Terraform Azure provider - VM encryption at rest


I get an error when trying to set up a VM with a key vault. This is the part of the code I think is relevant:

resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
  
  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = "${azurerm_key_vault.example.id}"

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}

This is the error I get:

Error: creating Linux Virtual Machine "example-vm" (Resource Group "encryption-resources"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="KeyVaultAccessForbidden" Message="Cannot access Key Vault resource 'https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/*****'. To enable encryption at rest, please grant get, wrap and unwrap key permissions to the disk encryption set 'example-set'. Please visit for more information."


Where and how should I add the permissions?

As the error prints -
Please grant get, wrap and unwrap key permissions to the disk encryption set 'example-set'.

Add the following blocks:

    # Grant the disk encryption set's managed identity access to read from the key vault
    resource "azurerm_key_vault_access_policy" "disk-encryption" {
      key_vault_id = azurerm_key_vault.example.id
      key_permissions = [
        "get",
        "wrapkey",
        "unwrapkey",
      ]
      tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
      object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
    }

    # Grant the disk encryption set's managed identity the "Reader" role on the key vault
    resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
      scope                = azurerm_key_vault.example.id
      role_definition_name = "Reader"
      principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
    }

More about and

Update -

The problem was related to not specifying the correct object_id. Later, the machine building the Terraform lost the SSH file path (e.g. "~/.ssh/id_rsa.pub"). Fixed by running this command:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

After that, the terraform user's key vault permissions were missing an access policy.

Apart from that, the order of the resources was mixed up. Fixed the logical order.

The full working code can be found.

As Amit Baranes pointed out, you need to set an access policy for the encryption set.

In the example above you grant the data source's client ID access to the key vault through an access policy. The encryption set's identity, however, only gets read access to the vault through the role.

Digging into the AzureRM VM resource documentation, it states:

NOTE: The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault

You need to make sure that both the Reader role and an access policy are granted to the encryption set's identity.

The full block that could result looks like the following, where we grant both your service principal and the identity access to the vault through access policies. We keep the Reader role as well.

    resource "azurerm_key_vault_key" "example" {
      name         = "TF-key-example"
      key_vault_id = "${azurerm_key_vault.example.id}"
      key_type     = "RSA"
      key_size     = 2048
    
      key_opts = [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
      ]
    }
    
    resource "azurerm_disk_encryption_set" "example" {
      name                = "example-set"
      resource_group_name = "${azurerm_resource_group.example.name}"
      location            = "${azurerm_resource_group.example.location}"
      key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
      
      identity {
        type = "SystemAssigned"
      }
    }

    resource "azurerm_key_vault_access_policy" "service-principal" {
      key_vault_id = "${azurerm_key_vault.example.id}"
    
      tenant_id = data.azurerm_client_config.current.tenant_id
      object_id = data.azurerm_client_config.current.object_id
      key_permissions = [
        "create",
        "get",
        "list",
        "wrapkey",
        "unwrapkey",
      ]
      secret_permissions = [
        "get",
        "list",
      ]
    }

    resource "azurerm_key_vault_access_policy" "encryption-set" {
      key_vault_id = "${azurerm_key_vault.example.id}"
    
      tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
      object_id = azurerm_disk_encryption_set.example.identity.0.principal_id

      key_permissions = [
        "create",
        "get",
        "list",
        "wrapkey",
        "unwrapkey",
      ]
      secret_permissions = [
        "get",
        "list",
      ]
    }
    
    resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
      scope                = "${azurerm_key_vault.example.id}"
      role_definition_name = "Reader"
      principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
    }

You may want to reduce the service principal's access, but I have left it as is for now.
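As an added check that is not part of either answer: a small Python preflight that applies the requirement stated in the error (get, wrapKey and unwrapKey for the disk encryption set's identity, plus the Reader role on the vault) to data shaped like the output of `az keyvault show` and `az role assignment list`. The IDs and policy entries are constructed placeholders; with them it reproduces the asker's mistake of granting the policy to the client object_id instead of the disk encryption set's principal_id.

```python
# Key permissions the Azure error asks for on the disk encryption set's identity.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

# Constructed sample data with placeholder IDs, shaped like the output of
# `az keyvault show --query properties.accessPolicies` and
# `az role assignment list --scope <key vault id>`.
DES_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"  # disk encryption set identity
CLIENT_OBJECT_ID = "22222222-2222-2222-2222-222222222222"  # data.azurerm_client_config object_id

ACCESS_POLICIES = [
    # Granted to the client object_id only, as in the question's original config.
    {"objectId": CLIENT_OBJECT_ID,
     "permissions": {"keys": ["create", "get", "list", "wrapKey", "unwrapKey"],
                     "secrets": ["get", "list"]}},
]
ROLE_ASSIGNMENTS = [
    {"principalId": DES_PRINCIPAL_ID, "roleDefinitionName": "Reader"},
]


def missing_key_permissions(access_policies, principal_id):
    """Required key permissions the principal lacks across every policy naming it.
    Compared case-insensitively: the CLI reports "wrapKey", Terraform accepts "wrapkey"."""
    granted = set()
    for policy in access_policies:
        if policy.get("objectId", "").lower() == principal_id.lower():
            granted |= {p.lower() for p in policy.get("permissions", {}).get("keys", [])}
    return REQUIRED_KEY_PERMS - granted


def has_reader_role(role_assignments, principal_id):
    """True if the principal holds Reader among the assignments listed at the vault scope."""
    return any(ra.get("principalId", "").lower() == principal_id.lower()
               and ra.get("roleDefinitionName") == "Reader"
               for ra in role_assignments)


def preflight(access_policies, role_assignments, principal_id):
    """Findings that would otherwise surface as KeyVaultAccessForbidden when the VM is created."""
    findings = []
    missing = missing_key_permissions(access_policies, principal_id)
    if missing:
        findings.append("access policy lacks key permissions: " + ", ".join(sorted(missing)))
    if not has_reader_role(role_assignments, principal_id):
        findings.append("no Reader role assignment on the vault")
    return findings


# With the sample data all three key permissions are reported missing for the disk
# encryption set even though the Reader role is in place: the policy names the wrong object.
for finding in preflight(ACCESS_POLICIES, ROLE_ASSIGNMENTS, DES_PRINCIPAL_ID):
    print("FINDING:", finding)
```

Feeding it real `az` output (after `json.loads`) gives the same answer the deployment would, before a `terraform apply` has to fail to tell you.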

Thanks. This is already part of my code (I edited the code above), so I don't believe that is the problem.

Can you share the whole terraform? It will be easier to debug.

You point the azurerm_key_vault_access_policy resource to data.azurerm_client_config.current.object_id, which is not the object's id. Fix it according to the code I posted above. It should work :)

Thanks. Now I get this error: Error: creating Linux Virtual Machine "example-vm" (Resource Group "encryption-resources"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidParameter" Message="Destination path for SSH public keys is currently limited to its default value /home/adminuser/.ssh/authorized_keys due to a known issue in Linux provisioning agent." Target="linuxConfiguration.ssh.publicKeys.path" Any idea how to fix it?

This might help: