
Azure ARM template for creating PostgreSQL server and enable custom key encryption

I'm using the ARM template to create the PostgreSQL server and a Key Vault key to encrypt the server at the same time. I found that the name of the resource "Microsoft.DBforPostgreSQL/servers/keys" must use this format (keyvaultname_keyname_version) to enable custom key encryption for the PostgreSQL server. Otherwise, it will fail.
The code block for enabling custom key encryption is as below:

{
    "name": "[concat(parameters('serverName'), '/', variables('serverKeyName'), substring(reference('addAccessPolicy').outputs.keyUri.value, add(lastIndexOf(reference('addAccessPolicy').outputs.keyUri.value,'/'),1)))]",
    "type": "Microsoft.DBforPostgreSQL/servers/keys",
    "apiVersion": "2020-01-01-preview",
    "dependsOn": [
        "addAccessPolicy",
        "[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('serverName'))]"
    ],
    "properties": {
        "serverKeyType": "AzureKeyVault",
        "uri": "[reference('addAccessPolicy').outputs.keyUri.value]"
    }
}

I create the Key Vault key in the same ARM template and output the keyUri for encryption. To comply with the naming convention, I need to use the code block to extract the version id from the keyUri. But the point is that the 'reference' function cannot be used in the 'name' field, and it cannot be used in the 'variables' definition either.
The question is:
How to create the PostgreSQL server and the Key Vault key, and enable the custom key encryption, at the same time?

Cheers.干杯。

Regarding the issue, we have no way to implement it. Because if we create the Azure Key Vault key in the ARM template, we can only use the reference function to get the key URL. However, the reference function can only be used in the properties of a resource definition and in the outputs section of a template or deployment. So if you want to create these resources at one time, I suggest you use the Azure CLI to do that. Otherwise, you need to create the key and provide the key URL before deploying the template.

For example:

az keyvault create -g <resource_group> -n <vault_name> --enable-soft-delete true --enable-purge-protection true

$keyurl=(az keyvault key create --name <key_name> -p software --vault-name <vault_name> --query "key.kid")

$id =(az postgres server create --name <server_name> -g <resource_group> --location <location> --storage-size <size>  -u <user> -p <pwd> --backup-retention <7> --sku-name <sku name> --geo-redundant-backup <Enabled/Disabled> --assign-identity --query "identity.principalId")

az keyvault set-policy --name <vault_name> -g <resource_group> --key-permissions get unwrapKey wrapKey --object-id $id

az postgres server key create --name <server_name> -g <resource_group> --kid $keyurl


Using "expressionEvaluationOptions" with scope inner can fix this problem.
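An added example of the nested-deployment approach this answer refers to (not code from the question or from either answer): the outer template reads the key URI from the 'addAccessPolicy' deployment output named in the question and passes it into a nested deployment with inner scope, where it arrives as a plain parameter and can therefore be used in the name field. The parameters vaultName and keyName and the deployment name enableServerKey are assumptions for illustration, marked as such in the parameter descriptions.

```json
{
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2021-04-01",
  "name": "enableServerKey",
  "dependsOn": [
    "addAccessPolicy",
    "[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('serverName'))]"
  ],
  "properties": {
    "mode": "Incremental",
    "expressionEvaluationOptions": { "scope": "inner" },
    "parameters": {
      "serverName": { "value": "[parameters('serverName')]" },
      "vaultName": { "value": "[parameters('vaultName')]" },
      "keyName": { "value": "[parameters('keyName')]" },
      "keyUri": { "value": "[reference('addAccessPolicy').outputs.keyUri.value]" }
    },
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "serverName": { "type": "string", "metadata": { "description": "PostgreSQL server name (from the question)" } },
        "vaultName": { "type": "string", "metadata": { "description": "Assumed parameter: Key Vault name" } },
        "keyName": { "type": "string", "metadata": { "description": "Assumed parameter: Key Vault key name" } },
        "keyUri": { "type": "string", "metadata": { "description": "Versioned key URI resolved by the outer template" } }
      },
      "variables": {
        "keyVersion": "[substring(parameters('keyUri'), add(lastIndexOf(parameters('keyUri'), '/'), 1))]",
        "serverKeyName": "[concat(parameters('vaultName'), '_', parameters('keyName'), '_', variables('keyVersion'))]"
      },
      "resources": [
        {
          "type": "Microsoft.DBforPostgreSQL/servers/keys",
          "apiVersion": "2020-01-01-preview",
          "name": "[concat(parameters('serverName'), '/', variables('serverKeyName'))]",
          "properties": {
            "serverKeyType": "AzureKeyVault",
            "uri": "[parameters('keyUri')]"
          }
        }
      ]
    }
  }
}
```

The parameter values of the nested deployment are evaluated in the outer template, so reference() is allowed there; inside the inner template only parameters and variables are needed to build the keyvaultname_keyname_version name.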
