Updaet VMSS 2.0 for SSE-CMK feature

hashicorp · Dec 25, 2019 · ee1f6ee · ee1f6ee
1 parent 82d660c
commit ee1f6ee
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 10 deletions.
diff --git a/azurerm/internal/services/compute/virtual_machine_scale_set.go b/azurerm/internal/services/compute/virtual_machine_scale_set.go
@@ -837,6 +837,12 @@ func VirtualMachineScaleSetDataDiskSchema() *schema.Schema {
 					Optional: true,
 					Default:  false,
 				},
+
+				"managed_disk_encryption_set_id": {
+					Type:         schema.TypeString,
+					Optional:     true,
+					ValidateFunc: azure.ValidateResourceID,
+				},
 			},
 		},
 	}
@@ -861,6 +867,12 @@ func ExpandVirtualMachineScaleSetDataDisk(input []interface{}) *[]compute.Virtua
 			CreateOption: compute.DiskCreateOptionTypesEmpty,
 		}
 
+		if id := raw["managed_disk_encryption_set_id"].(string); id != "" {
+			disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+				ID: utils.String(id),
+			}
+		}
+
 		disks = append(disks, disk)
 	}
 
@@ -895,13 +907,23 @@ func FlattenVirtualMachineScaleSetDataDisk(input *[]compute.VirtualMachineScaleS
 			writeAcceleratorEnabled = *v.WriteAcceleratorEnabled
 		}
 
-		output = append(output, map[string]interface{}{
+		item := map[string]interface{}{
 			"caching":                   string(v.Caching),
 			"lun":                       lun,
 			"disk_size_gb":              diskSizeGb,
 			"storage_account_type":      storageAccountType,
 			"write_accelerator_enabled": writeAcceleratorEnabled,
-		})
+		}
+
+		if disk := v.ManagedDisk; disk != nil {
+			if set := disk.DiskEncryptionSet; set != nil {
+				if id := set.ID; id != nil {
+					item["managed_disk_encryption_set_id"] = *id
+				}
+			}
+		}
+
+		output = append(output, item)
 	}
 
 	return output
@@ -967,6 +989,12 @@ func VirtualMachineScaleSetOSDiskSchema() *schema.Schema {
 					Optional: true,
 					Default:  false,
 				},
+
+				"managed_disk_encryption_set_id": {
+					Type:         schema.TypeString,
+					Optional:     true,
+					ValidateFunc: azure.ValidateResourceID,
+				},
 			},
 		},
 	}
@@ -986,6 +1014,12 @@ func ExpandVirtualMachineScaleSetOSDisk(input []interface{}, osType compute.Oper
 		OsType:       osType,
 	}
 
+	if diskEncryptionSetId := raw["managed_disk_encryption_set_id"].(string); diskEncryptionSetId != "" {
+		disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+			ID: utils.String(diskEncryptionSetId),
+		}
+	}
+
 	if osDiskSize := raw["disk_size_gb"].(int); osDiskSize > 0 {
 		disk.DiskSizeGB = utils.Int32(int32(osDiskSize))
 	}
@@ -1010,6 +1044,12 @@ func ExpandVirtualMachineScaleSetOSDiskUpdate(input []interface{}) *compute.Virt
 		WriteAcceleratorEnabled: utils.Bool(raw["write_accelerator_enabled"].(bool)),
 	}
 
+	if diskEncryptionSetId := raw["managed_disk_encryption_set_id"].(string); diskEncryptionSetId != "" {
+		disk.ManagedDisk.DiskEncryptionSet = &compute.DiskEncryptionSetParameters{
+			ID: utils.String(diskEncryptionSetId),
+		}
+	}
+
 	if osDiskSize := raw["disk_size_gb"].(int); osDiskSize > 0 {
 		disk.DiskSizeGB = utils.Int32(int32(osDiskSize))
 	}
@@ -1043,15 +1083,22 @@ func FlattenVirtualMachineScaleSetOSDisk(input *compute.VirtualMachineScaleSetOS
 	if input.WriteAcceleratorEnabled != nil {
 		writeAcceleratorEnabled = *input.WriteAcceleratorEnabled
 	}
-	return []interface{}{
-		map[string]interface{}{
-			"caching":                   string(input.Caching),
-			"disk_size_gb":              diskSizeGb,
-			"diff_disk_settings":        diffDiskSettings,
-			"storage_account_type":      storageAccountType,
-			"write_accelerator_enabled": writeAcceleratorEnabled,
-		},
+
+	result := map[string]interface{}{
+		"caching":                   string(input.Caching),
+		"disk_size_gb":              diskSizeGb,
+		"diff_disk_settings":        diffDiskSettings,
+		"storage_account_type":      storageAccountType,
+		"write_accelerator_enabled": writeAcceleratorEnabled,
+	}
+	if disk := input.ManagedDisk; disk != nil {
+		if set := disk.DiskEncryptionSet; set != nil {
+			if id := set.ID; id != nil {
+				result["managed_disk_encryption_set_id"] = *id
+			}
+		}
 	}
+	return []interface{}{result}
 }
 
 func VirtualMachineScaleSetSourceImageReferenceSchema() *schema.Schema {

diff --git a/website/docs/r/linux_virtual_machine_scale_set.html.markdown b/website/docs/r/linux_virtual_machine_scale_set.html.markdown
@@ -243,6 +243,10 @@ A `data_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `diff_disk_settings` block supports the following:
@@ -335,6 +339,10 @@ A `os_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `public_ip_address` block supports the following:

diff --git a/website/docs/r/windows_virtual_machine_scale_set.html.markdown b/website/docs/r/windows_virtual_machine_scale_set.html.markdown
@@ -235,6 +235,10 @@ A `data_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a data disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `diff_disk_settings` block supports the following:
@@ -327,6 +331,10 @@ A `os_disk` block supports the following:
 
 -> **NOTE:** This requires that the `storage_account_type` is set to `Premium_LRS` and that `caching` is set to `None`.
 
+* `managed_disk_encryption_set_id` - (Optional) ID of the disk encryption set to use for enabling encryption at rest.
+
+-> **NOTE** To associate a custom Disk Encryption Set to a OS disk in VMSS, you must grant access of the KeyVault for the Disk Encryption Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
+
 ---
 
 A `public_ip_address` block supports the following: