gpt4 book ai didi

Azure VM 磁盘加密 : Failed to configure bitlocker as expected. 异常:无效 URI

转载 作者:行者123 更新时间:2023-12-03 06:34:16 26 4
gpt4 key购买 nike

Terraform 在尝试为 Azure VM 启用磁盘加密时抛出以下错误

│ Error: Code=VMExtensionProvisioningError Message=VM has reported afailure when processing extension 'de-vm-conn-jb-1'. Error message:[2.2.0.45] Failed to configure bitlocker as expected. Exception:Invalid URI/subscriptions/xxxxxxxx-xx-xxx-573/resourceGroups/rg-connectivity-keyvault-centralus-001/providers/Microsoft.KeyVault/vaults/kv-conn-centralus-65/keys/des-key---/versions/xxxxx39e6,

key 保管库模块

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "key_vault" {
name = var.keyvault_name_override != "" ? var.keyvault_name_override : "kv-${var.app_or_service_name}-${var.subscription_type}-${var.instance_number}"
location = var.location
resource_group_name = var.rg_name
tenant_id = data.azurerm_client_config.current.tenant_id
enabled_for_deployment = var.enabled_for_deployment
enabled_for_disk_encryption = var.enabled_for_disk_encryption
enabled_for_template_deployment = var.enabled_for_template_deployment
enable_rbac_authorization = var.enable_rbac_authorization
purge_protection_enabled = var.purge_protection_enabled
soft_delete_retention_days = var.soft_delete_retention_days
sku_name = var.sku
tags = var.tags
public_network_access_enabled = var.enable_public_network_access

network_acls {
bypass = "AzureServices"
default_action = "Deny"
}
}

resource "azurerm_key_vault_access_policy" "kv-access-policy" {
count = var.grant_access_to_service_principal == true ? 1 : 0
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id

certificate_permissions = [
"Backup", "Create", "Delete", "DeleteIssuers", "Get", "GetIssuers", "Import", "List", "ListIssuers", "ManageContacts", "ManageIssuers", "Purge", "Recover", "Restore", "SetIssuers", "Update",
]

key_permissions = [
"Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "Release", "Rotate", "GetRotationPolicy", "SetRotationPolicy",
]

secret_permissions = [
"Backup", "Delete", "Get", "List", "Purge", "Recover", "Restore", "Set",
]

depends_on = [
azurerm_key_vault.key_vault
]
}

resource "azurerm_key_vault_key" "vm-key" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
name = "des-key-${var.app_or_service_name}-${var.subscription_type}-${var.instance_number}"
key_vault_id = azurerm_key_vault.key_vault.id
key_type = "RSA"
key_size = 2048

depends_on = [
azurerm_key_vault_access_policy.kv-access-policy
]

key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}

resource "azurerm_disk_encryption_set" "en-set" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
name = "des_${var.app_or_service_name}_${var.subscription_type}_${var.instance_number}"
resource_group_name = var.rg_name
location = var.location
key_vault_key_id = azurerm_key_vault_key.vm-key[0].id

identity {
type = "SystemAssigned"
}

depends_on = [
azurerm_key_vault_key.vm-key
]
}

resource "azurerm_key_vault_access_policy" "kv-access-policy-des" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
key_vault_id = azurerm_key_vault.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = azurerm_disk_encryption_set.en-set[0].identity.0.principal_id

key_permissions = [
"Get",
"WrapKey",
"UnwrapKey"
]

depends_on = [
azurerm_disk_encryption_set.en-set
]
}

output "keyvault_id" {
value = azurerm_key_vault.key_vault.id
}

output "keyvault_uri" {
value = azurerm_key_vault.key_vault.vault_uri
}

output "diskencryption_key_uri" {
value = length(azurerm_key_vault_key.vm-key) > 0 ? azurerm_key_vault_key.vm-key[0].resource_id : null
}

VM 模块:上述 key 保管库模块的输出作为输入传递到 VM 模块,如下所述

  1. keyvault_uri 作为 KeyVaultURL 提供
  2. keyvault_id 作为 KeyVaultResourceID 提供
  3. diskencryption_key_uri 作为 KeyEncryptionKeyURL 提供
  4. keyvault_id 作为 KekVaultResourceId 提供

VM 模块定义如下突出显示

# Computer name can be up to 15 characters
resource "azurerm_windows_virtual_machine" "Lz_VM" {
name = "vm-${var.subscription_type}-${var.vm_type}-${var.instance_number}"
resource_group_name = var.resource_group_name
location = var.location
size = "Standard_B2S"
admin_username = var.username
admin_password = var.password
provision_vm_agent = true
allow_extension_operations = true
network_interface_ids = [azurerm_network_interface.vm-nic.id]
encryption_at_host_enabled = var.enabled_for_disk_encryption == true ? false : var.encryption_at_host_enabled

os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}

source_image_reference {
publisher = "MicrosoftWindowsServer"
offer = "WindowsServer"
sku = "2016-Datacenter"
version = "latest"
}

identity {
type = "SystemAssigned"
}

tags = var.tags
}

# This extension is needed for other extensions
resource "azurerm_virtual_machine_extension" "daa-agent" {
name = "DependencyAgentWindows"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.Azure.Monitoring.DependencyAgent"
type = "DependencyAgentWindows"
type_handler_version = "9.10"
automatic_upgrade_enabled = true
auto_upgrade_minor_version = true
}

# Add logging and monitoring extensions
resource "azurerm_virtual_machine_extension" "monitor-agent" {
depends_on = [ azurerm_virtual_machine_extension.daa-agent ]
name = "AzureMonitorWindowsAgent"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.Azure.Monitor"
type = "AzureMonitorWindowsAgent"
type_handler_version = "1.5"
automatic_upgrade_enabled = true
auto_upgrade_minor_version = true
}

resource "azurerm_virtual_machine_extension" "omsagentwin" {
name = "OmsAgentForWindows"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.EnterpriseCloud.Monitoring"
type = "MicrosoftMonitoringAgent"
type_handler_version = "1.0"
auto_upgrade_minor_version = true

settings = <<SETTINGS
{
"workspaceId": "${var.log_analytics_workspaceid}",
"azureResourceId": "${azurerm_windows_virtual_machine.Lz_VM.id}",
"stopOnMultipleConnections": "false"
}
SETTINGS

protected_settings = <<PROTECTED_SETTINGS
{
"workspaceKey": "${var.log_analytics_workspace_key}"
}
PROTECTED_SETTINGS
}
resource "azurerm_virtual_machine_extension" "gc" {
name = "AzurePolicyforWindows"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.GuestConfiguration"
type = "ConfigurationforWindows"
type_handler_version = "1.0"
auto_upgrade_minor_version = true
}

resource "azurerm_virtual_machine_extension" "disk-encryption" {
count = var.enabled_for_disk_encryption == true ? 1 : 0
name = "de-vm-${var.subscription_type}-${var.vm_type}-${var.instance_number}"
virtual_machine_id = azurerm_windows_virtual_machine.Lz_VM.id
publisher = "Microsoft.Azure.Security"
type = "AzureDiskEncryption"
type_handler_version = 2.2
auto_upgrade_minor_version = true

settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${var.keyvaultURL}",
"KeyVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionKeyURL": "${var.keyResourceURL}",
"KekVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS
}

当以下变量替换为实际值时,效果非常好

"KeyVaultURL": "${var.keyvaultURL}",
"KeyVaultResourceId": "${var.keyvaultResourceId}",
"KeyEncryptionKeyURL": "${var.keyResourceURL}",
"KekVaultResourceId": "${var.keyvaultResourceId}",

更新:设置 OS_Disk 加密

key 保管库的输出

output "disk_encryption_key_set_id" {
value = length(azurerm_disk_encryption_set.en-set) > 0 ? azurerm_disk_encryption_set.en-set[0].id : null
}

在VM模块中

variable "disk_encryption_key_set_id" {
type = string
default = null
}

并像下面一样使用它

  os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
disk_encryption_set_id = var.disk_encryption_key_set_id
}

这样可以吗?

最佳答案

这个设置 block 对我来说适用于你的代码。

  settings = <<SETTINGS
{
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${azurerm_key_vault.key_vault.vault_uri}",
"KeyVaultResourceId": "${azurerm_key_vault.key_vault.id}",
"KeyEncryptionKeyURL": "${azurerm_key_vault_key.vm-key[0].id}",
"KekVaultResourceId": "${azurerm_key_vault.key_vault.id}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}
SETTINGS

由于我没有模块引用的名称,因此无法自己决定,但根据您的命名架构,在 key 保管库模块中获得以下输出后。

output "keyvault_id" {
value = azurerm_key_vault.key_vault.id
}
output "keyvault_uri" {
value = azurerm_key_vault.key_vault.vault_uri
}
output "diskencryption_key_uri" {
value = azurerm_key_vault_key.vm-key[0].id. #<<----CHANGED--->>#
}

在您的key_vault模块中,可以按如下方式调整:

    {
"EncryptionOperation": "EnableEncryption",
"KeyVaultURL": "${module.<module_name>.keyvault_uri}",
"KeyVaultResourceId": "${module.<module_name>.keyvault_id}",
"KeyEncryptionKeyURL": "${module.<module_name>.diskencryption_key_uri}",
"KekVaultResourceId": "${module.<module_name>.keyvault_id}",
"KeyEncryptionAlgorithm": "RSA-OAEP",
"VolumeType": "All"
}

引用成功申请

azurerm_windows_virtual_machine.Lz_VM: Modifications complete after 47s [id=/subscriptions/yoursubscriptionid/resourceGroups/rg-kv-stackoverflow/providers/Microsoft.Compute/virtualMachines/vm-stackoverflow-001]
azurerm_virtual_machine_extension.disk-encryption[0]: Creating...
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [10s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [20s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [30s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [40s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [50s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m0s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m10s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m20s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m30s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m40s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [1m50s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Still creating... [2m0s elapsed]
azurerm_virtual_machine_extension.disk-encryption[0]: Creation complete after 2m3s [id=/subscriptions/yoursubscriptionid/resourceGroups/rg-kv-stackoverflow/providers/Microsoft.Compute/virtualMachines/vm-stackoverflow-001/ext

但是

我建议使用azurerm_disk_encryption_set甚至可以使用 disk_encryption_set_id 对虚拟机进行 os_disk 加密os_disk block 中的属性。

示例:

resource "azurerm_windows_virtual_machine" "Lz_VM" {
[.....]

os_disk {
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
disk_encryption_set_id = var.disk_encryption_set_id ## pass this from KV module, need one more output on KV module.
}
[....]

我希望这有帮助。

关于Azure VM 磁盘加密 : Failed to configure bitlocker as expected. 异常:无效 URI,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/75044657/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com