
Commit 1fd2170

committed
Editing the data encryption arm template
1 parent d383f20 commit 1fd2170


2 files changed

+230
-0
lines changed


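--- a/articles/mysql/howto-data-encryption-portal.md
+++ b/articles/mysql/howto-data-encryption-portal.md
@@ -89,6 +89,122 @@ After Azure Database for MySQL is encrypted with a customer's managed key stored
 
 ![Screenshot of Azure Database for MySQL, showing restored functionality](media/concepts-data-access-and-security-data-encryption/restore-successful.png)
 
+
+## Using an Azure Resource Manager template to enable data encryption on an existing server
+You can use ARM templates to enable data encryption on your existing Azure database for MySQL servers.
+
+* Pass the URI of the Azure Key Vault key that you copied earlier under the keyVaultKeyUri property in the properties object.
+
+* Use *2020-01-01-preview* as the API version.
+
+```json
+{
+"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"location": {
+"type": "string"
+},
+"serverName": {
+"type": "string"
+},
+"keyVaultName": {
+"type": "string",
+"metadata": {
+"description": "Key vault name where the key to use is stored"
+}
+},
+"keyVaultResourceGroupName": {
+"type": "string",
+"metadata": {
+"description": "Key vault resource group name where it is stored"
+}
+},
+"keyName": {
+"type": "string",
+"metadata": {
+"description": "Key name in the key vault to use as encryption protector"
+}
+},
+"keyVersion": {
+"type": "string",
+"metadata": {
+"description": "Version of the key in the key vault to use as encryption protector"
+}
+}
+},
+"variables": {
+"serverKeyName": "[concat(parameters('keyVaultName'), '_', parameters('keyName'), '_', parameters('keyVersion'))]"
+},
+"resources": [
+{
+"type": "Microsoft.DBforMySQL/servers",
+"apiVersion": "2017-12-01",
+"kind": "",
+"location": "[parameters('location')]",
+"identity": {
+"type": "SystemAssigned"
+},
+"name": "[parameters('serverName')]",
+"properties": {
+}
+},
+{
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2019-05-01",
+"name": "addAccessPolicy",
+"resourceGroup": "[parameters('keyVaultResourceGroupName')]",
+"dependsOn": [
+"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+],
+"properties": {
+"mode": "Incremental",
+"template": {
+"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"resources": [
+{
+"type": "Microsoft.KeyVault/vaults/accessPolicies",
+"name": "[concat(parameters('keyVaultName'), '/add')]",
+"apiVersion": "2018-02-14-preview",
+"properties": {
+"accessPolicies": [
+{
+"tenantId": "[subscription().tenantId]",
+"objectId": "[reference(resourceId('Microsoft.DBforMySQL/servers/', parameters('serverName')), '2017-12-01', 'Full').identity.principalId]",
+"permissions": {
+"keys": [
+"get",
+"wrapKey",
+"unwrapKey"
+]
+}
+}
+]
+}
+}
+]
+}
+}
+},
+{
+"name": "[concat(parameters('serverName'), '/', variables('serverKeyName'))]",
+"type": "Microsoft.DBforMySQL/servers/keys",
+"apiVersion": "2020-01-01-preview",
+"dependsOn": [
+"addAccessPolicy",
+"[resourceId('Microsoft.DBforMySQL/servers', parameters('serverName'))]"
+],
+"properties": {
+"serverKeyType": "AzureKeyVault",
+"uri": "[concat(reference(resourceId(parameters('keyVaultResourceGroupName'), 'Microsoft.KeyVault/vaults/', parameters('keyVaultName')), '2018-02-14-preview', 'Full').properties.vaultUri, 'keys/', parameters('keyName'), '/', parameters('keyVersion'))]"
+}
+}
+]
+}
+
+```
+
 ## Next steps
 
 To learn more about data encryption, see [Azure Database for MySQL data encryption with customer-managed key](concepts-data-encryption-mysql.md).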

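--- a/articles/postgresql/howto-data-encryption-portal.md
+++ b/articles/postgresql/howto-data-encryption-portal.md
@@ -89,6 +89,120 @@ After Azure Database for PostgreSQL Single server is encrypted with a customer's
 
 ![Screenshot of Azure Database for PostgreSQL, showing restored functionality](media/concepts-data-access-and-security-data-encryption/restore-successful.png)
 
+## Using an Azure Resource Manager template to enable data encryption on an existing server
+You can use ARM templates to enable data encryption on your existing Azure database for PostgreSQL Single servers.
+
+* Pass the URI of the Azure Key Vault key that you copied earlier under the keyVaultKeyUri property in the properties object.
+
+* Use *2020-01-01-preview* as the API version.
+
+```json
+{
+"$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"location": {
+"type": "string"
+},
+"serverName": {
+"type": "string"
+},
+"keyVaultName": {
+"type": "string",
+"metadata": {
+"description": "Key vault name where the key to use is stored"
+}
+},
+"keyVaultResourceGroupName": {
+"type": "string",
+"metadata": {
+"description": "Key vault resource group name where it is stored"
+}
+},
+"keyName": {
+"type": "string",
+"metadata": {
+"description": "Key name in the key vault to use as encryption protector"
+}
+},
+"keyVersion": {
+"type": "string",
+"metadata": {
+"description": "Version of the key in the key vault to use as encryption protector"
+}
+}
+},
+"variables": {
+"serverKeyName": "[concat(parameters('keyVaultName'), '_', parameters('keyName'), '_', parameters('keyVersion'))]"
+},
+"resources": [
+{
+"type": "Microsoft.DBforPostgreSQL/servers",
+"apiVersion": "2017-12-01",
+"kind": "",
+"location": "[parameters('location')]",
+"identity": {
+"type": "SystemAssigned"
+},
+"name": "[parameters('serverName')]",
+"properties": {
+}
+},
+{
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2019-05-01",
+"name": "addAccessPolicy",
+"resourceGroup": "[parameters('keyVaultResourceGroupName')]",
+"dependsOn": [
+"[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('serverName'))]"
+],
+"properties": {
+"mode": "Incremental",
+"template": {
+"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"resources": [
+{
+"type": "Microsoft.KeyVault/vaults/accessPolicies",
+"name": "[concat(parameters('keyVaultName'), '/add')]",
+"apiVersion": "2018-02-14-preview",
+"properties": {
+"accessPolicies": [
+{
+"tenantId": "[subscription().tenantId]",
+"objectId": "[reference(resourceId('Microsoft.DBforPostgreSQL/servers/', parameters('serverName')), '2017-12-01', 'Full').identity.principalId]",
+"permissions": {
+"keys": [
+"get",
+"wrapKey",
+"unwrapKey"
+]
+}
+}
+]
+}
+}
+]
+}
+}
+},
+{
+"name": "[concat(parameters('serverName'), '/', variables('serverKeyName'))]",
+"type": "Microsoft.DBforPostgreSQL/servers/keys",
+"apiVersion": "2020-01-01-preview",
+"dependsOn": [
+"addAccessPolicy",
+"[resourceId('Microsoft.DBforPostgreSQL/servers', parameters('serverName'))]"
+],
+"properties": {
+"serverKeyType": "AzureKeyVault",
+"uri": "[concat(reference(resourceId(parameters('keyVaultResourceGroupName'), 'Microsoft.KeyVault/vaults/', parameters('keyVaultName')), '2018-02-14-preview', 'Full').properties.vaultUri, 'keys/', parameters('keyName'), '/', parameters('keyVersion'))]"
+}
+}
+]
+}
+```
+
 ## Next steps
 
 To learn more about data encryption, see [Azure Database for PostgreSQL Single server data encryption with customer-managed key](concepts-data-encryption-postgresql.md).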
