正在运行创建以下内容的 Terraform 脚本:
现在,我有一个定义为 is_transparent_data_encryption_enabled 的标志,默认情况下该标志为 false。当我将其启用为 true 时,它会生成如下计划:
# azurerm_mssql_server.primary will be updated in-place
~ resource "azurerm_mssql_server" "primary" {
id = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/sc-sql-msi-poc/providers/Microsoft.Sql/servers/sqlautopocdemo"
name = "sqlautopocdemo"
+ transparent_data_encryption_key_vault_key_id = (known after apply)
# (12 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}`
# azurerm_mssql_server.secondary[0] will be updated in-place
~ resource "azurerm_mssql_server" "secondary" {
id = "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/sc-sql-msi-poc/providers/Microsoft.Sql/servers/sqlautopocdemo-secondary-new"
name = "sqlautopocdemo-secondary-new"
+ transparent_data_encryption_key_vault_key_id = (known after apply)
# (12 unchanged attributes hidden)
# (2 unchanged blocks hidden)
}
但是,当我运行 terraform apply 时,它失败并显示此消息 - `
我也尝试在一小时后运行,考虑到用户管理的身份可能需要一些时间才能反映访问策略,但它仍然不起作用。
此外,尝试首先在辅助设备上启用它(如 Microsoft 文档中所述),并尝试首先在主设备上启用它。两者都失败了。
请尽快提供建议/意见,会有帮助
################################################## ################################################
尝试:在启用了故障转移组的 SQL Server 上启用 TDE。但是,它失败并出现此错误 -
`
│ Error: updating Server (Subscription: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "sc-sql-msi-poc"
│ Server Name: "sqlautopocdemo"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
│
│ Status: "SameKeyMaterialNotFoundOnRemoteServer"
│ Code: ""
│ Message: "All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."
│ Activity Id: ""
│
│ ---
│
│ API Response:
│
│ ----[start]----
│ {"name":"79d84913-ea6d-43c4-ba5c-20ccb225003f","status":"Failed","startTime":"2024-05-04T12:09:03.687Z","error":{"code":"SameKeyMaterialNotFoundOnRemoteServer","message":"All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."}}
│ -----[end]-----
│
│
│ with azurerm_mssql_server.primary,
│ on azure_sql.tf line 48, in resource "azurerm_mssql_server" "primary":
│ 48: resource "azurerm_mssql_server" "primary" {
Error: updating Server (Subscription: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
│ Resource Group Name: "sc-sql-msi-poc"
│ Server Name: "sqlautopocdemo"): polling after CreateOrUpdate: polling failed: the Azure API returned the following error:
│
│ Status: "SameKeyMaterialNotFoundOnRemoteServer"
│ Code: ""
│ Message: "All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."
│ Activity Id: ""
│
│ ---
│
│ API Response:
│
│ ----[start]----
│ {"name":"79d84913-ea6d-43c4-ba5c-20ccb225003f","status":"Failed","startTime":"2024-05-04T12:09:03.687Z","error":{"code":"SameKeyMaterialNotFoundOnRemoteServer","message":"All servers linked by Geo replication should have the same key material as the encryption protector of the primary server. Please add the key 'https://suhas-sql-tde-key-53.vault.azure.net/keys/example-key/54cd85cc10d745eb966676f7c5af06a5' with the same key material to the secondary server 'sqlautopocdemo-secondary-new'."}}
│ -----[end]-----
│
│
│ with azurerm_mssql_server.primary,
│ on azure_sql.tf line 48, in resource "azurerm_mssql_server" "primary":
│ 48: resource "azurerm_mssql_server" "primary" {
期望:需要有关问题所在的建议,因为所有先决条件都已涵盖。应在主服务器和辅助服务器上启用 TDE。谢谢你。
通过 Terraform 在 Azure SQL 服务器上启用 TDE 客户管理密钥
为了纠正错误并确保具有异地复制功能的透明数据加密 (TDE) 在 Terraform 脚本中正确运行,确保主 SQL 服务器和辅助 SQL 服务器使用 Azure Key Vault 中的相同密钥材料至关重要。这需要仔细协调 Terraform 中的资源和依赖项,以确认在 SQL 服务器上激活 TDE 之前可以访问和分配密钥。
我根据您的要求尝试了 terraform 配置,并且能够成功满足要求。
我的地形配置:
provider "azurerm" {
features {}
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "example" {
name = "samplevk-rg"
location = "East US2"
}
resource "azurerm_user_assigned_identity" "example" {
name = "vksb-admin"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_key_vault" "example" {
name = "mssqlvksbvault"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
enabled_for_disk_encryption = true
tenant_id = data.azurerm_client_config.current.tenant_id
soft_delete_retention_days = 7
purge_protection_enabled = true
sku_name = "standard"
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = ["Get", "List", "Create", "Delete", "Update", "Recover", "Purge", "GetRotationPolicy"]
}
access_policy {
tenant_id = azurerm_user_assigned_identity.example.tenant_id
object_id = azurerm_user_assigned_identity.example.principal_id
key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}
}
resource "azurerm_key_vault_key" "example" {
depends_on = [azurerm_key_vault.example]
name = "vksb-key"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
key_opts = ["unwrapKey", "wrapKey"]
}
resource "azurerm_mssql_server" "primary" {
name = "sqlautopocdemovk"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
version = "12.0"
administrator_login = "Administratorvk"
administrator_login_password = "YourPassword"
minimum_tls_version = "1.2"
azuread_administrator {
login_username = azurerm_user_assigned_identity.example.name
object_id = azurerm_user_assigned_identity.example.principal_id
}
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.example.id]
}
primary_user_assigned_identity_id = azurerm_user_assigned_identity.example.id
transparent_data_encryption_key_vault_key_id = azurerm_key_vault_key.example.id
}
resource "azurerm_mssql_server" "secondary" {
name = "sqlautopocdemo-secondary-vksb"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
version = "12.0"
administrator_login = "Administratorvk"
administrator_login_password = "YourPassword"
minimum_tls_version = "1.2"
azuread_administrator {
login_username = azurerm_user_assigned_identity.example.name
object_id = azurerm_user_assigned_identity.example.principal_id
}
identity {
type = "UserAssigned"
identity_ids = [azurerm_user_assigned_identity.example.id]
}
primary_user_assigned_identity_id = azurerm_user_assigned_identity.example.id
transparent_data_encryption_key_vault_key_id = azurerm_key_vault_key.example.id
}
部署成功: