Skip to content

azurermDiskEncryptionSet

Manages a Disk Encryption Set.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const dataAzurermClientConfigCurrent =
  new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
    this,
    "current",
    {}
  );
const azurermKeyVaultExample = new azurerm.keyVault.KeyVault(
  this,
  "example_2",
  {
    enabled_for_disk_encryption: true,
    location: azurermResourceGroupExample.location,
    name: "des-example-keyvault",
    purge_protection_enabled: true,
    resource_group_name: azurermResourceGroupExample.name,
    sku_name: "premium",
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultExample.overrideLogicalId("example");
const azurermKeyVaultAccessPolicyExampleUser =
  new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example-user", {
    key_permissions: [
      "Create",
      "Delete",
      "Get",
      "Purge",
      "Recover",
      "Update",
      "List",
      "Decrypt",
      "Sign",
      "GetRotationPolicy",
    ],
    key_vault_id: azurermKeyVaultExample.id,
    object_id: dataAzurermClientConfigCurrent.objectId,
    tenant_id: dataAzurermClientConfigCurrent.tenantId,
  });
const azurermKeyVaultKeyExample = new azurerm.keyVaultKey.KeyVaultKey(
  this,
  "example_4",
  {
    depends_on: [`\${${azurermKeyVaultAccessPolicyExampleUser.fqn}}`],
    key_opts: ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"],
    key_size: 2048,
    key_type: "RSA",
    key_vault_id: azurermKeyVaultExample.id,
    name: "des-example-key",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermKeyVaultKeyExample.overrideLogicalId("example");
const azurermDiskEncryptionSetExample =
  new azurerm.diskEncryptionSet.DiskEncryptionSet(this, "example_5", {
    identity: [
      {
        type: "SystemAssigned",
      },
    ],
    key_vault_key_id: azurermKeyVaultKeyExample.id,
    location: azurermResourceGroupExample.location,
    name: "des",
    resource_group_name: azurermResourceGroupExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermDiskEncryptionSetExample.overrideLogicalId("example");
new azurerm.keyVaultAccessPolicy.KeyVaultAccessPolicy(this, "example-disk", {
  key_permissions: [
    "Create",
    "Delete",
    "Get",
    "Purge",
    "Recover",
    "Update",
    "List",
    "Decrypt",
    "Sign",
  ],
  key_vault_id: azurermKeyVaultExample.id,
  object_id: `\${${azurermDiskEncryptionSetExample.identity}.0.principal_id}`,
  tenant_id: `\${${azurermDiskEncryptionSetExample.identity}.0.tenant_id}`,
});
const azurermRoleAssignmentExampleDisk =
  new azurerm.roleAssignment.RoleAssignment(this, "example-disk_7", {
    principal_id: `\${${azurermDiskEncryptionSetExample.identity}.0.principal_id}`,
    role_definition_name: "Key Vault Crypto Service Encryption User",
    scope: azurermKeyVaultExample.id,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermRoleAssignmentExampleDisk.overrideLogicalId("example-disk");

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the Disk Encryption Set. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

  • location - (Required) Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

  • keyVaultKeyId - (Required) Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

-> NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

-> NOTE A KeyVault using enable_rbac_authorization requires to use azurermRoleAssignment to assigne the role keyVaultCryptoServiceEncryptionUser to this Disk Encryption Set. In this case, azurermKeyVaultAccessPolicy is not needed.

  • autoKeyRotationEnabled - (Optional) Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

  • encryptionType - (Optional) The type of key used to encrypt the data of the disk. Possible values are encryptionAtRestWithCustomerKey, encryptionAtRestWithPlatformAndCustomerKeys and confidentialVmEncryptedWithCustomerKey. Defaults to encryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

  • federatedClientId - (Optional) Multi-tenant application client id to access key vault in a different tenant.

  • identity - (Required) An identity block as defined below.

  • tags - (Optional) A mapping of tags to assign to the Disk Encryption Set.

An identity block supports the following:

  • type - (Required) The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are systemAssigned, userAssigned, systemAssigned,UserAssigned (to enable both).

  • identityIds - (Optional) A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

\~> NOTE: This is required when type is set to userAssigned or systemAssigned,UserAssigned.

Attributes Reference

The following attributes are exported:

  • id - The ID of the Disk Encryption Set.

An identity block exports the following:

  • principalId - The (Client) ID of the Service Principal.

  • tenantId - The ID of the Tenant the Service Principal is assigned in.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Disk Encryption Set.
  • update - (Defaults to 60 minutes) Used when updating the Disk Encryption Set.
  • read - (Defaults to 5 minutes) Used when retrieving the Disk Encryption Set.
  • delete - (Defaults to 60 minutes) Used when deleting the Disk Encryption Set.

Import

Disk Encryption Sets can be imported using the resourceId, e.g.

terraform import azurerm_disk_encryption_set.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1