I'd ask for some help to make the failover VM from WE to NE work, configured with Terraform in Azure.
This is the testing scenario:
I have 2 Windows VMs, created in the same way, with the OS disk encrypted with the AzureDiskEncryption extension, with exactly the same parameters in both cases in the WE region. Key Vaults are the same on both VMs, so the permissions are ok. The difference is that on VM #1 the secret is not created by Terraform (it's created automatically by Azure when DR is configured from the portal), and for VM #2 I had to create it (copy from the target) in the NE region because it's required for the configuration parameters on target_disk_encryption (param: secret_url).
VM 1: I configured the disaster recovery manually from the Azure portal, and the failover test to the NE region worked successfully.
VM 2: I configured the disaster recovery through the azurerm_site_recovery_replicated_vm resource; I created through Terraform a new secret in the NE key vault with the same name and value as in the WE KV, because it's required by the target_disk_encryption parameter, and when I test the failover to the NE region I get the following error:
Virtual machine 'vm-02' could not be created under resource group 'RG_DR' due to the following error: 'Unwrap of secret https://ne-kv-01.vault.azure.net/secrets/xxxxx-xxxx-xxxx-xxx-xxxx/xxxxxx value using key https://ne-kv-01.vault.azure.net/keys/we-enc-key-test-01/xxxxx failed.' Possible causes Unwrap operation on the secret for disk encryption key failed. Recommendation Ensure that you have the appropriate permission (Unwrap Key) to unwrap the secret.
This is the test code:
VM creation:
```hcl
windows_virtual_machine_params = {
  win_vm_02 = {
    name                  = local.vm02
    resource_group_name   = module.resource_group[0].resource_groups["rg_01"].name
    location              = module.resource_group[0].resource_groups["rg_01"].location
    admin_username        = "admin"
    admin_password        = data.azurerm_key_vault_secret.sec-kv.value
    network_interface_ids = [module.network[0].network_interfaces["ni02"].id]
    size                  = "Standard_D4ds_v5"
    tags                  = module.tagging.module_tags
    identity = [{
      type         = "SystemAssigned"
      identity_ids = []
    }]
    os_disk = [{
      caching                          = "ReadWrite"
      storage_account_type             = "Standard_LRS"
      diff_disk_settings               = []
      disk_encryption_set_id           = null
      disk_size_gb                     = null
      name                             = "test-osdisk-02"
      secure_vm_disk_encryption_set_id = null
      security_encryption_type         = null
      write_accelerator_enabled        = null
    }]
    source_image_reference = [{
      publisher = "MicrosoftWindowsServer"
      offer     = "WindowsServer"
      sku       = "2019-Datacenter"
      version   = "latest"
    }]
  }
}

# AzureDiskEncryption extension entry (the name of the enclosing extension
# parameter map is not shown in the post)
winvm_ext02 = {
  name                       = "AzureDiskEncryption"
  virtual_machine_id         = module.virtualmachinewindows[0].windows_virtual_machines["win_vm_02"].id
  publisher                  = "Microsoft.Azure.Security"
  type                       = "AzureDiskEncryption"
  type_handler_version       = "2.2"
  auto_upgrade_minor_version = true
  automatic_upgrade_enabled  = null
  # Extension settings passed as a JSON heredoc
  settings = <<SETTINGS
{
  "EncryptionOperation": "EnableEncryption",
  "KeyVaultURL": "${data.azurerm_key_vault.enc_kv.vault_uri}",
  "KeyVaultResourceId": "${data.azurerm_key_vault.enc_kv.id}",
  "KeyEncryptionKeyURL": "${data.azurerm_key_vault_key.enc_kv.id}",
  "KekVaultResourceId": "${data.azurerm_key_vault.enc_kv.id}",
  "KeyEncryptionAlgorithm": "RSA-OAEP",
  "VolumeType": "All"
}
SETTINGS
  protected_settings = null
  tags               = module.tagging.module_tags
  depends_on = [
    module.virtualmachinewindows[0].windows_virtual_machines["win_vm_02"]
  ]
}
```
Site Recovery Settings
```hcl
site_recovery_replicated_vm_params = {
  srrvmp_01 = {
    name                                      = "${local.vm02}-asr"
    resource_group_name                       = data.azurerm_resource_group.asr.name
    recovery_vault_name                       = data.azurerm_recovery_services_vault.vault.name
    recovery_replication_policy_id            = data.azurerm_site_recovery_replication_policy.policy.id
    source_recovery_fabric_name               = data.azurerm_site_recovery_fabric.we.name
    source_vm_id                              = module.virtualmachinewindows[0].windows_virtual_machines["win_vm_02"].id
    source_recovery_protection_container_name = data.azurerm_site_recovery_protection_container.we.name
    target_resource_group_id                  = module.resource_group_dr[0].resource_groups["rg_dr_01"].id
    target_recovery_fabric_id                 = data.azurerm_site_recovery_fabric.ne.id
    target_recovery_protection_container_id   = data.azurerm_site_recovery_protection_container.ne.id
    target_availability_set_id                = null
    target_zone                               = null
    target_edge_zone                          = null
    target_proximity_placement_group_id       = null
    target_boot_diagnostic_storage_account_id = null
    target_capacity_reservation_group_id      = null
    target_virtual_machine_scale_set_id       = null
    target_network_id                         = data.azurerm_virtual_network.ne.id
    test_network_id                           = data.azurerm_virtual_network.ne.id
    multi_vm_group_name                       = null
    managed_disk = [{
      disk_id                       = data.azurerm_managed_disk.osdisk_02.id
      staging_storage_account_id    = data.azurerm_storage_account.rsv.id
      target_resource_group_id      = module.resource_group_dr[0].resource_groups["rg_dr_01"].id
      target_disk_type              = module.virtualmachinewindows[0].windows_virtual_machines["win_vm_02"].os_disk[0].storage_account_type
      target_replica_disk_type      = module.virtualmachinewindows[0].windows_virtual_machines["win_vm_02"].os_disk[0].storage_account_type
      target_disk_encryption_set_id = null
      # Target-region (NE) copy of the BEK secret and the KEK used to wrap it
      target_disk_encryption = [{
        disk_encryption_key = [{
          secret_url = module.keyvault.secrets["disk_02_replica"].id
          vault_id   = data.azurerm_key_vault.asr_enc_kv.id
        }]
        key_encryption_key = [{
          key_url  = data.azurerm_key_vault_key.asr_enc_kv.id
          vault_id = data.azurerm_key_vault.asr_enc_kv.id
        }]
      }]
    }]
    unmanaged_disk = []
    network_interface = [{
      source_network_interface_id        = module.network[0].network_interfaces["ni02"].id
      target_static_ip                   = null
      target_subnet_name                 = data.azurerm_subnet.subnet_ne.name
      recovery_public_ip_address_id      = null
      failover_test_static_ip            = null
      failover_test_subnet_name          = data.azurerm_subnet.subnet_ne.name
      failover_test_public_ip_address_id = null
    }]
  }
}
```
Data sources
Key Vaults Definitions
```hcl
data "azurerm_key_vault" "enc_kv" {
  name                = "we-kv-test-01"
  resource_group_name = "RG_TEST_01"
}

data "azurerm_key_vault" "asr_enc_kv" {
  name                = "we-kv-test-01-asr"
  resource_group_name = "RG_TEST_01_asr"
}

data "azurerm_key_vault_key" "enc_kv" {
  name         = "we-enc-key-test-01"
  key_vault_id = data.azurerm_key_vault.enc_kv.id
}

data "azurerm_key_vault_key" "asr_enc_kv" {
  name         = "we-enc-key-test-01"
  key_vault_id = data.azurerm_key_vault.asr_enc_kv.id
}

# The BEK secret name is the 5th path segment of the disk's secret URL:
# https://<vault>.vault.azure.net/secrets/<name>/<version>
data "azurerm_key_vault_secret" "enc_kv_02" {
  name         = split("/", data.azurerm_managed_disk.osdisk_02.encryption_settings[0].disk_encryption_key[0].secret_url)[4]
  key_vault_id = data.azurerm_key_vault.enc_kv.id
  depends_on = [
    module.virtualmachinewindows
  ]
}
```
I also created the secret from the failover VM, copying the target secret into the source region:
```hcl
disk_02_replica = {
  name            = data.azurerm_key_vault_secret.enc_kv_02.name
  key_vault_id    = data.azurerm_key_vault.asr_enc_kv.id
  value           = data.azurerm_key_vault_secret.enc_kv_02.value
  content_type    = "Wrapped BEK"
  not_before_date = null
  expiration_date = null
  # Tags mirror those ADE sets on the original BEK secret
  tags = {
    DiskEncryptionKeyFileName            = "${data.azurerm_key_vault_secret.enc_kv_02.name}.BEK"
    VolumeLetter                         = "C:\\"
    VolumeLabel                          = "Windows"
    MachineName                          = local.vm02
    DiskEncryptionKeyEncryptionKeyURL    = data.azurerm_key_vault.enc_kv.vault_uri
    DiskEncryptionKeyEncryptionAlgorithm = "RSA-OAEP"
  }
}
```
Excuse me if this is not very clear, but I'm not sure which other information I can provide for clarification; any suggestions are much appreciated.
In summary: has someone used the Terraform resource site_recovery_replicated_vm with the target_disk_encryption option on OS-encrypted disks before? Could you please provide me an example? Thanks!
The reason for the above error is that you encountered insufficient privileges to decrypt the wrapped key from the Key Vault. This process ensures that only authorized entities with the necessary permissions can access and use the disk encryption key.
In order to resolve the issue, you should check and adjust the permissions associated with the identity or service attempting the unwrap operation in Azure Key Vault. If you are using an access policy, make sure you have Unwrap Key selected for the wrapping operation. If you are using Azure role-based access control, you need the Key Vault Crypto User role. Follow the Ms Doc for more details.
Terraform Code:
Terraform Apply:
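An added example (not code from the question or the answer above) of granting the Unwrap Key permission the error asks for on the NE vault, reusing the question's `asr_enc_kv` data source; it assumes azurerm provider v3, Terraform 1.5 or later for the `check` block, and that the object id of the identity performing the unwrap is supplied as the hypothetical `var.unwrap_principal_id`. The `enabled_for_disk_encryption` check goes beyond the answer: ADE-backed disks also need the target vault flagged for disk encryption, so a Terraform-created NE vault missing that flag fails in the same way.

```hcl
# Assumption: object id of the identity that unwraps the BEK on failover
variable "unwrap_principal_id" {
  description = "Object id of the identity performing the unwrap (assumption)"
  type        = string
}

data "azurerm_client_config" "current" {}

# Catch an NE vault that is not enabled for disk encryption at plan time,
# rather than discovering it when the test failover fails
check "asr_vault_allows_disk_encryption" {
  assert {
    condition     = data.azurerm_key_vault.asr_enc_kv.enabled_for_disk_encryption
    error_message = "Vault ${data.azurerm_key_vault.asr_enc_kv.name} is not enabled for disk encryption."
  }
}

# Vault governed by access policies: grant Unwrap Key on keys and Get on the
# wrapped BEK secret. Created only when the vault does not use Azure RBAC.
resource "azurerm_key_vault_access_policy" "asr_unwrap" {
  count        = data.azurerm_key_vault.asr_enc_kv.enable_rbac_authorization ? 0 : 1
  key_vault_id = data.azurerm_key_vault.asr_enc_kv.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = var.unwrap_principal_id

  key_permissions    = ["Get", "WrapKey", "UnwrapKey"]
  secret_permissions = ["Get"]
}

# Vault governed by Azure RBAC: Key Vault Crypto User carries the unwrap action;
# Key Vault Secrets User is needed as well to read the wrapped BEK secret.
resource "azurerm_role_assignment" "asr_crypto_user" {
  count                = data.azurerm_key_vault.asr_enc_kv.enable_rbac_authorization ? 1 : 0
  scope                = data.azurerm_key_vault.asr_enc_kv.id
  role_definition_name = "Key Vault Crypto User"
  principal_id         = var.unwrap_principal_id
}

resource "azurerm_role_assignment" "asr_secrets_user" {
  count                = data.azurerm_key_vault.asr_enc_kv.enable_rbac_authorization ? 1 : 0
  scope                = data.azurerm_key_vault.asr_enc_kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.unwrap_principal_id
}
```

Scoping the role assignments to the vault keeps the example short; in a production setup, scope them to the individual key and secret instead.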