Terraform Azure提供程序-静态VM加密

时间:2020-09-07 09:15:16

标签: azure encryption terraform-provider-azure

尝试通过Key Vault设置VM时出现错误。这是我认为相关的代码的一部分。

resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
  
  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = "${azurerm_key_vault.example.id}"

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}

这是我得到的错误:

错误:创建Linux虚拟机“ example-vm”时出错(资源 组“加密资源”): compute.VirtualMachinesClient#CreateOrUpdate:发送请求失败: StatusCode = 400-原始错误:Code =“ KeyVaultAccessForbidden” Message =“无法访问密钥库资源 'https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/*****' 启用静态加密。请授予获取,包装和解开密钥 磁盘加密权限设置为“ example-set”。请拜访 https://aka.ms/keyvaultaccessssecmk,以了解更多信息。”

我应该在哪里以及如何添加权限?

2 个答案:

答案 0 :(得分:1)

作为错误打印-Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'.

添加以下代码段:

# grant the Managed Identity of the Disk Encryption Set access to Read Data from Key Vault
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = azurerm_key_vault.example.id

  key_permissions = [
    "get",
    "wrapkey",
    "unwrapkey",
  ]

  tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
}


# grant the Managed Identity of the Disk Encryption Set "Reader" access to the Key Vault
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
}

有关azurerm_key_vault_access_policyazurerm_role_assignment的更多信息。

更新-

该问题与未指定正确的object_id有关。 稍后,用于构建Terraform的计算机丢失了SSH文件路径(例如-"~/.ssh/id_rsa.pub")。 通过运行以下命令进行修复:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

此后,密钥库权限丢失了对地形用户的访问策略。

除此之外,资源的顺序是混杂的。将其固定为更合理的顺序。

完整和有效的代码可以在here中找到。

答案 1 :(得分:0)

正如阿米特·巴拉恩斯(Amit Baranes)指出的那样,您需要为加密集设置访问策略。

在上面的示例中,您通过访问策略授予数据源客户端ID对密钥库的访问权限。但是,加密集的身份只能通过角色读取到Vault。

AzureRM VM资源文档中的here隐藏:

注意:磁盘加密集必须具有读取器角色分配 限于密钥库-除了对密钥的访问策略 保管箱

您需要确保同时向加密ID授予读取角色和访问策略。

可能出现的完整块如下所示,其中我们通过访问策略为您的服务主体和身份提供对保管库的访问。我们还保留读取角色

    resource "azurerm_key_vault_key" "example" {
      name         = "TF-key-example"
      key_vault_id = "${azurerm_key_vault.example.id}"
      key_type     = "RSA"
      key_size     = 2048
    
      key_opts = [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
      ]
    }
    
    resource "azurerm_disk_encryption_set" "example" {
      name                = "example-set"
      resource_group_name = "${azurerm_resource_group.example.name}"
      location            = "${azurerm_resource_group.example.location}"
      key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
      
      identity {
        type = "SystemAssigned"
      }
    }

    resource "azurerm_key_vault_access_policy" "service-principal" {
      key_vault_id = "${azurerm_key_vault.example.id}"
    
      tenant_id = data.azurerm_client_config.current.tenant_id
      object_id = data.azurerm_client_config.current.object_id
      key_permissions = [
        "create",
        "get",
        "list",
        "wrapkey",
        "unwrapkey",
      ]
      secret_permissions = [
        "get",
        "list",
      ]
    }

    resource "azurerm_key_vault_access_policy" "encryption-set" {
      key_vault_id = "${azurerm_key_vault.example.id}"
    
      tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
      object_id = azurerm_disk_encryption_set.example.identity.0.principal_id

      key_permissions = [
        "create",
        "get",
        "list",
        "wrapkey",
        "unwrapkey",
      ]
      secret_permissions = [
        "get",
        "list",
      ]
    }
    
    resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
      scope                = "${azurerm_key_vault.example.id}"
      role_definition_name = "Reader"
      principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
    }

您可能希望减少对服务主体的访问,但是我现在还是保留了它。

相关问题
最新问题