Enable storage account infrastructure encryption

[jonnyry]

Resolves #4001

What is being addressed

Enable storage account infrastructure encryption.

Since storage account infrastructure encryption can only be turned on when a storage account is first created (unless you allow terraform to destroy the storage account and recreate it), this change is only applied on first deployment of a TRE (or a template component). Storage accounts that exist within an existing TRE deployment will not be affected.

The terraform pattern used to acheive this behaviour is as follows:

resource "azurerm_storage_account" "stg" {

  ... existing attributes ...

  # changing this value is destructive, hence attribute is in lifecycle.ignore_changes block below
  infrastructure_encryption_enabled = true

  lifecycle { ignore_changes = [infrastructure_encryption_enabled ] }
}

[tim-p-allen]

LGTM

[github-actions]

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 2200ac9.

♻️ This comment has been updated with latest results.

[tamirkamara]

We have a CMK contribution coming in too. Are the two compatible with each other?
@yuvalyaron

[yuvalyaron]

@tamirkamara yes, they are compatible

[jonnyry]

Hey @tamirkamara do you have any more outstanding thoughts or feedback with your review? Thanks

[tim-p-allen]

/test 019a1b4

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12082072675 (with refid 6913b829)

(in response to this comment from @tim-allen-ck)

[jonnyry]

@tim-allen-ck this ok to merge now? thanks

[tim-p-allen]

/test 2200ac9

[github-actions]

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/12100436162 (with refid 6913b829)

(in response to this comment from @tim-allen-ck)