How to enable the server-side encryption with customer-managed keys stored in Managed HSM for manage

Time:01-07

I have created and activated a Managed HSM using the following Terraform script:

main.tf

# Identity of the principal running Terraform; its tenant_id and object_id
# are consumed by the Managed HSM resource (kv_hsm) further down.
data "azurerm_client_config" "current" {}

## Create a Resource Group
resource "azurerm_resource_group" "resource_group" {
  # Both values are taken straight from input variables; downstream
  # resources reference this block rather than repeating the variables.
  location = var.location
  name     = var.resource_group_name
}

## Create a Key Vault Managed Hardware Security Module
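resource "azurerm_key_vault_managed_hardware_security_module" "kv_hsm" {
  name                = var.kv_hsm_name
  resource_group_name = azurerm_resource_group.resource_group.name
  location            = azurerm_resource_group.resource_group.location
  sku_name            = var.sku_name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  tags                = var.tags

  # Deleted HSMs are retained for 90 days and cannot be purged early.
  # NOTE(review): purge protection is generally irreversible once enabled —
  # confirm this is intended before applying to throw-away environments.
  purge_protection_enabled   = true
  soft_delete_retention_days = 90

  # The principal running Terraform becomes the HSM administrator.
  # NOTE(review): if that is a CI service principal, consider adding a
  # break-glass admin group here so administration does not hinge on a
  # single identity.
  admin_object_ids = [data.azurerm_client_config.current.object_id]

  # No explicit depends_on: the references to
  # azurerm_resource_group.resource_group above already create the
  # ordering dependency on the resource group.
}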

## Use openssl to generate 3 self signed certificate
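resource "null_resource" "OPENSSLCERT" {
  # One self-signed RSA-2048 certificate/key pair per index; these are the
  # security-domain wrapping keys consumed by null_resource.securityDomain.
  count = 3

  provisioner "local-exec" {
    interpreter = ["PowerShell", "-Command"]

    # openssl is invoked by its full path instead of cd-ing into the Git bin
    # directory: with a cd, relative -keyout/-out values would land in
    # "C:\Program Files\Git\usr\bin" instead of the Terraform working
    # directory that the later ./certs/... references resolve against.
    # Interpolated paths are quoted so values containing spaces survive.
    # Assumes var.KeyName / var.CertName point into an existing directory.
    # -nodes writes the private key unencrypted; a quorum of these keys is
    # what restores the HSM's security domain, so store them securely and
    # keep them out of version control.
    command = <<-EOT
      & "C:\Program Files\Git\usr\bin\openssl.exe" req -newkey rsa:2048 -nodes -keyout "${var.KeyName[count.index]}" -x509 -days 365 -out "${var.CertName[count.index]}" -subj "/C=IN/ST=XX/L=XX/O=abc ltd/OU=Stack/CN=abc.com"
    EOT
  }
}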

## Use the az keyvault security-domain download command to download the security domain and activate your managed HSM.
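resource "null_resource" "securityDomain" {
  provisioner "local-exec" {
    interpreter = ["PowerShell", "-Command"]

    # Download the security domain, wrapped with the certificates produced
    # by null_resource.OPENSSLCERT, which activates the HSM. The wrapping-key
    # list is derived from var.CertName so it cannot drift from what was
    # actually generated (assumes those values are paths relative to the
    # Terraform working directory, e.g. ./certs/cert_0.cer).
    # The resulting *-SD.json plus any 2 (--sd-quorum) of the matching
    # private keys is what restores this HSM: keep the file and the keys
    # apart and out of version control.
    command = <<-EOT
      az keyvault security-domain download --hsm-name "${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name}" --sd-wrapping-keys ${join(" ", var.CertName)} --sd-quorum 2 --security-domain-file "${azurerm_key_vault_managed_hardware_security_module.kv_hsm.name}-SD.json"
    EOT
  }

  # The certificates must exist before the download runs; the dependency
  # on the HSM itself is already implied by the kv_hsm.name references
  # in the command.
  depends_on = [
    null_resource.OPENSSLCERT
  ]
}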

I have followed enter image description here

enter image description here

enter image description here
