Docs Home
We recommend using Azure Native.
Azure v6.21.0 published on Friday, Mar 7, 2025 by Pulumi
azure.compute.DiskEncryptionSet
Explore with Pulumi AI
Manages a Disk Encryption Set.
NOTE: At this time the Key Vault used to store the Active Key for this Disk Encryption Set must have both Soft Delete & Purge Protection enabled - which are not yet supported by this provider.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const example = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleKeyVault = new azure.keyvault.KeyVault("example", {
name: "des-example-keyvault",
location: example.location,
resourceGroupName: example.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
enabledForDiskEncryption: true,
purgeProtectionEnabled: true,
});
const example_user = new azure.keyvault.AccessPolicy("example-user", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
],
});
const exampleKey = new azure.keyvault.Key("example", {
name: "des-example-key",
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
}, {
dependsOn: [example_user],
});
const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
name: "des",
resourceGroupName: example.name,
location: example.location,
keyVaultKeyId: exampleKey.id,
identity: {
type: "SystemAssigned",
},
});
const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
keyVaultId: exampleKeyVault.id,
tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
],
});
const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
scope: exampleKeyVault.id,
roleDefinitionName: "Key Vault Crypto Service Encryption User",
principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
});
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_key_vault = azure.keyvault.KeyVault("example",
name="des-example-keyvault",
location=example.location,
resource_group_name=example.name,
tenant_id=current.tenant_id,
sku_name="premium",
enabled_for_disk_encryption=True,
purge_protection_enabled=True)
example_user = azure.keyvault.AccessPolicy("example-user",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
])
example_key = azure.keyvault.Key("example",
name="des-example-key",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
opts = pulumi.ResourceOptions(depends_on=[example_user]))
example_disk_encryption_set = azure.compute.DiskEncryptionSet("example",
name="des",
resource_group_name=example.name,
location=example.location,
key_vault_key_id=example_key.id,
identity={
"type": "SystemAssigned",
})
example_disk = azure.keyvault.AccessPolicy("example-disk",
key_vault_id=example_key_vault.id,
tenant_id=example_disk_encryption_set.identity.tenant_id,
object_id=example_disk_encryption_set.identity.principal_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
])
example_disk_assignment = azure.authorization.Assignment("example-disk",
scope=example_key_vault.id,
role_definition_name="Key Vault Crypto Service Encryption User",
principal_id=example_disk_encryption_set.identity.principal_id)
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/compute"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
Name: pulumi.String("des-example-keyvault"),
Location: example.Location,
ResourceGroupName: example.Name,
TenantId: pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
EnabledForDiskEncryption: pulumi.Bool(true),
PurgeProtectionEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
example_user, err := keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
pulumi.String("GetRotationPolicy"),
},
})
if err != nil {
return err
}
exampleKey, err := keyvault.NewKey(ctx, "example", &keyvault.KeyArgs{
Name: pulumi.String("des-example-key"),
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
}, pulumi.DependsOn([]pulumi.Resource{
example_user,
}))
if err != nil {
return err
}
exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "example", &compute.DiskEncryptionSetArgs{
Name: pulumi.String("des"),
ResourceGroupName: example.Name,
Location: example.Location,
KeyVaultKeyId: exampleKey.ID(),
Identity: &compute.DiskEncryptionSetIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-disk", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.TenantId, nil
}).(pulumi.StringPtrOutput)),
ObjectId: pulumi.String(exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput)),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example-disk", &authorization.AssignmentArgs{
Scope: exampleKeyVault.ID(),
RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
PrincipalId: pulumi.String(exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
{
Name = "des-example-keyvault",
Location = example.Location,
ResourceGroupName = example.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
EnabledForDiskEncryption = true,
PurgeProtectionEnabled = true,
});
var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
},
});
var exampleKey = new Azure.KeyVault.Key("example", new()
{
Name = "des-example-key",
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts = new[]
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
}, new CustomResourceOptions
{
DependsOn =
{
example_user,
},
});
var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("example", new()
{
Name = "des",
ResourceGroupName = example.Name,
Location = example.Location,
KeyVaultKeyId = exampleKey.Id,
Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
{
Type = "SystemAssigned",
},
});
