1. Packages
  2. Azure Classic
  3. API Docs
  4. compute
  5. DiskEncryptionSet

We recommend using Azure Native.

Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi

azure.compute.DiskEncryptionSet

Explore with Pulumi AI

azure logo

We recommend using Azure Native.

Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi

    Manages a Disk Encryption Set.

    NOTE: At this time the Key Vault used to store the Active Key for this Disk Encryption Set must have both Soft Delete & Purge Protection enabled - which are not yet supported by this provider.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const current = azure.core.getClientConfig({});
    const example = new azure.core.ResourceGroup("example", {
        name: "example-resources",
        location: "West Europe",
    });
    const exampleKeyVault = new azure.keyvault.KeyVault("example", {
        name: "des-example-keyvault",
        location: example.location,
        resourceGroupName: example.name,
        tenantId: current.then(current => current.tenantId),
        skuName: "premium",
        enabledForDiskEncryption: true,
        purgeProtectionEnabled: true,
    });
    const exampleKey = new azure.keyvault.Key("example", {
        name: "des-example-key",
        keyVaultId: exampleKeyVault.id,
        keyType: "RSA",
        keySize: 2048,
        keyOpts: [
            "decrypt",
            "encrypt",
            "sign",
            "unwrapKey",
            "verify",
            "wrapKey",
        ],
    });
    const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
        name: "des",
        resourceGroupName: example.name,
        location: example.location,
        keyVaultKeyId: exampleKey.id,
        identity: {
            type: "SystemAssigned",
        },
    });
    const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
        keyVaultId: exampleKeyVault.id,
        tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
        objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
        keyPermissions: [
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
        ],
    });
    const example_user = new azure.keyvault.AccessPolicy("example-user", {
        keyVaultId: exampleKeyVault.id,
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        keyPermissions: [
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
            "GetRotationPolicy",
        ],
    });
    const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
        scope: exampleKeyVault.id,
        roleDefinitionName: "Key Vault Crypto Service Encryption User",
        principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
    });
    
