Terraform 在尝试为 Azure VM 启用磁盘加密时抛出以下错误
│ Error: Code=VMExtensionProvisioningError Message=VM has reported afailure when processing extension 'de-vm-conn-jb-1'. Error message:[2.2.0.45] Failed to configure bitlocker as expected. Exception:Invalid URI/subscriptions/xxxxxxxx-xx-xxx-573/resourceGroups/rg-connectivity-keyvault-centralus-001/providers/Microsoft.KeyVault/vaults/kv-conn-centralus-65/keys/des-key---/versions/xxxxx39e6,
key 保管库模块
# Identity executing this Terraform run; its tenant_id / object_id are reused
# by the vault and the access policy below.
data "azurerm_client_config" "current" {
}
# Key Vault holding the disk-encryption key material for this deployment.
resource "azurerm_key_vault" "key_vault" {
  # An explicit override wins; otherwise the name follows the naming scheme.
  name                = var.keyvault_name_override == "" ? "kv-${var.app_or_service_name}-${var.subscription_type}-${var.instance_number}" : var.keyvault_name_override
  location            = var.location
  resource_group_name = var.rg_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = var.sku
  tags                = var.tags

  # Feature toggles passed straight through from the caller.
  enabled_for_deployment          = var.enabled_for_deployment
  enabled_for_disk_encryption     = var.enabled_for_disk_encryption
  enabled_for_template_deployment = var.enabled_for_template_deployment
  enable_rbac_authorization       = var.enable_rbac_authorization

  # NOTE(review): a vault that backs azurerm_disk_encryption_set needs soft
  # delete and purge protection on; nothing here forces these inputs to true.
  purge_protection_enabled      = var.purge_protection_enabled
  soft_delete_retention_days    = var.soft_delete_retention_days
  public_network_access_enabled = var.enable_public_network_access

  # Deny by default; trusted Azure services (disk encryption among them) may
  # bypass. NOTE(review): the principal running this plan must still reach the
  # vault (ip_rules / private endpoint) or key creation below is refused — confirm.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
# Grants the principal running Terraform (data.azurerm_client_config) vault
# permissions so it can create the disk-encryption key below. Optional via
# grant_access_to_service_principal.
resource "azurerm_key_vault_access_policy" "kv-access-policy" {
  count = var.grant_access_to_service_principal == true ? 1 : 0

  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id

  # NOTE(review): this is far wider than key creation requires (Purge and full
  # certificate management included); consider trimming for least privilege.
  # Access policies are not consulted when the vault uses RBAC authorization.
  certificate_permissions = [
    "Backup",
    "Create",
    "Delete",
    "DeleteIssuers",
    "Get",
    "GetIssuers",
    "Import",
    "List",
    "ListIssuers",
    "ManageContacts",
    "ManageIssuers",
    "Purge",
    "Recover",
    "Restore",
    "SetIssuers",
    "Update",
  ]

  key_permissions = [
    "Backup",
    "Create",
    "Decrypt",
    "Delete",
    "Encrypt",
    "Get",
    "Import",
    "List",
    "Purge",
    "Recover",
    "Restore",
    "Sign",
    "UnwrapKey",
    "Update",
    "Verify",
    "WrapKey",
    "Release",
    "Rotate",
    "GetRotationPolicy",
    "SetRotationPolicy",
  ]

  secret_permissions = [
    "Backup",
    "Delete",
    "Get",
    "List",
    "Purge",
    "Recover",
    "Restore",
    "Set",
  ]

  depends_on = [azurerm_key_vault.key_vault]
}
# RSA key-encryption key (KEK) used to wrap the disk encryption keys.
# Created only when disk encryption is enabled for this vault.
resource "azurerm_key_vault_key" "vm-key" {
  count = var.enabled_for_disk_encryption == true ? 1 : 0

  key_vault_id = azurerm_key_vault.key_vault.id
  name         = "des-key-${var.app_or_service_name}-${var.subscription_type}-${var.instance_number}"
  key_type     = "RSA"
  key_size     = 2048

  # NOTE(review): a KEK used only for wrap/unwrap does not need
  # sign/verify/encrypt/decrypt; the set is left unchanged here.
  key_opts = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  # Key creation needs Create on the vault. When
  # grant_access_to_service_principal is false this dependency is empty and the
  # permission has to come from elsewhere — confirm before relying on it.
  depends_on = [azurerm_key_vault_access_policy.kv-access-policy]
}
# Disk encryption set that lets managed disks use the KEK above through its
# system-assigned identity (key access is granted in a separate policy).
resource "azurerm_disk_encryption_set" "en-set" {
  count = var.enabled_for_disk_encryption == true ? 1 : 0

  name                = "des_${var.app_or_service_name}_${var.subscription_type}_${var.instance_number}"
  location            = var.location
  resource_group_name = var.rg_name
  key_vault_key_id    = azurerm_key_vault_key.vm-key[0].id

  # Identity that later receives Get/WrapKey/UnwrapKey on the vault.
  # NOTE(review): the backing vault must have soft delete and purge protection
  # enabled for this resource to be accepted — check var.purge_protection_enabled.
  identity {
    type = "SystemAssigned"
  }

  depends_on = [azurerm_key_vault_key.vm-key]
}
# Minimal key access for the disk encryption set's managed identity:
# read the key and wrap/unwrap data-encryption keys, nothing more.
resource "azurerm_key_vault_access_policy" "kv-access-policy-des" {
  count = var.enabled_for_disk_encryption == true ? 1 : 0

  key_vault_id = azurerm_key_vault.key_vault.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = azurerm_disk_encryption_set.en-set[0].identity[0].principal_id

  key_permissions = ["Get", "WrapKey", "UnwrapKey"]

  depends_on = [azurerm_disk_encryption_set.en-set]
}
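# ARM resource id of the vault (KeyVaultResourceId / KekVaultResourceId for ADE).
output "keyvault_id" {
  description = "ARM resource id of the key vault."
  value       = azurerm_key_vault.key_vault.id
}

# Vault URI, consumed by the disk-encryption extension as KeyVaultURL.
output "keyvault_uri" {
  description = "Vault URI used by the disk-encryption extension as KeyVaultURL."
  value       = azurerm_key_vault.key_vault.vault_uri
}

# The Azure Disk Encryption extension expects KeyEncryptionKeyURL to be the
# Key Vault key URL (the key's `id` attribute), not its ARM `resource_id`.
# Exporting `resource_id` is what produced the
# "Invalid URI /subscriptions/..." provisioning failure, so export `id`.
# Stays null when disk encryption is disabled (count = 0) to avoid an index error.
output "diskencryption_key_uri" {
  description = "Versioned Key Vault URL of the KEK; null when disk encryption is off."
  value       = length(azurerm_key_vault_key.vm-key) > 0 ? azurerm_key_vault_key.vm-key[0].id : null
}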
VM 模块:上述 key 保管库模块的输出作为输入传递到 VM 模块,如下所述
VM 模块的定义如下(相关部分已突出显示)
# Computer name can be up to 15 characters
# Windows landing-zone VM; the short name pattern keeps the computer name
# within the length limit noted above.
resource "azurerm_windows_virtual_machine" "Lz_VM" {
  name                = "vm-${var.subscription_type}-${var.vm_type}-${var.instance_number}"
  resource_group_name = var.resource_group_name
  location            = var.location
  size                = "Standard_B2S"

  # NOTE(review): credentials arrive as variables but still end up in
  # Terraform state, so the state backend has to be treated as sensitive.
  admin_username = var.username
  admin_password = var.password

  # VM agent and extension operations stay on; the extensions defined for
  # this VM rely on them.
  provision_vm_agent         = true
  allow_extension_operations = true
  network_interface_ids      = [azurerm_network_interface.vm-nic.id]

  # Azure Disk Encryption (in-guest BitLocker) and encryption-at-host are not
  # combined: when ADE is requested, host encryption is forced off.
  encryption_at_host_enabled = var.enabled_for_disk_encryption == true ? false : var.encryption_at_host_enabled

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  source_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2016-Datacenter"
    version   = "latest"
  }

  # System-assigned managed identity for the VM itself.
  identity {
    type = "SystemAssigned"
  }

  tags = var.tags
}
# This extension is needed for other extensions
# Dependency agent; the monitoring agent below is ordered after it.
resource "azurerm_virtual_machine_extension" "daa-agent" {
  virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id

  name                 = "DependencyAgentWindows"
  publisher            = "Microsoft.Azure.Monitoring.DependencyAgent"
  type                 = "DependencyAgentWindows"
  type_handler_version = "9.10"

  # Let Azure roll the handler forward automatically.
  automatic_upgrade_enabled  = true
  auto_upgrade_minor_version = true
}
# Add logging and monitoring extensions
# Azure Monitor agent; explicitly sequenced after the dependency agent.
resource "azurerm_virtual_machine_extension" "monitor-agent" {
  virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id

  name                 = "AzureMonitorWindowsAgent"
  publisher            = "Microsoft.Azure.Monitor"
  type                 = "AzureMonitorWindowsAgent"
  type_handler_version = "1.5"

  # Let Azure roll the handler forward automatically.
  automatic_upgrade_enabled  = true
  auto_upgrade_minor_version = true

  depends_on = [azurerm_virtual_machine_extension.daa-agent]
}
# Legacy Log Analytics (MMA) agent. Only the workspace id goes into the public
# settings; the workspace key is a credential and is passed through
# protected_settings so it is not exposed as plain extension settings.
resource "azurerm_virtual_machine_extension" "omsagentwin" {
  virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id

  name                       = "OmsAgentForWindows"
  publisher                  = "Microsoft.EnterpriseCloud.Monitoring"
  type                       = "MicrosoftMonitoringAgent"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = true

  # Public (non-secret) configuration.
  settings = <<SETTINGS
{
"workspaceId": "${var.log_analytics_workspaceid}",
"azureResourceId": "${azurerm_windows_virtual_machine.Lz_VM.id}",
"stopOnMultipleConnections": "false"
}
SETTINGS

  # Secret configuration — keep the workspace key here, never in `settings`.
  protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey": "${var.log_analytics_workspace_key}"
}
PROTECTED_SETTINGS
}
# Guest Configuration (Azure Policy in-guest) extension.
resource "azurerm_virtual_machine_extension" "gc" {
  virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id

  name                       = "AzurePolicyforWindows"
  publisher                  = "Microsoft.GuestConfiguration"
  type                       = "ConfigurationforWindows"
  type_handler_version       = "1.0"
  auto_upgrade_minor_version = true
}
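# Azure Disk Encryption (in-guest BitLocker) with a customer-managed
# key-encryption key. Created only when disk encryption is requested.
resource "azurerm_virtual_machine_extension" "disk-encryption" {
  count = var.enabled_for_disk_encryption == true ? 1 : 0

  virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
  name               = "de-vm-${var.subscription_type}-${var.vm_type}-${var.instance_number}"
  publisher          = "Microsoft.Azure.Security"
  type               = "AzureDiskEncryption"
  # Quoted: the argument is a string, and a bare number would be converted
  # numerically (e.g. 2.10 becomes "2.1") before being sent to Azure.
  type_handler_version       = "2.2"
  auto_upgrade_minor_version = true

  # Public settings: these are URLs and resource ids, not secrets, so
  # `settings` (rather than `protected_settings`) is appropriate.
  # KeyEncryptionKeyURL must be the Key Vault *key URL* (the key resource's
  # `id`), not the key's ARM resource id — an ARM id here is rejected by the
  # extension as "Invalid URI".
  settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${var.keyvaultURL}",
"KeyVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionKeyURL": "${var.keyResourceURL}",
"KekVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS
}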
当以下变量替换为实际值时,效果非常好
"KeyVaultURL": "${var.keyvaultURL}",
"KeyVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionKeyURL": "${var.keyResourceURL}",
"KekVaultResourceId": "${var.keyvaultResourceId}",
更新:设置 OS_Disk 加密
key 保管库的输出
# Id of the disk encryption set, for use as os_disk.disk_encryption_set_id on
# the VM; null when disk encryption is disabled (the resource has count = 0).
output "disk_encryption_key_set_id" {
  value = length(azurerm_disk_encryption_set.en-set) == 0 ? null : azurerm_disk_encryption_set.en-set[0].id
}
在VM模块中
# Disk encryption set to attach to the OS disk; null means none is attached.
variable "disk_encryption_key_set_id" {
  description = "Id of the azurerm_disk_encryption_set for the OS disk, or null to attach none."
  type        = string
  default     = null
}
并像下面一样使用它
# Attach the customer-managed disk encryption set exported by the key-vault
# module (null when disk encryption is disabled there).
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
disk_encryption_set_id = var.disk_encryption_key_set_id
}
这样可以吗?
最佳答案
这个设置 block 对我来说适用于你的代码。
# KeyEncryptionKeyURL takes the key's Key Vault URL (`id`), not its ARM
# resource id. These direct resource references only resolve when the vault
# resources live in the same module as the extension.
settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${azurerm_key_vault.key_vault.vault_uri}",
"KeyVaultResourceId": "${azurerm_key_vault.key_vault.id}",
"KeyEncryptionKeyURL": "${azurerm_key_vault_key.vm-key[0].id}",
"KekVaultResourceId": "${azurerm_key_vault.key_vault.id}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS
由于我不知道模块引用的名称,无法替您确定;但按照您的命名方式,在 key 保管库模块中加入以下输出后:
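# ARM resource id of the vault (KeyVaultResourceId / KekVaultResourceId).
output "keyvault_id" {
  description = "ARM resource id of the key vault."
  value       = azurerm_key_vault.key_vault.id
}

# Vault URI (KeyVaultURL).
output "keyvault_uri" {
  description = "Vault URI used by the disk-encryption extension as KeyVaultURL."
  value       = azurerm_key_vault.key_vault.vault_uri
}

# CHANGED: export the key's Key Vault URL (`id`), which is what the extension
# expects for KeyEncryptionKeyURL, instead of the ARM `resource_id`.
# The stray "." after `.id` in the original snippet is a syntax error, and
# indexing [0] on a count = 0 resource fails, so the length() guard is kept.
output "diskencryption_key_uri" {
  description = "Versioned Key Vault URL of the KEK; null when disk encryption is off."
  value       = length(azurerm_key_vault_key.vm-key) > 0 ? azurerm_key_vault_key.vm-key[0].id : null
}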
在您的 key_vault 模块中,可以按如下方式调整:
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${module.<module_name>.keyvault_uri}",
"KeyVaultResourceId": "${module.<module_name>.keyvault_id}",
"KeyEncryptionKeyURL": "${module.<module_name>.diskencryption_key_uri}",
"KekVaultResourceId": "${module.<module_name>.keyvault_id}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
成功执行 apply 时的参考输出:
azurerm_windows_virtual_machine.Lz_VM: Modifications complete after 47s [id=/subscriptions/yoursubscriptionid/resourceGroups/rg-kv-stackoverflow/providers/Microsoft.Compute/virtualMachines/vm-stackoverflow-001]
azurerm_virtual_machine_extension.disk-encryption[0]: Creating...
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [10s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [20s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [30s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [40s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [50s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m0s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m10s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m20s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m30s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m40s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m50s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [2m0s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Creation complete after 2m3s [id=/subscriptions/yoursubscriptionid/resourceGroups/rg-kv-stackoverflow/providers/Microsoft.Compute/virtualMachines/vm-stackoverflow-001/ext
但是,我建议使用 azurerm_disk_encryption_set,并通过虚拟机 os_disk block 中的 disk_encryption_set_id 属性对 os_disk 进行加密。
示例:
resource "azurerm_windows_virtual_machine" "Lz_VM" {
[.....]
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
disk_encryption_set_id = var.disk_encryption_set_id ## pass this from KV module, need one more output on KV module.
}
[....]
我希望这有帮助。