Terraform Azure Provider - VM encryption at rest
Tags: azure, encryption, terraform-provider-azure

I get an error when trying to set up a VM with a key vault. This is the part of the code I think is relevant:
resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = "${azurerm_key_vault.example.id}"
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}
This is the error I get:

Error: creating Linux Virtual Machine "example-vm" (Resource
Group "encryption-resources"):
compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request:
StatusCode=400 -- Original Error: Code="KeyVaultAccessForbidden"
Message="Failed to access the key vault resource
'https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/*****'.
To enable encryption at rest, please grant get, wrap and unwrap key
permissions to the disk encryption set 'example-set'. Please visit
 for more information."

Where and how should I add the permissions? As the error prints:
please grant get, wrap and unwrap key permissions to the disk encryption set 'example-set'.
Add the following blocks:

# Grant the disk encryption set's managed identity access to read from the key vault
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = azurerm_key_vault.example.id
  key_permissions = [
    "get",
    "wrapkey",
    "unwrapkey",
  ]
  tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
}

# Grant the disk encryption set's managed identity "Reader" access to the key vault
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
}

More about and .
Update -

The issue was related to not specifying the correct object id.
Later, the machine building with Terraform was missing the SSH file path (e.g. "~/.ssh/id_rsa.pub").
Fixed by running this command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
After that, the terraform user's key vault permissions were missing an access policy.
Apart from that, the order of the resources was mixed up. Fixed the logical order.
The full working code can be found .

As Amit Baranes pointed out, you need to set an access policy for the encryption set.

In your example above, you grant the data source's client ID access to the key vault through an access policy. However, the encryption set's identity only gets read access to the vault through a role.

Tucked away in the AzureRM VM resource documentation, it states:

NOTE: The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault.

You need to make sure you grant both the Reader role and an access policy to the encryption set's identity.

The full block that results might look like the one below, where we grant access to the vault through access policies to both your service principal and the identity. We also keep the Reader role.
resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "service-principal" {
  key_vault_id = "${azurerm_key_vault.example.id}"
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_key_vault_access_policy" "encryption-set" {
  key_vault_id = "${azurerm_key_vault.example.id}"
  tenant_id    = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity.0.principal_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}
You may want to reduce the service principal's access, but for now I'm leaving it unchanged.

Thanks. This is already part of my code (I edited the code above), so I don't believe this is the problem.

Can you share the whole terraform? It will be easier to debug.

You're pointing the azurerm_key_vault_access_policy resource to data.azurerm_client_config.current.object_id, which isn't the object's id. Fix it according to the code I posted above. It should work :)

Thanks. Now I get this error: Error: creating Linux Virtual Machine "example-vm" (Resource Group "encryption-resources"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidParameter" Message="Destination path for SSH public keys is currently limited to its default value /home/adminuser/.ssh/authorized_keys due to a known issue in Linux provisioning agent." Target="linuxConfiguration.ssh.publicKeys.path" Any idea how to fix it?

This might help:
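Pulling the two answers and the update together, here is an added example that is not code from the question or either answer: it trims the disk encryption set's access policy to the three key permissions the error asks for, keeps the Reader role assignment the provider docs require, and uses depends_on so the VM is not created before the identity can unwrap the key. It assumes the key vault, resource group, disk encryption set and Reader role assignment from the page exist under the same names, plus an assumed azurerm_network_interface.example; the VM block itself is assumed and not on the page.

```hcl
# Least-privilege policy for the disk encryption set's managed identity:
# exactly the key permissions the KeyVaultAccessForbidden error asks for.
# azurerm 2.x accepts these lowercase names; azurerm 3.x expects
# "Get", "WrapKey", "UnwrapKey". No create/list or secret permissions.
resource "azurerm_key_vault_access_policy" "encryption-set" {
  key_vault_id    = azurerm_key_vault.example.id
  tenant_id       = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id       = azurerm_disk_encryption_set.example.identity.0.principal_id
  key_permissions = ["get", "wrapkey", "unwrapkey"]
}

# Assumed VM block (not on the page). Referencing the DES id alone does not
# make Terraform wait for the access policy or the Reader role assignment,
# so the VM can be created before the identity can unwrap the key; that is
# the "mixed order" from the update. depends_on pins the ordering.
resource "azurerm_linux_virtual_machine" "example" {
  name                  = "example-vm"
  resource_group_name   = azurerm_resource_group.example.name
  location              = azurerm_resource_group.example.location
  size                  = "Standard_B1s"
  admin_username        = "adminuser"
  network_interface_ids = [azurerm_network_interface.example.id] # assumed NIC

  admin_ssh_key {
    username   = "adminuser"
    public_key = file("~/.ssh/id_rsa.pub")
    # no path attribute here: the provider derives /home/adminuser/.ssh/authorized_keys
    # itself, the only destination the Linux provisioning agent accepts
  }

  os_disk {
    caching                = "ReadWrite"
    storage_account_type   = "Standard_LRS"
    disk_encryption_set_id = azurerm_disk_encryption_set.example.id
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  depends_on = [
    azurerm_key_vault_access_policy.encryption-set,
    azurerm_role_assignment.disk-encryption-read-keyvault,
  ]
}
```

If the plan still shows the VM being created in the same step as the access policy, the depends_on list is the first thing to check.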