var example_disk = new Azure.KeyVault.AccessPolicy("example-disk", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
},
});
var example_diskAssignment = new Azure.Authorization.Assignment("example-disk", new()
{
Scope = exampleKeyVault.Id,
RoleDefinitionName = "Key Vault Crypto Service Encryption User",
PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.compute.DiskEncryptionSet;
import com.pulumi.azure.compute.DiskEncryptionSetArgs;
import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.name("des-example-keyvault")
.location(example.location())
.resourceGroupName(example.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.enabledForDiskEncryption(true)
.purgeProtectionEnabled(true)
.build());
var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy")
.build());
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.name("des-example-key")
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.build(), CustomResourceOptions.builder()
.dependsOn(example_user)
.build());
var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()
.name("des")
.resourceGroupName(example.name())
.location(example.location())
.keyVaultKeyId(exampleKey.id())
.identity(DiskEncryptionSetIdentityArgs.builder()
.type("SystemAssigned")
.build())
.build());
var example_disk = new AccessPolicy("example-disk", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
.objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign")
.build());
var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()
.scope(exampleKeyVault.id())
.roleDefinitionName("Key Vault Crypto Service Encryption User")
.principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.build());
}
}
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-resources
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
name: example
properties:
name: des-example-keyvault
location: ${example.location}
resourceGroupName: ${example.name}
tenantId: ${current.tenantId}
skuName: premium
enabledForDiskEncryption: true
purgeProtectionEnabled: true
exampleKey:
type: azure:keyvault:Key
name: example
properties:
name: des-example-key
keyVaultId: ${exampleKeyVault.id}
keyType: RSA
keySize: 2048
keyOpts:
- decrypt
- encrypt
- sign
- unwrapKey
- verify
- wrapKey
options:
dependsOn:
- ${["example-user"]}
exampleDiskEncryptionSet:
type: azure:compute:DiskEncryptionSet
name: example
properties:
name: des
resourceGroupName: ${example.name}
location: ${example.location}
keyVaultKeyId: ${exampleKey.id}
identity:
type: SystemAssigned
example-disk:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
objectId: ${exampleDiskEncryptionSet.identity.principalId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
example-user:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
- GetRotationPolicy
example-diskAssignment:
type: azure:authorization:Assignment
name: example-disk
properties:
scope: ${exampleKeyVault.id}
roleDefinitionName: Key Vault Crypto Service Encryption User
principalId: ${exampleDiskEncryptionSet.identity.principalId}
variables:
current:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
With Automatic Key Rotation Enabled
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const example = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleKeyVault = new azure.keyvault.KeyVault("example", {
name: "des-example-keyvault",
location: example.location,
resourceGroupName: example.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
enabledForDiskEncryption: true,
purgeProtectionEnabled: true,
});
const example_user = new azure.keyvault.AccessPolicy("example-user", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
],
});
const exampleKey = new azure.keyvault.Key("example", {
name: "des-example-key",
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
}, {
dependsOn: [example_user],
});
const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
name: "des",
resourceGroupName: example.name,
location: example.location,
keyVaultKeyId: exampleKey.versionlessId,
autoKeyRotationEnabled: true,
identity: {
type: "SystemAssigned",
},
});
const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
keyVaultId: exampleKeyVault.id,
tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
],
});
const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
scope: exampleKeyVault.id,
roleDefinitionName: "Key Vault Crypto Service Encryption User",
principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
});
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_key_vault = azure.keyvault.KeyVault("example",
name="des-example-keyvault",
location=example.location,
resource_group_name=example.name,
tenant_id=current.tenant_id,
sku_name="premium",
enabled_for_disk_encryption=True,
purge_protection_enabled=True)
example_user = azure.keyvault.AccessPolicy("example-user",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
])
example_key = azure.keyvault.Key("example",
name="des-example-key",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
opts = pulumi.ResourceOptions(depends_on=[example_user]))
example_disk_encryption_set = azure.compute.DiskEncryptionSet("example",
name="des",
resource_group_name=example.name,
location=example.location,
key_vault_key_id=example_key.versionless_id,
auto_key_rotation_enabled=True,
identity={
"type": "SystemAssigned",
})
example_disk = azure.keyvault.AccessPolicy("example-disk",
key_vault_id=example_key_vault.id,
tenant_id=example_disk_encryption_set.identity.tenant_id,