    import pulumi
    import pulumi_azure as azure
    
    current = azure.core.get_client_config()
    example = azure.core.ResourceGroup("example",
        name="example-resources",
        location="West Europe")
    example_key_vault = azure.keyvault.KeyVault("example",
        name="des-example-keyvault",
        location=example.location,
        resource_group_name=example.name,
        tenant_id=current.tenant_id,
        sku_name="premium",
        enabled_for_disk_encryption=True,
        purge_protection_enabled=True)
    example_key = azure.keyvault.Key("example",
        name="des-example-key",
        key_vault_id=example_key_vault.id,
        key_type="RSA",
        key_size=2048,
        key_opts=[
            "decrypt",
            "encrypt",
            "sign",
            "unwrapKey",
            "verify",
            "wrapKey",
        ])
    example_disk_encryption_set = azure.compute.DiskEncryptionSet("example",
        name="des",
        resource_group_name=example.name,
        location=example.location,
        key_vault_key_id=example_key.id,
        identity=azure.compute.DiskEncryptionSetIdentityArgs(
            type="SystemAssigned",
        ))
    example_disk = azure.keyvault.AccessPolicy("example-disk",
        key_vault_id=example_key_vault.id,
        tenant_id=example_disk_encryption_set.identity.tenant_id,
        object_id=example_disk_encryption_set.identity.principal_id,
        key_permissions=[
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
        ])
    example_user = azure.keyvault.AccessPolicy("example-user",
        key_vault_id=example_key_vault.id,
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=[
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
            "GetRotationPolicy",
        ])
    example_disk_assignment = azure.authorization.Assignment("example-disk",
        scope=example_key_vault.id,
        role_definition_name="Key Vault Crypto Service Encryption User",
        principal_id=example_disk_encryption_set.identity.principal_id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/compute"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-resources"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
    			Name:                     pulumi.String("des-example-keyvault"),
    			Location:                 example.Location,
    			ResourceGroupName:        example.Name,
    			TenantId:                 pulumi.String(current.TenantId),
    			SkuName:                  pulumi.String("premium"),
    			EnabledForDiskEncryption: pulumi.Bool(true),
    			PurgeProtectionEnabled:   pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		exampleKey, err := keyvault.NewKey(ctx, "example", &keyvault.KeyArgs{
    			Name:       pulumi.String("des-example-key"),
    			KeyVaultId: exampleKeyVault.ID(),
    			KeyType:    pulumi.String("RSA"),
    			KeySize:    pulumi.Int(2048),
    			KeyOpts: pulumi.StringArray{
    				pulumi.String("decrypt"),
    				pulumi.String("encrypt"),
    				pulumi.String("sign"),
    				pulumi.String("unwrapKey"),
    				pulumi.String("verify"),
    				pulumi.String("wrapKey"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "example", &compute.DiskEncryptionSetArgs{
    			Name:              pulumi.String("des"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    			KeyVaultKeyId:     exampleKey.ID(),
    			Identity: &compute.DiskEncryptionSetIdentityArgs{
    				Type: pulumi.String("SystemAssigned"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = keyvault.NewAccessPolicy(ctx, "example-disk", &keyvault.AccessPolicyArgs{
    			KeyVaultId: exampleKeyVault.ID(),
    			TenantId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
    				return &identity.TenantId, nil
    			}).(pulumi.StringPtrOutput),
    			ObjectId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
    				return &identity.PrincipalId, nil
    			}).(pulumi.StringPtrOutput),
    			KeyPermissions: pulumi.StringArray{
    				pulumi.String("Create"),
    				pulumi.String("Delete"),
    				pulumi.String("Get"),
    				pulumi.String("Purge"),
    				pulumi.String("Recover"),
    				pulumi.String("Update"),
    				pulumi.String("List"),
    				pulumi.String("Decrypt"),
    				pulumi.String("Sign"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
    			KeyVaultId: exampleKeyVault.ID(),
    			TenantId:   pulumi.String(current.TenantId),
    			ObjectId:   pulumi.String(current.ObjectId),
    			KeyPermissions: pulumi.StringArray{
    				pulumi.String("Create"),
    				pulumi.String("Delete"),
    				pulumi.String("Get"),
    				pulumi.String("Purge"),
    				pulumi.String("Recover"),
    				pulumi.String("Update"),
    				pulumi.String("List"),
    				pulumi.String("Decrypt"),
    				pulumi.String("Sign"),
    				pulumi.String("GetRotationPolicy"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewAssignment(ctx, "example-disk", &authorization.AssignmentArgs{
    			Scope:              exampleKeyVault.ID(),
    			RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
    			PrincipalId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
    				return &identity.PrincipalId, nil
    			}).(pulumi.StringPtrOutput),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var current = Azure.Core.GetClientConfig.Invoke();
    
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-resources",
            Location = "West Europe",
        });
    
        var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
        {
            Name = "des-example-keyvault",
            Location = example.Location,
            ResourceGroupName = example.Name,
            TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
            SkuName = "premium",
            EnabledForDiskEncryption = true,
            PurgeProtectionEnabled = true,
        });
    
        var exampleKey = new Azure.KeyVault.Key("example", new()
        {
            Name = "des-example-key",
            KeyVaultId = exampleKeyVault.Id,
            KeyType = "RSA",
            KeySize = 2048,
            KeyOpts = new[]
            {
                "decrypt",
                "encrypt",
                "sign",
                "unwrapKey",
                "verify",
                "wrapKey",
            },
        });
    
        var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("example", new()
        {
            Name = "des",
            ResourceGroupName = example.Name,
            Location = example.Location,
            KeyVaultKeyId = exampleKey.Id,
            Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
            {
                Type = "SystemAssigned",
            },
        });
    
        var example_disk = new Azure.KeyVault.AccessPolicy("example-disk", new()
        {
            KeyVaultId = exampleKeyVault.Id,
            TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
            ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
            KeyPermissions = new[]
            {
                "Create",
                "Delete",
                "Get",
                "Purge",
                "Recover",
                "Update",
                "List",
                "Decrypt",
                "Sign",
            },
        });
    
        var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
        {
            KeyVaultId = exampleKeyVault.Id,
            TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
            ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
            KeyPermissions = new[]
            {
                "Create",
                "Delete",
                "Get",
                "Purge",
                "Recover",
                "Update",
                "List",
                "Decrypt",
                "Sign",
                "GetRotationPolicy",
            },
        });
    
        var example_diskAssignment = new Azure.Authorization.Assignment("example-disk", new()
        {
            Scope = exampleKeyVault.Id,
            RoleDefinitionName = "Key Vault Crypto Service Encryption User",
            PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.keyvault.KeyVault;
    import com.pulumi.azure.keyvault.KeyVaultArgs;
    import com.pulumi.azure.keyvault.Key;
    import com.pulumi.azure.keyvault.KeyArgs;
    import com.pulumi.azure.compute.DiskEncryptionSet;
    import com.pulumi.azure.compute.DiskEncryptionSetArgs;
    import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
    import com.pulumi.azure.keyvault.AccessPolicy;
    import com.pulumi.azure.keyvault.AccessPolicyArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = CoreFunctions.getClientConfig();
    
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()        
                .name("example-resources")
                .location("West Europe")
                .build());
    
            var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()        
                .name("des-example-keyvault")
                .location(example.location())
                .resourceGroupName(example.name())
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .skuName("premium")
                .enabledForDiskEncryption(true)
                .purgeProtectionEnabled(true)
                .build());
    
            var exampleKey = new Key("exampleKey", KeyArgs.builder()        
                .name("des-example-key")
                .keyVaultId(exampleKeyVault.id())
                .keyType("RSA")
                .keySize(2048)
                .keyOpts(            
                    "decrypt",
                    "encrypt",
                    "sign",
                    "unwrapKey",
                    "verify",
                    "wrapKey")
                .build());
    
            var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()        
                .name("des")
                .resourceGroupName(example.name())
                .location(example.location())
                .keyVaultKeyId(exampleKey.id())
                .identity(DiskEncryptionSetIdentityArgs.builder()
                    .type("SystemAssigned")
                    .build())
                .build());
    
            var example_disk = new AccessPolicy("example-disk", AccessPolicyArgs.builder()        
                .keyVaultId(exampleKeyVault.id())
                .tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
                .objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
                .keyPermissions(            
                    "Create",
                    "Delete",
                    "Get",
                    "Purge",
                    "Recover",
                    "Update",
                    "List",
                    "Decrypt",
                    "Sign")
                .build());
    
            var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()        
                .keyVaultId(exampleKeyVault.id())
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .keyPermissions(            
                    "Create",
                    "Delete",
                    "Get",
                    "Purge",
                    "Recover",
                    "Update",
                    "List",
                    "Decrypt",
                    "Sign",
                    "GetRotationPolicy")
                .build());
    
            var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()        
                .scope(exampleKeyVault.id())
                .roleDefinitionName("Key Vault Crypto Service Encryption User")
                .principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
                .build());
    
