diff --git a/azurerm/internal/services/compute/resource_arm_virtual_machine_scale_set.go b/azurerm/internal/services/compute/resource_arm_virtual_machine_scale_set.go index 186f4b70b3aa1..819097fd5df85 100644 --- a/azurerm/internal/services/compute/resource_arm_virtual_machine_scale_set.go +++ b/azurerm/internal/services/compute/resource_arm_virtual_machine_scale_set.go @@ -595,6 +595,12 @@ func resourceArmVirtualMachineScaleSet() *schema.Resource { Type: schema.TypeString, Required: true, }, + + "managed_disk_encryption_set_id": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: azure.ValidateResourceID, + }, }, }, Set: resourceArmVirtualMachineScaleSetStorageProfileOsDiskHash, @@ -638,6 +644,12 @@ func resourceArmVirtualMachineScaleSet() *schema.Resource { string(compute.StorageAccountTypesStandardSSDLRS), }, true), }, + + "managed_disk_encryption_set_id": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: azure.ValidateResourceID, + }, }, }, }, @@ -982,6 +994,7 @@ func resourceArmVirtualMachineScaleSetRead(d *schema.ResourceData, meta interfac } if properties := resp.VirtualMachineScaleSetProperties; properties != nil { + if upgradePolicy := properties.UpgradePolicy; upgradePolicy != nil { d.Set("upgrade_policy_mode", upgradePolicy.Mode) if policy := upgradePolicy.AutomaticOSUpgradePolicy; policy != nil { @@ -1444,6 +1457,9 @@ func flattenAzureRmVirtualMachineScaleSetStorageProfileOSDisk(profile *compute.V if profile.ManagedDisk != nil { result["managed_disk_type"] = string(profile.ManagedDisk.StorageAccountType) + if profile.ManagedDisk.DiskEncryptionSet != nil && profile.ManagedDisk.DiskEncryptionSet.ID != nil { + result["managed_disk_encryption_set_id"] = *profile.ManagedDisk.DiskEncryptionSet.ID + } } result["caching"] = profile.Caching 
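Review bot: The new `managed_disk_encryption_set_id` fields in `storage_profile_os_disk` and `storage_profile_data_disk` are validated only with `azure.ValidateResourceID`, so any syntactically valid ARM resource ID (a Key Vault key, a managed disk, a DES in another subscription) passes plan-time validation and a wrong ID is only rejected when the API call fails at apply. Because this value selects the customer-managed key protecting the disk at rest, a validator that additionally checks the resource-type segment (`Microsoft.Compute/diskEncryptionSets`) would catch a mis-pasted ID before anything is created; if no such validator exists in the provider yet, a `// TODO: tighten to a Disk Encryption Set ID validator` next to each `ValidateFunc` would at least mark the gap. The schema in both hunks also omits `ForceNew`, which is only correct if the API accepts changing the DES of an existing scale set in place — worth confirming, since the legacy resource has no separate update expander visible here.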
@@ -1459,6 +1475,9 @@ func flattenAzureRmVirtualMachineScaleSetStorageProfileDataDisk(disks *[]compute l := make(map[string]interface{}) if disk.ManagedDisk != nil { l["managed_disk_type"] = string(disk.ManagedDisk.StorageAccountType) + if disk.ManagedDisk.DiskEncryptionSet != nil && disk.ManagedDisk.DiskEncryptionSet.ID != nil { + l["managed_disk_encryption_set_id"] = *disk.ManagedDisk.DiskEncryptionSet.ID + } } l["create_option"] = disk.CreateOption @@ -1870,6 +1889,7 @@ func expandAzureRmVirtualMachineScaleSetNetworkProfile(d *schema.ResourceData) * Name: &publicIPConfigName, VirtualMachineScaleSetPublicIPAddressConfigurationProperties: &prop, } + ipConfiguration.PublicIPAddressConfiguration = &config } } @@ -2006,6 +2026,7 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileOsDisk(d *schema.Resource osType := osDiskConfig["os_type"].(string) createOption := osDiskConfig["create_option"].(string) managedDiskType := osDiskConfig["managed_disk_type"].(string) + managedDiskEncryptionSetId := osDiskConfig["managed_disk_encryption_set_id"].(string) if managedDiskType == "" && name == "" { return nil, fmt.Errorf("[ERROR] `name` must be set in `storage_profile_os_disk` for unmanaged disk") @@ -2045,6 +2066,12 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileOsDisk(d *schema.Resource osDisk.ManagedDisk = managedDisk } + if managedDiskEncryptionSetId != "" { + managedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{ + ID: utils.String(managedDiskEncryptionSetId), + } + } + //BEGIN: code to be removed after GH-13016 is merged if image != "" && managedDiskType != "" { return nil, fmt.Errorf("[ERROR] Conflict between `image` and `managed_disk_type` on `storage_profile_os_disk` (only one or the other can be used)") 
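Review bot: The added `ipConfiguration.PublicIPAddressConfiguration = &config` in the `@@ -1870` hunk is a behavioural fix unrelated to disk encryption: from what is visible, `config` was built with the public IP properties but never attached, so existing configurations that declare a `public_ip_address_configuration` will start receiving real public IPs on their instances after this change. That is a network-exposure change for users who may have relied on it silently not working, so it deserves its own changelog entry and an acceptance test, and should ideally be split from the DES feature. The enclosing function starts before this hunk, so whether `config` was assigned on another path is not visible here.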
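Review bot: In the `@@ -2045` hunk the `DiskEncryptionSet` is attached to `managedDisk` after the block that does `osDisk.ManagedDisk = managedDisk` has already closed, so on the unmanaged-disk path this function explicitly supports (`managed_disk_type` empty, `name` required, per the check in the `@@ -2006` hunk) the encryption set is set on a `managedDisk` that, as far as this hunk shows, never reaches `osDisk` — the scale set is created without the customer-managed key the user configured, with no error. An explicit guard in the style of the existing `name` check would turn that silent downgrade into a plan-time failure: `if managedDiskEncryptionSetId != "" && managedDiskType == "" { return nil, fmt.Errorf("[ERROR] managed_disk_encryption_set_id can only be set together with managed_disk_type in storage_profile_os_disk") }`. The declaration of `managedDisk` and the branch that assigns it are outside the hunk, so confirm it is not attached elsewhere before relying on this reading.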
@@ -2066,6 +2093,7 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileDataDisk(d *schema.Resour createOption := config["create_option"].(string) managedDiskType := config["managed_disk_type"].(string) + managedDiskEncryptionSetId := config["managed_disk_encryption_set_id"].(string) lun := int32(config["lun"].(int)) dataDisk := compute.VirtualMachineScaleSetDataDisk{ @@ -2081,6 +2109,12 @@ func expandAzureRMVirtualMachineScaleSetsStorageProfileDataDisk(d *schema.Resour managedDiskVMSS.StorageAccountType = compute.StorageAccountTypes(compute.StandardLRS) } + if managedDiskEncryptionSetId != "" { + managedDiskVMSS.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{ + ID: utils.String(managedDiskEncryptionSetId), + } + } + // assume that data disks in VMSS can only be Managed Disks dataDisk.ManagedDisk = managedDiskVMSS if v := config["caching"].(string); v != "" { diff --git a/azurerm/internal/services/compute/virtual_machine_scale_set.go b/azurerm/internal/services/compute/virtual_machine_scale_set.go index 1f9b716320a44..1e85daf19cd3c 100644 --- a/azurerm/internal/services/compute/virtual_machine_scale_set.go +++ b/azurerm/internal/services/compute/virtual_machine_scale_set.go @@ -837,6 +837,12 @@ func VirtualMachineScaleSetDataDiskSchema() *schema.Schema { Optional: true, Default: false, }, + + "managed_disk_encryption_set_id": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: azure.ValidateResourceID, + }, }, }, } @@ -861,6 +867,12 @@ func ExpandVirtualMachineScaleSetDataDisk(input []interface{}) *[]compute.Virtua CreateOption: compute.DiskCreateOptionTypesEmpty, } + if id := raw["managed_disk_encryption_set_id"].(string); id != "" { + disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{ + ID: utils.String(id), + } + } + disks = append(disks, disk) } 
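Review bot: In `ExpandVirtualMachineScaleSetDataDisk` (`@@ -861` hunk) the new value is bound to the local name `id`, while the two OS-disk expanders in this same file use `diskEncryptionSetId` for the identical read; a reader skimming for the DES plumbing has to notice that `id` here is not the disk's own ID. Renaming it to match, `if diskEncryptionSetId := raw["managed_disk_encryption_set_id"].(string); diskEncryptionSetId != "" {`, keeps the four expanders grep-consistent. This line also dereferences `disk.ManagedDisk` directly; the composite literal that builds `disk` starts above the hunk, so the nil-safety of that rests on `ManagedDisk` being initialised there, which cannot be confirmed from this view.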
@@ -895,13 +907,23 @@ func FlattenVirtualMachineScaleSetDataDisk(input *[]compute.VirtualMachineScaleS writeAcceleratorEnabled = *v.WriteAcceleratorEnabled } - output = append(output, map[string]interface{}{ + item := map[string]interface{}{ "caching": string(v.Caching), "lun": lun, "disk_size_gb": diskSizeGb, "storage_account_type": storageAccountType, "write_accelerator_enabled": writeAcceleratorEnabled, - }) + } + + if disk := v.ManagedDisk; disk != nil { + if set := disk.DiskEncryptionSet; set != nil { + if id := set.ID; id != nil { + item["managed_disk_encryption_set_id"] = *id + } + } + } + + output = append(output, item) } return output @@ -967,6 +989,12 @@ func VirtualMachineScaleSetOSDiskSchema() *schema.Schema { Optional: true, Default: false, }, + + "managed_disk_encryption_set_id": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: azure.ValidateResourceID, + }, }, }, } @@ -986,6 +1014,12 @@ func ExpandVirtualMachineScaleSetOSDisk(input []interface{}, osType compute.Oper OsType: osType, } + if diskEncryptionSetId := raw["managed_disk_encryption_set_id"].(string); diskEncryptionSetId != "" { + disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{ + ID: utils.String(diskEncryptionSetId), + } + } + if osDiskSize := raw["disk_size_gb"].(int); osDiskSize > 0 { disk.DiskSizeGB = utils.Int32(int32(osDiskSize)) } @@ -1010,6 +1044,12 @@ func ExpandVirtualMachineScaleSetOSDiskUpdate(input []interface{}) *compute.Virt WriteAcceleratorEnabled: utils.Bool(raw["write_accelerator_enabled"].(bool)), } + if diskEncryptionSetId := raw["managed_disk_encryption_set_id"].(string); diskEncryptionSetId != "" { + disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{ + ID: utils.String(diskEncryptionSetId), + } + } + if osDiskSize := raw["disk_size_gb"].(int); osDiskSize > 0 { disk.DiskSizeGB = utils.Int32(int32(osDiskSize)) } 
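Review bot: `FlattenVirtualMachineScaleSetDataDisk` only adds the `managed_disk_encryption_set_id` key when the API returns a DES, whereas every other attribute in the same map (`disk_size_gb`, `write_accelerator_enabled`, …) is pre-initialised to a default and always written, so disks with and without a customer-managed key end up with differently shaped maps in state and the three-level nil-check nesting is harder to read than the one-line condition used in the sibling file. Following the existing default-variable pattern keeps the map shape uniform and drops the extra indentation; the same reshaping applies to `FlattenVirtualMachineScaleSetOSDisk` further down. The loop and function boundaries are outside this hunk.

```go
diskEncryptionSetId := ""
if v.ManagedDisk != nil && v.ManagedDisk.DiskEncryptionSet != nil && v.ManagedDisk.DiskEncryptionSet.ID != nil {
	diskEncryptionSetId = *v.ManagedDisk.DiskEncryptionSet.ID
}

output = append(output, map[string]interface{}{
	// … unchanged: caching, lun, disk_size_gb, storage_account_type, write_accelerator_enabled …
	"managed_disk_encryption_set_id": diskEncryptionSetId,
})
```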
@@ -1043,15 +1083,22 @@ func FlattenVirtualMachineScaleSetOSDisk(input *compute.VirtualMachineScaleSetOS if input.WriteAcceleratorEnabled != nil { writeAcceleratorEnabled = *input.WriteAcceleratorEnabled } - return []interface{}{ - map[string]interface{}{ - "caching": string(input.Caching), - "disk_size_gb": diskSizeGb, - "diff_disk_settings": diffDiskSettings, - "storage_account_type": storageAccountType, - "write_accelerator_enabled": writeAcceleratorEnabled, - }, + + result := map[string]interface{}{ + "caching": string(input.Caching), + "disk_size_gb": diskSizeGb, + "diff_disk_settings": diffDiskSettings, + "storage_account_type": storageAccountType, + "write_accelerator_enabled": writeAcceleratorEnabled, + } + if disk := input.ManagedDisk; disk != nil { + if set := disk.DiskEncryptionSet; set != nil { + if id := set.ID; id != nil { + result["managed_disk_encryption_set_id"] = *id + } + } } + return []interface{}{result} } func VirtualMachineScaleSetSourceImageReferenceSchema() *schema.Schema { diff --git a/website/docs/r/linux_virtual_machine_scale_set.html.markdown b/website/docs/r/linux_virtual_machine_scale_set.html.markdown index 4394006de0f12..f7679b9b1a7b3 100644 --- a/website/docs/r/linux_virtual_machine_scale_set.html.markdown +++ b/website/docs/r/linux_virtual_machine_scale_set.html.markdown 
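Review bot: The three nested `if` statements guarding `result["managed_disk_encryption_set_id"]` in `FlattenVirtualMachineScaleSetOSDisk` can be a single condition, matching the form already used in `flattenAzureRmVirtualMachineScaleSetStorageProfileOSDisk` in the legacy resource: `if input.ManagedDisk != nil && input.ManagedDisk.DiskEncryptionSet != nil && input.ManagedDisk.DiskEncryptionSet.ID != nil { result["managed_disk_encryption_set_id"] = *input.ManagedDisk.DiskEncryptionSet.ID }`. Writing an empty string into `result` when no DES is present would additionally keep the OS-disk map shape identical to the other always-set fields (`caching`, `disk_size_gb`, …) rather than leaving the key absent. The start of this function, where `diffDiskSettings` and `storageAccountType` are computed, is outside the hunk.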
@@ -243,6 +243,10 @@ A `data_disk` block supports the following: -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`. +* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest. + +-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption). + --- A `diff_disk_settings` block supports the following: @@ -335,6 +339,10 @@ A `os_disk` block supports the following: -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`. +* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest. + +-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption). + --- A `public_ip_address` block supports the following: diff --git a/website/docs/r/virtual_machine_scale_set.html.markdown b/website/docs/r/virtual_machine_scale_set.html.markdown index e8d58cb4bd630..743c825940b17 100644 --- a/website/docs/r/virtual_machine_scale_set.html.markdown +++ b/website/docs/r/virtual_machine_scale_set.html.markdown 
@@ -470,6 +470,10 @@ output "principal_id" { When setting this field `os_type` needs to be specified. Cannot be used when `vhd_containers`, `managed_disk_type` or `storage_profile_image_reference` are specified. * `os_type` - (Optional) Specifies the operating system Type, valid values are windows, linux. +* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest. + +-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption). + `storage_profile_data_disk` supports the following: * `lun` - (Required) Specifies the Logical Unit Number of the disk in each virtual machine in the scale set. @@ -477,6 +481,9 @@ output "principal_id" { * `caching` - (Optional) Specifies the caching requirements. Possible values include: `None` (default), `ReadOnly`, `ReadWrite`. * `disk_size_gb` - (Optional) Specifies the size of the disk in GB. This element is required when creating an empty disk. * `managed_disk_type` - (Optional) Specifies the type of managed disk to create. Value must be either `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS`. +* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest. + +-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption). `storage_profile_image_reference` supports the following: 
diff --git a/website/docs/r/windows_virtual_machine_scale_set.html.markdown b/website/docs/r/windows_virtual_machine_scale_set.html.markdown index 55f88fd5a0efa..a4fa3af08c2d3 100644 --- a/website/docs/r/windows_virtual_machine_scale_set.html.markdown +++ b/website/docs/r/windows_virtual_machine_scale_set.html.markdown @@ -235,6 +235,10 @@ A `data_disk` block supports the following: -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`. +* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest. + +-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption). + --- A `diff_disk_settings` block supports the following: @@ -327,6 +331,10 @@ A `os_disk` block supports the following: -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`. +* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest. + +-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption). + --- A `public_ip_address` block supports the following: