Bicep 遍历 Key Vault 密钥并加密存储帐户
Bicep Loop over key vault keys and encrypt storage account
关于实现逻辑,我在这里遇到了一些阻碍。
我正在与二头肌一起创造这些资源。
- 存储帐户
- 密钥库
- 将存储帐户连接字符串传递给 Key Vault 机密
- 在密钥保管库中创建密钥并使用该密钥加密存储帐户。
前三步完成。如果我声明 2 个存储帐户,它将自动创建 2 个秘密连接字符串和 2 个密钥。它们匹配的所有配对(存储名称和连接字符串)。
现在我面临的问题如下,首先,这是我的代码。
param tenantCode array = [
'dsec'
'sdre'
]
var storageName = [for item in tenantCode :{
name: string('sthrideveur${item}')
}]
var connectionStringSecretName = [for connection in storageName :{
name: '${connection.name}'
}]
output connectionStringSecretName array= [for connection in storageName :{
name: '${connection.name}'
}]
resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [ for name in storageName :{
name: '${name.name}'
location: 'westeurope'
sku: {
name: 'Standard_RAGRS'
}
kind: 'StorageV2'
properties: {
allowCrossTenantReplication: true
minimumTlsVersion: 'TLS1_2'
allowBlobPublicAccess: false
allowSharedKeyAccess: true
networkAcls: {
bypass: 'AzureServices'
virtualNetworkRules: []
ipRules: []
defaultAction: 'Allow'
}
supportsHttpsTrafficOnly: true
encryption: {
services: {
file: {
keyType: 'Account'
enabled: true
}
blob: {
keyType: 'Account'
enabled: true
}
}
keySource: 'Microsoft.Storage'
keyvaultproperties: {
keyname: '${tenantKey[0]}'
keyvaulturi: keyVault.id
}
}
accessTier: 'Cool'
}
}]
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name : 'XXX'
}
// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for name in storageName :{
name: '${keyVault.name}/${name.name}'
properties: {
value: 'DefaultEndpointsProtocol=https;AccountName=${storage_Accounts[0].name};AccountKey=${listKeys('${storage_Accounts[0].id}', '${storage_Accounts[0].apiVersion}').keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
}]
resource tenantKey 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenant in tenantCode : {
name: '${keyVault.name}/Client-Key-${tenant}'
properties: {
keySize: 2048
kty: 'RSA'
}
}]
我有 2 个要创建的存储帐户。而钥匙,包含存储代码。我想做的是如何将正确的密钥与正确的存储帐户相匹配,但我在实施时遇到了问题。在这种特定情况下,我必须编写如下代码:
dsec
sdre
bicep 脚本将创建 2 个存储帐户和相应命名的机密:
sthrideveurdsec
sthrideveursdre
AND 2 secrets with the same name
sthrideveurdsec
sthrideveursdre
AND 2 Keys named
Client-Key-dsec
Client-Key-sdre
我要做的是用密钥 DSEC 加密存储帐户 DSEC,用密钥 SDRE 加密存储 SDRE。但是由于我是二头肌的新手,我在实现这个方面遇到了一些问题。
如果有人能帮助我理解如何实现这种正确的配对,我将不胜感激。
更新:
测试 Thomas 解决方案后,这是我得到的错误:
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"KeyVaultPolicyError\",\r\n \"message\": \"Keyvault policy recoverable is not set\"\r\n }\r\n}"},{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"KeyVaultPolicyError\",\r\n \"message\": \"Keyvault policy recoverable is not set\"\r\n }\r\n}"}]}}
我假设密钥保管库已创建并使用访问策略。
如果您想使用客户管理的密钥创建存储,存储需要在创建之前访问密钥保管库,因此我在我的示例中使用用户分配的标识。
步骤如下:
- 创建托管标识并授予对密钥保管库的密钥权限
- 在密钥库中创建两个密钥
- 创建存储、分配托管标识并使用密钥进行加密
// Default values I'm using to test
param keyVaultName string = 'kvthomastest'
param managedIdentityName string = 'mi-storage-encryption-thomas-test'
param tenantCodes array = [
'dsec'
'sdre'
]
// I'm using prefix so I dont need to create additional arrays
var keyVaultKeyPrefix = 'Client-Key-'
var storagePrefix = 'stthomastest'
// Get a reference to key vault
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name: keyVaultName
}
// Create a managed identity
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
