The goal is to enable disk encryption for a virtual machine using Azure Disk Encryption. However, I keep running into an error and cannot resolve it.
Error: waiting for creation of Disk Encryption Set "example disk encryption set" (Resource Group "example resources"): Code="DiskEncryptionSetCreationFailed" Message="Disk Encryption Set "example disk encryption set" creation failed."
Something like this.
I used the link as a reference.
I tried provisioning azurerm_disk_encryption_set for an Azure VM with Terraform, and I was able to provision that requirement successfully.
Since you provided the link shared in the question, if the code you are using is the same, there are several possible reasons that point to a problem when creating the Disk Encryption Set in Azure. Azure Disk Encryption uses Disk Encryption Sets to manage the encryption of virtual machine disks.
Azure policies or role-based access control (RBAC) assignments can limit your ability to create Disk Encryption Sets. These policies can restrict specific operations in your Azure subscription. My Terraform configuration:
# Identity of the principal running Terraform; supplies tenant_id and the
# object_id used in the user access policy below.
data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "example" {
  name = "v-sakavya"
}

# Key Vault holding the customer-managed key. Purge protection (with soft
# delete) must be on before a Disk Encryption Set can reference a key here.
resource "azurerm_key_vault" "example" {
  name                        = "desvksb-example-keyvault"
  location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  sku_name                    = "premium"
  enabled_for_disk_encryption = true
  purge_protection_enabled    = true
}

# The key used by the Disk Encryption Set. depends_on ensures the user access
# policy exists first; otherwise key creation fails with a permission error.
resource "azurerm_key_vault_key" "example" {
  name         = "des-example-keyvksb"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  depends_on = [
    azurerm_key_vault_access_policy.example-user
  ]

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

# Disk Encryption Set with a system-assigned managed identity; that identity
# is what must be granted access to the key.
resource "azurerm_disk_encryption_set" "example" {
  name                = "des"
  resource_group_name = data.azurerm_resource_group.example.name
  location            = data.azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}

# Vault access policy for the Disk Encryption Set's identity.
resource "azurerm_key_vault_access_policy" "example-disk" {
  key_vault_id = azurerm_key_vault.example.id

  tenant_id = azurerm_disk_encryption_set.example.identity[0].tenant_id
  object_id = azurerm_disk_encryption_set.example.identity[0].principal_id

  key_permissions = [
    "Create",
    "Delete",
    "Get",
    "Purge",
    "Recover",
    "Update",
    "List",
    "Decrypt",
    "Sign",
  ]
}

# Vault access policy for the principal running Terraform, so it can create
# and manage the key.
resource "azurerm_key_vault_access_policy" "example-user" {
  key_vault_id = azurerm_key_vault.example.id

  tenant_id = data.azurerm_client_config.current.tenant_id
  object_id = data.azurerm_client_config.current.object_id

  key_permissions = [
    "Create",
    "Delete",
    "Get",
    "Purge",
    "Recover",
    "Update",
    "List",
    "Decrypt",
    "Sign",
    "GetRotationPolicy",
  ]
}

# RBAC grant for the Disk Encryption Set's identity. This built-in role carries
# the get/wrapKey/unwrapKey permissions the set needs to wrap and unwrap the
# disk encryption keys.
resource "azurerm_role_assignment" "example-disk" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_disk_encryption_set.example.identity[0].principal_id
}
Output:
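As an added example (not part of the answer above), a small offline preflight check for the two things the configuration has to get right before the Disk Encryption Set can be created: the vault must have soft delete and purge protection enabled, and the set's identity must hold get/wrapKey/unwrapKey on the key, either through a vault access policy or through the "Key Vault Crypto Service Encryption User" role at vault scope. It assumes the JSON field names of `az keyvault show` and `az role assignment list`; the sample inputs are constructed.

```python
# Key permissions a Disk Encryption Set (DES) identity needs on the vault key.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}
# Built-in role carrying those permissions (the one the config above assigns).
DES_ROLE = "Key Vault Crypto Service Encryption User"


def check_des_prereqs(vault, role_assignments, des_principal_id):
    """Return a list of findings; an empty list means the prerequisites hold.

    vault: parsed output of `az keyvault show`; role_assignments: parsed output
    of `az role assignment list --scope <vault id>` (field names as in az CLI).
    """
    findings = []
    props = vault.get("properties", {})
    if not props.get("enableSoftDelete"):
        findings.append("vault soft delete is disabled")
    if not props.get("enablePurgeProtection"):
        findings.append("vault purge protection is disabled")
    # Path 1: access-policy model, an entry for the DES principal on the vault.
    granted = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId") == des_principal_id:
            granted |= {p.lower() for p in policy.get("permissions", {}).get("keys") or []}
    # Path 2: RBAC model, the built-in role assigned at vault scope.
    has_role = any(
        ra.get("principalId") == des_principal_id
        and ra.get("roleDefinitionName") == DES_ROLE
        and ra.get("scope", "").lower() == vault.get("id", "").lower()
        for ra in role_assignments
    )
    if not (REQUIRED_KEY_PERMS <= granted or has_role):
        findings.append(
            f"DES identity missing key permissions {sorted(REQUIRED_KEY_PERMS - granted)} "
            f"and has no '{DES_ROLE}' role on the vault"
        )
    return findings


# Constructed sample data (not captured from a real subscription).
VAULT_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/example-kv"
DES_PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SAMPLE_VAULT = {"id": VAULT_ID, "properties": {
    "enableSoftDelete": True, "enablePurgeProtection": False,
    # Mirrors the example-disk access policy above: no wrapKey/unwrapKey granted.
    "accessPolicies": [{"objectId": DES_PRINCIPAL, "permissions": {"keys": ["Get", "Decrypt", "Sign"]}}]}}
NO_ROLES = []
# Mirrors azurerm_role_assignment.example-disk; this is what satisfies the DES.
CRYPTO_ROLE = [{"principalId": DES_PRINCIPAL, "roleDefinitionName": DES_ROLE, "scope": VAULT_ID}]
```

With purge protection off and no role assignment the check reports both problems; turning purge protection on and adding the role assignment clears them, which is exactly the combination the Terraform configuration above produces.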