Resolve azure policy sql server should use customer managed keys to encrypt for bicep script
The following bicep script should create a SQL Server. However, due to Azure policy violation it fails, and requires that I use customer-managed keys to encrypt data. See Error:
Here's the code block to encrypt protection for SQL Server. Still getting the error above (not sure why it won't work):
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
location: location
name: name
properties: {
administratorLogin: adminUsername
administratorLoginPassword: adminPassword
publicNetworkAccess: publicNetworkAccess
}
}
resource encryptProtectSQLServer 'Microsoft.Sql/servers/encryptionProtector@2021-11-01' = {
name: 'current'
parent: sqlServer
properties: {
autoRotationEnabled: true
serverKeyName: 'key-adf-cdis-devtest-va'
serverKeyType: 'AzureKeyVault'
}
}
When I add keyId:
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
location: location
name: name
properties: {
administratorLogin: adminUsername
administratorLoginPassword: adminPassword
publicNetworkAccess: publicNetworkAccess
keyId: 'https://kvinfratestva.vault.usgovcloudapi.net/keys/key-pcr-sqlserver/654aa7c96d51450cassaassa15fce3ff26'
}
}
I get the following error:
The first issue here is that you need to give the SQL Server RBAC permission to the KeyVault via a RoleAssignment. I personally prefer a User Assigned Managed Identity as it can be independently lifecycled (created in advance of your SQL Server by someone with permissions if your organisation has a tight security policy).
By default, TDE in Azure SQL uses the primary user-assigned managed identity set on the server for key vault access. If no user-assigned identities have been assigned to the server, then the system-assigned managed identity of the server is used for key vault access. When using a user-assigned managed identity for TDE with CMK, assign the identity to the server and set it as the primary identity for the server
The primary user-assigned managed identity requires continuous key vault access (get, wrapKey, unwrapKey permissions). If the identity's access to key vault is revoked or sufficient permissions aren't provided, the database will move to Inaccessible state
The second issue you could have is if the KeyVault is firewalled to only accept connections from connected Virtual Networks. I notice that you're using the US Gov Cloud (usgovcloudapi.net). So you could be might well have fun here given this restriction.
The Allow Trusted Microsoft Services to bypass this firewall option is currently not available in National clouds.
Good luck! 🤓
- Add a grouping column to keep time entries together based on on its value, then repeat the id until the next value occurs
- How to generate EF Core migrations script when ConnectionString is only known after ARM template deployment?
- Is there a way to get the allocated storage data percentage metric from Azure SQL database resource for creating an alert?
- ODBC Driver 18 Not Found in Azure Function Using Python 3.11
- Azure SQL Server Auditing EventHub Bicep
- Aggregating IDs within a PARTITION BY query
- Optimizing Stored Procedure Query
- SQL PERFORMANCE - alternative to OR statement
- How to create index to optimize a "Key Lookup"
- Only members of the sysadmin fixed server role can perform this operation. Azure SQL Server Database vs SQL Server Database
- Prevent Role with limited SELECT access discovering object names in Azure SQL or SQL Server
- Azure SQL Partition existing table with an integer field as partition field
- Show only one database on SQL Server
- How can I quickly detect and resolve SQL Server Index fragmentation for a database?
- sp_execute_remote only outputs one result set?
- Azure SQL Insert Failure
- How to import a transactionally-inconsistent bacpac
- How to query a JSON column (or a varchar column containing JSON) when the value is an array
- Error: Explicit Conversion from Data Type ntext to vector Not Allowed in Azure SQL Database
- Add Azure Active Directory User to Azure SQL Database
- Azure sql database export to storage blob failed
- Azure DB to timezone does not convert
- Use User Managed Identity (UMI) to authenticate Azure App Service (Python) to SQL Database
- Azure ArmClient Rename & Copy DB Operations
- Connecting to an Azure SQL database with a VPN (Point-to-Site)
- Poweshell to set Azure SQL Auditing
- SQL Server Error "AADSTS500133: Assertion is not within its valid time range" for Managed Identity
- How to set Azure SQL database instance with Min 0,5 vCores with Terraform?
- Anonymize data in dataflow pipeline gen2
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?