Azure Storage Encryption Scope

This page shows how to write Terraform and Azure Resource Manager for Storage Encryption Scope and write them securely.

azurerm_storage_encryption_scope (Terraform)

The Encryption Scope in Storage can be configured in Terraform with the resource name azurerm_storage_encryption_scope. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub
resource "azurerm_storage_encryption_scope" "ses" {
  name                      = var.res_ses_name
  storage_account_id        = var.res_storage_account_id
  source                    = "Microsoft.Storage"
resource "azurerm_storage_encryption_scope" "sae" {
  name                      = var.res_sae_name
  storage_account_id        = var.res_storage_account_id
  source                    = "Microsoft.Storage"
resource "azurerm_storage_encryption_scope" "dev_ops" {
  name               = "microsoftmanaged"
  storage_account_id =
  source             = "Microsoft.Storage"

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


Explanation in Terraform Registry

Manages a Storage Encryption Scope.

Note: Storage Encryption Scopes are in Preview more information can be found here.

Tips: Best Practices for The Other Azure Storage Resources

In addition to the azurerm_storage_account, Azure Storage has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.



Ensure to use HTTPS connections

It is better to use HTTPS instead of HTTP, which could be vulnerable to person-in-the-middle attacks.



Ensure to allow Trusted Microsoft Services to bypass

It is better to allow Trusted Microsoft Services to bypass. They are not able to access storage account unless rules are set to allow them explicitly.

Review your Azure Storage settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Storage/storageAccounts/encryptionScopes (Azure Resource Manager)

The storageAccounts/encryptionScopes in Microsoft.Storage can be configured in Azure Resource Manager with the resource name Microsoft.Storage/storageAccounts/encryptionScopes. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.


  • apiVersion required - string
  • name required - string

    The name of the encryption scope within the specified storage account. Encryption scope names must be between 3 and 63 characters in length and use numbers, lower-case letters and dash (-) only. Every dash (-) character must be immediately preceded and followed by a letter or number.

  • properties optional
      • keyVaultProperties optional
          • keyUri optional - string

            The object identifier for a key vault key object. When applied, the encryption scope will use the key referenced by the identifier to enable customer-managed key support on this encryption scope.

      • requireInfrastructureEncryption optional - boolean

        A boolean indicating whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest.

      • source optional - string

        The provider for the encryption scope. Possible values (case-insensitive): Microsoft.Storage, Microsoft.KeyVault.

      • state optional - string

        The state of the encryption scope. Possible values (case-insensitive): Enabled, Disabled.

  • type required - string

Frequently asked questions

What is Azure Storage Encryption Scope?

Azure Storage Encryption Scope is a resource for Storage of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Storage Encryption Scope?

For Terraform, the avishekansible/AzureLandingZone, avishekansible/AzureLandingZone and dmaxim/terrademo source code examples are useful. See the Terraform Example section for further details.