如何激活托管 HSM 并使用 Terraform 使用存储在 Azure Key Vault 托管 HSM 中的客户管理密钥配置加密

How to activate Managed HSM and configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM using Terraform

我正在努力使用 terraform 创建 Azure Key Vault Managed HSM。为此,我遵循了 this 文档。

以上文档包含创建 HSM 的代码,但不包含激活托管 HSM 的代码。

我想使用 Terraform 预配和激活托管 HSM。是否可以通过地形?

激活托管 HSM 后,我想使用存储在 Azure Key Vault 托管 HSM 中的客户管理密钥配置加密。为此,我遵循了 this 文档,但它包含 Azure CLI 代码。

不幸的是,无法直接从 Terraform激活托管 HSM。目前,您只能从 Terraform 或 ARM 模板配置它,但必须完成激活它仅来自 PowerShell 和 Azure CLI。在使用客户管理的密钥更新存储帐户并分配密钥保管库角色分配时也是如此。

如果你使用azurerm_storage_account_customer_managed_key,那么你会得到以下错误:

总的来说,所有 HSM Key vault 操作都需要在 CLI 或 Powershell 上执行。

因此,对于解决方法,您可以在 terraform 中使用 local-exec 直接 运行 它而无需执行单独的操作。

代码:

provider "azurerm" {
  features {}
}
data "azurerm_client_config" "current" {
}

resource "azurerm_resource_group" "example" {
  name     = "keyvaulthsm-resources"
  location = "West Europe"
}

resource "azurerm_key_vault_managed_hardware_security_module" "example" {
  name                       = "testKVHsm"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  sku_name                   = "Standard_B1"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  admin_object_ids           = [data.azurerm_client_config.current.object_id]

  tags = {
    Env = "Test"
  }
}

variable "KeyName" {
  default=["C:/<Path>/cert_0.key","C:/<Path>/cert_1.key","C:/<Path>/cert_2.key"]
}

variable "CertName" {
  default=["C:/<Path>/cert_0.cer","C:/<Path>/cert_1.cer","C:/<Path>/cert_2.cer"]
}

resource "null_resource" "OPENSSLCERT" {
    count = 3
  provisioner "local-exec" {
    command = <<EOT
     cd  "C:\Program Files\OpenSSL-Win64\bin"
    ./openssl.exe req -newkey rsa:2048 -nodes -keyout ${var.KeyName[count.index]}  -x509 -days 365 -out ${var.CertName[count.index]} -subj "/C=IN/ST=Telangana/L=Hyderabad/O=exy ltd/OU=Stack/CN=domain.onmicrosoft.com"
    EOT
    interpreter = [
      "PowerShell","-Command"
    ]
  }
}

resource "null_resource" "securityDomain" {
  provisioner "local-exec" {
    command = <<EOT
    az keyvault security-domain download --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --sd-wrapping-keys ./cert_0.cer ./cert_1.cer ./cert_2.cer --sd-quorum 2 --security-domain-file ${azurerm_key_vault_managed_hardware_security_module.example.name}-SD.json
    EOT
    interpreter = [
      "PowerShell","-Command"
    ]
  }
  depends_on = [
    null_resource.OPENSSLCERT
  ]
}

resource "azurerm_storage_account" "example" {
  name                     = "ansumanhsmstor1"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  identity {
    type = "SystemAssigned"
  }
}
resource "null_resource" "roleassignkv" {
  provisioner "local-exec" {
    command = <<EOT
    az keyvault role assignment create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --role "Managed HSM Crypto Service Encryption User" --assignee ${azurerm_storage_account.example.identity[0].principal_id} --scope /keys
    az keyvault role assignment create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --role "Managed HSM Crypto User" --assignee ${data.azurerm_client_config.current.object_id} --scope /
    az keyvault key create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --name storageencryptionkey --ops wrapKey unwrapKey --kty RSA-HSM --size 3072
    EOT
    interpreter = [
      "PowerShell","-Command"
    ]
  }
  depends_on = [
    null_resource.securityDomain,
    azurerm_storage_account.example
  ]
}

resource "null_resource" "storageupdate" {
  provisioner "local-exec" {
    command = <<EOT
    az storage account update --name ${azurerm_storage_account.example.name} --resource-group ${azurerm_resource_group.example.name} --encryption-key-name storageencryptionkey --encryption-key-source Microsoft.Keyvault --encryption-key-vault ${azurerm_key_vault_managed_hardware_security_module.example.hsm_uri}
    EOT
    interpreter = [
      "PowerShell","-Command"
    ]
  }
  depends_on = [
    null_resource.securityDomain,
    azurerm_storage_account.example,
    null_resource.roleassignkv
  ]
}

输出:

注意:请确保在 HSM Keyvault 上启用清除保护并Management Plane (not added in code) and Control Plane (I have added in the code). To install OpenSSL you can refer this answer by mtotowamkwe on this .

的所有必需权限