azurermDiskEncryptionSet
Manages a Disk Encryption Set.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
this,
"example",
{
location: "West Europe",
name: "example-resources",
}
);
const dataAzurermClientConfigCurrent =
new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
this,
"current",
{}
);
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
this,
"example_2",
{
enabled_for_disk_encryption: true,
location: azurermResourceGroupExample.location,
name: "des-example-keyvault",
purge_protection_enabled: true,
resource_group_name: azurermResourceGroupExample.name,
sku_name: "premium",
tenant_id: dataAzurermClientConfigCurrent.tenantId,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyExampleUser =
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example-user", {
key_permissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
],
key_vault_id: azurermKeyVaultExample.id,
object_id: dataAzurermClientConfigCurrent.objectId,
tenant_id: dataAzurermClientConfigCurrent.tenantId,
});
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
this,
"example_4",
{
depends_on: [`\${${azurermKeyVaultAccessPolicyExampleUser.fqn}}`],
key_opts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
key_size: 2048,
key_type: "RSA",
key_vault_id: azurermKeyVaultExample.id,
name: "des-example-key",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermDiskEncryptionSetExample =
new azurerm.diskEncryptionSet.DiskEncryptionSet(this, "example_5", {
identity: [
{
type: "SystemAssigned",
},
],
key_vault_key_id: azurermKeyVaultKeyExample.id,
location: azurermResourceGroupExample.location,
name: "des",
resource_group_name: azurermResourceGroupExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermDiskEncryptionSetExample.overrideLogicalId("example");
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example-disk", {
key_permissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
],
key_vault_id: azurermKeyVaultExample.id,
object_id: `\${${azurermDiskEncryptionSetExample.identity}.0.principal_id}`,
tenant_id: `\${${azurermDiskEncryptionSetExample.identity}.0.tenant_id}`,
});
const azurermRoleAssignmentExampleDisk =
new azurerm.roleAssignment.RoleAssignment(this, "example-disk_7", {
principal_id: `\${${azurermDiskEncryptionSetExample.identity}.0.principal_id}`,
role_definition_name: "Key Vault Crypto Service Encryption User",
scope: azurermKeyVaultExample.id,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRoleAssignmentExampleDisk.overrideLogicalId("example-disk");
Argument Reference
The following arguments are supported:
-
name
- (Required) The name of the Disk Encryption Set. Changing this forces a new resource to be created. -
resourceGroupName
- (Required) Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created. -
location
- (Required) Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created. -
keyVaultKeyId
- (Required) Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
-> NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
-> NOTE A KeyVault using enable_rbac_authorization requires to use azurermRoleAssignment
to assigne the role keyVaultCryptoServiceEncryptionUser
to this Disk Encryption Set. In this case, azurermKeyVaultAccessPolicy
is not needed.
-
autoKeyRotationEnabled
- (Optional) Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version. -
encryptionType
- (Optional) The type of key used to encrypt the data of the disk. Possible values areencryptionAtRestWithCustomerKey
,encryptionAtRestWithPlatformAndCustomerKeys
andconfidentialVmEncryptedWithCustomerKey
. Defaults toencryptionAtRestWithCustomerKey
. Changing this forces a new resource to be created. -
federatedClientId
- (Optional) Multi-tenant application client id to access key vault in a different tenant. -
identity
- (Required) Anidentity
block as defined below. -
tags
- (Optional) A mapping of tags to assign to the Disk Encryption Set.
An identity
block supports the following:
-
type
- (Required) The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values aresystemAssigned
,userAssigned
,systemAssigned,UserAssigned
(to enable both). -
identityIds
- (Optional) A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
\~> NOTE: This is required when type
is set to userAssigned
or systemAssigned,UserAssigned
.
Attributes Reference
The following attributes are exported:
id
- The ID of the Disk Encryption Set.
An identity
block exports the following:
-
principalId
- The (Client) ID of the Service Principal. -
tenantId
- The ID of the Tenant the Service Principal is assigned in.
Timeouts
The timeouts
block allows you to specify timeouts for certain actions:
create
- (Defaults to 60 minutes) Used when creating the Disk Encryption Set.update
- (Defaults to 60 minutes) Used when updating the Disk Encryption Set.read
- (Defaults to 5 minutes) Used when retrieving the Disk Encryption Set.delete
- (Defaults to 60 minutes) Used when deleting the Disk Encryption Set.
Import
Disk Encryption Sets can be imported using the resourceId
, e.g.