I am trying to create a VM with an encrypted disk. I have Terraform code as below:
resource "azurerm_key_vault_key" "example" {
  name         = "des-example-key"
  key_vault_id = azurerm_key_vault.example.id // --> existing Key Vault ID
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}
Creating Disk Encryption Set (DES)
resource "azurerm_disk_encryption_set" "example" {
  name                = "des"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  key_vault_key_id    = azurerm_key_vault_key.example.id
  identity {
    type = "SystemAssigned"
  }
}
As per the documentation here, I have to pass azurerm_key_vault_key.example.id, but I am getting an error like:
performing Update: unexpected status 400 (400 Bad Request) with error: InvalidParameter: "https://keyvault-dev-re-001.vault.azure.net/keys/dek-gt-data-dev-jumpbox01-001/bbfeda5d3dc8470ba578f67fc870c65a" is not a valid versioned Key Vault Key URL. It should be in the format https://<vaultEndpoint>/keys/<keyName>/<keyVersion>
provider: azurerm v4.18
Code structure:
modules
├───disk_encryption_set
├───jumpbox (machine creation)
├───keyvault
├───mssql_server
├───network-security-group
├───route-table
├───storage-account
├───subn
└───vnet
Issue generating a valid Key Vault Key URL in azurerm_key_vault_key to be used in azurerm_disk_encryption_set
The issue seems to be a permissions issue with the managed identity of the Disk Encryption Set. For the DES to be able to fetch and rotate the key, you need to grant its managed identity permission on that key.
Also use depends_on so that the Key Vault URL is fully provisioned and readily available before the key is created.
Demo configuration:
modules/keyvault/main.tf:
data "azurerm_client_config" "current" {} # referenced below; was missing from the snippet

resource "azurerm_resource_group" "example" {
  name     = var.resource_group_name
  location = var.location
}

resource "azurerm_key_vault" "example" {
  name                       = "example-keyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  sku_name                   = "standard"
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  # A Disk Encryption Set refuses a vault that does not have soft delete and purge protection enabled.
  purge_protection_enabled   = true
  soft_delete_retention_days = 7
}

resource "azurerm_key_vault_key" "example" {
  name         = "des-encryption-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}
modules/disk_encryption_set/main.tf:
# Look the key up by name so the module gets the current version of the key
# rather than a value threaded through module outputs.
data "azurerm_key_vault_key" "example" {
  name         = "des-encryption-key"
  key_vault_id = var.key_vault_id
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des-example"
  resource_group_name = var.resource_group_name
  location            = var.location
  # data.azurerm_key_vault_key.example.id is the versioned key URL
  # (https://<vault>/keys/<name>/<version>) that the DES expects.
  key_vault_key_id    = data.azurerm_key_vault_key.example.id
  identity {
    type = "SystemAssigned"
  }
}
Here, because of the modular structure, you need to pass the key version input to the disk encryption set through a data source; this makes sure that the key version we pass as input to the disk encryption set is the latest one.
Deployment:
Refer: virtual machine - Error while provisioning Azure VMs with azurerm_disk_encryption_set using Terraform - Stack Overflow (answered by me)
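The following is an added example, not code from the question, the answer, or the provider documentation. It puts the pieces the answer describes into one root module (rather than the asker's module tree): a vault that a Disk Encryption Set will actually accept (soft delete plus purge protection), a least-privilege grant to the DES's system-assigned identity, explicit depends_on ordering, and a VM whose OS disk uses the DES. The resource group, region, vault, subnet, image and SSH key path are all assumptions; the provider block (azurerm v4 needs subscription_id) is assumed to be configured elsewhere. The vault uses Azure RBAC (rbac_authorization_enabled is the v4 name of the attribute; v3 called it enable_rbac_authorization), so the grants are azurerm_role_assignment resources with Azure's built-in Key Vault roles.

```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-des-example" # assumed name
  location = "westeurope"     # assumed region
}

resource "azurerm_key_vault" "example" {
  name                       = "kv-des-example-001" # assumed; must be globally unique
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  rbac_authorization_enabled = true # per-principal roles instead of access policies
  purge_protection_enabled   = true # a DES rejects a vault without soft delete + purge protection
  soft_delete_retention_days = 7
}

# The principal running terraform needs a key-management role before it can create the key.
resource "azurerm_role_assignment" "deployer_crypto_officer" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "example" {
  name         = "des-encryption-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"] # all a key-encryption key needs
  depends_on   = [azurerm_role_assignment.deployer_crypto_officer]
}

resource "azurerm_disk_encryption_set" "example" {
  name                = "des-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  # .id is the versioned URL https://<vault>/keys/<name>/<version>; the provider's
  # own example pairs .versionless_id with auto_key_rotation_enabled = true instead.
  key_vault_key_id = azurerm_key_vault_key.example.id
  identity {
    type = "SystemAssigned"
  }
}

# Least-privilege grant for the DES identity: get/wrap/unwrap only, scoped to this vault.
resource "azurerm_role_assignment" "des_key_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_disk_encryption_set.example.identity[0].principal_id
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-des-example"
  address_space       = ["10.10.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "snet-jumpbox"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_network_interface" "example" {
  name                = "nic-jumpbox01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.example.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "jumpbox" {
  name                  = "jumpbox01"
  resource_group_name   = azurerm_resource_group.example.name
  location              = azurerm_resource_group.example.location
  size                  = "Standard_B2s"
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.example.id]
  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_ed25519.pub") # assumed path
  }
  os_disk {
    caching                = "ReadWrite"
    storage_account_type   = "Premium_LRS"
    disk_encryption_set_id = azurerm_disk_encryption_set.example.id
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
  depends_on = [azurerm_role_assignment.des_key_user] # no VM until the DES can unwrap the key
}
```

If the vault uses access policies instead (as the answer's vault does), the equivalent grant is an azurerm_key_vault_access_policy for the same principal_id with key_permissions of Get, WrapKey and UnwrapKey, and the VM's depends_on should point at that policy. After apply, terraform state show azurerm_key_vault_key.example prints both id and versionless_id, which is a quick way to confirm which URL form the DES actually received.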