        }
    }
    
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-resources
          location: West Europe
      exampleKeyVault:
        type: azure:keyvault:KeyVault
        name: example
        properties:
          name: des-example-keyvault
          location: ${example.location}
          resourceGroupName: ${example.name}
          tenantId: ${current.tenantId}
          skuName: premium
          enabledForDiskEncryption: true
          purgeProtectionEnabled: true
      exampleKey:
        type: azure:keyvault:Key
        name: example
        properties:
          name: des-example-key
          keyVaultId: ${exampleKeyVault.id}
          keyType: RSA
          keySize: 2048
          keyOpts:
            - decrypt
            - encrypt
            - sign
            - unwrapKey
            - verify
            - wrapKey
      exampleDiskEncryptionSet:
        type: azure:compute:DiskEncryptionSet
        name: example
        properties:
          name: des
          resourceGroupName: ${example.name}
          location: ${example.location}
          keyVaultKeyId: ${exampleKey.id}
          identity:
            type: SystemAssigned
      example-disk:
        type: azure:keyvault:AccessPolicy
        properties:
          keyVaultId: ${exampleKeyVault.id}
          tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
          objectId: ${exampleDiskEncryptionSet.identity.principalId}
          keyPermissions:
            - Create
            - Delete
            - Get
            - Purge
            - Recover
            - Update
            - List
            - Decrypt
            - Sign
      example-user:
        type: azure:keyvault:AccessPolicy
        properties:
          keyVaultId: ${exampleKeyVault.id}
          tenantId: ${current.tenantId}
          objectId: ${current.objectId}
          keyPermissions:
            - Create
            - Delete
            - Get
            - Purge
            - Recover
            - Update
            - List
            - Decrypt
            - Sign
            - GetRotationPolicy
      example-diskAssignment:
        type: azure:authorization:Assignment
        name: example-disk
        properties:
          scope: ${exampleKeyVault.id}
          roleDefinitionName: Key Vault Crypto Service Encryption User
          principalId: ${exampleDiskEncryptionSet.identity.principalId}
    variables:
      current:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
    

    With Automatic Key Rotation Enabled

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    const current = azure.core.getClientConfig({});
    const example = new azure.core.ResourceGroup("example", {
        name: "example-resources",
        location: "West Europe",
    });
    const exampleKeyVault = new azure.keyvault.KeyVault("example", {
        name: "des-example-keyvault",
        location: example.location,
        resourceGroupName: example.name,
        tenantId: current.then(current => current.tenantId),
        skuName: "premium",
        enabledForDiskEncryption: true,
        purgeProtectionEnabled: true,
    });
    const exampleKey = new azure.keyvault.Key("example", {
        name: "des-example-key",
        keyVaultId: exampleKeyVault.id,
        keyType: "RSA",
        keySize: 2048,
        keyOpts: [
            "decrypt",
            "encrypt",
            "sign",
            "unwrapKey",
            "verify",
            "wrapKey",
        ],
    });
    const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
        name: "des",
        resourceGroupName: example.name,
        location: example.location,
        keyVaultKeyId: exampleKey.versionlessId,
        autoKeyRotationEnabled: true,
        identity: {
            type: "SystemAssigned",
        },
    });
    const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
        keyVaultId: exampleKeyVault.id,
        tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
        objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
        keyPermissions: [
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
        ],
    });
    const example_user = new azure.keyvault.AccessPolicy("example-user", {
        keyVaultId: exampleKeyVault.id,
        tenantId: current.then(current => current.tenantId),
        objectId: current.then(current => current.objectId),
        keyPermissions: [
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
            "GetRotationPolicy",
        ],
    });
    const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
        scope: exampleKeyVault.id,
        roleDefinitionName: "Key Vault Crypto Service Encryption User",
        principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
    });
    
