我已经创建了 terraform 脚本来使用 Azure keyvault 中的 CMK,但是我的操作系统磁盘仍然使用 PMK 而不是 CMK 进行加密,是否有其他可能使其通过 terraform 默认使用 CMK 访问磁盘加密
尝试使用磁盘加密集,添加扩展
我已经创建了 terraform 脚本来使用 Azure keyvault 中的 CMK,但是我的操作系统磁盘仍然使用 PMK 而不是 CMK 进行加密,是否有其他可能使其通过 terraform 默认使用 CMK 访问磁盘加密
这里是更新后的 Terraform 代码,用于创建一台默认使用 CMK 进行磁盘加密的 VM。
# Azure Resource Manager provider.
# The empty features block is mandatory for the azurerm provider.
provider "azurerm" {
  features {}
}
# Identity of the principal running `terraform apply`; used below for the
# Key Vault tenant_id (and can supply the deployer's object_id).
data "azurerm_client_config" "current" {}
# Resource group that holds every resource of this demo.
resource "azurerm_resource_group" "example" {
  location = "West Europe"
  name     = "encryption-resources"
}
# Key Vault that stores the customer-managed key (CMK).
# A vault used by a Disk Encryption Set must have purge protection enabled
# (soft delete is on by default); the vault uses Azure RBAC, so access is
# granted through role assignments rather than access policies.
resource "azurerm_key_vault" "example" {
  name                = "encry-venkat-keyvault"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Premium SKU gives HSM-backed keys.
  sku_name = "premium"

  enable_rbac_authorization   = true
  purge_protection_enabled    = true
  enabled_for_disk_encryption = true
}
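# Grants the principal running Terraform the rights it needs to create and
# manage the CMK in the RBAC-enabled vault.
# Fixes: the principal was a hard-coded object id that only works for one
# tenant/user; it is now taken from the current client configuration.
# The role is narrowed from "Key Vault Administrator" to
# "Key Vault Crypto Officer", which is sufficient to create, read, delete
# and recover keys without granting secret/certificate management.
resource "azurerm_role_assignment" "key_vault_admin_assignment" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}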
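# The customer-managed key used by the Disk Encryption Set.
# Fixes: nothing in this resource referenced the role assignment that grants
# the deployer access to the vault, so Terraform could try to create the key
# before the RBAC grant exists. depends_on forces the correct order
# (RBAC propagation can still take a short while after the assignment is
# created; re-running apply resolves that).
resource "azurerm_key_vault_key" "example" {
  name         = "encryption-demo-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  # Server-side disk encryption only needs wrapKey/unwrapKey; the other
  # operations are kept for compatibility with the original demo.
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  depends_on = [azurerm_role_assignment.key_vault_admin_assignment]
}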
# Disk Encryption Set (DES) that wraps disk data-encryption keys with the CMK.
# `azurerm_key_vault_key.example.id` is a versioned key id, so the set is
# pinned to this key version. The system-assigned identity is what must be
# granted access to the key (see the role assignment below).
resource "azurerm_disk_encryption_set" "example" {
  name                = "encryptionset"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  key_vault_key_id = azurerm_key_vault_key.example.id

  identity {
    type = "SystemAssigned"
  }
}
# Allows the Disk Encryption Set's managed identity to wrap/unwrap keys in
# the vault. "Key Vault Crypto Service Encryption User" is the built-in
# least-privilege role for this purpose.
resource "azurerm_role_assignment" "example-disk" {
  principal_id         = azurerm_disk_encryption_set.example.identity.0.principal_id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  scope                = azurerm_key_vault.example.id
}
# Virtual network for the demo VM.
resource "azurerm_virtual_network" "tfencrypt_vnet" {
  name                = "tfencrypt_vnet"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = ["10.0.0.0/16"]
}
# Single /24 subnet inside the demo virtual network.
resource "azurerm_subnet" "tfencrypt_subnet" {
  name                 = "tfencrypt_subnet"
  virtual_network_name = azurerm_virtual_network.tfencrypt_vnet.name
  resource_group_name  = azurerm_resource_group.example.name
  address_prefixes     = ["10.0.0.0/24"]
}
# NIC for the VM with a single dynamically assigned private IP.
# No public IP is attached, so the VM is reachable only from inside the VNet.
resource "azurerm_network_interface" "tfencrypt_nic" {
  name                = "tfencrypt_nic"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  ip_configuration {
    name                          = "ipconfig1"
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.tfencrypt_subnet.id
  }
}
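# Admin password for the VM. Declared as a sensitive input so the credential
# is no longer committed in plain text with the configuration (supply it via
# TF_VAR_admin_password, a .tfvars file, or a secret store).
variable "admin_password" {
  description = "Administrator password for the demo VM."
  type        = string
  sensitive   = true
}

# Linux VM whose OS disk is encrypted with the CMK through the Disk
# Encryption Set (disk_encryption_set_id in the os_disk block).
# Fixes:
#  - the hard-coded admin password is replaced by the sensitive variable above;
#  - depends_on ensures the DES identity has been granted access to the key
#    before the OS disk is created, otherwise disk creation can fail because
#    nothing here referenced that role assignment.
# SSH-key authentication (admin_ssh_key with
# disable_password_authentication = true) is preferable to password logins;
# password login is kept here to match the original demo.
resource "azurerm_linux_virtual_machine" "tfencrypt_vm" {
  name                = "tfencrypt"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  # "s" sizes support Premium_LRS disks, which the os_disk below uses.
  size                  = "Standard_F2s"
  network_interface_ids = [azurerm_network_interface.tfencrypt_nic.id]

  admin_username                  = "benhu"
  admin_password                  = var.admin_password
  disable_password_authentication = false

  source_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  os_disk {
    name                   = "tfencrypt_osdisk"
    caching                = "ReadWrite"
    storage_account_type   = "Premium_LRS"
    # This is what switches the OS disk from platform-managed keys to the CMK.
    disk_encryption_set_id = azurerm_disk_encryption_set.example.id
  }

  depends_on = [azurerm_role_assignment.example-disk]
}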
运行上述 terraform 代码后,虚拟机已默认使用 CMK 加密。