Skip to content

add support for Azure Data Explorer Encryption and Double Encryption #2196

Description

@fajterini

📝 Scenario

We have requirement that resources need to be deployed in secure and compliant way. One of these requirements that currently is not implemented is FinOps hub with ADX with double encryption.
Issue with doble encryption is that this feature can be enabled only on resource creation.

https://learn.microsoft.com/en-us/azure/data-explorer/cluster-encryption-double?tabs=portal

Image

💎 Solution

Posible implementation idea, ... Similar approach as storage account infrastructure encryption, as this feature be only enabled on resource creation.

Currently there is option to enable storage account Infrastructure encryption with BICEP parameter or UI during creation.

@description('Optional. Enable infrastructure encryption on the storage account. Default = false.')
param enableInfrastructureEncryption bool = false

So maybe similar approach

@description('Optional. Enable encryption on the Azure Data Explorer Cluster. Default = false.')
param enableADXEncryption bool = false

@description('Optional. Enable doble encryption on the Azure Data Explorer Cluster. Can be enabled only on resource creation. Default = false.')
param enableADXDobleEncryption bool = false

The modify all requred modules and add this parameters app.Bicep ..
src/templates/finops-hub/modules/Microsoft.FinOpsHubs/Analytics/app.bicep

//  Kusto cluster
resource cluster 'Microsoft.Kusto/clusters@2023-08-15' = if (useAzure) {
  name: replace(clusterName, '_', '-')
  dependsOn: [
    appRegistration
  ]
  location: app.hub.location
  tags: union(app.tags, app.hub.tagsByResource[?'Microsoft.Kusto/clusters'] ?? {})
  sku: {
    name: clusterSku
    tier: startsWith(clusterSku, 'Dev(No SLA)_') ? 'Basic' : 'Standard'
    capacity: startsWith(clusterSku, 'Dev(No SLA)_') ? 1 : (clusterCapacity == 1 ? 2 : clusterCapacity)
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    enableStreamingIngest: true
    enableAutoStop: true
    enableDiskEncryption: enableADXEncryption
    enableDoubleEncryption: enableADXDobleEncryption
    publicNetworkAccess: app.hub.options.privateRouting ? 'Disabled' : 'Enabled'
    // TODO: Figure out why this is breaking upgrades
    // trustedExternalTenants: [for tenantId in clusterTrustedExternalTenants: {
    //     value: tenantId
    // }]
  }

Idea is to make this available for new created hub without any effect on old deployments.

📋 Tasks

### Required tasks
- [ ] TODO: IaC implementations and Tests
### Stretch goals
- [ ] TODO: Updated documentation, that also mention Storage account infrastructure encryption and ADX double encryption can be enabled only during resource creation. And should be enabled in environments with strict security rules. I would also mention, cannot be disabled after enabling these features.

🙋‍♀️ Ask for the community

We could use your help:

  1. Please vote this issue up (👍) to prioritize it.
  2. Leave comments to help us solidify the vision.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Skill: DeploymentResource deployment automation via bicep or terraformStatus: ▶️ ReadyIssue is ready for a dev to start workType: Feature 💎Idea to improve the product

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions