Manages a Disk Encryption Set.
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_key_vault" "example" {
name = "des-example-keyvault"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
enabled_for_disk_encryption = true
purge_protection_enabled = true
}
resource "azurerm_key_vault_key" "example" {
name = "des-example-key"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
depends_on = [
azurerm_key_vault_access_policy.example-user
]
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
resource "azurerm_disk_encryption_set" "example" {
name = "des"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
key_vault_key_id = azurerm_key_vault_key.example.id
identity {
type = "SystemAssigned"
}
}
resource "azurerm_key_vault_access_policy" "example-disk" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = azurerm_disk_encryption_set.example.identity[0].tenant_id
object_id = azurerm_disk_encryption_set.example.identity[0].principal_id
key_permissions = [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
]
}
resource "azurerm_key_vault_access_policy" "example-user" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
]
}
resource "azurerm_role_assignment" "example-disk" {
scope = azurerm_key_vault.example.id
role_definition_name = "Key Vault Crypto Service Encryption User"
principal_id = azurerm_disk_encryption_set.example.identity[0].principal_id
}
data "azurerm_client_config" "current" {}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
resource "azurerm_key_vault" "example" {
name = "des-example-keyvault"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
tenant_id = data.azurerm_client_config.current.tenant_id
sku_name = "premium"
enabled_for_disk_encryption = true
purge_protection_enabled = true
}
resource "azurerm_key_vault_key" "example" {
name = "des-example-key"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
depends_on = [
azurerm_key_vault_access_policy.example-user
]
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
resource "azurerm_disk_encryption_set" "example" {
name = "des"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
key_vault_key_id = azurerm_key_vault_key.example.versionless_id
auto_key_rotation_enabled = true
identity {
type = "SystemAssigned"
}
}
resource "azurerm_key_vault_access_policy" "example-disk" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = azurerm_disk_encryption_set.example.identity[0].tenant_id
object_id = azurerm_disk_encryption_set.example.identity[0].principal_id
key_permissions = [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
]
}
resource "azurerm_key_vault_access_policy" "example-user" {
key_vault_id = azurerm_key_vault.example.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
key_permissions = [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
]
}
resource "azurerm_role_assignment" "example-disk" {
scope = azurerm_key_vault.example.id
role_definition_name = "Key Vault Crypto Service Encryption User"
principal_id = azurerm_disk_encryption_set.example.identity[0].principal_id
}
The following arguments are supported:
name
- (Required) The name of the Disk Encryption Set. Changing this forces a new resource to be created.
resource_group_name
- (Required) Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
location
- (Required) Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
key_vault_key_id
- (Required) Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
auto_key_rotation_enabled
- (Optional) Boolean flag to specify whether Azure Disk Encryption Set automatically rotates the encryption Key to latest version or not. Possible values are true
or false
. Defaults to false
.encryption_type
- (Optional) The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey
, EncryptionAtRestWithPlatformAndCustomerKeys
and ConfidentialVmEncryptedWithCustomerKey
. Defaults to EncryptionAtRestWithCustomerKey
. Changing this forces a new resource to be created.
federated_client_id
- (Optional) Multi-tenant application client id to access key vault in a different tenant.
identity
- (Required) An identity
block as defined below.
tags
- (Optional) A mapping of tags to assign to the Disk Encryption Set.
An identity
block supports the following:
type
- (Required) The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned
, UserAssigned
, SystemAssigned, UserAssigned
(to enable both).
identity_ids
- (Optional) A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Disk Encryption Set.
key_vault_key_url
- The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
An identity
block exports the following:
principal_id
- The (Client) ID of the Service Principal.
tenant_id
- The ID of the Tenant the Service Principal is assigned in.
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 60 minutes) Used when creating the Disk Encryption Set.update
- (Defaults to 60 minutes) Used when updating the Disk Encryption Set.read
- (Defaults to 5 minutes) Used when retrieving the Disk Encryption Set.delete
- (Defaults to 60 minutes) Used when deleting the Disk Encryption Set.Disk Encryption Sets can be imported using the resource id
, e.g.
terraform import azurerm_disk_encryption_set.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1