
Terraform Azure provider - VM encryption at rest

How to solve: Terraform Azure provider - VM encryption at rest

I'm getting an error when trying to set up a VM with Key Vault. Here is the part of the code I think is relevant.

resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt","encrypt","sign","unwrapKey","verify","wrapKey",]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
  
  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = "${azurerm_key_vault.example.id}"

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create","get","list","wrapkey","unwrapkey",]
  secret_permissions = [
    "get",]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}

Here is the error I get:

Error: creating Linux Virtual Machine "example-vm" (Resource Group "encryption resources"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="keyvaultAccessForbidden" Message="Cannot access Key Vault resource 'https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/*****' for enabling encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'. Please visit https://aka.ms/keyvaultaccessssecmk for more information."

Where and how should I add the permissions?

Solution

As the error says: Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'.

Add the following snippet:

# grant the Managed Identity of the Disk Encryption Set access to Read Data from Key Vault
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = azurerm_key_vault.example.id

  key_permissions = [
    "get","wrapkey","unwrapkey",]

  tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
}


# grant the Managed Identity of the Disk Encryption Set "Reader" access to the Key Vault
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
}

See the documentation for azurerm_key_vault_access_policy and azurerm_role_assignment for more information.

Update -

The issue was related to not specifying the correct object_id. Later on, the machine used to build the Terraform lost the SSH key file path (e.g. "~/.ssh/id_rsa.pub"). Fixed by running:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

After that, the Key Vault permissions were missing the access policy for the Terraform user.

Apart from that, the order of the resources was mixed up. Fixed it into a more sensible order.

The complete and working code can be found here.


As Amit Baranes pointed out, you need to set an access policy for the encryption set.

In your example above, you grant access to the Key Vault through an access policy for the client ID from the data source. The encryption set's identity, however, only gets read access to the vault through the role.

Hidden here in the AzureRM VM resource docs:

Note: The Disk Encryption Set must have the Reader Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault.

You need to make sure you grant both the Reader role and an access policy to the encryption set's identity.

The complete block could look like the following, where we give both your service principal and the identity access to the vault through access policies. We also keep the Reader role:

resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"

  identity {
    type = "SystemAssigned"
  }
}

# access policy for the principal running Terraform (it creates and reads the key)
resource "azurerm_key_vault_access_policy" "service-principal" {
  key_vault_id = "${azurerm_key_vault.example.id}"

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create", "get", "list",
  ]
  secret_permissions = [
    "get",
  ]
}

# access policy for the disk encryption set's managed identity: the VM create call
# fails with keyvaultAccessForbidden unless this identity can get, wrap and unwrap the key
resource "azurerm_key_vault_access_policy" "encryption-set" {
  key_vault_id = "${azurerm_key_vault.example.id}"

  tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id = azurerm_disk_encryption_set.example.identity.0.principal_id

  key_permissions = [
    "get", "wrapkey", "unwrapkey",
  ]
}

# Reader role scoped to the vault, required in addition to the access policy
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}

You may want to reduce the service principal's access, but I've kept it as is for now.
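A check for the two requirements both answers describe (an access policy granting the disk encryption set's identity get, wrapKey and unwrapKey on the key's vault, plus a Reader role assignment scoped to that vault), written as an added example that is not part of either answer or of the azurerm provider. It reads the JSON that `terraform show -json` prints for a state file (or a plan in which the disk encryption set and policies already carry known values) and reports every disk encryption set whose identity lacks either grant. The `check_disk_encryption_sets` and `sample_state` helpers are hypothetical tooling; the resource IDs, GUIDs and sample state below are constructed placeholders, and the Reader role GUID is the Azure built-in one.

```python
"""Offline check: can a Disk Encryption Set's managed identity use its Key Vault key?

Input: the JSON printed by `terraform show -json`. For every azurerm_disk_encryption_set
it verifies that (1) an azurerm_key_vault_access_policy on the key's vault grants the DES
identity (object_id == identity.principal_id) get + wrapKey + unwrapKey, and (2) an
azurerm_role_assignment gives that identity "Reader" scoped to the vault.
Hypothetical tooling, not part of the azurerm provider; the sample input is constructed.
"""
import json
import sys
from urllib.parse import urlparse

REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}
# GUID of the Azure built-in "Reader" role, for assignments made by role_definition_id.
READER_ROLE_GUID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"


def _norm(value):
    return (value or "").strip().lower()


def vault_name_from_id(vault_id):
    """'/subscriptions/.../vaults/tf-keyvault-example' -> 'tf-keyvault-example'."""
    return _norm(vault_id).rstrip("/").rsplit("/", 1)[-1]


def vault_name_from_key_uri(key_uri):
    """'https://tf-keyvault-example.vault.azure.net/keys/k/v' -> 'tf-keyvault-example'."""
    return (urlparse(key_uri or "").hostname or "").split(".", 1)[0].lower()


def walk_resources(module):
    """Yield managed resources of a module and, recursively, of its child modules."""
    for res in module.get("resources", []):
        if res.get("mode", "managed") == "managed":
            yield res
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def check_disk_encryption_sets(show_json):
    """Return [(des_address, [problem, ...])]; an empty problem list means the DES is OK."""
    root = (show_json.get("values") or show_json.get("planned_values") or {}).get("root_module", {})
    resources = list(walk_resources(root))
    policies = [r["values"] for r in resources if r["type"] == "azurerm_key_vault_access_policy"]
    roles = [r["values"] for r in resources if r["type"] == "azurerm_role_assignment"]
    report = []
    for des in (r for r in resources if r["type"] == "azurerm_disk_encryption_set"):
        v, problems = des["values"], []
        principal = _norm((v.get("identity") or [{}])[0].get("principal_id"))
        vault = vault_name_from_key_uri(v.get("key_vault_key_id"))
        if not principal:
            problems.append("no system-assigned identity (identity.principal_id is empty)")
        if not vault:
            problems.append("key_vault_key_id is not a Key Vault key URI")
        if problems:
            report.append((des["address"], problems))
            continue
        # 1. Union of the key permissions every policy on this vault grants to the DES principal.
        granted = set()
        for p in policies:
            if _norm(p.get("object_id")) == principal and vault_name_from_id(p.get("key_vault_id")) == vault:
                granted |= {_norm(x) for x in p.get("key_permissions") or []}
        missing = REQUIRED_KEY_PERMS - granted
        if missing:
            problems.append(f"access policy on vault '{vault}' missing key permissions {sorted(missing)}")
        # 2. Reader scoped to the vault itself (an assignment inherited from the RG is not recognised).
        has_reader = any(
            _norm(r.get("principal_id")) == principal
            and vault_name_from_id(r.get("scope")) == vault
            and (_norm(r.get("role_definition_name")) == "reader"
                 or _norm(r.get("role_definition_id")).endswith(READER_ROLE_GUID))
            for r in roles)
        if not has_reader:
            problems.append(f"no 'Reader' role assignment for the identity scoped to vault '{vault}'")
        report.append((des["address"], problems))
    return report


# Constructed sample in the shape of `terraform show -json`; every ID and GUID is a placeholder.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
            "/providers/Microsoft.KeyVault/vaults/tf-keyvault-example")
KEY_ID = "https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/0123456789abcdef0123456789abcdef"
DEPLOYER_OID = "11111111-1111-1111-1111-111111111111"   # principal running terraform (azurerm_client_config)
DES_PRINCIPAL = "22222222-2222-2222-2222-222222222222"  # system-assigned identity of the disk encryption set


def _res(rtype, name, values):
    return {"address": f"{rtype}.{name}", "mode": "managed", "type": rtype, "name": name, "values": values}


def sample_state(fixed):
    """fixed=False mirrors the question (policy only for the deployer); fixed=True adds the answers' policy."""
    resources = [
        _res("azurerm_disk_encryption_set", "example",
             {"name": "example-set", "key_vault_key_id": KEY_ID,
              "identity": [{"type": "SystemAssigned", "principal_id": DES_PRINCIPAL}]}),
        _res("azurerm_key_vault_access_policy", "service-principal",
             {"key_vault_id": VAULT_ID, "object_id": DEPLOYER_OID,
              "key_permissions": ["create", "get", "list", "wrapkey", "unwrapkey"]}),
        _res("azurerm_role_assignment", "disk-encryption-read-keyvault",
             {"scope": VAULT_ID, "role_definition_name": "Reader", "principal_id": DES_PRINCIPAL}),
    ]
    if fixed:  # provider versions differ in permission casing ("Get" vs "get"); the check ignores case
        resources.append(_res("azurerm_key_vault_access_policy", "encryption-set",
                              {"key_vault_id": VAULT_ID, "object_id": DES_PRINCIPAL,
                               "key_permissions": ["Get", "WrapKey", "UnwrapKey"]}))
    return {"format_version": "1.0", "values": {"root_module": {"resources": resources}}}


if __name__ == "__main__":
    # Usage: terraform show -json > state.json && python check_des.py state.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_state(fixed=False)
    for address, problems in check_disk_encryption_sets(doc):
        print(address, "OK" if not problems else "\n  - " + "\n  - ".join(problems))
```

Run without arguments it evaluates the constructed state that mirrors the question's configuration and flags the missing get/wrapKey/unwrapKey grant for the disk encryption set's identity, which is exactly what the keyvaultAccessForbidden error complains about; with a path to real `terraform show -json` output it checks every disk encryption set in the state, including those in child modules. The permission comparison is case-insensitive because older and newer azurerm provider versions spell the permission names differently.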
