Setting Transparent Data Encryption on Azure SQL DB using an ARM Template

Is it possible to turn on Transparent Data Encryption for a SQL Azure database using an ARM JSON template? If so, how?

The template should look like the following.

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serverName": {
      "type": "string",
      "defaultValue": "TDETest2",
      "metadata": {
        "description": "The name of the new SQL Server to create."
      }
    },
    "administratorLogin": {
      "type": "string",
      "metadata": {
        "description": "The admin user of the SQL Server"
      }
    },
    "administratorLoginPassword": {
      "type": "securestring",
      "metadata": {
        "description": "The password of the admin user of the SQL Server"
      }
    },
    "databaseName": {
      "type": "string",
      "defaultValue": "TDETest2",
      "metadata": {
        "description": "The name of the new database to create."
      }
    },
    "collation": {
      "type": "string",
      "defaultValue": "SQL_Latin1_General_CP1_CI_AS",
      "metadata": {
        "description": "The database collation for governing the proper use of characters."
      }
    },
    "edition": {
      "type": "string",
      "defaultValue": "Basic",
      "allowedValues": [
        "Basic",
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "The type of database to create."
      }
    },
    "maxSizeBytes": {
      "type": "string",
      "defaultValue": "1073741824",
      "metadata": {
        "description": "The maximum size, in bytes, for the database"
      }
    },
    "requestedServiceObjectiveName": {
      "type": "string",
      "defaultValue": "Basic",
      "allowedValues": [
        "Basic",
        "S0",
        "S1",
        "S2",
        "P1",
        "P2",
        "P3"
      ],
      "metadata": {
        "description": "Describes the performance level for Edition"
      }
    }
  },
  "variables": {
  },
  "resources": [
    {
      "name": "[parameters('serverName')]",
      "type": "Microsoft.Sql/servers",
      "location": "[resourceGroup().location]",
      "tags": {
        "displayName": "SqlServer"
      },
      "apiVersion": "2014-04-01-preview",
      "properties": {
        "administratorLogin": "[parameters('administratorLogin')]",
        "administratorLoginPassword": "[parameters('administratorLoginPassword')]"
      },
      "resources": [
        {
          "name": "[parameters('databaseName')]",
          "type": "databases",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "Database"
          },
          "apiVersion": "2014-04-01-preview",
          "dependsOn": [
            "[parameters('serverName')]"
          ],
          "properties": {
            "edition": "[parameters('edition')]",
            "collation": "[parameters('collation')]",
            "maxSizeBytes": "[parameters('maxSizeBytes')]",
            "requestedServiceObjectiveName": "[parameters('requestedServiceObjectiveName')]"
          },
          "resources": [
            {
              "name": "current",
              "type": "transparentDataEncryption",
              "dependsOn": [
                "[parameters('databaseName')]"
              ],
              "location": null,
              "apiVersion": "2014-04-01",
              "properties": {
                "status": "Disabled"
              }
            }
          ]
        },
        {
          "type": "firewallrules",
          "apiVersion": "2014-04-01-preview",
          "dependsOn": [
            "[parameters('serverName')]"
          ],
          "location": "[resourceGroup().location]",
          "name": "AllowAllWindowsAzureIps",
          "properties": {
            "endIpAddress": "0.0.0.0",
            "startIpAddress": "0.0.0.0"
          }
        }
      ]
    }
  ],
  "outputs": {
    "sqlSvrFqdn": {
      "type": "string",
      "value": "[reference(concat('Microsoft.Sql/servers/', parameters('serverName'))).fullyQualifiedDomainName]"
    }
  }
}

transparentDataEncryption should be a resource that belongs to the SQL database, so I placed it under the resources of the database in the template.

However, after testing this template, I received the following error message.

Code    : InvalidTemplate
Message : Deployment template validation failed: 'The template resource 'Microsoft.Sql/servers/TDETest2/databases/TDETest2' cannot reference itself. Please see http://aka.ms/arm-template-expressions/#reference for usage details.'.

This means that ARM templates do not yet support Transparent Data Encryption. I have filed a feature request; please vote for it here

Thanks to @JeffBailey. I found out that I had made a mistake in my template: I used serverName instead of databaseName in the dependsOn of the transparentDataEncryption resource. The template has been updated.

You need to add the resource:

"resources": [
  {
    "name": "current",
    "type": "transparentDataEncryption",
    "dependsOn": [
      "[parameters('databaseName')]"
    ],
    "location": null,
    "apiVersion": "2014-04-01",
    "properties": {
      "status": "Enabled"
    }
  }
]

And the database server version must be version 12:

"resources": [
{
  "name": "[parameters('serverName')]",
  "type": "Microsoft.Sql/servers",
  "location": "[resourceGroup().location]",
  "tags": {
    "displayName": "SqlServer"
  },
  "apiVersion": "2014-04-01-preview",
  "properties": {
    "administratorLogin": "[parameters('administratorLogin')]",
    "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
    "version": "12.0"
  },

Encryption is now on by default, so you no longer need to set it to Enabled.
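An added example, not code from the question or the answer: a small Python pre-deployment check that walks a template's nested resources and reports the three things this thread turns on, namely a transparentDataEncryption child whose dependsOn names the server rather than the database, a TDE status other than Enabled, and a server without "version": "12.0". The templates are constructed inline with the same server > database > transparentDataEncryption nesting used above; `make_template`, `iter_resources` and `audit_tde` are names chosen here, not part of any Azure tooling. The name-equality check on dependsOn assumes the bare `[parameters('databaseName')]` style used on this page; templates that use `resourceId(...)` expressions would need those resolved first.

```python
import json


def make_template(server_version, tde_status, tde_depends_on):
    """Build a constructed template dict with the nesting used in the question.

    server_version=None omits the server "version" property; tde_status=None
    omits the transparentDataEncryption child entirely.
    """
    server_props = {"administratorLogin": "[parameters('administratorLogin')]"}
    if server_version is not None:
        server_props["version"] = server_version
    database = {
        "name": "[parameters('databaseName')]",
        "type": "databases",
        "apiVersion": "2014-04-01-preview",
        "dependsOn": ["[parameters('serverName')]"],
    }
    if tde_status is not None:
        database["resources"] = [{
            "name": "current",
            "type": "transparentDataEncryption",
            "apiVersion": "2014-04-01",
            "dependsOn": [tde_depends_on],
            "properties": {"status": tde_status},
        }]
    return {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "name": "[parameters('serverName')]",
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2014-04-01-preview",
            "properties": server_props,
            "resources": [database],
        }],
    }


# Constructed samples: SAMPLE_BAD reproduces the mistakes discussed in the thread,
# SAMPLE_GOOD applies the corrections from the answer.
SAMPLE_BAD = json.dumps(make_template(None, "Disabled", "[parameters('serverName')]"))
SAMPLE_GOOD = json.dumps(make_template("12.0", "Enabled", "[parameters('databaseName')]"))


def iter_resources(resources, parent_type=""):
    """Yield (full_type, resource) for every resource, recursing into nested ones.

    Nested children give only the last type segment ("databases"), so the full
    type is rebuilt from the parent; a child that already carries a "/" is kept.
    """
    for res in resources or []:
        rtype = res.get("type", "")
        full_type = rtype if "/" in rtype or not parent_type else f"{parent_type}/{rtype}"
        yield full_type, res
        yield from iter_resources(res.get("resources"), full_type)


def audit_tde(template_text):
    """Return (resource name, finding code) tuples for TDE-related problems."""
    template = json.loads(template_text)
    findings = []
    for full_type, res in iter_resources(template.get("resources")):
        name = res.get("name", "<unnamed>")
        kind = full_type.lower()
        if kind == "microsoft.sql/servers":
            # The answer states TDE needs a version 12 server.
            if res.get("properties", {}).get("version") != "12.0":
                findings.append((name, "server-version-not-12"))
        elif kind == "microsoft.sql/servers/databases":
            tde = [c for c in res.get("resources", [])
                   if c.get("type", "").split("/")[-1].lower() == "transparentdataencryption"]
            if not tde:
                findings.append((name, "tde-missing"))
                continue
            child = tde[0]
            # The child must depend on the database itself, not on the server
            # (the mistake that produced the "cannot reference itself" error).
            if name not in child.get("dependsOn", []):
                findings.append((name, "tde-dependson-not-database"))
            if child.get("properties", {}).get("status", "").lower() != "enabled":
                findings.append((name, "tde-not-enabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit_tde(text) or "no findings")
```

Run it against a real template file by passing the file contents to `audit_tde`; an empty list means every database in the template has an Enabled TDE child that depends on its own database name and sits under a version 12 server.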