不幸的是,无法直接从 Terraform 激活托管 HSM(Managed HSM)。目前只能通过 Terraform 或 ARM 模板创建并配置它,而激活(即下载安全域,security domain)只能通过 PowerShell 或 Azure CLI 完成。使用客户管理的密钥更新存储帐户,以及在 Managed HSM 上分配本地 RBAC 角色时,情况也是如此。
如果改用 azurerm_storage_account_customer_managed_key 资源,则会收到如下错误(原始错误信息此处未附):
总体而言,Managed HSM 的所有数据平面操作(激活、角色分配、创建密钥等)都需要通过 Azure CLI 或 PowerShell 执行。
因此,作为变通方法,可以在 Terraform 中通过 null_resource 的 local-exec 预配器直接运行这些命令,而无需在 apply 之后再手动执行单独的步骤。
代码:
# azurerm provider; the (empty) features block is required by the provider.
provider "azurerm" {
  features {}
}
# The identity running terraform; supplies tenant_id and object_id below.
data "azurerm_client_config" "current" {}
# Resource group that holds the Managed HSM and the storage account.
resource "azurerm_resource_group" "example" {
  location = "West Europe"
  name     = "keyvaulthsm-resources"
}
# Managed HSM. Terraform only provisions it; activation (security-domain
# download) is done by the az CLI provisioner further down.
resource "azurerm_key_vault_managed_hardware_security_module" "example" {
  name                = "testKVHsm"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "Standard_B1"
  tenant_id           = data.azurerm_client_config.current.tenant_id

  # Purge protection plus a 90-day soft-delete window: a deleted HSM (and the
  # key that wraps the storage account's data) cannot be purged early.
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  # NOTE(review): the identity running terraform becomes the sole HSM
  # administrator. Outside a test, pass a dedicated admin group / break-glass
  # principals here rather than the pipeline identity.
  admin_object_ids = [data.azurerm_client_config.current.object_id]

  tags = { Env = "Test" }
}
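# Output paths of the private keys for the security-domain wrapping
# certificates. These are HSM recovery material: keep them offline and out of
# source control. Replace <Path> before applying.
variable "KeyName" {
  type        = list(string)
  description = "Private-key (.key) output paths for the security-domain wrapping certificates, one per certificate."
  default     = ["C:/<Path>/cert_0.key", "C:/<Path>/cert_1.key", "C:/<Path>/cert_2.key"]
}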
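# Output paths of the public certificates (.cer) that wrap the HSM security
# domain; must be index-aligned with var.KeyName. Replace <Path> before applying.
variable "CertName" {
  type        = list(string)
  description = "Certificate (.cer) output paths for the security-domain wrapping certificates, index-aligned with var.KeyName."
  default     = ["C:/<Path>/cert_0.cer", "C:/<Path>/cert_1.cer", "C:/<Path>/cert_2.cer"]
}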
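# Generates one self-signed RSA-2048 certificate per entry of var.KeyName /
# var.CertName. The .cer files wrap the HSM security domain; the matching
# .key files are required later to restore or recover the HSM.
resource "null_resource" "OPENSSLCERT" {
  # One instance per key/cert pair instead of a hard-coded 3, so the variable
  # lists remain the single source of truth (var.CertName must be as long).
  count = length(var.KeyName)

  provisioner "local-exec" {
    interpreter = ["PowerShell", "-Command"]
    # -nodes writes the private key to disk UNENCRYPTED. That is only
    # acceptable on a trusted, offline workstation; otherwise drop -nodes and
    # protect the key. Paths are quoted so spaces (or the literal <Path>
    # placeholder) do not break the command, and a non-zero openssl exit code
    # is propagated so terraform fails instead of continuing without a cert.
    command = <<-EOT
      $ErrorActionPreference = "Stop"
      cd "C:\Program Files\OpenSSL-Win64\bin"
      ./openssl.exe req -newkey rsa:2048 -nodes -keyout "${var.KeyName[count.index]}" -x509 -days 365 -out "${var.CertName[count.index]}" -subj "/C=IN/ST=Telangana/L=Hyderabad/O=exy ltd/OU=Stack/CN=domain.onmicrosoft.com"
      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
    EOT
  }
}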
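# Activates the HSM by downloading its security domain, wrapped with the
# public certificates generated above. --sd-quorum 2 means any 2 of the 3
# private keys are enough to restore the domain later (quorum must not
# exceed the number of certificates).
resource "null_resource" "securityDomain" {
  depends_on = [null_resource.OPENSSLCERT]

  provisioner "local-exec" {
    interpreter = ["PowerShell", "-Command"]
    # The wrapping certs are referenced by the exact paths openssl wrote them
    # to; the original used ./cert_N.cer, which only resolves when terraform
    # happens to run inside <Path>. The downloaded <hsm>-SD.json is written to
    # the working directory and is recovery material: move it offline and keep
    # it (and the .key files) out of source control.
    command = <<-EOT
      az keyvault security-domain download --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --sd-wrapping-keys ${join(" ", formatlist("\"%s\"", var.CertName))} --sd-quorum 2 --security-domain-file ${azurerm_key_vault_managed_hardware_security_module.example.name}-SD.json
      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
    EOT
  }
}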
# Storage account that will be encrypted with a customer-managed key held in
# the Managed HSM. Its system-assigned identity is the principal that later
# receives the "Managed HSM Crypto Service Encryption User" role.
resource "azurerm_storage_account" "example" {
  name                     = "ansumanhsmstor1"
  location                 = azurerm_resource_group.example.location
  resource_group_name      = azurerm_resource_group.example.name
  account_replication_type = "GRS"
  account_tier             = "Standard"

  identity {
    type = "SystemAssigned"
  }
}
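# Data-plane (Managed HSM local RBAC) setup, in order:
#   1. storage account identity -> "Managed HSM Crypto Service Encryption User"
#      scoped to /keys (wrap/unwrap only: the least privilege Azure Storage
#      needs);
#   2. the deploying identity -> "Managed HSM Crypto User" at / so it can
#      create the key (NOTE(review): being listed in admin_object_ids does not
#      appear to grant key operations by itself; /keys would be a tighter
#      scope - confirm before narrowing);
#   3. create an RSA-HSM 3072 key restricted to wrapKey/unwrapKey.
# Every az call now aborts the provisioner on a non-zero exit code. In the
# original only the last command's status reached terraform, so a failed role
# assignment was silently ignored and the later storage update would most
# likely fail with an access error.
resource "null_resource" "roleassignkv" {
  depends_on = [
    null_resource.securityDomain,
    azurerm_storage_account.example,
  ]

  provisioner "local-exec" {
    interpreter = ["PowerShell", "-Command"]
    command     = <<-EOT
      az keyvault role assignment create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --role "Managed HSM Crypto Service Encryption User" --assignee ${azurerm_storage_account.example.identity[0].principal_id} --scope /keys
      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
      az keyvault role assignment create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --role "Managed HSM Crypto User" --assignee ${data.azurerm_client_config.current.object_id} --scope /
      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
      az keyvault key create --hsm-name ${azurerm_key_vault_managed_hardware_security_module.example.name} --name storageencryptionkey --ops wrapKey unwrapKey --kty RSA-HSM --size 3072
      if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
    EOT
  }
}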
# Points the storage account's encryption at the HSM-held key. No
# --encryption-key-version is passed, so (presumably) the account follows the
# key's current version rather than being pinned - confirm this is intended.
# The az command is the only/last statement, so its exit status is what
# terraform sees.
resource "null_resource" "storageupdate" {
  depends_on = [
    null_resource.securityDomain,
    azurerm_storage_account.example,
    null_resource.roleassignkv,
  ]

  provisioner "local-exec" {
    interpreter = ["PowerShell", "-Command"]
    command     = <<-EOT
      az storage account update --name ${azurerm_storage_account.example.name} --resource-group ${azurerm_resource_group.example.name} --encryption-key-name storageencryptionkey --encryption-key-source Microsoft.Keyvault --encryption-key-vault ${azurerm_key_vault_managed_hardware_security_module.example.hsm_uri}
    EOT
  }
}
输出:
注意:请确保已在 Managed HSM 上启用 Purge Protection(代码中 purge_protection_enabled = true 已启用),并且执行身份在控制/管理平面(ARM RBAC,未在代码中添加)和数据平面(HSM 本地 RBAC,代码中通过 az keyvault role assignment create 已添加)上都拥有所需权限。另外,openssl 生成的私钥(cert_*.key)和下载的安全域文件(*-SD.json)是日后恢复 HSM 所必需的,请离线妥善保管,切勿提交到版本库。要安装 OpenSSL,可参考 SO 上 mtotowamkwe 的回答。