Key Vault access policies for encrypted VM Azure backup - Terraform

I am using terraform to deploy azure infra. I have an encrypted VM - its backup keeps failing - the reason is:

Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines

I checked the docs and found that I have to create an access policy for the keyvault - azure backup.

To set permissions:

In the Azure portal, select All services, and search for Key vaults.

Select the key vault associated with the encrypted VM you're backing up.

Select Access policies > Add Access Policy.


In Add access policy > Configure from template (optional), select Azure Backup.

The required permissions are prefilled for Key permissions and Secret permissions.
If your VM is encrypted using BEK only, remove the selection for Key permissions since you only need permissions for secrets.

How do I do this in terraform? Can't find an example of this.

As shown in the screenshot you provided, when you select Azure Backup it selects the Backup Management Service principal and grants it the necessary permissions. In Terraform it should look like this:

resource "azurerm_key_vault_access_policy" "example" {
  key_vault_id = azurerm_key_vault.example.id

  # Tenant of the Key Vault and object ID of the "Backup Management Service"
  # service principal in that tenant (placeholders - replace with your values)
  tenant_id = "tenant_id"
  object_id = "Backup Management Service object Id"

  # Permission names are case-sensitive in azurerm provider 3.x and later
  # ("Get", not "get"); older 2.x providers accepted lowercase.
  key_permissions = [
    "Get",
    "List",
    "Backup"
  ]

  secret_permissions = [
    "Get",
    "List",
    "Backup"
  ]
}

See the documentation for key vault access policy for more details.
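The answer above leaves the tenant ID and the Backup Management Service object ID as placeholders to fill in by hand. As an added example (not part of the original answer), the following configuration looks both values up at plan time, so no hard-coded IDs land in source control, and carries the BEK-only caveat from the quoted docs as a variable. It assumes the `azurerm` (3.x) and `azuread` (2.x) providers, a Key Vault resource already declared as `azurerm_key_vault.example`, and that the Backup Management Service principal exists in the tenant under its default display name.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

provider "azuread" {}

# Set to true when the VM is encrypted with BEK only (no KEK):
# then only secret permissions are needed and no key permissions are granted.
variable "bek_only" {
  type    = bool
  default = false
}

# Tenant of the identity running terraform; assumed to be the Key Vault's tenant.
data "azurerm_client_config" "current" {}

# Resolve the first-party "Backup Management Service" principal in this tenant
# instead of pasting its object ID into the config.
data "azuread_service_principal" "backup" {
  display_name = "Backup Management Service"
}

resource "azurerm_key_vault_access_policy" "backup" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_service_principal.backup.object_id

  # Minimum needed by Azure Backup for encrypted VMs; names are case-sensitive
  # in azurerm 3.x. Key permissions are dropped entirely for BEK-only VMs.
  key_permissions    = var.bek_only ? [] : ["Get", "List", "Backup"]
  secret_permissions = ["Get", "List", "Backup"]
}

output "backup_service_object_id" {
  description = "Object ID the access policy was granted to, for verification."
  value       = data.azuread_service_principal.backup.object_id
}
```

Run `terraform plan` and confirm the planned policy targets the Backup Management Service object ID rather than a user or pipeline identity; if the Key Vault uses RBAC authorization instead of access policies, this resource will not apply and the equivalent role assignment is needed instead.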