rules:
        - id: /subscriptions/subscriptionId/resourceGroups/resourceGroup/providers/Microsoft.Network/virtualNetworks/vnetName/subnets/vnetSubnetName
          action: Allow
    encryption:
      require_infrastructure_encryption: false
      services:
        blob:
          enabled: true
        file:
          enabled: true
        table:
          enabled: true
        queue:
          enabled: true
      key_source: 'Microsoft.Keyvault'
      key_vault_properties:
        key_vault_uri: "{{ keyVaultInfo.keyvaults[0].vault_uri }}"
        key_name: "storage-encryption-key"
        key_version: "{{ keyvault_key.state.key_id.split('/')[-1] }}"
      encryption_identity:
        encryption_user_assigned_identity: "{{ user_identity }}"

if i have made any mistakes which are not as per community guidelines then please guide me to correct it as this is first time me raising pull request.

[Fred-sun]

@chitender Please help fix the error as below:

ERROR: plugins/modules/azure_rm_storageaccount.py:850:9: E303: too many blank lines
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: parameter-type-not-in-doc: Argument 'key_version' in argument_spec found in encryption -> key_vault_properties defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: parameter-type-not-in-doc: Argument 'type' in argument_spec found in identity defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: parameter-type-not-in-doc: Argument 'user_assigned_identities' in argument_spec found in identity defines type as 'str' but documentation doesn't define type
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'allow_shared_key_access' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'encryption_identity' found in encryption is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'encryption_user_assigned_identity' found in encryption -> encryption_identity is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'identity' is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_name' found in encryption -> key_vault_properties is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_vault_properties' found in encryption is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_vault_uri' found in encryption -> key_vault_properties is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'key_version' found in encryption -> key_vault_properties is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'type' found in identity is listed in the argument_spec, but not documented in the module documentation
ERROR: plugins/modules/azure_rm_storageaccount.py:0:0: undocumented-parameter: Argument 'user_assigned_identities' found in identity is listed in the argument_spec, but not documented in the module documentation

[chitender]

@Fred-sun have updated the documentation.

[chitender]

@Fred-sun could you please check this?

[Fred-sun]

It would be even better if we could add test cases for the newly added parameters!

[Fred-sun]

It would be perfect if we could also increase this return value to azure_rm_storageaccount_info.py!

[Fred-sun]

@chitender There is a conflict in the PR you submitted, please help solve the conflict, we will review this PR as soon as possible! Thank you!

[Fred-sun]

kindly ping!