Azure Terraform-加密VM OS磁盘

时间:2019-11-18 17:47:34

标签: azure encryption virtual-machine terraform

我正在尝试通过Terraform加密Azure VM上的“ storage_os_disk”。 我已经在VM OS磁盘上设置了托管磁盘类型,因此将对其进行管理,因为我知道必须对该磁盘进行管理以允许加密。

我似乎无法弄清楚如何以Terraform格式加密OS磁盘

这是我正在尝试的代码: 

resource "azurerm_network_interface" "nic" {
  name                = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
  location            = "${data.azurerm_resource_group.core-rg.location}"
  resource_group_name = "${data.azurerm_resource_group.core-rg.name}"
  depends_on            = ["azurerm_virtual_machine.dns-vm"]

  ip_configuration {
    name                          = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
    subnet_id                     ="${data.terraform_remote_state.network.sn1_id}"
    private_ip_address_allocation = "static"
    private_ip_address            = "${cidrhost(data.terraform_remote_state.network.sn1_address_prefix, 6 )}"
  }  
}

resource "azurerm_virtual_machine" "admin-vm-encrpytest" {
  name                  = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-encrpytest"
  location              = "${data.azurerm_resource_group.core-rg.location}"
  resource_group_name   = "${data.azurerm_resource_group.core-rg.name}"
  network_interface_ids = ["${azurerm_network_interface.nic.id}"]
  vm_size               = "Standard_B2s"
  depends_on            = ["azurerm_virtual_machine.dns-vm"]


  # Requires LRS Storage Account
   boot_diagnostics {
   enabled      = "True"
   storage_uri  = "${data.terraform_remote_state.sa.sa_2_prim_blob_ep}"
   #storage_uri  = "${data.azurerm_storage_account.storage-account-2.primary_blob_endpoint}"
  }

  storage_os_disk {
    name          = "${var.project_ident}-${var.env_ident}-${var.admin_vm_name}-${var.region_suffix}-encrpytest"
    create_option = "FromImage"
    managed_disk_type = "Standard_LRS"

    encryption_settings {
      enabled      = "True"

      key_encryption_key {
        key_url = "${data.terraform_remote_state.kv.vault_key_1_id}"
        source_vault_id = "${data.terraform_remote_state.kv.vault_id}"
      }

      disk_encryption_key {
        secret_url = "${data.terraform_remote_state.kv.vault_key_2_id}"
        source_vault_id = "${data.terraform_remote_state.kv.vault_id}"
      }
    }


  }

  os_profile {
    computer_name  = "encrpytest"
    admin_username = "cactusadmin"
    admin_password = "${var.admin_vm_password}"
  }

  os_profile_windows_config {
    provision_vm_agent        = true
    enable_automatic_upgrades = true
  }

  # Uncomment this line to delete the OS disk automatically when deleting the VM
  delete_os_disk_on_termination = true

  # Uncomment this line to delete the data disks automatically when deleting the VM
  delete_data_disks_on_termination = true

  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }
}

谢谢

2 个答案:

答案 0 :(得分:1)

首先,encryption_settingsstorage_os_disk块中不存在,而在azurerm_managed_disk中。因此,您可以创建一个单独的azurerm_managed_disk资源,然后从托管磁盘创建VM,并且平台映像引用here

或者,您可以尝试使用azurerm_virtual_machine_extension进行磁盘加密,请参考this

resource "azurerm_virtual_machine_extension" "disk-encryption" {
  name                 = "DiskEncryption"
  location             = "${local.location}"
  resource_group_name  = "${azurerm_resource_group.environment-rg.name}"
  virtual_machine_name = "${azurerm_virtual_machine.server.name}"
  publisher            = "Microsoft.Azure.Security"
  type                 = "AzureDiskEncryption"
  type_handler_version = "2.2"

  settings = <<SETTINGS
{
  "EncryptionOperation": "EnableEncryption",
  "KeyVaultURL": "https://${local.vaultname}.vault.azure.net",
  "KeyVaultResourceId": "/subscriptions/${local.subscriptionid}/resourceGroups/${local.vaultresourcegroup}/providers/Microsoft.KeyVault/vaults/${local.vaultname}",
  "KeyEncryptionKeyURL": "https://${local.vaultname}.vault.azure.net/keys/${local.keyname}/${local.keyversion}",
  "KekVaultResourceId": "/subscriptions/${local.subscriptionid}/resourceGroups/${local.vaultresourcegroup}/providers/Microsoft.KeyVault/vaults/${local.vaultname}",
  "KeyEncryptionAlgorithm": "RSA-OAEP",
  "VolumeType": "All"
}
SETTINGS
}

答案 1 :(得分:0)

我使用了vm扩展示例,它运行良好。我新部署的Windows VM上的OS磁盘已立即加密

相关问题
最新问题