📝 Scenario
We have requirement that resources need to be deployed in secure and compliant way. One of these requirements that currently is not implemented is FinOps hub with ADX with double encryption.
Issue with doble encryption is that this feature can be enabled only on resource creation.
https://learn.microsoft.com/en-us/azure/data-explorer/cluster-encryption-double?tabs=portal
💎 Solution
Posible implementation idea, ... Similar approach as storage account infrastructure encryption, as this feature be only enabled on resource creation.
Currently there is option to enable storage account Infrastructure encryption with BICEP parameter or UI during creation.
@description('Optional. Enable infrastructure encryption on the storage account. Default = false.')
param enableInfrastructureEncryption bool = false
So maybe similar approach
@description('Optional. Enable encryption on the Azure Data Explorer Cluster. Default = false.')
param enableADXEncryption bool = false
@description('Optional. Enable doble encryption on the Azure Data Explorer Cluster. Can be enabled only on resource creation. Default = false.')
param enableADXDobleEncryption bool = false
The modify all requred modules and add this parameters app.Bicep ..
src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Analytics/app.bicep
// Kusto cluster
resource cluster 'Microsoft.Kusto/clusters@2023-08-15' = if (useAzure) {
name: replace(clusterName, '_', '-')
dependsOn: [
appRegistration
]
location: app.hub.location
tags: union(app.tags, app.hub.tagsByResource[?'Microsoft.Kusto/clusters'] ?? {})
sku: {
name: clusterSku
tier: startsWith(clusterSku, 'Dev(No SLA)_') ? 'Basic' : 'Standard'
capacity: startsWith(clusterSku, 'Dev(No SLA)_') ? 1 : (clusterCapacity == 1 ? 2 : clusterCapacity)
}
identity: {
type: 'SystemAssigned'
}
properties: {
enableStreamingIngest: true
enableAutoStop: true
enableDiskEncryption: enableADXEncryption
enableDoubleEncryption: enableADXDobleEncryption
publicNetworkAccess: app.hub.options.privateRouting ? 'Disabled' : 'Enabled'
// TODO: Figure out why this is breaking upgrades
// trustedExternalTenants: [for tenantId in clusterTrustedExternalTenants: {
// value: tenantId
// }]
}
Idea is to make this available for new created hub without any effect on old deployments.
📋 Tasks
### Required tasks
- [ ] TODO: IaC implementations and Tests
### Stretch goals
- [ ] TODO: Updated documentation, that also mention Storage account infrastructure encryption and ADX double encryption can be enabled only during resource creation. And should be enabled in environments with strict security rules. I would also mention, cannot be disabled after enabling these features.
🙋♀️ Ask for the community
We could use your help:
- Please vote this issue up (👍) to prioritize it.
- Leave comments to help us solidify the vision.
📝 Scenario
We have requirement that resources need to be deployed in secure and compliant way. One of these requirements that currently is not implemented is FinOps hub with ADX with double encryption.
Issue with doble encryption is that this feature can be enabled only on resource creation.
https://learn.microsoft.com/en-us/azure/data-explorer/cluster-encryption-double?tabs=portal
💎 Solution
Posible implementation idea, ... Similar approach as storage account infrastructure encryption, as this feature be only enabled on resource creation.
Currently there is option to enable storage account Infrastructure encryption with BICEP parameter or UI during creation.
So maybe similar approach
The modify all requred modules and add this parameters app.Bicep ..
src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Analytics/app.bicep
Idea is to make this available for new created hub without any effect on old deployments.
📋 Tasks
🙋♀️ Ask for the community
We could use your help: