Add SSE-CMK feature for VMSS

hashicorp · Dec 25, 2019 · 8e41245 · 8e41245
1 parent 82d660c
commit 8e41245
Show file tree

Hide file tree

Showing 5 changed files with 114 additions and 10 deletions.
diff --git a/azurerm/internal/services/compute/resource_arm_virtual_machine_scale_set.go b/azurerm/internal/services/compute/resource_arm_virtual_machine_scale_set.go
@@ -595,6 +595,12 @@ func resourceArmVirtualMachineScaleSet() *schema.Resource {
 							Type:     schema.TypeString,
 							Required: true,
 						},
+
+						"managed_disk_encryption_set_id": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: azure.ValidateResourceID,
+						},
 					},
 				},
 				Set: resourceArmVirtualMachineScaleSetStorageProfileOsDiskHash,
@@ -638,6 +644,12 @@ func resourceArmVirtualMachineScaleSet() *schema.Resource {
 								string(compute.StorageAccountTypesStandardSSDLRS),
 							}, true),
 						},
+
+						"managed_disk_encryption_set_id": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ValidateFunc: azure.ValidateResourceID,
+						},
 					},
 				},
 			},
@@ -982,6 +994,7 @@ func resourceArmVirtualMachineScaleSetRead(d *schema.ResourceData, meta interfac
 	}
 
 	if properties := resp.VirtualMachineScaleSetProperties; properties != nil {
+
 		if upgradePolicy := properties.UpgradePolicy; upgradePolicy != nil {
 			d.Set("upgrade_policy_mode", upgradePolicy.Mode)
 			if policy := upgradePolicy.AutomaticOSUpgradePolicy; policy != nil {
@@ -1444,6 +1457,9 @@ func flattenAzureRmVirtualMachineScaleSetStorageProfileOSDisk(profile *compute.V
 
 	if profile.ManagedDisk != nil {
 		result["managed_disk_type"] = string(profile.ManagedDisk.StorageAccountType)
+		if profile.ManagedDisk.DiskEncryptionSet != nil && profile.ManagedDisk.DiskEncryptionSet.ID != nil {
+			result["managed_disk_encryption_set_id"] = *profile.ManagedDisk.DiskEncryptionSet.ID
+		}
 	}
 
 	result["caching"] = profile.Caching
@@ -1459,6 +1475,9 @@ func flattenAzureRmVirtualMachineScaleSetStorageProfileDataDisk(disks *[]compute
 		l := make(map[string]interface{})
 		if disk.ManagedDisk != nil {
 			l["managed_disk_type"] = string(disk.ManagedDisk.StorageAccountType)
+			if disk.ManagedDisk.DiskEncryptionSet != nil && disk.ManagedDisk.DiskEncryptionSet.ID != nil {
+				l["managed_disk_encryption_set_id"] = *disk.ManagedDisk.DiskEncryptionSet.ID
+			}
 		}
 
 		l["create_option"] = disk.CreateOption
@@ -1870,6 +1889,7 @@ func expandAzureRmVirtualMachineScaleSetNetworkProfile(d *schema.ResourceData) *
 						Name: &publicIPConfigName,
 						VirtualMachineScaleSetPublicIPAddressConfigurationProperties: &prop,
 					}
+
 					ipConfiguration.PublicIPAddressConfiguration = &config
 				}
 			}
@@ -2006,6 +2026,7 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileOsDisk(d *schema.Resource
 	osType := osDiskConfig["os_type"].(string)
 	createOption := osDiskConfig["create_option"].(string)
 	managedDiskType := osDiskConfig["managed_disk_type"].(string)
+	managedDiskEncryptionSetId := osDiskConfig["managed_disk_encryption_set_id"].(string)
 
 	if managedDiskType == "" && name == "" {
 		return nil, fmt.Errorf("[ERROR] `name` must be set in `storage_profile_os_disk` for unmanaged disk")
@@ -2045,6 +2066,12 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileOsDisk(d *schema.Resource
 		osDisk.ManagedDisk = managedDisk
 	}
 
+	if managedDiskEncryptionSetId != "" {
+		managedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+			ID: utils.String(managedDiskEncryptionSetId),
+		}
+	}
+
 	//BEGIN: code to be removed after GH-13016 is merged
 	if image != "" && managedDiskType != "" {
 		return nil, fmt.Errorf("[ERROR] Conflict between `image` and `managed_disk_type` on `storage_profile_os_disk` (only one or the other can be used)")
@@ -2066,6 +2093,7 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileDataDisk(d *schema.Resour
 
 		createOption := config["create_option"].(string)
 		managedDiskType := config["managed_disk_type"].(string)
+		managedDiskEncryptionSetId := config["managed_disk_encryption_set_id"].(string)
 		lun := int32(config["lun"].(int))
 
 		dataDisk := compute.VirtualMachineScaleSetDataDisk{
@@ -2081,6 +2109,12 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileDataDisk(d *schema.Resour
 			managedDiskVMSS.StorageAccountType = compute.StorageAccountTypes(compute.StandardLRS)
 		}
 
+		if managedDiskEncryptionSetId != "" {
+			managedDiskVMSS.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+				ID: utils.String(managedDiskEncryptionSetId),
+			}
+		}
+
 		// assume that data disks in VMSS can only be Managed Disks
 		dataDisk.ManagedDisk = managedDiskVMSS
 		if v := config["caching"].(string); v != "" {

diff --git a/azurerm/internal/services/compute/virtual_machine_scale_set.go b/azurerm/internal/services/compute/virtual_machine_scale_set.go
@@ -837,6 +837,12 @@ func VirtualMachineScaleSetDataDiskSchema() *schema.Schema {
 					Optional: true,
 					Default:  false,
 				},
+
+				"managed_disk_encryption_set_id": {
+					Type:         schema.TypeString,
+					Optional:     true,
+					ValidateFunc: azure.ValidateResourceID,
+				},
 			},
 		},
 	}
@@ -861,6 +867,12 @@ func ExpandVirtualMachineScaleSetDataDisk(input []interface{}) *[]compute.Virtua
 			CreateOption: compute.DiskCreateOptionTypesEmpty,
 		}
 
+		if id := raw["managed_disk_encryption_set_id"].(string); id != "" {
+			disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+				ID: utils.String(id),
+			}
+		}
+
 		disks = append(disks, disk)
 	}
 
@@ -895,13 +907,23 @@ func FlattenVirtualMachineScaleSetDataDisk(input *[]compute.VirtualMachineScaleS
 			writeAcceleratorEnabled = *v.WriteAcceleratorEnabled
 		}
 
-		output = append(output, map[string]interface{}{
+		item := map[string]interface{}{
 			"caching":                   string(v.Caching),
 			"lun":                       lun,
 			"disk_size_gb":              diskSizeGb,
 			"storage_account_type":      storageAccountType,
 			"write_accelerator_enabled": writeAcceleratorEnabled,
-		})
+		}
+
+		if disk := v.ManagedDisk; disk != nil {
+			if set := disk.DiskEncryptionSet; set != nil {
+				if id := set.ID; id != nil {
+					item["managed_disk_encryption_set_id"] = *id
+				}
+			}
+		}
+
+		output = append(output, item)
 	}
 
 	return output
@@ -967,6 +989,12 @@ func VirtualMachineScaleSetOSDiskSchema() *schema.Schema {
 					Optional: true,
 					Default:  false,
 				},
+
+				"managed_disk_encryption_set_id": {
+					Type:         schema.TypeString,
+					Optional:     true,
+					ValidateFunc: azure.ValidateResourceID,
+				},
 			},
 		},
 	}
@@ -986,6 +1014,12 @@ func ExpandVirtualMachineScaleSetOSDisk(input []interface{}, osType compute.Oper
 		OsType:       osType,
 	}
 
