Terraform throws the following error when trying to enable disk encryption for an Azure VM:
│ Error: Code=VMExtensionProvisioningError Message=VM has reported a failure when processing extension 'de-vm-conn-jb-1'. Error message: [2.2.0.45] Failed to configure bitlocker as expected. Exception: Invalid URI /subscriptions/xxxxxxxx-xx-xxx-573/resourceGroups/rg-connectivity-keyvault-centralus-001/providers/Microsoft.KeyVault/vaults/kv-conn-centralus-65/keys/des-key---/versions/xxxxx39e6,
Key Vault module:
data "azurerm_client_config" "current" {}
resource "azurerm_key_vault" "key_vault" {
name = var.keyvault_name_override != "" ? var.keyvault_name_override : "kv-${var.app_or_service_name}-${var.subscription_type}-${var.instance_number}"
location = var.location
resource_group_name = var.rg_name
tenant_id = data.azurerm_client_config.current.tenant_id
enabled_for_deployment = var.enabled_for_deployment
enabled_for_disk_encryption = var.enabled_for_disk_encryption
enabled_for_template_deployment = var.enabled_for_template_deployment
enable_rbac_authorization = var.enable_rbac_authorization
purge_protection_enabled = var.purge_protection_enabled
soft_delete_retention_days = var.soft_delete_retention_days
sku_name = var.sku
tags = var.tags
public_network_access_enabled = var.enable_public_network_access
network_acls {
bypass = "AzureServices"
default_action = "Deny"
}
}
resource "azurerm_key_vault_access_policy" "kv-access-policy" {
count = var.grant_access_to_service_principal == true ? 1 : 0
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
"Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update",
]
key_permissions = [
"Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "Release", "Rotate", "GetRotationPolicy", "SetRotationPolicy",
]
secret_permissions = [
"Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set",
]
depends_on = [
azurerm_key_vault.key_vault
]
}
resource "azurerm_key_vault_key" "vm-key" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
name = "des-key-${var.app_or_service_name}-${var.subscription_type}-${var.instance_number}"
key_vault_id = azurerm_key_vault.key_vault.id
key_type = "RSA"
key_size = 2048
depends_on = [
azurerm_key_vault_access_policy.kv-access-policy
]
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
resource "azurerm_disk_encryption_set" "en-set" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
name = "des_${var.app_or_service_name}_${var.subscription_type}_${var.instance_number}"
resource_group_name = var.rg_name
location = var.location
key_vault_key_id = azurerm_key_vault_key.vm-key[0].id
identity {
type = "SystemAssigned"
}
depends_on = [
azurerm_key_vault_key.vm-key
]
}
resource "azurerm_key_vault_access_policy" "kv-access-policy-des" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_disk_encryption_set.en-set[0].identity.0.principal_id
key_permissions = [
"Get",
"WrapKey",
"UnwrapKey"
]
depends_on = [
azurerm_disk_encryption_set.en-set
]
}
output "keyvault_id" {
value = azurerm_key_vault.key_vault.id
}
output "keyvault_uri" {
value = azurerm_key_vault.key_vault.vault_uri
}
output "diskencryption_key_uri" {
value = length(azurerm_key_vault_key.vm-key) > 0 ? azurerm_key_vault_key.vm-key[0].resource_id : null
}
VM module: the outputs of the Key Vault module above are passed as inputs to the VM module, as described below.
The VM module is defined as highlighted below:
# Computer name can be up to 15 characters
resource "azurerm_windows_virtual_machine" "Lz_VM" {
name = "vm-${var.subscription_type}-${var.vm_type}-${var.instance_number}"
resource_group_name = var.resource_group_name
location = var.location
size = "Standard_B2S"
admin_username = var.username
admin_password = var.password
provision_vm_agent = true
allow_extension_operations = true
network_interface_ids = [azurerm_network_interface.vm-nic.id]
encryption_at_host_enabled = var.enabled_for_disk_encryption == true ? false : var.encryption_at_host_enabled
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}
identity {
type = "SystemAssigned"
}
tags = var.tags
}
# This extension is needed for other extensions
resource "azurerm_virtual_machine_extension" "daa-agent" {
name = "DependencyAgentWindows"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentWindows"
type_handler_version = "9.10"
automatic_upgrade_enabled = true
auto_upgrade_minor_version = true
}
# Add logging and monitoring extensions
resource "azurerm_virtual_machine_extension" "monitor-agent" {
depends_on = [ azurerm_virtual_machine_extension.daa-agent ]
name = "AzureMonitorWindowsAgent"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.Azure.Monitor"
type = "AzureMonitorWindowsAgent"
type_handler_version = "1.5"
automatic_upgrade_enabled = true
auto_upgrade_minor_version = true
}
resource "azurerm_virtual_machine_extension" "omsagentwin" {
name = "OmsAgentForWindows"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "MicrosoftMonitoringAgent"
type_handler_version = "1.0"
auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"workspaceId": "${var.log_analytics_workspaceid}",
"azureResourceId": "${azurerm_windows_virtual_machine.Lz_VM.id}",
"stopOnMultipleConnections": "false"
}
SETTINGS
protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey": "${var.log_analytics_workspace_key}"
}
PROTECTED_SETTINGS
}
resource "azurerm_virtual_machine_extension" "gc" {
name = "AzurePolicyforWindows"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.GuestConfiguration"
type = "ConfigurationforWindows"
type_handler_version = "1.0"
auto_upgrade_minor_version = true
}
resource "azurerm_virtual_machine_extension" "disk-encryption" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
name = "de-vm-${var.subscription_type}-${var.vm_type}-${var.instance_number}"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.Azure.Security"
type = "AzureDiskEncryption"
type_handler_version = "2.2"
auto_upgrade_minor_version = true
settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${var.keyvaultURL}",
"KeyVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionKeyURL": "${var.keyResourceURL}",
"KekVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS
}
It works perfectly when the following variables are replaced with actual values:
"KeyVaultURL": "${var.keyvaultURL}",
"KeyVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionKeyURL": "${var.keyResourceURL}",
"KekVaultResourceId": "${var.keyvaultResourceId}",
Update: setting up OS disk encryption
Key Vault output:
output "disk_encryption_key_set_id" {
value = length(azurerm_disk_encryption_set.en-set) > 0 ? azurerm_disk_encryption_set.en-set[0].id : null
}
In the VM module:
variable "disk_encryption_key_set_id" {
type = string
default = null
}
and use it as follows:
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
disk_encryption_set_id = var.disk_encryption_key_set_id
}
Is this OK?
Accepted answer
This settings block works for me with your code.
settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${azurerm_key_vault.key_vault.vault_uri}",
"KeyVaultResourceId": "${azurerm_key_vault.key_vault.id}",
"KeyEncryptionKeyURL": "${azurerm_key_vault_key.vm-key[0].id}",
"KekVaultResourceId": "${azurerm_key_vault.key_vault.id}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS
Since I don't have the name of the module reference, I can't decide it myself, but based on your naming scheme, after you have the following outputs in the Key Vault module:
output "keyvault_id" {
value = azurerm_key_vault.key_vault.id
}
output "keyvault_uri" {
value = azurerm_key_vault.key_vault.vault_uri
}
output "diskencryption_key_uri" {
value = azurerm_key_vault_key.vm-key[0].id # <<----CHANGED--->>
}
in your key_vault module it can be adjusted as follows:
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${module.<module_name>.keyvault_uri}",
"KeyVaultResourceId": "${module.<module_name>.keyvault_id}",
"KeyEncryptionKeyURL": "${module.<module_name>.diskencryption_key_uri}",
"KekVaultResourceId": "${module.<module_name>.keyvault_id}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
Reference of a successful apply:
azurerm_windows_virtual_machine.Lz_VM: Modifications complete after 47s [id=/subscriptions/yoursubscriptionid/resourceGroups/rg-kv-stackoverflow/providers/Microsoft.Compute/virtualMachines/vm-stackoverflow-001]
azurerm_virtual_machine_extension.disk-encryption[0]: Creating...
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [10s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [20s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [30s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [40s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [50s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m0s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m10s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m20s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m30s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m40s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m50s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [2m0s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Creation complete after 2m3s [id=/subscriptions/yoursubscriptionid/resourceGroups/rg-kv-stackoverflow/providers/Microsoft.Compute/virtualMachines/vm-stackoverflow-001/ext
However, I would recommend using azurerm_disk_encryption_set, and you can even use the disk_encryption_set_id attribute in the os_disk block to encrypt the VM's os_disk.
Example:
resource "azurerm_windows_virtual_machine" "Lz_VM" {
[.....]
os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
disk_encryption_set_id = var.disk_encryption_set_id ## pass this from KV module, need one more output on KV module.
}
[....]
}
I hope this helps.
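The failure in the question comes down to an identifier mix-up: `azurerm_key_vault_key.resource_id` is the ARM control-plane path (`/subscriptions/.../keys/<name>/versions/<version>`), while the AzureDiskEncryption extension expects `KeyEncryptionKeyURL` to be the Key Vault data-plane URI that `.id` exports (`https://<vault>.vault.azure.net/keys/<name>/<version>`), which is exactly what the accepted answer switches to. The following is an added example, not code from the question, the answer or the Terraform provider: a small Python pre-apply check that inspects a rendered ADE `settings` document and reports any field carrying the wrong kind of identifier, plus a cross-check that the KEK actually lives in the vault named by `KekVaultResourceId`. The vault names, subscription id and key version are constructed sample values; the 32-hex-character key version format is an assumption about how Key Vault issues versions.

```python
import json
import re
from urllib.parse import urlparse

# Added example (not from the question, the answer or the azurerm provider).
# Shapes the AzureDiskEncryption extension expects:
#   *URL fields        -> Key Vault data-plane URIs (vault_uri / key .id)
#   *ResourceId fields -> ARM resource IDs of the vault (vault .id)
# Assumption: Key Vault key versions are 32 hex characters.
VAULT_URI_RE = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/?$", re.I)
KEY_URI_RE = re.compile(
    r"^https://[a-z0-9-]+\.vault\.azure\.net/keys/[^/]+/[0-9a-f]{32}$", re.I)
VAULT_ARM_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.KeyVault/vaults/[^/]+$", re.I)

EXPECTED = {
    "KeyVaultURL": VAULT_URI_RE,
    "KeyVaultResourceId": VAULT_ARM_RE,
    "KeyEncryptionKeyURL": KEY_URI_RE,
    "KekVaultResourceId": VAULT_ARM_RE,
}


def vault_name_from_uri(uri):
    """'https://kv-x.vault.azure.net/keys/...' -> 'kv-x'."""
    return urlparse(uri).hostname.split(".")[0].lower()


def vault_name_from_arm_id(arm_id):
    """'/subscriptions/.../vaults/kv-x' -> 'kv-x'."""
    return arm_id.rsplit("/", 1)[-1].lower()


def check_ade_settings(settings_json):
    """Return a list of problems in an ADE settings document; empty means OK."""
    settings = json.loads(settings_json)
    problems = []
    for field, pattern in EXPECTED.items():
        value = settings.get(field)
        if not isinstance(value, str) or not value:
            problems.append(f"{field}: missing or empty")
        elif pattern.match(value):
            continue
        elif value.startswith("/subscriptions/") and pattern is not VAULT_ARM_RE:
            # The mistake behind "Invalid URI /subscriptions/..." in the question.
            problems.append(f"{field}: ARM resource ID given where a Key Vault URI "
                            "is required (use .id / .vault_uri, not .resource_id)")
        elif value.startswith("https://") and pattern is VAULT_ARM_RE:
            problems.append(f"{field}: Key Vault URI given where an ARM resource ID is required")
        else:
            problems.append(f"{field}: unrecognised value {value!r}")
    # Cross-check: the KEK must live in the vault that KekVaultResourceId names.
    kek_url = settings.get("KeyEncryptionKeyURL", "")
    kek_vault = settings.get("KekVaultResourceId", "")
    if KEY_URI_RE.match(kek_url) and VAULT_ARM_RE.match(kek_vault):
        if vault_name_from_uri(kek_url) != vault_name_from_arm_id(kek_vault):
            problems.append("KeyEncryptionKeyURL/KekVaultResourceId: key and vault do not match")
    return problems


# Constructed sample values (not real resources).
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-example/providers/Microsoft.KeyVault/vaults/kv-example-01")
OTHER_VAULT_ID = VAULT_ID.rsplit("/", 1)[0] + "/kv-other-02"
KEY_VERSION = "0123456789abcdef0123456789abcdef"


def _settings(kek_url, kek_vault):
    return json.dumps({
        "EncryptionOperation": "EnableEncryption",
        "KeyVaultURL": "https://kv-example-01.vault.azure.net/",
        "KeyVaultResourceId": VAULT_ID,
        "KeyEncryptionKeyURL": kek_url,
        "KekVaultResourceId": kek_vault,
        "KeyEncryptionAlgorithm": "RSA-OAEP",
        "VolumeType": "All",
    })


# What the question's module rendered: .resource_id used as the KEK URL.
WRONG_SETTINGS = _settings(VAULT_ID + "/keys/des-key-example/versions/" + KEY_VERSION, VAULT_ID)
# What the accepted answer renders: the key's .id (data-plane URI).
FIXED_SETTINGS = _settings(
    "https://kv-example-01.vault.azure.net/keys/des-key-example/" + KEY_VERSION, VAULT_ID)
# Right shapes, but the KEK and the KEK vault disagree.
MISMATCHED_SETTINGS = _settings(
    "https://kv-example-01.vault.azure.net/keys/des-key-example/" + KEY_VERSION, OTHER_VAULT_ID)

if __name__ == "__main__":
    for label, doc in [("wrong", WRONG_SETTINGS), ("fixed", FIXED_SETTINGS),
                       ("mismatched", MISMATCHED_SETTINGS)]:
        print(label, check_ade_settings(doc) or "OK")
```

Feed it the JSON that Terraform renders for the extension (for example the `settings` value shown in `terraform plan`); the same shape test for the KEK URL can also be expressed as a `validation` block with `can(regex(...))` on the module's input variable, so the mix-up is rejected at plan time instead of surfacing as a provisioning error on the VM.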
Regarding "Azure VM disk encryption: Failed to configure bitlocker as expected. Exception: Invalid URI", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/75044657/