Azure ARM template for creating a PostgreSQL server and enabling custom key encryption

I'm using an ARM template to create the PostgreSQL server and a Key Vault key to encrypt the server at the same time. I found that the name of the resource "Microsoft.DBforPostgreSQL/servers/keys" must use the format (keyvaultname_keyname_version) to enable custom key encryption for the PostgreSQL server. Otherwise, it will fail.
The code block for enabling custom key encryption is as below:

{
    "name": "[concat(parameters('serverName'), '/', variables('serverKeyName'), substring(reference('addAccessPolicy').outputs.keyUri.value, add(lastIndexOf(reference('addAccessPolicy').outputs.keyUri.value,'/'),1)))]",
    "type": "Microsoft.DBforPostgreSQL/servers/keys",
    "apiVersion": "2020-01-01-preview",
    "dependsOn": [
        "addAccessPolicy",
        "[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('serverName'))]"
    ],
    "properties": {
        "serverKeyType": "AzureKeyVault",
        "uri": "[reference('addAccessPolicy').outputs.keyUri.value]"
    }
}

I create the Key Vault key in the same ARM template and output the keyUri for encryption. To comply with the naming convention, I need to use the code block above to extract the version id from the keyUri. But the point is that the 'reference' function cannot be used in the 'name' field, and it cannot be used in the 'variables' definition either.
The question is:
How to create the PostgreSQL server and the Key Vault key, and enable custom key encryption, at the same time?

Cheers.

Regarding the issue, we have no way to implement it, because if we create the Azure Key Vault key in the ARM template, we can only use the reference function to get the key URL. However, the reference function can only be used in the properties of a resource definition and in the outputs section of a template or deployment. So if you want to create these resources at one time, I suggest you use the Azure CLI to do that. Otherwise, you need to create the key and provide the key URL before deploying the template.

For example

# Create the vault with soft delete and purge protection, both required for server encryption keys
az keyvault create -g <resource_group> -n <vault_name> --enable-soft-delete true --enable-purge-protection true

# Capture the versioned key URL (kid); -o tsv strips the JSON quotes so the value can be passed on
$keyurl=(az keyvault key create --name <key_name> -p software --vault-name <vault_name> --query "key.kid" -o tsv)

# Create the server with a system-assigned identity and capture its principal id
$id =(az postgres server create --name <server_name> -g <resource_group> --location <location> --storage-size <size>  -u <user> -p <pwd> --backup-retention <7> --sku-name <sku name> --geo-redundant-backup <Enabled/Disabled> --assign-identity --query "identity.principalId" -o tsv)

# Grant the server identity only the key permissions it needs
az keyvault set-policy --name <vault_name> -g <resource_group> --key-permissions get unwrapKey wrapKey --object-id $id 

# Register the key on the server
az postgres server key create --name <server_name> -g <resource_group> --kid $keyurl


Using "expressionEvaluationOptions" with scope inner can fix this problem.
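As an added illustration of that nested-deployment approach (example template written for this page, not code posted by either answerer), the following single ARM template creates the vault, the key and the server, grants the server's managed identity only get/wrapKey/unwrapKey, and then registers the key through a nested deployment with `expressionEvaluationOptions.scope` set to `inner`. The outer template may call `reference()` inside the nested deployment's `parameters` (that is a resource property), and the inner template can then use `parameters()` in the `name` of the `servers/keys` resource, which is exactly where the question's `reference()` call was rejected. Parameter names, the `pg-cmk` default key name, the SKU and storage values are assumptions for the example; the `//` comments rely on Resource Manager accepting JSON comments.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "serverName": { "type": "string" },
    "vaultName": { "type": "string" },
    "keyName": { "type": "string", "defaultValue": "pg-cmk" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "administratorLogin": { "type": "string" },
    "administratorLoginPassword": { "type": "securestring" }
  },
  "variables": {
    "vaultId": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]",
    "keyId": "[resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName'))]",
    "serverId": "[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('serverName'))]"
  },
  "resources": [
    {
      // Soft delete and purge protection are required for a vault that holds server encryption keys
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[parameters('vaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "enableSoftDelete": true,
        "enablePurgeProtection": true,
        "accessPolicies": []
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
      "dependsOn": [ "[variables('vaultId')]" ],
      "properties": { "kty": "RSA", "keySize": 2048 }
    },
    {
      "type": "Microsoft.DBforPostgreSQL/servers",
      "apiVersion": "2017-12-01",
      "name": "[parameters('serverName')]",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },
      "sku": { "name": "GP_Gen5_2", "tier": "GeneralPurpose", "family": "Gen5", "capacity": 2 },
      "properties": {
        "createMode": "Default",
        "administratorLogin": "[parameters('administratorLogin')]",
        "administratorLoginPassword": "[parameters('administratorLoginPassword')]",
        "version": "11",
        "sslEnforcement": "Enabled",
        "minimalTlsVersion": "TLS1_2",
        "storageProfile": { "storageMB": 51200, "backupRetentionDays": 7, "geoRedundantBackup": "Disabled" }
      }
    },
    {
      // Least privilege: the server identity gets only the three key operations CMK needs
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('vaultName'), '/add')]",
      "dependsOn": [ "[variables('vaultId')]", "[variables('serverId')]" ],
      "properties": {
        "accessPolicies": [ {
          "tenantId": "[subscription().tenantId]",
          "objectId": "[reference(variables('serverId'), '2017-12-01', 'Full').identity.principalId]",
          "permissions": { "keys": [ "get", "wrapKey", "unwrapKey" ] }
        } ]
      }
    },
    {
      // Nested deployment: reference() is legal here (it is a property), and the inner
      // template receives the versioned key URI as a plain parameter it can use in 'name'
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-06-01",
      "name": "enableCustomerManagedKey",
      "dependsOn": [ "[variables('keyId')]", "[resourceId('Microsoft.KeyVault/vaults/accessPolicies', parameters('vaultName'), 'add')]" ],
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": { "scope": "inner" },
        "parameters": {
          "serverName": { "value": "[parameters('serverName')]" },
          "vaultName": { "value": "[parameters('vaultName')]" },
          "keyName": { "value": "[parameters('keyName')]" },
          "keyUriWithVersion": { "value": "[reference(variables('keyId'), '2019-09-01').keyUriWithVersion]" }
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "serverName": { "type": "string" },
            "vaultName": { "type": "string" },
            "keyName": { "type": "string" },
            "keyUriWithVersion": { "type": "string" }
          },
          "resources": [ {
            "type": "Microsoft.DBforPostgreSQL/servers/keys",
            "apiVersion": "2020-01-01-preview",
            // Name must be <server>/<vault>_<key>_<version>; the version is the last URI segment
            "name": "[concat(parameters('serverName'), '/', parameters('vaultName'), '_', parameters('keyName'), '_', last(split(parameters('keyUriWithVersion'), '/')))]",
            "properties": { "serverKeyType": "AzureKeyVault", "uri": "[parameters('keyUriWithVersion')]" }
          } ]
        }
      }
    }
  ]
}
```

The access policy is created as a separate `vaults/accessPolicies` resource rather than inline in the vault so that it can reference the server's principal id, which only exists once the server has been deployed; the nested deployment depends on both that policy and the key, so the server never attempts to wrap its data encryption key before it has permission to do so.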