    import pulumi
    import pulumi_azure as azure
    
    current = azure.core.get_client_config()
    example = azure.core.ResourceGroup("example",
        name="example-resources",
        location="West Europe")
    example_key_vault = azure.keyvault.KeyVault("example",
        name="des-example-keyvault",
        location=example.location,
        resource_group_name=example.name,
        tenant_id=current.tenant_id,
        sku_name="premium",
        enabled_for_disk_encryption=True,
        purge_protection_enabled=True)
    example_key = azure.keyvault.Key("example",
        name="des-example-key",
        key_vault_id=example_key_vault.id,
        key_type="RSA",
        key_size=2048,
        key_opts=[
            "decrypt",
            "encrypt",
            "sign",
            "unwrapKey",
            "verify",
            "wrapKey",
        ])
    example_disk_encryption_set = azure.compute.DiskEncryptionSet("example",
        name="des",
        resource_group_name=example.name,
        location=example.location,
        key_vault_key_id=example_key.versionless_id,
        auto_key_rotation_enabled=True,
        identity=azure.compute.DiskEncryptionSetIdentityArgs(
            type="SystemAssigned",
        ))
    example_disk = azure.keyvault.AccessPolicy("example-disk",
        key_vault_id=example_key_vault.id,
        tenant_id=example_disk_encryption_set.identity.tenant_id,
        object_id=example_disk_encryption_set.identity.principal_id,
        key_permissions=[
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
        ])
    example_user = azure.keyvault.AccessPolicy("example-user",
        key_vault_id=example_key_vault.id,
        tenant_id=current.tenant_id,
        object_id=current.object_id,
        key_permissions=[
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
            "GetRotationPolicy",
        ])
    example_disk_assignment = azure.authorization.Assignment("example-disk",
        scope=example_key_vault.id,
        role_definition_name="Key Vault Crypto Service Encryption User",
        principal_id=example_disk_encryption_set.identity.principal_id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/compute"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := core.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-resources"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
    			Name:                     pulumi.String("des-example-keyvault"),
    			Location:                 example.Location,
    			ResourceGroupName:        example.Name,
    			TenantId:                 pulumi.String(current.TenantId),
    			SkuName:                  pulumi.String("premium"),
    			EnabledForDiskEncryption: pulumi.Bool(true),
    			PurgeProtectionEnabled:   pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		exampleKey, err := keyvault.NewKey(ctx, "example", &keyvault.KeyArgs{
    			Name:       pulumi.String("des-example-key"),
    			KeyVaultId: exampleKeyVault.ID(),
    			KeyType:    pulumi.String("RSA"),
    			KeySize:    pulumi.Int(2048),
    			KeyOpts: pulumi.StringArray{
    				pulumi.String("decrypt"),
    				pulumi.String("encrypt"),
    				pulumi.String("sign"),
    				pulumi.String("unwrapKey"),
    				pulumi.String("verify"),
    				pulumi.String("wrapKey"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "example", &compute.DiskEncryptionSetArgs{
    			Name:                   pulumi.String("des"),
    			ResourceGroupName:      example.Name,
    			Location:               example.Location,
    			KeyVaultKeyId:          exampleKey.VersionlessId,
    			AutoKeyRotationEnabled: pulumi.Bool(true),
    			Identity: &compute.DiskEncryptionSetIdentityArgs{
    				Type: pulumi.String("SystemAssigned"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = keyvault.NewAccessPolicy(ctx, "example-disk", &keyvault.AccessPolicyArgs{
    			KeyVaultId: exampleKeyVault.ID(),
    			TenantId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
    				return &identity.TenantId, nil
    			}).(pulumi.StringPtrOutput),
    			ObjectId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
    				return &identity.PrincipalId, nil
    			}).(pulumi.StringPtrOutput),
    			KeyPermissions: pulumi.StringArray{
    				pulumi.String("Create"),
    				pulumi.String("Delete"),
    				pulumi.String("Get"),
    				pulumi.String("Purge"),
    				pulumi.String("Recover"),
    				pulumi.String("Update"),
    				pulumi.String("List"),
    				pulumi.String("Decrypt"),
    				pulumi.String("Sign"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
    			KeyVaultId: exampleKeyVault.ID(),
    			TenantId:   pulumi.String(current.TenantId),
    			ObjectId:   pulumi.String(current.ObjectId),
    			KeyPermissions: pulumi.StringArray{
    				pulumi.String("Create"),
    				pulumi.String("Delete"),
    				pulumi.String("Get"),
    				pulumi.String("Purge"),
    				pulumi.String("Recover"),
    				pulumi.String("Update"),
    				pulumi.String("List"),
    				pulumi.String("Decrypt"),
    				pulumi.String("Sign"),
    				pulumi.String("GetRotationPolicy"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = authorization.NewAssignment(ctx, "example-disk", &authorization.AssignmentArgs{
    			Scope:              exampleKeyVault.ID(),
    			RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
    			PrincipalId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
    				return &identity.PrincipalId, nil
    			}).(pulumi.StringPtrOutput),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var current = Azure.Core.GetClientConfig.Invoke();
    
