Error when enabling TDE on Azure SQL via Terraform

Question (votes: 0, answers: 1)

I am running a Terraform script that creates the following:

  1. Creates the primary server.
  2. Enables SQL/AD login.
  3. Creates the database.
  4. Enables the failover group. (In this step it also creates the secondary server and replicates the database.)
  5. Assigns a user-managed identity to the primary and secondary SQL servers.

Now, I have a flag defined as is_transparent_data_encryption_enabled, which is false by default. When I set it to true, it generates a plan like this:


  # azurerm_mssql_server.primary will be updated in-place
  ~ resource "azurerm_mssql_server" "primary" {
        id                                           = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/sc-sql-msi-poc/providers/Microsoft.Sql/servers/sqlautopocdemo"
        name                                         = "sqlautopocdemo"
      + transparent_data_encryption_key_vault_key_id = (known after apply)
        # (12 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # azurerm_mssql_server.secondary[0] will be updated in-place
  ~ resource "azurerm_mssql_server" "secondary" {
        id                                           = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/sc-sql-msi-poc/providers/Microsoft.Sql/servers/sqlautopocdemo-secondary-new"
        name                                         = "sqlautopocdemo-secondary-new"
      + transparent_data_encryption_key_vault_key_id = (known after apply)
        # (12 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

However, when I run terraform apply, it fails with the error message quoted below.

I also tried running it again after an hour, considering that the user-managed identity might need some time for the access policy to take effect, but it still does not work.

I also tried enabling it on the secondary first (as described in the Microsoft documentation), and tried enabling it on the primary first. Both failed.

Please suggest/advise as soon as possible, it would help.


Tried: enabling TDE on SQL servers that have a failover group enabled. However, it fails with this error -

│ Error: updating Server (Subscription: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "sc-sql-msi-poc"
│ Server Name: "sqlautopocdemo"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
│
│ Status: "SameKeyMaterialNotFoundOnRemoteServer"
│ Code: ""
│ Message: "All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."
│ Activity Id: ""
│
│ ---
│
│ API Response:
│
│ ----[start]----
│ {"name":"79d84913-ea6d-43c4-ba5c-20ccb225003f","status":"Failed","startTime":"2024-05-04T12:09:03.687Z","error":{"code":"SameKeyMaterialNotFoundOnRemoteServer","message":"All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."}}
│ -----[end]-----
│
│
│   with azurerm_mssql_server.primary,
│   on azure_sql.tf line 48, in resource "azurerm_mssql_server" "primary":
│   48: resource "azurerm_mssql_server" "primary" {

Expected: I need suggestions on what the problem is, since all the prerequisites are covered. TDE should be enabled on both the primary and the secondary server. Thank you.

terraform azure-sql-database terraform-provider-azure tde
1 answer

0 votes

Enabling TDE with a customer-managed key on Azure SQL servers via Terraform

To fix the error and make Transparent Data Encryption (TDE) with geo-replication work correctly in the Terraform script, it is essential that the primary and secondary SQL servers use the same key material from Azure Key Vault. This requires carefully coordinating the resources and dependencies in Terraform so that the key is accessible and assigned before TDE is activated on the SQL servers.

I tried a Terraform configuration based on your requirements and was able to meet them successfully.

My Terraform configuration:

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "samplevk-rg"
  location = "East US2"
}

resource "azurerm_user_assigned_identity" "example" {
  name                = "vksb-admin"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_key_vault" "example" {
  name                        = "mssqlvksbvault"
  location                    = azurerm_resource_group.example.location
  resource_group_name         = azurerm_resource_group.example.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = true
  sku_name                    = "standard"

  access_policy {
    tenant_id       = data.azurerm_client_config.current.tenant_id
    object_id       = data.azurerm_client_config.current.object_id
    key_permissions = ["Get", "List", "Create", "Delete", "Update", "Recover", "Purge", "GetRotationPolicy"]
  }

  # The identity attached to both SQL servers only needs to read the key and
  # wrap/unwrap the database encryption key with it.
  access_policy {
    tenant_id       = azurerm_user_assigned_identity.example.tenant_id
    object_id       = azurerm_user_assigned_identity.example.principal_id
    key_permissions = ["Get", "WrapKey", "UnwrapKey"]
  }
}

# One key, referenced by both servers, so they share the same key material.
resource "azurerm_key_vault_key" "example" {
  depends_on = [azurerm_key_vault.example]

  name         = "vksb-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["unwrapKey", "wrapKey"]
}

resource "azurerm_mssql_server" "primary" {
  name                         = "sqlautopocdemovk"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "Administratorvk"
  administrator_login_password = "YourPassword"
  minimum_tls_version          = "1.2"

  azuread_administrator {
    login_username = azurerm_user_assigned_identity.example.name
    object_id      = azurerm_user_assigned_identity.example.principal_id
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.example.id]
  }

  # The server uses this identity to reach the vault; the versioned key ID is
  # the same one the secondary references below.
  primary_user_assigned_identity_id            = azurerm_user_assigned_identity.example.id
  transparent_data_encryption_key_vault_key_id = azurerm_key_vault_key.example.id
}

resource "azurerm_mssql_server" "secondary" {
  name                         = "sqlautopocdemo-secondary-vksb"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "Administratorvk"
  administrator_login_password = "YourPassword"
  minimum_tls_version          = "1.2"

  azuread_administrator {
    login_username = azurerm_user_assigned_identity.example.name
    object_id      = azurerm_user_assigned_identity.example.principal_id
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.example.id]
  }

  # Same identity and the same versioned key ID as the primary.
  primary_user_assigned_identity_id            = azurerm_user_assigned_identity.example.id
  transparent_data_encryption_key_vault_key_id = azurerm_key_vault_key.example.id
}

Deployment succeeded (screenshots omitted).
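As an added example (not the asker's or the answerer's configuration), the same idea applied to an existing failover group like the one in the question: manage the protector with the separate azurerm_mssql_server_transparent_data_encryption resource so Terraform updates the secondary before the primary. It assumes the server, key and identity resources from the answer above, a hypothetical azurerm_mssql_database.example, and that your azurerm provider version supports that resource.

```hcl
# Constructed example, not the poster's configuration. Assumes the answer's
# azurerm_mssql_server.primary / .secondary, azurerm_key_vault_key.example and
# a hypothetical azurerm_mssql_database.example, with
# transparent_data_encryption_key_vault_key_id removed from both server blocks
# so the protector is managed only by the resources below.

resource "azurerm_mssql_failover_group" "example" {
  name      = "sqlautopocdemo-fog" # constructed name
  server_id = azurerm_mssql_server.primary.id
  databases = [azurerm_mssql_database.example.id]

  partner_server {
    id = azurerm_mssql_server.secondary.id
  }

  read_write_endpoint_failover_policy {
    mode          = "Automatic"
    grace_minutes = 60
  }
}

# Step 1: give the secondary the same key material first. The API rejects a
# protector change on the primary unless every geo-replication partner already
# holds that key (the SameKeyMaterialNotFoundOnRemoteServer error above).
resource "azurerm_mssql_server_transparent_data_encryption" "secondary" {
  server_id        = azurerm_mssql_server.secondary.id
  key_vault_key_id = azurerm_key_vault_key.example.id

  depends_on = [azurerm_mssql_failover_group.example]
}

# Step 2: only then switch the primary's protector to the customer-managed key.
resource "azurerm_mssql_server_transparent_data_encryption" "primary" {
  server_id        = azurerm_mssql_server.primary.id
  key_vault_key_id = azurerm_key_vault_key.example.id

  depends_on = [azurerm_mssql_server_transparent_data_encryption.secondary]
}
```

The explicit depends_on chain is what the single apply in the question lacked: both servers were updated in the same plan with no ordering between them, so the primary's protector change could be attempted before the secondary held the key.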