object_id=example_disk_encryption_set.identity.principal_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
])
example_disk_assignment = azure.authorization.Assignment("example-disk",
scope=example_key_vault.id,
role_definition_name="Key Vault Crypto Service Encryption User",
principal_id=example_disk_encryption_set.identity.principal_id)
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/compute"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v6/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
Name: pulumi.String("des-example-keyvault"),
Location: example.Location,
ResourceGroupName: example.Name,
TenantId: pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
EnabledForDiskEncryption: pulumi.Bool(true),
PurgeProtectionEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
example_user, err := keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
pulumi.String("GetRotationPolicy"),
},
})
if err != nil {
return err
}
exampleKey, err := keyvault.NewKey(ctx, "example", &keyvault.KeyArgs{
Name: pulumi.String("des-example-key"),
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
}, pulumi.DependsOn([]pulumi.Resource{
example_user,
}))
if err != nil {
return err
}
exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "example", &compute.DiskEncryptionSetArgs{
Name: pulumi.String("des"),
ResourceGroupName: example.Name,
Location: example.Location,
KeyVaultKeyId: exampleKey.VersionlessId,
AutoKeyRotationEnabled: pulumi.Bool(true),
Identity: &compute.DiskEncryptionSetIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-disk", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.TenantId, nil
}).(pulumi.StringPtrOutput)),
ObjectId: pulumi.String(exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput)),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example-disk", &authorization.AssignmentArgs{
Scope: exampleKeyVault.ID(),
RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
PrincipalId: pulumi.String(exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
{
Name = "des-example-keyvault",
Location = example.Location,
ResourceGroupName = example.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
EnabledForDiskEncryption = true,
PurgeProtectionEnabled = true,
});
var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
},
});
var exampleKey = new Azure.KeyVault.Key("example", new()
{
Name = "des-example-key",
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts = new[]
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
}, new CustomResourceOptions
{
DependsOn =
{
example_user,
},
});
var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("example", new()
{
Name = "des",
ResourceGroupName = example.Name,
Location = example.Location,
KeyVaultKeyId = exampleKey.VersionlessId,
AutoKeyRotationEnabled = true,
Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
{
Type = "SystemAssigned",
},
});
var example_disk = new Azure.KeyVault.AccessPolicy("example-disk", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
},
});
var example_diskAssignment = new Azure.Authorization.Assignment("example-disk", new()
{
Scope = exampleKeyVault.Id,
RoleDefinitionName = "Key Vault Crypto Service Encryption User",
PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.compute.DiskEncryptionSet;
import com.pulumi.azure.compute.DiskEncryptionSetArgs;
import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.name("des-example-keyvault")
.location(example.location())
.resourceGroupName(example.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.enabledForDiskEncryption(true)
.purgeProtectionEnabled(true)
.build());
var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy")
.build());
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.name("des-example-key")
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.build(), CustomResourceOptions.builder()
.dependsOn(example_user)
.build());
var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()
.name("des")
.resourceGroupName(example.name())
.location(example.location())
.keyVaultKeyId(exampleKey.versionlessId())
.autoKeyRotationEnabled(true)
.identity(DiskEncryptionSetIdentityArgs.builder()
.type("SystemAssigned")
.build())
.build());
var example_disk = new AccessPolicy("example-disk", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
.objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign")
.build());
var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()
.scope(exampleKeyVault.id())
.roleDefinitionName("Key Vault Crypto Service Encryption User")
.principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.build());
}
}
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-resources
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
name: example
properties:
name: des-example-keyvault
location: ${example.location}
resourceGroupName: ${example.name}
tenantId: ${current.tenantId}
skuName: premium
enabledForDiskEncryption: true
purgeProtectionEnabled: true
exampleKey:
type: azure:keyvault:Key
name: example
properties:
name: des-example-key
keyVaultId: ${exampleKeyVault.id}
keyType: RSA
keySize: 2048
keyOpts:
- decrypt
- encrypt
- sign
- unwrapKey
- verify
- wrapKey
options:
dependsOn:
- ${["example-user"]}
exampleDiskEncryptionSet:
type: azure:compute:DiskEncryptionSet
name: example
properties:
name: des
resourceGroupName: ${example.name}
location: ${example.location}