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-resources",
            Location = "West Europe",
        });
    
        var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
        {
            Name = "des-example-keyvault",
            Location = example.Location,
            ResourceGroupName = example.Name,
            TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
            SkuName = "premium",
            EnabledForDiskEncryption = true,
            PurgeProtectionEnabled = true,
        });
    
        var exampleKey = new Azure.KeyVault.Key("example", new()
        {
            Name = "des-example-key",
            KeyVaultId = exampleKeyVault.Id,
            KeyType = "RSA",
            KeySize = 2048,
            KeyOpts = new[]
            {
                "decrypt",
                "encrypt",
                "sign",
                "unwrapKey",
                "verify",
                "wrapKey",
            },
        });
    
        var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("example", new()
        {
            Name = "des",
            ResourceGroupName = example.Name,
            Location = example.Location,
            KeyVaultKeyId = exampleKey.VersionlessId,
            AutoKeyRotationEnabled = true,
            Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
            {
                Type = "SystemAssigned",
            },
        });
    
        var example_disk = new Azure.KeyVault.AccessPolicy("example-disk", new()
        {
            KeyVaultId = exampleKeyVault.Id,
            TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
            ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
            KeyPermissions = new[]
            {
                "Create",
                "Delete",
                "Get",
                "Purge",
                "Recover",
                "Update",
                "List",
                "Decrypt",
                "Sign",
            },
        });
    
        var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
        {
            KeyVaultId = exampleKeyVault.Id,
            TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
            ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
            KeyPermissions = new[]
            {
                "Create",
                "Delete",
                "Get",
                "Purge",
                "Recover",
                "Update",
                "List",
                "Decrypt",
                "Sign",
                "GetRotationPolicy",
            },
        });
    
        var example_diskAssignment = new Azure.Authorization.Assignment("example-disk", new()
        {
            Scope = exampleKeyVault.Id,
            RoleDefinitionName = "Key Vault Crypto Service Encryption User",
            PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.CoreFunctions;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.keyvault.KeyVault;
    import com.pulumi.azure.keyvault.KeyVaultArgs;
    import com.pulumi.azure.keyvault.Key;
    import com.pulumi.azure.keyvault.KeyArgs;
    import com.pulumi.azure.compute.DiskEncryptionSet;
    import com.pulumi.azure.compute.DiskEncryptionSetArgs;
    import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
    import com.pulumi.azure.keyvault.AccessPolicy;
    import com.pulumi.azure.keyvault.AccessPolicyArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = CoreFunctions.getClientConfig();
    
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()        
                .name("example-resources")
                .location("West Europe")
                .build());
    
            var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()        
                .name("des-example-keyvault")
                .location(example.location())
                .resourceGroupName(example.name())
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .skuName("premium")
                .enabledForDiskEncryption(true)
                .purgeProtectionEnabled(true)
                .build());
    
            var exampleKey = new Key("exampleKey", KeyArgs.builder()        
                .name("des-example-key")
                .keyVaultId(exampleKeyVault.id())
                .keyType("RSA")
                .keySize(2048)
                .keyOpts(            
                    "decrypt",
                    "encrypt",
                    "sign",
                    "unwrapKey",
                    "verify",
                    "wrapKey")
                .build());
    
            var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()        
                .name("des")
                .resourceGroupName(example.name())
                .location(example.location())
                .keyVaultKeyId(exampleKey.versionlessId())
                .autoKeyRotationEnabled(true)
                .identity(DiskEncryptionSetIdentityArgs.builder()
                    .type("SystemAssigned")
                    .build())
                .build());
    