+	if diskEncryptionSetId := raw["managed_disk_encryption_set_id"].(string); diskEncryptionSetId != "" {
+		disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+			ID: utils.String(diskEncryptionSetId),
+		}
+	}
+
 	if osDiskSize := raw["disk_size_gb"].(int); osDiskSize > 0 {
 		disk.DiskSizeGB = utils.Int32(int32(osDiskSize))
 	}
@@ -1010,6 +1044,12 @@ func ExpandVirtualMachineScaleSetOSDiskUpdate(input []interface{}) *compute.Virt
 		WriteAcceleratorEnabled: utils.Bool(raw["write_accelerator_enabled"].(bool)),
 	}
 
+	if diskEncryptionSetId := raw["managed_disk_encryption_set_id"].(string); diskEncryptionSetId != "" {
+		disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+			ID: utils.String(diskEncryptionSetId),
+		}
+	}
+
 	if osDiskSize := raw["disk_size_gb"].(int); osDiskSize > 0 {
 		disk.DiskSizeGB = utils.Int32(int32(osDiskSize))
 	}
@@ -1043,15 +1083,22 @@ func FlattenVirtualMachineScaleSetOSDisk(input *compute.VirtualMachineScaleSetOS
 	if input.WriteAcceleratorEnabled != nil {
 		writeAcceleratorEnabled = *input.WriteAcceleratorEnabled
 	}
-	return []interface{}{
-		map[string]interface{}{
-			"caching":                   string(input.Caching),
-			"disk_size_gb":              diskSizeGb,
-			"diff_disk_settings":        diffDiskSettings,
-			"storage_account_type":      storageAccountType,
-			"write_accelerator_enabled": writeAcceleratorEnabled,
-		},
+
+	result := map[string]interface{}{
+		"caching":                   string(input.Caching),
+		"disk_size_gb":              diskSizeGb,
+		"diff_disk_settings":        diffDiskSettings,
+		"storage_account_type":      storageAccountType,
+		"write_accelerator_enabled": writeAcceleratorEnabled,
+	}
+	if disk := input.ManagedDisk; disk != nil {
+		if set := disk.DiskEncryptionSet; set != nil {
+			if id := set.ID; id != nil {
+				result["managed_disk_encryption_set_id"] = *id
+			}
+		}
 	}
+	return []interface{}{result}
 }
 
 func VirtualMachineScaleSetSourceImageReferenceSchema() *schema.Schema {

diff --git a/website/docs/r/linux_virtual_machine_scale_set.html.markdown b/website/docs/r/linux_virtual_machine_scale_set.html.markdown
@@ -243,6 +243,10 @@ A `data_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `diff_disk_settings` block supports the following:
@@ -335,6 +339,10 @@ A `os_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `public_ip_address` block supports the following:

diff --git a/website/docs/r/virtual_machine_scale_set.html.markdown b/website/docs/r/virtual_machine_scale_set.html.markdown
@@ -470,13 +470,20 @@ output "principal_id" {
                        When setting this field `os_type` needs to be specified. Cannot be used when `vhd_containers`, `managed_disk_type` or `storage_profile_image_reference` are specified.
 * `os_type` - (Optional) Specifies the operating system Type, valid values are windows, linux.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 `storage_profile_data_disk` supports the following:
 
 * `lun` - (Required) Specifies the Logical Unit Number of the disk in each virtual machine in the scale set.
 * `create_option` - (Optional) Specifies how the data disk should be created. The only possible options are `FromImage` and `Empty`.
 * `caching` - (Optional) Specifies the caching requirements. Possible values include: `None` (default), `ReadOnly`, `ReadWrite`.
 * `disk_size_gb` - (Optional) Specifies the size of the disk in GB. This element is required when creating an empty disk.
 * `managed_disk_type` - (Optional) Specifies the type of managed disk to create. Value must be either `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS`.
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
 
 `storage_profile_image_reference` supports the following:
 

diff --git a/website/docs/r/windows_virtual_machine_scale_set.html.markdown b/website/docs/r/windows_virtual_machine_scale_set.html.markdown
@@ -235,6 +235,10 @@ A `data_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `diff_disk_settings` block supports the following:
@@ -327,6 +331,10 @@ A `os_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `public_ip_address` block supports the following: