Azure storage encryption scope
# Key-encryption key (KEK) that backs the storage encryption scope below.
# The key only needs to wrap/unwrap the storage data-encryption keys, so
# key_opts is limited to exactly those two operations (no sign/encrypt/decrypt).
# NOTE(review): Azure Storage customer-managed keys require the vault behind
# var.key_vault_id to have soft-delete and purge protection enabled; that is
# configured outside this gist and should be confirmed.
resource "azurerm_key_vault_key" "storage" {
  key_vault_id = var.key_vault_id
  name         = var.name
  key_type     = "RSA"
  key_size     = 4096
  key_opts     = ["wrapKey", "unwrapKey"]

  # Key versions live 28 days; a new version is cut automatically 7 days
  # before expiry and a notification is raised 14 days before expiry.
  rotation_policy {
    expire_after         = "P28D"
    notify_before_expiry = "P14D"

    automatic {
      time_before_expiry = "P7D"
    }
  }
}
# Encryption scope on the storage account that uses the customer-managed
# KEK from Key Vault instead of Microsoft-managed keys.
# NOTE(review): the storage account's managed identity must be granted
# wrap/unwrap permissions on the vault (access policy or RBAC); that grant
# is not part of this gist and should be confirmed before applying.
resource "azurerm_storage_encryption_scope" "main" {
  storage_account_id = var.storage_account_id
  name               = var.name
  source             = "Microsoft.KeyVault"

  # The versionless key id is used on purpose: it lets the scope follow the
  # key's automatic rotation without this resource having to be updated.
  key_vault_key_id = azurerm_key_vault_key.storage.versionless_id

  # Double encryption: a second, infrastructure-level layer on top of the
  # customer-managed key.
  infrastructure_encryption_required = true
}
# Blob container pinned to the customer-managed encryption scope.
# container_access_type is left at the provider default (private), so no
# anonymous read access is opened here.
resource "azurerm_storage_container" "main" {
  storage_account_name = var.storage_account_name
  name                 = var.name

  # Every blob in this container is encrypted under the CMK scope, and
  # callers are not allowed to pick a different scope per blob.
  default_encryption_scope          = azurerm_storage_encryption_scope.main.name
  encryption_scope_override_enabled = false
}
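# Data-plane RBAC for the application service principal, scoped to the single
# container rather than the whole storage account (least privilege).
# azuread_service_principal.main is defined outside this gist.
resource "azurerm_role_assignment" "storage_blob_data_contributor" {
  scope                = azurerm_storage_container.main.resource_manager_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azuread_service_principal.main.object_id

  # Declaring the principal type lets ARM skip the directory lookup, which
  # avoids "PrincipalNotFound" failures when the service principal was created
  # in the same apply and has not yet replicated across Entra ID.
  principal_type = "ServicePrincipal"
}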