            var example_disk = new AccessPolicy("example-disk", AccessPolicyArgs.builder()        
                .keyVaultId(exampleKeyVault.id())
                .tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
                .objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
                .keyPermissions(            
                    "Create",
                    "Delete",
                    "Get",
                    "Purge",
                    "Recover",
                    "Update",
                    "List",
                    "Decrypt",
                    "Sign")
                .build());
    
            var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()        
                .keyVaultId(exampleKeyVault.id())
                .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
                .objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .keyPermissions(            
                    "Create",
                    "Delete",
                    "Get",
                    "Purge",
                    "Recover",
                    "Update",
                    "List",
                    "Decrypt",
                    "Sign",
                    "GetRotationPolicy")
                .build());
    
            var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()        
                .scope(exampleKeyVault.id())
                .roleDefinitionName("Key Vault Crypto Service Encryption User")
                .principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
                .build());
    
        }
    }
    
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-resources
          location: West Europe
      exampleKeyVault:
        type: azure:keyvault:KeyVault
        name: example
        properties:
          name: des-example-keyvault
          location: ${example.location}
          resourceGroupName: ${example.name}
          tenantId: ${current.tenantId}
          skuName: premium
          enabledForDiskEncryption: true
          purgeProtectionEnabled: true
      exampleKey:
        type: azure:keyvault:Key
        name: example
        properties:
          name: des-example-key
          keyVaultId: ${exampleKeyVault.id}
          keyType: RSA
          keySize: 2048
          keyOpts:
            - decrypt
            - encrypt
            - sign
            - unwrapKey
            - verify
            - wrapKey
      exampleDiskEncryptionSet:
        type: azure:compute:DiskEncryptionSet
        name: example
        properties:
          name: des
          resourceGroupName: ${example.name}
          location: ${example.location}
          keyVaultKeyId: ${exampleKey.versionlessId}
          autoKeyRotationEnabled: true
          identity:
            type: SystemAssigned
      example-disk:
        type: azure:keyvault:AccessPolicy
        properties:
          keyVaultId: ${exampleKeyVault.id}
          tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
          objectId: ${exampleDiskEncryptionSet.identity.principalId}
          keyPermissions:
            - Create
            - Delete
            - Get
            - Purge
            - Recover
            - Update
            - List
            - Decrypt
            - Sign
      example-user:
        type: azure:keyvault:AccessPolicy
        properties:
          keyVaultId: ${exampleKeyVault.id}
          tenantId: ${current.tenantId}
          objectId: ${current.objectId}
          keyPermissions:
            - Create
            - Delete
            - Get
            - Purge
            - Recover
            - Update
            - List
            - Decrypt
            - Sign
            - GetRotationPolicy
      example-diskAssignment:
        type: azure:authorization:Assignment
        name: example-disk
        properties:
          scope: ${exampleKeyVault.id}
          roleDefinitionName: Key Vault Crypto Service Encryption User
          principalId: ${exampleDiskEncryptionSet.identity.principalId}
    variables:
      current:
        fn::invoke:
          Function: azure:core:getClientConfig
          Arguments: {}
    

    Create DiskEncryptionSet Resource

    new DiskEncryptionSet(name: string, args: DiskEncryptionSetArgs, opts?: CustomResourceOptions);
    @overload
    def DiskEncryptionSet(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          auto_key_rotation_enabled: Optional[bool] = None,
                          encryption_type: Optional[str] = None,
                          federated_client_id: Optional[str] = None,
                          identity: Optional[DiskEncryptionSetIdentityArgs] = None,
                          key_vault_key_id: Optional[str] = None,
                          location: Optional[str] = None,
                          name: Optional[str] = None,
                          resource_group_name: Optional[str] = None,
                          tags: Optional[Mapping[str, str]] = None)
    @overload
    def DiskEncryptionSet(resource_name: str,
                          args: DiskEncryptionSetArgs,
                          opts: Optional[ResourceOptions] = None)
    func NewDiskEncryptionSet(ctx *Context, name string, args DiskEncryptionSetArgs, opts ...ResourceOption) (*DiskEncryptionSet, error)
    public DiskEncryptionSet(string name, DiskEncryptionSetArgs args, CustomResourceOptions? opts = null)
    public DiskEncryptionSet(String name, DiskEncryptionSetArgs args)
    public DiskEncryptionSet(String name, DiskEncryptionSetArgs args, CustomResourceOptions options)
    
