How to activate Managed HSM and configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM using Terraform

I am creating an Azure Key Vault Managed HSM using Terraform. For this I have followed the documentation.

The documentation above contains the code for creating the HSM, but not the code for activating the Managed HSM.

I want to provision and activate the Managed HSM using Terraform. Is this possible through Terraform?

After activating the Managed HSM, I want to configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM. For this I have followed the documentation, but it contains Azure CLI code.

Unfortunately, a Managed HSM cannot be activated directly from Terraform. Currently you can only provision it from Terraform or an ARM template, but activating it has to be done from PowerShell or the Azure CLI. The same applies to updating the storage account with a customer-managed key and assigning the Key Vault role assignments.

If you use azurerm_storage_account_customer_managed_key, you will get an error (the original answer shows it as a screenshot).

Overall, all HSM Key Vault operations need to be performed from the CLI or PowerShell.

So, as a workaround, you can use local-exec in Terraform to run them directly, without performing separate operations.

Code:

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "keyvaulthsm-resources"
  location = "West Europe"
}

# Provisioning the Managed HSM is supported natively by the provider; activation is not.
resource "azurerm_key_vault_managed_hardware_security_module" "example" {
  name                       = "mindtreeKVHsm"
  resource_group_name        = azurerm_resource_group.example.name
  location                   = azurerm_resource_group.example.location
  sku_name                   = "Standard_B1"
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  admin_object_ids           = [data.azurerm_client_config.current.object_id]

  tags = {
    Env = "Test"
  }
}

# Private keys and public certificates that will wrap the security domain.
variable "KeyName" {
  default = ["C:/<Path>/cert_0.key", "C:/<Path>/cert_1.key", "C:/<Path>/cert_2.key"]
}

variable "CertName" {
  default = ["C:/<Path>/cert_0.cer", "C:/<Path>/cert_1.cer", "C:/<Path>/cert_2.cer"]
}

# Generate three self-signed RSA-2048 wrapping key pairs with OpenSSL (one per count index).
resource "null_resource" "OPENSSLCERT" {
  count = 3

  provisioner "local-exec" {
    command     = <<-EOT
      cd "C:\Program Files\OpenSSL-Win64\bin"
      ./openssl.exe req -newkey rsa:2048 -nodes -keyout ${var.KeyName[count.index]} -x509 -days 365 -out ${var.CertName[count.index]} -subj "/C=IN/ST=Telangana/L=Hyderabad/O=exy ltd/OU=Stack/CN=domain.onmicrosoft.com"
    EOT
    interpreter = ["PowerShell", "-Command"]
  }
}

# Activate the HSM by downloading the security domain, wrapped with the three
# certificates generated above (any 2 of the 3 private keys can restore it).
# The certificate paths are taken from var.CertName so they are the same files
# OpenSSL wrote, wherever Terraform is run from.
resource "null_resource" "securityDomain" {
  provisioner "local-exec" {
    command     = <<-EOT
      az keyvault security-domain download --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --sd-wrapping-keys ${join(" ", var.CertName)} --sd-quorum 2 --security-domain-file ${azurerm_key_vault_managed_hardware_security_module.example.name}-SD.json
    EOT
    interpreter = ["PowerShell", "-Command"]
  }

  depends_on = [null_resource.OPENSSLCERT]
}

resource "azurerm_storage_account" "example" {
  name                     = "ansumanhsmstor1"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # The managed identity that will be allowed to wrap/unwrap with the HSM key.
  identity {
    type = "SystemAssigned"
  }
}

# Data-plane (Managed HSM local RBAC) role assignments, then the RSA-HSM key used for storage encryption.
resource "null_resource" "roleassignkv" {
  provisioner "local-exec" {
    command     = <<-EOT
      az keyvault role assignment create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --role "Managed HSM Crypto Service Encryption User" --assignee ${azurerm_storage_account.example.identity[0].principal_id} --scope /keys
      az keyvault role assignment create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --role "Managed HSM Crypto User" --assignee ${data.azurerm_client_config.current.object_id} --scope /
      az keyvault key create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --name storageencryptionkey --ops wrapKey unwrapKey --kty RSA-HSM --size 3072
    EOT
    interpreter = ["PowerShell", "-Command"]
  }

  depends_on = [
    null_resource.securityDomain,
    azurerm_storage_account.example
  ]
}

# Point the storage account's encryption at the HSM-backed customer-managed key.
resource "null_resource" "storageupdate" {
  provisioner "local-exec" {
    command     = <<-EOT
      az storage account update --name ${azurerm_storage_account.example.name} --resource-group ${azurerm_resource_group.example.name} --encryption-key-name storageencryptionkey --encryption-key-source Microsoft.Keyvault --encryption-key-vault ${azurerm_key_vault_managed_hardware_security_module.example.hsm_uri}
    EOT
    interpreter = ["PowerShell", "-Command"]
  }

  depends_on = [
    null_resource.securityDomain,
    azurerm_storage_account.example,
    null_resource.roleassignkv
  ]
}
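As an added example that is not part of the original answer, the activation step (wrapping-key generation plus `az keyvault security-domain download`) written as a POSIX shell script, since the `az` CLI is cross-platform. It adds two checks the local-exec block does not do: the key count and quorum are validated against Azure's limits (3 to 10 wrapping keys, quorum 2 to 10 and never above the key count) before any key is generated, and the `--sd-wrapping-keys` paths are derived from the directory the keys were written to, so the download command and the OpenSSL step cannot disagree. The private keys are what allow the security domain to be restored later, so they are written with mode 0600. `HSM_NAME`, `KEY_DIR`, `KEY_COUNT`, `QUORUM` and all function names are assumptions of this example; it also assumes `openssl` and `az` on PATH and a completed `az login`, and only contacts Azure when invoked with the argument `run`.

```shell
#!/bin/sh
# Added example, not code from the original answer: Managed HSM activation as a
# POSIX shell script with validation. Assumed values: HSM_NAME, KEY_DIR,
# KEY_COUNT, QUORUM (override them via the environment).
set -eu

HSM_NAME=${HSM_NAME:-examplehsm}        # illustrative HSM name
KEY_DIR=${KEY_DIR:-./sd-wrapping-keys}  # where key pairs are written
KEY_COUNT=${KEY_COUNT:-3}
QUORUM=${QUORUM:-2}

# Azure accepts 3..10 RSA wrapping keys and a quorum of 2..10 that cannot exceed
# the number of keys; az only rejects bad values after the keys already exist,
# so check first. Returns 0 when the pair is acceptable.
validate_quorum() {
  keys=$1; quorum=$2
  [ "$keys" -ge 3 ] && [ "$keys" -le 10 ] || return 1
  [ "$quorum" -ge 2 ] && [ "$quorum" -le 10 ] || return 1
  [ "$quorum" -le "$keys" ]
}

# Space-separated list of the public certificates, built from the same directory
# and naming scheme that gen_wrapping_key uses.
wrapping_key_args() {
  dir=$1; keys=$2; i=0; out=""
  while [ "$i" -lt "$keys" ]; do
    out="$out $dir/cert_$i.cer"; i=$((i + 1))
  done
  printf '%s' "${out# }"
}

# The exact download command line for a given setup (dry run: nothing is executed).
download_cmd() {
  hsm=$1; dir=$2; keys=$3; quorum=$4
  validate_quorum "$keys" "$quorum" || return 1
  printf 'az keyvault security-domain download --hsm-name %s --sd-wrapping-keys %s --sd-quorum %s --security-domain-file %s-SD.json' \
    "$hsm" "$(wrapping_key_args "$dir" "$keys")" "$quorum" "$hsm"
}

# One self-signed RSA-2048 wrapping key pair. The private key is what permits a
# later security-domain restore, so it is created with mode 0600 via umask.
gen_wrapping_key() {
  dir=$1; idx=$2
  mkdir -p "$dir"
  (umask 077; openssl req -newkey rsa:2048 -nodes \
     -keyout "$dir/cert_$idx.key" -x509 -days 365 \
     -out "$dir/cert_$idx.cer" -subj "/CN=hsm-sd-wrapping-$idx")
}

# Full activation: validate, generate KEY_COUNT key pairs, download the domain.
activate_hsm() {
  validate_quorum "$KEY_COUNT" "$QUORUM" || { echo "invalid key count/quorum" >&2; return 1; }
  i=0
  while [ "$i" -lt "$KEY_COUNT" ]; do
    gen_wrapping_key "$KEY_DIR" "$i"; i=$((i + 1))
  done
  # shellcheck disable=SC2046  (word splitting of the path list is intended)
  az keyvault security-domain download --hsm-name "$HSM_NAME" \
     --sd-wrapping-keys $(wrapping_key_args "$KEY_DIR" "$KEY_COUNT") \
     --sd-quorum "$QUORUM" --security-domain-file "$HSM_NAME-SD.json"
}

# Only touch Azure when invoked as: sh activate_hsm.sh run
if [ "${1:-}" = "run" ]; then
  activate_hsm
fi
```

Run `sh activate_hsm.sh run` after `az login`; without the argument the script only defines its functions, so `download_cmd` can be used to preview the command Terraform would issue. Keep the generated `cert_N.key` files (and the `-SD.json` file) out of the Terraform working directory and state, since together they are enough to restore the HSM's security domain.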

Output: shown as screenshots in the original answer.

Note: Please make sure purge protection is enabled on the HSM Key Vault, and that you have all the required permissions on the management plane (not added in the code) and the control plane (which I have added in the code). To install OpenSSL, you can refer to this answer by mtotowamkwe on this SO thread.