keyVaultKeyId: ${exampleKey.versionlessId}
autoKeyRotationEnabled: true
identity:
type: SystemAssigned
example-disk:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
objectId: ${exampleDiskEncryptionSet.identity.principalId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
example-user:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
- GetRotationPolicy
example-diskAssignment:
type: azure:authorization:Assignment
name: example-disk
properties:
scope: ${exampleKeyVault.id}
roleDefinitionName: Key Vault Crypto Service Encryption User
principalId: ${exampleDiskEncryptionSet.identity.principalId}
variables:
current:
fn::invoke:
function: azure:core:getClientConfig
arguments: {}
Create DiskEncryptionSet Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new DiskEncryptionSet(name: string, args: DiskEncryptionSetArgs, opts?: CustomResourceOptions);@overload
def DiskEncryptionSet(resource_name: str,
args: DiskEncryptionSetArgs,
opts: Optional[ResourceOptions] = None)
@overload
def DiskEncryptionSet(resource_name: str,
opts: Optional[ResourceOptions] = None,
identity: Optional[DiskEncryptionSetIdentityArgs] = None,
resource_group_name: Optional[str] = None,
auto_key_rotation_enabled: Optional[bool] = None,
encryption_type: Optional[str] = None,
federated_client_id: Optional[str] = None,
key_vault_key_id: Optional[str] = None,
location: Optional[str] = None,
managed_hsm_key_id: Optional[str] = None,
name: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None)func NewDiskEncryptionSet(ctx *Context, name string, args DiskEncryptionSetArgs, opts ...ResourceOption) (*DiskEncryptionSet, error)public DiskEncryptionSet(string name, DiskEncryptionSetArgs args, CustomResourceOptions? opts = null)
public DiskEncryptionSet(String name, DiskEncryptionSetArgs args)
public DiskEncryptionSet(String name, DiskEncryptionSetArgs args, CustomResourceOptions options)
type: azure:compute:DiskEncryptionSet
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var diskEncryptionSetResource = new Azure.Compute.DiskEncryptionSet("diskEncryptionSetResource", new()
{
Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
{
Type = "string",
IdentityIds = new[]
{
"string",
},
PrincipalId = "string",
TenantId = "string",
},
ResourceGroupName = "string",
AutoKeyRotationEnabled = false,
EncryptionType = "string",
FederatedClientId = "string",
KeyVaultKeyId = "string",
Location = "string",
ManagedHsmKeyId = "string",
Name = "string",
Tags =
{
{ "string", "string" },
},
});
example, err := compute.NewDiskEncryptionSet(ctx, "diskEncryptionSetResource", &compute.DiskEncryptionSetArgs{
Identity: &compute.DiskEncryptionSetIdentityArgs{
Type: pulumi.String("string"),
IdentityIds: pulumi.StringArray{
pulumi.String("string"),
},
PrincipalId: pulumi.String("string"),
TenantId: pulumi.String("string"),
},
ResourceGroupName: pulumi.String("string"),
AutoKeyRotationEnabled: pulumi.Bool(false),
EncryptionType: pulumi.String("string"),
FederatedClientId: pulumi.String("string"),
KeyVaultKeyId: pulumi.String("string"),
Location: pulumi.String("string"),
ManagedHsmKeyId: pulumi.String("string"),
Name: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var diskEncryptionSetResource = new DiskEncryptionSet("diskEncryptionSetResource", DiskEncryptionSetArgs.builder()
.identity(DiskEncryptionSetIdentityArgs.builder()
.type("string")
.identityIds("string")
.principalId("string")
.tenantId("string")
.build())
.resourceGroupName("string")
.autoKeyRotationEnabled(false)
.encryptionType("string")
.federatedClientId("string")
.keyVaultKeyId("string")
.location("string")
.managedHsmKeyId("string")
.name("string")
.tags(Map.of("string", "string"))
.build());
disk_encryption_set_resource = azure.compute.DiskEncryptionSet("diskEncryptionSetResource",
identity={
"type": "string",
"identity_ids": ["string"],
"principal_id": "string",
"tenant_id": "string",
},
resource_group_name="string",
auto_key_rotation_enabled=False,
encryption_type="string",
federated_client_id="string",
key_vault_key_id="string",
location="string",
managed_hsm_key_id="string",
name="string",
tags={
"string": "string",
})
const diskEncryptionSetResource = new azure.compute.DiskEncryptionSet("diskEncryptionSetResource", {
identity: {
type: "string",
identityIds: ["string"],
principalId: "string",
tenantId: "string",
},
resourceGroupName: "string",
autoKeyRotationEnabled: false,
encryptionType: "string",
federatedClientId: "string",
keyVaultKeyId: "string",
location: "string",
managedHsmKeyId: "string",
name: "string",
tags: {
string: "string",
},
});
type: azure:compute:DiskEncryptionSet
properties:
autoKeyRotationEnabled: false
encryptionType: string
federatedClientId: string
identity:
identityIds:
- string
principalId: string
tenantId: string
type: string
keyVaultKeyId: string
location: string
managedHsmKeyId: string
name: string
resourceGroupName: string
tags:
string: string
DiskEncryptionSet Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The DiskEncryptionSet resource accepts the following input properties:
- Identity
Disk
Encryption Set Identity - An
identityblock as defined below. - Resource
Group stringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Auto
Key boolRotation Enabled - Encryption
Type string - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - Federated
Client stringId - Multi-tenant application client id to access key vault in a different tenant.
- Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Location string
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Managed
Hsm stringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - Name string
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Dictionary<string, string>
- A mapping of tags to assign to the Disk Encryption Set.
- Identity
Disk
Encryption Set Identity Args - An
identityblock as defined below. - Resource
Group stringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Auto
Key boolRotation Enabled - Encryption
Type string - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - Federated
Client stringId - Multi-tenant application client id to access key vault in a different tenant.
- Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Location string
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Managed
Hsm stringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - Name string
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- map[string]string
- A mapping of tags to assign to the Disk Encryption Set.
- identity
Disk
Encryption Set Identity - An
identityblock as defined below. - resource
Group StringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto
Key BooleanRotation Enabled - encryption
Type String - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated
Client StringId - Multi-tenant application client id to access key vault in a different tenant.
- key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- location String
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed
Hsm StringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name String
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Map<String,String>
- A mapping of tags to assign to the Disk Encryption Set.
- identity
Disk
Encryption Set Identity - An
identityblock as defined below. - resource
Group stringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto
Key booleanRotation Enabled - encryption
Type string - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated
Client stringId - Multi-tenant application client id to access key vault in a different tenant.
- key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- location string
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed
Hsm stringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name string
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- {[key: string]: string}
- A mapping of tags to assign to the Disk Encryption Set.
- identity
Disk
Encryption Set Identity Args - An
identityblock as defined below. - resource_
group_ strname - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto_
key_ boolrotation_ enabled - encryption_
type str - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated_
client_ strid - Multi-tenant application client id to access key vault in a different tenant.
- key_
vault_ strkey_ id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- location str
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed_
hsm_ strkey_ id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name str
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Mapping[str, str]
- A mapping of tags to assign to the Disk Encryption Set.
- identity Property Map
- An
identityblock as defined below. - resource
Group StringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto
Key BooleanRotation Enabled - encryption
Type String - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated
Client StringId - Multi-tenant application client id to access key vault in a different tenant.
- key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- location String
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed
Hsm StringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name String
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Map<String>
- A mapping of tags to assign to the Disk Encryption Set.
Outputs
All input properties are implicitly available as output properties. Additionally, the DiskEncryptionSet resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Vault stringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- Id string
- The provider-assigned unique ID for this managed resource.
- Key
Vault stringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Vault StringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id string
- The provider-assigned unique ID for this managed resource.
- key
Vault stringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id str
- The provider-assigned unique ID for this managed resource.
- key_
vault_ strkey_ url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id String
- The provider-assigned unique ID for this managed resource.
- key
Vault StringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
Look up Existing DiskEncryptionSet Resource
Get an existing DiskEncryptionSet resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: DiskEncryptionSetState, opts?: CustomResourceOptions): DiskEncryptionSet@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
auto_key_rotation_enabled: Optional[bool] = None,
encryption_type: Optional[str] = None,
federated_client_id: Optional[str] = None,
identity: Optional[DiskEncryptionSetIdentityArgs] = None,
key_vault_key_id: Optional[str] = None,
key_vault_key_url: Optional[str] = None,
location: Optional[str] = None,
managed_hsm_key_id: Optional[str] = None,
name: Optional[str] = None,
resource_group_name: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None) -> DiskEncryptionSetfunc GetDiskEncryptionSet(ctx *Context, name string, id IDInput, state *DiskEncryptionSetState, opts ...ResourceOption) (*DiskEncryptionSet, error)public static DiskEncryptionSet Get(string name, Input<string> id, DiskEncryptionSetState? state, CustomResourceOptions? opts = null)public static DiskEncryptionSet get(String name, Output<String> id, DiskEncryptionSetState state, CustomResourceOptions options)resources: _: type: azure:compute:DiskEncryptionSet get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Auto
Key boolRotation Enabled - Encryption
Type string - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - Federated
Client stringId - Multi-tenant application client id to access key vault in a different tenant.
