1

关于实现逻辑,我在这里有一个巨大的障碍。

我正在与二头肌合作创建这些资源。

  • 存储帐户
  • 密钥库
  • 将存储帐户连接字符串传递给密钥保管库机密
  • 在密钥保管库中创建密钥并使用该密钥加密存储帐户。

前三个步骤完成。如果我声明 2 个存储帐户,它将自动创建 2 个秘密连接字符串和 2 个密钥。它们匹配的所有配对(存储名称和连接字符串)。

现在我面临的问题如下,首先,这是我的代码。

param tenantCode array = [
  'dsec'
  'sdre'
]

var storageName = [for item in tenantCode :{
  name: string('sthrideveur${item}')
}]


var connectionStringSecretName = [for connection in storageName :{
  name: '${connection.name}'
  
}]

output connectionStringSecretName array= [for connection in storageName :{
  name: '${connection.name}'
  
}]






resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [ for name in storageName :{
  name: '${name.name}'
  location: 'westeurope'
  sku: {
    name: 'Standard_RAGRS'
  }
  kind: 'StorageV2'
  properties: {
    allowCrossTenantReplication: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: []
      ipRules: []
      defaultAction: 'Allow'
    }
    supportsHttpsTrafficOnly: true
    encryption: {
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
      keySource: 'Microsoft.Storage'
      keyvaultproperties: { 
        keyname: '${tenantKey[0]}'
        keyvaulturi: keyVault.id
      }
    }
    accessTier: 'Cool'
  }
}]

resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name : 'XXX'
}

// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for name in storageName :{
  name: '${keyVault.name}/${name.name}'
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storage_Accounts[0].name};AccountKey=${listKeys('${storage_Accounts[0].id}', '${storage_Accounts[0].apiVersion}').keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}]

resource tenantKey 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenant in tenantCode : {
  name: '${keyVault.name}/Client-Key-${tenant}'
  properties: {
    keySize: 2048
    kty: 'RSA'
  }
  
}]

我有 2 个要创建的存储帐户。和钥匙,包含存储代码。我想要做并且我有问题要实现,是如何将正确的密钥与正确的存储帐户匹配。在这种特定情况下,我必须编写如下代码:

dsec
sdre

bicep 脚本将创建 2 个存储帐户和相应命名的机密:

sthrideveurdsec
sthrideveursdre

AND 2 secrets with the same name
sthrideveurdsec
sthrideveursdre

AND 2 Keys named
Client-Key-dsec
Client-Key-sdre

我要做的是用密钥 DSEC 加密存储帐户 DSEC,用密钥 SDRE 加密存储 SDRE。但是由于我是二头肌新手,所以我在实现这一点时遇到了一些问题。

如果有人可以帮助我了解如何实现这种正确的配对,我将不胜感激。

更新:测试托马斯解决方案后,这是我得到的错误:

{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n  \"error\": {\r\n    \"code\": \"KeyVaultPolicyError\",\r\n    \"message\": \"Keyvault policy recoverable is not set\"\r\n  }\r\n}"},{"code":"BadRequest","message":"{\r\n  \"error\": {\r\n    \"code\": \"KeyVaultPolicyError\",\r\n    \"message\": \"Keyvault policy recoverable is not set\"\r\n  }\r\n}"}]}}
4

1 回答 1

1

我假设已创建密钥保管库并使用访问策略。

如果您想使用客户管理的密钥创建存储,则存储需要在创建之前访问密钥保管库,因此我在示例中使用用户分配的身份。

以下是步骤:

  • 创建托管标识并授予对密钥保管库的密钥权限
  • 在密钥保管库中创建两个密钥
  • 创建存储、分配托管标识并使用密钥进行加密
// Default values I'm using to test 
param keyVaultName string = 'kvthomastest'
param managedIdentityName string = 'mi-storage-encryption-thomas-test'

param tenantCodes array = [
  'dsec'
  'sdre'
]

// I'm using prefix so I dont need to create additional arrays
var keyVaultKeyPrefix = 'Client-Key-'
var storagePrefix = 'stthomastest'

// Get a reference to key vault
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: keyVaultName
}

// Create a managed identity
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: managedIdentityName
  location: resourceGroup().location
}

// Grant permissions to key vault
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVault.name}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: managedIdentity.properties.principalId
        permissions: {
          // minimum required permissions
          keys: [
            'get'
            'unwrapKey'
            'wrapKey'
          ]
        }
      }
    ]
  }
}

// Create key vault keys
resource keyVaultKeys 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenantCode in tenantCodes: {
  name: '${keyVault.name}/${keyVaultKeyPrefix}${tenantCode}'
  properties: {
    keySize: 2048
    kty: 'RSA'
    // storage key should only needs these operations
    keyOps: [
      'unwrapKey'
      'wrapKey'
    ]
  }
}]

// Create storage accounts
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = [for tenantCode in tenantCodes: {
  name: '${storagePrefix}${tenantCode}'
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_RAGRS'
  }
  // Assign the identity
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    allowCrossTenantReplication: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: []
      ipRules: []
      defaultAction: 'Allow'
    }
    supportsHttpsTrafficOnly: true
    encryption: {
      identity: {
        // specify which identity to use
        userAssignedIdentity: managedIdentity.id
      }
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyname: '${keyVaultKeyPrefix}${tenantCode}'
        keyvaulturi: keyVault.properties.vaultUri
      }
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
    }
    accessTier: 'Cool'
  }
}]
于 2021-10-22T07:28:32.240 回答