name: managedIdentityName
location: resourceGroup().location
}
// Grant permissions to key vault
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
name: '${keyVault.name}/add'
properties: {
accessPolicies: [
{
tenantId: subscription().tenantId
objectId: managedIdentity.properties.principalId
permissions: {
// minimum required permissions
keys: [
'get'
'unwrapKey'
'wrapKey'
]
}
}
]
}
}
// Create key vault keys
resource keyVaultKeys 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenantCode in tenantCodes: {
name: '${keyVault.name}/${keyVaultKeyPrefix}${tenantCode}'
properties: {
keySize: 2048
kty: 'RSA'
// storage key should only needs these operations
keyOps: [
'unwrapKey'
'wrapKey'
]
}
}]
// Create storage accounts
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = [for tenantCode in tenantCodes: {
name: '${storagePrefix}${tenantCode}'
location: resourceGroup().location
kind: 'StorageV2'
sku: {
name: 'Standard_RAGRS'
}
// Assign the identity
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${managedIdentity.id}': {}
}
}
properties: {
allowCrossTenantReplication: true
minimumTlsVersion: 'TLS1_2'
allowBlobPublicAccess: false
allowSharedKeyAccess: true
networkAcls: {
bypass: 'AzureServices'
virtualNetworkRules: []
ipRules: []
defaultAction: 'Allow'
}
supportsHttpsTrafficOnly: true
encryption: {
identity: {
// specify which identity to use
userAssignedIdentity: managedIdentity.id
}
keySource: 'Microsoft.Keyvault'
keyvaultproperties: {
keyname: '${keyVaultKeyPrefix}${tenantCode}'
keyvaulturi: keyVault.properties.vaultUri
}
services: {
file: {
keyType: 'Account'
enabled: true
}
blob: {
keyType: 'Account'
enabled: true
}
}
}
accessTier: 'Cool'
}
}]
关于实现逻辑,我在这里遇到了一些阻碍。
我正在与二头肌一起创造这些资源。
- 存储帐户
- 密钥库
- 将存储帐户连接字符串传递给 Key Vault 机密
- 在密钥保管库中创建密钥并使用该密钥加密存储帐户。
前三步完成。如果我声明 2 个存储帐户,它将自动创建 2 个秘密连接字符串和 2 个密钥。它们匹配的所有配对(存储名称和连接字符串)。
现在我面临的问题如下,首先,这是我的代码。
param tenantCode array = [
'dsec'
'sdre'
]
var storageName = [for item in tenantCode :{
name: string('sthrideveur${item}')
}]
var connectionStringSecretName = [for connection in storageName :{
name: '${connection.name}'
}]
output connectionStringSecretName array= [for connection in storageName :{
name: '${connection.name}'
}]
resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [ for name in storageName :{
name: '${name.name}'
location: 'westeurope'
sku: {
name: 'Standard_RAGRS'
}
kind: 'StorageV2'
properties: {
allowCrossTenantReplication: true
minimumTlsVersion: 'TLS1_2'
allowBlobPublicAccess: false
allowSharedKeyAccess: true
networkAcls: {
bypass: 'AzureServices'
virtualNetworkRules: []
ipRules: []
defaultAction: 'Allow'
}
supportsHttpsTrafficOnly: true
encryption: {
services: {
file: {
keyType: 'Account'
enabled: true
}
blob: {
keyType: 'Account'
enabled: true
}
}
keySource: 'Microsoft.Storage'
keyvaultproperties: {
keyname: '${tenantKey[0]}'
keyvaulturi: keyVault.id
}
}
accessTier: 'Cool'
}
}]
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
name : 'XXX'
}
// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for name in storageName :{
name: '${keyVault.name}/${name.name}'
properties: {
value: 'DefaultEndpointsProtocol=https;AccountName=${storage_Accounts[0].name};AccountKey=${listKeys('${storage_Accounts[0].id}', '${storage_Accounts[0].apiVersion}').keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
