feat: Allow user assigned identities (#6)

* allow supplying user assigned identities

README.md

@@ -64,6 +64,7 @@ No modules.
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs that are allowed to access this storage account. Defaults to an empty list. | `list(string)` | `[]` | no |
 | <a name="input_system_assigned_identity_enabled"></a> [system\_assigned\_identity\_enabled](#input\_system\_assigned\_identity\_enabled) | Enable or disable the system-assigned managed identity for this storage account. Defaults to true. | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `{}` | no |
+| <a name="input_user_assigned_identities"></a> [user\_assigned\_identities](#input\_user\_assigned\_identities) | List of user assigned identities to assign to the storage account | `list(string)` | `[]` | no |
 | <a name="input_versioning_enabled"></a> [versioning\_enabled](#input\_versioning\_enabled) | Is versioning enabled? | `bool` | `true` | no |
 
 ## Outputs

locals.tf

@@ -1,3 +1,20 @@
 locals {
-  cmk = var.cmk_key_vault_id == null ? 0 : 1
+  identity_system_assigned_user_assigned = (var.system_assigned_identity_enabled && (length(var.user_assigned_identities) > 0)) ? {
+    this = {
+      type                       = "SystemAssigned, UserAssigned"
+      user_assigned_resource_ids = var.user_assigned_identities
+    }
+  } : null
+  identity_system_assigned = var.system_assigned_identity_enabled ? {
+    this = {
+      type                       = "SystemAssigned"
+      user_assigned_resource_ids = null
+    }
+  } : null
+  identity_user_assigned = (length(var.user_assigned_identities) > 0) ? {
+    this = {
+      type                       = "UserAssigned"
+      user_assigned_resource_ids = var.user_assigned_identities
+    }
+  } : null
 }

main.tf

@@ -17,8 +17,8 @@ resource "azurerm_storage_account" "this" {
   infrastructure_encryption_enabled = var.infrastructure_encryption_enabled
   sftp_enabled                      = var.sftp_enabled
   allow_nested_items_to_be_public   = var.allow_nested_items_to_be_public
-  queue_encryption_key_type         = (var.enable_cmk_encryption || local.cmk == 1) ? "Account" : "Service"
-  table_encryption_key_type         = (var.enable_cmk_encryption || local.cmk == 1) ? "Account" : "Service"
+  queue_encryption_key_type         = (var.enable_cmk_encryption || var.cmk_key_vault_id != null) ? "Account" : "Service"
+  table_encryption_key_type         = (var.enable_cmk_encryption || var.cmk_key_vault_id != null) ? "Account" : "Service"
 
   blob_properties {
     delete_retention_policy {
@@ -32,10 +32,11 @@ resource "azurerm_storage_account" "this" {
   }
 
   dynamic "identity" {
-    for_each = var.system_assigned_identity_enabled ? [true] : []
+    for_each = coalesce(local.identity_system_assigned_user_assigned, local.identity_system_assigned, local.identity_user_assigned, {})
 
     content {
-      type = "SystemAssigned"
+      type         = identity.value.type
+      identity_ids = identity.value.user_assigned_resource_ids
     }
   }
 
@@ -85,19 +86,20 @@ resource "azurerm_role_assignment" "extra" {
 }
 
 resource "azurerm_storage_account_customer_managed_key" "this" {
-  count = local.cmk
+  count = var.cmk_key_vault_id != null ? 1 : 0
 
-  storage_account_id = azurerm_storage_account.this.id
-  key_vault_id       = var.cmk_key_vault_id
-  key_name           = var.cmk_key_name
+  storage_account_id        = azurerm_storage_account.this.id
+  user_assigned_identity_id = local.identity_user_assigned != null ? var.user_assigned_identities[0] : null
+  key_vault_id              = var.cmk_key_vault_id
+  key_name                  = var.cmk_key_name
 
   depends_on = [
     azurerm_role_assignment.cmk
   ]
 }
 
 resource "azurerm_role_assignment" "cmk" {
-  count = local.cmk
+  count = (var.cmk_key_vault_id != null && (local.identity_system_assigned != null || local.identity_system_assigned_user_assigned != null)) ? 1 : 0
 
   scope                = var.cmk_key_vault_id
   role_definition_name = "Key Vault Crypto Service Encryption User"

variables.tf

@@ -86,6 +86,12 @@ variable "system_assigned_identity_enabled" {
   description = "Enable or disable the system-assigned managed identity for this storage account. Defaults to true."
 }
 
+variable "user_assigned_identities" {
+  type        = list(string)
+  default     = []
+  description = "List of user assigned identities to assign to the storage account"
+}
+
 variable "allow_nested_items_to_be_public" {
   description = "Allow or disallow nested items to be public. Defaults to false."
   type        = bool