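import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";

/**
 * Manages a Disk Encryption Set.
 *
 * > **NOTE:** At this time the Key Vault used to store the Active Key for this Disk Encryption Set must have both Soft Delete & Purge Protection enabled - which are not yet supported by this provider.
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "des-example-keyvault",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     tenantId: current.then(current => current.tenantId),
 *     skuName: "premium",
 *     enabledForDiskEncryption: true,
 *     purgeProtectionEnabled: true,
 * });
 * const example_user = new azure.keyvault.AccessPolicy("example-user", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: current.then(current => current.tenantId),
 *     objectId: current.then(current => current.objectId),
 *     keyPermissions: [
 *         "Create",
 *         "Delete",
 *         "Get",
 *         "Purge",
 *         "Recover",
 *         "Update",
 *         "List",
 *         "Decrypt",
 *         "Sign",
 *         "GetRotationPolicy",
 *     ],
 * });
 * const exampleKey = new azure.keyvault.Key("example", {
 *     name: "des-example-key",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "decrypt",
 *         "encrypt",
 *         "sign",
 *         "unwrapKey",
 *         "verify",
 *         "wrapKey",
 *     ],
 * }, {
 *     dependsOn: [example_user],
 * });
 * const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
 *     name: "des",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     keyVaultKeyId: exampleKey.id,
 *     identity: {
 *         type: "SystemAssigned",
 *     },
 * });
 * const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
 *     objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
 *     keyPermissions: [
 *         "Create",
 *         "Delete",
 *         "Get",
 *         "Purge",
 *         "Recover",
 *         "Update",
 *         "List",
 *         "Decrypt",
 *         "Sign",
 *     ],
 * });
 * const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
 *     scope: exampleKeyVault.id,
 *     roleDefinitionName: "Key Vault Crypto Service Encryption User",
 *     principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
 * });
 * ```
 *
 * ### With Automatic Key Rotation Enabled
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const current = azure.core.getClientConfig({});
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "example-resources",
 *     location: "West Europe",
 * });
 * const exampleKeyVault = new azure.keyvault.KeyVault("example", {
 *     name: "des-example-keyvault",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     tenantId: current.then(current => current.tenantId),
 *     skuName: "premium",
 *     enabledForDiskEncryption: true,
 *     purgeProtectionEnabled: true,
 * });
 * const example_user = new azure.keyvault.AccessPolicy("example-user", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: current.then(current => current.tenantId),
 *     objectId: current.then(current => current.objectId),
 *     keyPermissions: [
 *         "Create",
 *         "Delete",
 *         "Get",
 *         "Purge",
 *         "Recover",
 *         "Update",
 *         "List",
 *         "Decrypt",
 *         "Sign",
 *         "GetRotationPolicy",
 *     ],
 * });
 * const exampleKey = new azure.keyvault.Key("example", {
 *     name: "des-example-key",
 *     keyVaultId: exampleKeyVault.id,
 *     keyType: "RSA",
 *     keySize: 2048,
 *     keyOpts: [
 *         "decrypt",
 *         "encrypt",
 *         "sign",
 *         "unwrapKey",
 *         "verify",
 *         "wrapKey",
 *     ],
 * }, {
 *     dependsOn: [example_user],
 * });
 * const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
 *     name: "des",
 *     resourceGroupName: example.name,
 *     location: example.location,
 *     keyVaultKeyId: exampleKey.versionlessId,
 *     autoKeyRotationEnabled: true,
 *     identity: {
 *         type: "SystemAssigned",
 *     },
 * });
 * const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
 *     keyVaultId: exampleKeyVault.id,
 *     tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
 *     objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
 *     keyPermissions: [
 *         "Create",
 *         "Delete",
 *         "Get",
 *         "Purge",
 *         "Recover",
 *         "Update",
 *         "List",
 *         "Decrypt",
 *         "Sign",
 *     ],
 * });
 * const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
 *     scope: exampleKeyVault.id,
 *     roleDefinitionName: "Key Vault Crypto Service Encryption User",
 *     principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
 * });
 * ```
 *
 * > **Note:** The `example-disk` access policy above grants the Disk Encryption Set's identity a broad key-permission list; the role assignment shown (`Key Vault Crypto Service Encryption User`) is the narrower route when the vault uses RBAC authorization, and then the access policy is not needed. When using access policies, confirm the minimal key permissions the service requires against the Azure documentation before copying the example.
 *
 * ## API Providers
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Compute` - 2022-03-02
 *
 * ## Import
 *
 * Disk Encryption Sets can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:compute/diskEncryptionSet:DiskEncryptionSet example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1
 * ```
 */
export declare class DiskEncryptionSet extends pulumi.CustomResource {
    /**
     * Get an existing DiskEncryptionSet resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DiskEncryptionSetState, opts?: pulumi.CustomResourceOptions): DiskEncryptionSet;
    /**
     * Returns true if the given object is an instance of DiskEncryptionSet. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is DiskEncryptionSet;
    /**
     * Boolean flag to specify whether Azure Disk Encryption Set automatically rotates the encryption Key to latest version or not. Possible values are `true` or `false`. Defaults to `false`.
     *
     * > **Note:** When `autoKeyRotationEnabled` is set to `true` the `keyVaultKeyId` or `managedHsmKeyId` must use the `versionlessId`.
     *
     * > **Note:** To validate which Key Vault Key version is currently being used by the service it is recommended that you use the `azure.compute.DiskEncryptionSet` data source or run a `pulumi refresh` command and check the value of the exported `keyVaultKeyUrl` or `managedHsmKeyId` field.
     *
     * > **Note:** It may take between 10 to 20 minutes for the service to update the Key Vault Key URL once the keys have been rotated.
     */
    readonly autoKeyRotationEnabled: pulumi.Output<boolean | undefined>;
    /**
     * The type of key used to encrypt the data of the disk. Possible values are `EncryptionAtRestWithCustomerKey`, `EncryptionAtRestWithPlatformAndCustomerKeys` and `ConfidentialVmEncryptedWithCustomerKey`. Defaults to `EncryptionAtRestWithCustomerKey`. Changing this forces a new resource to be created.
     */
    readonly encryptionType: pulumi.Output<string | undefined>;
    /**
     * Multi-tenant application client id to access key vault in a different tenant.
     */
    readonly federatedClientId: pulumi.Output<string | undefined>;
    /**
     * An `identity` block as defined below.
     */
    readonly identity: pulumi.Output<outputs.compute.DiskEncryptionSetIdentity>;
    /**
     * Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of `managedHsmKeyId`, `keyVaultKeyId` must be specified.
     *
     * > **Note:** Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/azure/virtual-machines/linux/disk-encryption).
     *
     * > **Note:** A KeyVault or Managed HSM using enableRbacAuthorization requires to use `azure.authorization.Assignment` to assign the role `Key Vault Crypto Service Encryption User` to this Disk Encryption Set.
     * In this case, `azure.keyvault.AccessPolicy` is not needed.
     */
    readonly keyVaultKeyId: pulumi.Output<string | undefined>;
    /**
     * The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
     */
    readonly keyVaultKeyUrl: pulumi.Output<string>;
    /**
     * Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
     */
    readonly location: pulumi.Output<string>;
    /**
     * Key ID of a key in a managed HSM. Exactly one of `managedHsmKeyId`, `keyVaultKeyId` must be specified.
     */
    readonly managedHsmKeyId: pulumi.Output<string | undefined>;
    /**
     * The name of the Disk Encryption Set. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output<string>;
    /**
     * A mapping of tags to assign to the Disk Encryption Set.
     */
    readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>;
    /**
     * Create a DiskEncryptionSet resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: DiskEncryptionSetArgs, opts?: pulumi.CustomResourceOptions);
}

/**
 * Input properties used for looking up and filtering DiskEncryptionSet resources.
 */
export interface DiskEncryptionSetState {
    /**
     * Boolean flag to specify whether Azure Disk Encryption Set automatically rotates the encryption Key to latest version or not. Possible values are `true` or `false`. Defaults to `false`.
     *
     * > **Note:** When `autoKeyRotationEnabled` is set to `true` the `keyVaultKeyId` or `managedHsmKeyId` must use the `versionlessId`.
     *
     * > **Note:** To validate which Key Vault Key version is currently being used by the service it is recommended that you use the `azure.compute.DiskEncryptionSet` data source or run a `pulumi refresh` command and check the value of the exported `keyVaultKeyUrl` or `managedHsmKeyId` field.
     *
     * > **Note:** It may take between 10 to 20 minutes for the service to update the Key Vault Key URL once the keys have been rotated.
     */
    autoKeyRotationEnabled?: pulumi.Input<boolean>;
    /**
     * The type of key used to encrypt the data of the disk. Possible values are `EncryptionAtRestWithCustomerKey`, `EncryptionAtRestWithPlatformAndCustomerKeys` and `ConfidentialVmEncryptedWithCustomerKey`. Defaults to `EncryptionAtRestWithCustomerKey`. Changing this forces a new resource to be created.
     */
    encryptionType?: pulumi.Input<string>;
    /**
     * Multi-tenant application client id to access key vault in a different tenant.
     */
    federatedClientId?: pulumi.Input<string>;
    /**
     * An `identity` block as defined below.
     */
    identity?: pulumi.Input<inputs.compute.DiskEncryptionSetIdentity>;
    /**
     * Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of `managedHsmKeyId`, `keyVaultKeyId` must be specified.
     *
     * > **Note:** Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/azure/virtual-machines/linux/disk-encryption).
     *
     * > **Note:** A KeyVault or Managed HSM using enableRbacAuthorization requires to use `azure.authorization.Assignment` to assign the role `Key Vault Crypto Service Encryption User` to this Disk Encryption Set.
     * In this case, `azure.keyvault.AccessPolicy` is not needed.
     */
    keyVaultKeyId?: pulumi.Input<string>;
    /**
     * The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
     */
    keyVaultKeyUrl?: pulumi.Input<string>;
    /**
     * Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input<string>;
    /**
     * Key ID of a key in a managed HSM. Exactly one of `managedHsmKeyId`, `keyVaultKeyId` must be specified.
     */
    managedHsmKeyId?: pulumi.Input<string>;
    /**
     * The name of the Disk Encryption Set. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input<string>;
    /**
     * A mapping of tags to assign to the Disk Encryption Set.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>;
}

/**
 * The set of arguments for constructing a DiskEncryptionSet resource.
 */
export interface DiskEncryptionSetArgs {
    /**
     * Boolean flag to specify whether Azure Disk Encryption Set automatically rotates the encryption Key to latest version or not. Possible values are `true` or `false`. Defaults to `false`.
     *
     * > **Note:** When `autoKeyRotationEnabled` is set to `true` the `keyVaultKeyId` or `managedHsmKeyId` must use the `versionlessId`.
     *
     * > **Note:** To validate which Key Vault Key version is currently being used by the service it is recommended that you use the `azure.compute.DiskEncryptionSet` data source or run a `pulumi refresh` command and check the value of the exported `keyVaultKeyUrl` or `managedHsmKeyId` field.
     *
     * > **Note:** It may take between 10 to 20 minutes for the service to update the Key Vault Key URL once the keys have been rotated.
     */
    autoKeyRotationEnabled?: pulumi.Input<boolean>;
    /**
     * The type of key used to encrypt the data of the disk. Possible values are `EncryptionAtRestWithCustomerKey`, `EncryptionAtRestWithPlatformAndCustomerKeys` and `ConfidentialVmEncryptedWithCustomerKey`. Defaults to `EncryptionAtRestWithCustomerKey`. Changing this forces a new resource to be created.
     */
    encryptionType?: pulumi.Input<string>;
    /**
     * Multi-tenant application client id to access key vault in a different tenant.
     */
    federatedClientId?: pulumi.Input<string>;
    /**
     * An `identity` block as defined below.
     */
    identity: pulumi.Input<inputs.compute.DiskEncryptionSetIdentity>;
    /**
     * Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret). Exactly one of `managedHsmKeyId`, `keyVaultKeyId` must be specified.
     *
     * > **Note:** Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/azure/virtual-machines/linux/disk-encryption).
     *
     * > **Note:** A KeyVault or Managed HSM using enableRbacAuthorization requires to use `azure.authorization.Assignment` to assign the role `Key Vault Crypto Service Encryption User` to this Disk Encryption Set.
     * In this case, `azure.keyvault.AccessPolicy` is not needed.
     */
    keyVaultKeyId?: pulumi.Input<string>;
    /**
     * Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input<string>;
    /**
     * Key ID of a key in a managed HSM. Exactly one of `managedHsmKeyId`, `keyVaultKeyId` must be specified.
     */
    managedHsmKeyId?: pulumi.Input<string>;
    /**
     * The name of the Disk Encryption Set. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input<string>;
    /**
     * Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input<string>;
    /**
     * A mapping of tags to assign to the Disk Encryption Set.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>;
}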