- Identity
Disk
Encryption Set Identity - An
identityblock as defined below. - Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Key
Vault stringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- Location string
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Managed
Hsm stringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - Name string
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Resource
Group stringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Dictionary<string, string>
- A mapping of tags to assign to the Disk Encryption Set.
- Auto
Key boolRotation Enabled - Encryption
Type string - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - Federated
Client stringId - Multi-tenant application client id to access key vault in a different tenant.
- Identity
Disk
Encryption Set Identity Args - An
identityblock as defined below. - Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Key
Vault stringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- Location string
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Managed
Hsm stringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - Name string
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Resource
Group stringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- map[string]string
- A mapping of tags to assign to the Disk Encryption Set.
- auto
Key BooleanRotation Enabled - encryption
Type String - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated
Client StringId - Multi-tenant application client id to access key vault in a different tenant.
- identity
Disk
Encryption Set Identity - An
identityblock as defined below. - key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key
Vault StringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location String
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed
Hsm StringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name String
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource
Group StringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Map<String,String>
- A mapping of tags to assign to the Disk Encryption Set.
- auto
Key booleanRotation Enabled - encryption
Type string - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated
Client stringId - Multi-tenant application client id to access key vault in a different tenant.
- identity
Disk
Encryption Set Identity - An
identityblock as defined below. - key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key
Vault stringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location string
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed
Hsm stringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name string
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource
Group stringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- {[key: string]: string}
- A mapping of tags to assign to the Disk Encryption Set.
- auto_
key_ boolrotation_ enabled - encryption_
type str - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated_
client_ strid - Multi-tenant application client id to access key vault in a different tenant.
- identity
Disk
Encryption Set Identity Args - An
identityblock as defined below. - key_
vault_ strkey_ id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key_
vault_ strkey_ url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location str
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed_
hsm_ strkey_ id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name str
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource_
group_ strname - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Mapping[str, str]
- A mapping of tags to assign to the Disk Encryption Set.
- auto
Key BooleanRotation Enabled - encryption
Type String - The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created. - federated
Client StringId - Multi-tenant application client id to access key vault in a different tenant.
- identity Property Map
- An
identityblock as defined below. - key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified.NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault or Managed HSM using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assign the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key
Vault StringKey Url - The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location String
- Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- managed
Hsm StringKey Id - Key ID of a key in a managed HSM. Exactly one of
managed_hsm_key_id,key_vault_key_idmust be specified. - name String
- The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource
Group StringName - Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Map<String>
- A mapping of tags to assign to the Disk Encryption Set.
Supporting Types
DiskEncryptionSetIdentity, DiskEncryptionSetIdentityArgs
- Type string
- The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both). - Identity
Ids List<string> A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- Principal
Id string - The (Client) ID of the Service Principal.
- Tenant
Id string - The ID of the Tenant the Service Principal is assigned in.
- Type string
- The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both). - Identity
Ids []string A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- Principal
Id string - The (Client) ID of the Service Principal.
- Tenant
Id string - The ID of the Tenant the Service Principal is assigned in.
- type String
- The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both). - identity
Ids List<String> A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal
Id String - The (Client) ID of the Service Principal.
- tenant
Id String - The ID of the Tenant the Service Principal is assigned in.
- type string
- The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both). - identity
Ids string[] A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal
Id string - The (Client) ID of the Service Principal.
- tenant
Id string - The ID of the Tenant the Service Principal is assigned in.
- type str
- The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both). - identity_
ids Sequence[str] A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal_
id str - The (Client) ID of the Service Principal.
- tenant_
id str - The ID of the Tenant the Service Principal is assigned in.
- type String
- The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both). - identity
Ids List<String> A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal
Id String - The (Client) ID of the Service Principal.
- tenant
Id String - The ID of the Tenant the Service Principal is assigned in.
Import
Disk Encryption Sets can be imported using the resource id, e.g.
$ pulumi import azure:compute/diskEncryptionSet:DiskEncryptionSet example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azurermTerraform Provider.