{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "string",
"metadata": {
"description": "Name of the virtual machine"
}
},
"aadClientID": {
"type": "string",
"metadata": {
"description": "Client ID of the AAD app that has permissions to the Key Vault"
}
},
"aadClientSecret": {
"type": "securestring",
"metadata": {
"description": "Client Secret of the AAD app that has permissions to the Key Vault"
}
},
"keyVaultName": {
"type": "string",
"metadata": {
"description": "Name of the Key Vault in which to place the volume encryption key"
}
},
"keyVaultResourceGroup": {
"type": "string",
"metadata": {
"description": "Resource group of the KeyVault"
}
},
"useExistingKek": {
"type": "string",
"defaultValue": "nokek",
"allowedValues": [
"nokek",
"kek"
],
"metadata": {
"description": "Select kek if the secret should be encrypted with a key encryption key, and pass an explicit keyEncryptionKeyURL. For nokek, keyEncryptionKeyURL can be left empty."
}
},
"keyEncryptionKeyURL": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "URL of the KeyEncryptionKey used to encrypt the volume encryption key"
}
},
"volumeType": {
"type": "string",
"defaultValue": "All",
"metadata": {
"description": "Type of volume (OS, Data, or All) on which to perform the encryption operation"
}
},
"sequenceVersion": {
"type": "string",
"defaultValue": "1.0",
"metadata": {
"description": "Pass in a unique value, such as a GUID, every time the operation needs to be force-run"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"extensionName": "AzureDiskEncryption",
"extensionVersion": "1.1",
"encryptionOperation": "EnableEncryption",
"keyEncryptionAlgorithm": "RSA-OAEP",
"updateVmUrl": "[concat('https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/201-encrypt-running-windows-vm/updatevm-',parameters('useExistingKek'),'.json')]",
"keyVaultURL": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/')]",
"keyVaultResourceID": "[concat(subscription().id,'/resourceGroups/',parameters('keyVaultResourceGroup'),'/providers/Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(parameters('vmName'),'/', variables('extensionName'))]",
"apiVersion": "2016-04-30-preview",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.Azure.Security",
"type": "AzureDiskEncryption",
"typeHandlerVersion": "[variables('extensionVersion')]",
"autoUpgradeMinorVersion": true,
"forceUpdateTag": "[parameters('sequenceVersion')]",
"settings": {
"AADClientID": "[parameters('aadClientID')]",
"KeyVaultURL": "[variables('keyVaultURL')]",
"KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]",
"KeyEncryptionAlgorithm": "[variables('keyEncryptionAlgorithm')]",
"VolumeType": "[parameters('volumeType')]",
"EncryptionOperation": "[variables('encryptionOperation')]"
},
"protectedSettings": {
"AADClientSecret": "[parameters('aadClientSecret')]"
}
}
},
{
"name": "updatevm",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2015-01-01",
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), variables('extensionName'))]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "[variables('updateVmUrl')]",
"contentVersion": "1.0.0.0"
},
"parameters": {
"vmName": {
"value": "[parameters('vmName')]"
},
"keyVaultResourceID": {
"value": "[variables('keyVaultResourceID')]"
},
"keyVaultSecretUrl": {
"value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), variables('extensionName'))).instanceView.statuses[0].message]"
},
"keyEncryptionKeyURL": {
"value": "[parameters('keyEncryptionKeyURL')]"
}
}
}
}
],
"outputs": {
"BitLockerKey": {
"type": "string",
"value": "[reference(resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'), variables('extensionName'))).instanceView.statuses[0].message]"
}
}
}