}
}]
resource tenantKey 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenant in tenantCode : {
name: '${keyVault.name}/Client-Key-${tenant}'
properties: {
keySize: 2048
kty: 'RSA'
}
}]
我有 2 个要创建的存储帐户。而钥匙,包含存储代码。我想做的是如何将正确的密钥与正确的存储帐户相匹配,但我在实施时遇到了问题。在这种特定情况下,我必须编写如下代码:
dsec
sdre
bicep 脚本将创建 2 个存储帐户和相应命名的机密:
sthrideveurdsec
sthrideveursdre
AND 2 secrets with the same name
sthrideveurdsec
sthrideveursdre
AND 2 Keys named
Client-Key-dsec
Client-Key-sdre
我要做的是用密钥 DSEC 加密存储帐户 DSEC,用密钥 SDRE 加密存储 SDRE。但是由于我是二头肌的新手,我在实现这个方面遇到了一些问题。
如果有人能帮助我理解如何实现这种正确的配对,我将不胜感激。
更新: 测试 Thomas 解决方案后,这是我得到的错误:
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"KeyVaultPolicyError\",\r\n \"message\": \"Keyvault policy recoverable is not set\"\r\n }\r\n}"},{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"KeyVaultPolicyError\",\r\n \"message\": \"Keyvault policy recoverable is not set\"\r\n }\r\n}"}]}}
我假设密钥保管库已创建并使用访问策略。
如果您想使用客户管理的密钥创建存储,存储需要在创建之前访问密钥保管库,因此我在我的示例中使用用户分配的标识。
步骤如下:
- 创建托管标识并授予对密钥保管库的密钥权限
- 在密钥库中创建两个密钥
- 创建存储、分配托管标识并使用密钥进行加密
// Default values I'm using to test
param keyVaultName string = 'kvthomastest'
param managedIdentityName string = 'mi-storage-encryption-thomas-test'
param tenantCodes array = [
'dsec'
'sdre'
]
// I'm using prefix so I dont need to create additional arrays
var keyVaultKeyPrefix = 'Client-Key-'
var storagePrefix = 'stthomastest'
// Get a reference to key vault
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
name: keyVaultName
}
// Create a managed identity
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
name: managedIdentityName
location: resourceGroup().location
}
// Grant permissions to key vault
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
name: '${keyVault.name}/add'
properties: {
accessPolicies: [
{
tenantId: subscription().tenantId
objectId: managedIdentity.properties.principalId
permissions: {
// minimum required permissions
keys: [
'get'
'unwrapKey'
'wrapKey'
]
}
}
]
}
}
// Create key vault keys
resource keyVaultKeys 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenantCode in tenantCodes: {
name: '${keyVault.name}/${keyVaultKeyPrefix}${tenantCode}'
properties: {
keySize: 2048
kty: 'RSA'
// storage key should only needs these operations
keyOps: [
'unwrapKey'
'wrapKey'
]
}
}]
// Create storage accounts
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = [for tenantCode in tenantCodes: {
name: '${storagePrefix}${tenantCode}'
location: resourceGroup().location
kind: 'StorageV2'
sku: {
name: 'Standard_RAGRS'
}
// Assign the identity
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${managedIdentity.id}': {}
}
}
properties: {
allowCrossTenantReplication: true
minimumTlsVersion: 'TLS1_2'
allowBlobPublicAccess: false
allowSharedKeyAccess: true
networkAcls: {
bypass: 'AzureServices'
virtualNetworkRules: []
ipRules: []
defaultAction: 'Allow'
}
supportsHttpsTrafficOnly: true
encryption: {
identity: {
// specify which identity to use
userAssignedIdentity: managedIdentity.id
}
keySource: 'Microsoft.Keyvault'
keyvaultproperties: {
keyname: '${keyVaultKeyPrefix}${tenantCode}'
keyvaulturi: keyVault.properties.vaultUri
}
services: {
file: {
keyType: 'Account'
enabled: true
}
blob: {
keyType: 'Account'
enabled: true
}
}
}
accessTier: 'Cool'
}
}]