
azure - Terraform Azure provider - virtual machine encryption at rest

Reposted. Author: 行者123. Updated: 2023-12-03 01:29:19

I am running into an error while trying to set up a virtual machine with a key vault. Here is the part of the code I think is relevant.

resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = "${azurerm_key_vault.example.id}"

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}

Here is the error I get:

Error: Error creating Linux Virtual Machine "example-vm" (ResourceGroup "Encrypt-resources"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="KeyVaultAccessForbidden" Message="Unable to access key vault resource 'https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/*****' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'. Please visit https://aka.ms/keyvaultaccessssecmk for more information."

Where and how should I add the permissions?

Best answer

As the error says: please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'.

Add the following blocks:

# grant the Managed Identity of the Disk Encryption Set access to Read Data from Key Vault
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = azurerm_key_vault.example.id

  key_permissions = [
    "get",
    "wrapkey",
    "unwrapkey",
  ]

  tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
}

# grant the Managed Identity of the Disk Encryption Set "Reader" access to the Key Vault
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
}

More on azurerm_key_vault_access_policy and azurerm_role_assignment.

Update -

The problem was related to not specifying the correct object_id. Later on, the machine building the Terraform was missing the SSH file path (e.g. "~/.ssh/id_rsa.pub"). Fixed by running:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

After that, the Key Vault permissions were missing an access policy for the terraform user.

Apart from that, the order of the resources was also mixed up. Fixed it to a more logical order.

The complete working code can be found here.
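The mistake in the question was granting get/wrapKey/unwrapKey to the Terraform user's object_id instead of to the disk encryption set's managed identity. The following added example (not part of the original question or answer) checks Key Vault access policies, shaped like the output of `az keyvault show --query properties.accessPolicies`, against exactly that requirement; the object IDs and policy list are constructed sample data.

```python
import json

# Key permissions Azure demands for a Disk Encryption Set identity
# (per the KeyVaultAccessForbidden message: get, wrap and unwrap key).
REQUIRED_KEY_PERMISSIONS = {"get", "wrapkey", "unwrapkey"}

# Constructed sample shaped like `az keyvault show --query properties.accessPolicies`.
# Both object IDs are made-up placeholders, not real principals.
SAMPLE_ACCESS_POLICIES = json.loads("""
[
  {"objectId": "11111111-1111-1111-1111-111111111111",
   "permissions": {"keys": ["create", "get", "list", "wrapKey", "unwrapKey"],
                   "secrets": ["get", "list"]}},
  {"objectId": "22222222-2222-2222-2222-222222222222",
   "permissions": {"keys": ["get"], "secrets": []}}
]
""")

TERRAFORM_USER_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # constructed
DES_PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"          # constructed


def missing_key_permissions(access_policies, principal_id):
    """Return the required key permissions that the given principal lacks.

    Comparison is case-insensitive because Key Vault reports permissions in
    camelCase ("wrapKey") while older Terraform configs write them lowercase.
    An empty set means the principal can unwrap the key for encryption at rest.
    """
    granted = set()
    for policy in access_policies:
        if policy.get("objectId", "").lower() == principal_id.lower():
            keys = policy.get("permissions", {}).get("keys", [])
            granted |= {p.lower() for p in keys}
    return REQUIRED_KEY_PERMISSIONS - granted


def check_disk_encryption_set(access_policies, des_principal_id):
    """Mirror Azure's precondition: the DES identity, not the deploying user, needs the rights."""
    missing = missing_key_permissions(access_policies, des_principal_id)
    if missing:
        return f"KeyVaultAccessForbidden likely: DES identity lacks {sorted(missing)}"
    return "OK: DES identity has get, wrapKey and unwrapKey"


if __name__ == "__main__":
    # The deploying user holds the rights but the DES identity only has "get":
    # the same situation that produced the error in the question.
    print(check_disk_encryption_set(SAMPLE_ACCESS_POLICIES, DES_PRINCIPAL_ID))
```

Feed it the real principal id from `az disk-encryption-set show --query identity.principalId` and the vault's access policies to confirm the fix before re-running `terraform apply`.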

Regarding azure - Terraform Azure provider - virtual machine encryption at rest, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/63774657/
