Terraform Azure provider - VM encryption at rest
I am getting an error while trying to set up a VM using Key Vault. Here is the part of the code I think is relevant.
resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = "${azurerm_key_vault.example.id}"
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}
Here is the error I get:
Error: Error creating Linux Virtual Machine "example-vm" (Resource
Group "Encrypt-resources"):
compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request:
StatusCode=400 -- Original Error: Code="KeyVaultAccessForbidden"
Message="Unable to access key vault resource
'https://tf-keyvault-example.vault.azure.net/keys/TF-key-example/*****'
to enable encryption at rest. Please grant get, wrap and unwrap key
permissions to disk encryption set 'example-set'. Please visit
https://aka.ms/keyvaultaccessssecmk for more information."
Where and how should I add the permissions?

As the error prints - Please grant get, wrap and unwrap key permissions to disk encryption set 'example-set'.
Add the following blocks:
# grant the Managed Identity of the Disk Encryption Set access to Read Data from Key Vault
resource "azurerm_key_vault_access_policy" "disk-encryption" {
  key_vault_id = azurerm_key_vault.example.id
  key_permissions = [
    "get",
    "wrapkey",
    "unwrapkey",
  ]
  tenant_id = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id = azurerm_disk_encryption_set.example.identity.0.principal_id
}

# grant the Managed Identity of the Disk Encryption Set "Reader" access to the Key Vault
resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Reader"
  principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
}
More on azurerm_key_vault_access_policy and azurerm_role_assignment.

Update -
This issue was related to not specifying the correct object_id.
Later on, the machine building the Terraform was missing the SSH file path (e.g. "~/.ssh/id_rsa.pub").
Fixed by running this command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
After that, the Key Vault permissions were missing an access policy for the terraform user.
Apart from that, the order of the resources was mixed up. Fixed it to a more logical order.
The full working code can be found here.
As Amit Baranes pointed out, you need to set an access policy for your encryption set.
In the example above, you grant the data source's client ID access to the Key Vault via an access policy. However, your encryption set's identity only gets read access to the vault via a role.
Hidden here, the AzureRM VM resource documentation states:
NOTE: The Disk Encryption Set must have the Reader Role Assignment
scoped on the Key Vault - in addition to an Access Policy to the Key
Vault
You need to make sure the encryption identity is granted both the Reader role and an access policy.
The full block that might result looks like this, where we give both your service principal and the identity access to the vault via access policies. We also keep the Reader role.
resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = "${azurerm_key_vault.example.id}"
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = "${azurerm_resource_group.example.name}"
  location            = "${azurerm_resource_group.example.location}"
  key_vault_key_id    = "${azurerm_key_vault_key.example.id}"
  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_key_vault_access_policy" "service-principal" {
  key_vault_id = "${azurerm_key_vault.example.id}"
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azurerm_client_config.current.object_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_key_vault_access_policy" "encryption-set" {
  key_vault_id = "${azurerm_key_vault.example.id}"
  tenant_id    = azurerm_disk_encryption_set.example.identity.0.tenant_id
  object_id    = azurerm_disk_encryption_set.example.identity.0.principal_id
  key_permissions = [
    "create",
    "get",
    "list",
    "wrapkey",
    "unwrapkey",
  ]
  secret_permissions = [
    "get",
    "list",
  ]
}

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Reader"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}
You might want to reduce the service principal's access, but I have left it as-is for now.

I just noticed the Reader role is no longer appropriate; you now need to use Key Vault Crypto Service Encryption User.

resource "azurerm_role_assignment" "disk-encryption-read-keyvault" {
  scope                = "${azurerm_key_vault.example.id}"
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = "${azurerm_disk_encryption_set.example.identity.0.principal_id}"
}
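A least-privilege variant of the configuration discussed in both answers, added here as an example and not taken from the question or either answer: the vault uses Azure RBAC instead of access policies, so the disk encryption set identity gets only the "Key Vault Crypto Service Encryption User" role (get/wrapKey/unwrapKey, exactly what the error asks for) and the identity running Terraform gets "Key Vault Crypto Officer" rather than secret permissions. It assumes azurerm provider 3.x attribute names and that `azurerm_resource_group.example` and `data.azurerm_client_config.current` exist as in the question; the vault name `tf-keyvault-example` is taken from the error message.

```hcl
# Added example, not the page's own code. Assumes azurerm provider 3.x.
resource "azurerm_key_vault" "example" {
  name                = "tf-keyvault-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
  # roles on the vault replace access policies entirely
  enable_rbac_authorization = true
  # a Disk Encryption Set refuses keys from a vault without both of these
  soft_delete_retention_days = 7
  purge_protection_enabled   = true
}

# The identity running Terraform only needs to manage keys, not secrets.
resource "azurerm_role_assignment" "terraform_crypto_officer" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "example" {
  name         = "TF-key-example"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  # a disk encryption set only wraps/unwraps the disk data key (assumption:
  # the wider key_opts list from the question also works, but is not needed)
  key_opts = ["wrapKey", "unwrapKey"]

  # role propagation is not instant; create the key only after the grant exists
  depends_on = [azurerm_role_assignment.terraform_crypto_officer]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "example-set"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id
  identity { type = "SystemAssigned" }
}

# Grants get/wrapKey/unwrapKey to the set's managed identity, and nothing else.
resource "azurerm_role_assignment" "disk_encryption_crypto_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_disk_encryption_set.example.identity[0].principal_id
}
# The VM resource should list this assignment in depends_on, otherwise the
# KeyVaultAccessForbidden error above can still fire on the first apply.
```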