    type: azure:compute:DiskEncryptionSet
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args DiskEncryptionSetArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args DiskEncryptionSetArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args DiskEncryptionSetArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args DiskEncryptionSetArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args DiskEncryptionSetArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    DiskEncryptionSet Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The DiskEncryptionSet resource accepts the following input properties:

    Identity DiskEncryptionSetIdentity
    An identity block as defined below.
    KeyVaultKeyId string

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    ResourceGroupName string
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    AutoKeyRotationEnabled bool
    EncryptionType string
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    FederatedClientId string
    Multi-tenant application client id to access key vault in a different tenant.
    Location string
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    Name string
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the Disk Encryption Set.
    Identity DiskEncryptionSetIdentityArgs
    An identity block as defined below.
    KeyVaultKeyId string

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    ResourceGroupName string
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    AutoKeyRotationEnabled bool
    EncryptionType string
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    FederatedClientId string
    Multi-tenant application client id to access key vault in a different tenant.
    Location string
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    Name string
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    Tags map[string]string
    A mapping of tags to assign to the Disk Encryption Set.
    identity DiskEncryptionSetIdentity
    An identity block as defined below.
    keyVaultKeyId String

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    resourceGroupName String
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    autoKeyRotationEnabled Boolean
    encryptionType String
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federatedClientId String
    Multi-tenant application client id to access key vault in a different tenant.
    location String
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name String
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    tags Map<String,String>
    A mapping of tags to assign to the Disk Encryption Set.
    identity DiskEncryptionSetIdentity
    An identity block as defined below.
    keyVaultKeyId string

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    resourceGroupName string
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    autoKeyRotationEnabled boolean
    encryptionType string
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federatedClientId string
    Multi-tenant application client id to access key vault in a different tenant.
    location string
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name string
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    tags {[key: string]: string}
    A mapping of tags to assign to the Disk Encryption Set.
    identity DiskEncryptionSetIdentityArgs
    An identity block as defined below.
    key_vault_key_id str

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    resource_group_name str
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    auto_key_rotation_enabled bool
    encryption_type str
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federated_client_id str
    Multi-tenant application client id to access key vault in a different tenant.
    location str
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name str
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    tags Mapping[str, str]
    A mapping of tags to assign to the Disk Encryption Set.
    identity Property Map
    An identity block as defined below.
    keyVaultKeyId String

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    resourceGroupName String
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    autoKeyRotationEnabled Boolean
    encryptionType String
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federatedClientId String
    Multi-tenant application client id to access key vault in a different tenant.
    location String
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name String
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    tags Map<String>
    A mapping of tags to assign to the Disk Encryption Set.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the DiskEncryptionSet resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    KeyVaultKeyUrl string
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    Id string
    The provider-assigned unique ID for this managed resource.
    KeyVaultKeyUrl string
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    id String
    The provider-assigned unique ID for this managed resource.
    keyVaultKeyUrl String
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    id string
    The provider-assigned unique ID for this managed resource.
    keyVaultKeyUrl string
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    id str
    The provider-assigned unique ID for this managed resource.
    key_vault_key_url str
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    id String
    The provider-assigned unique ID for this managed resource.
    keyVaultKeyUrl String
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.

    Look up Existing DiskEncryptionSet Resource

    Get an existing DiskEncryptionSet resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: DiskEncryptionSetState, opts?: CustomResourceOptions): DiskEncryptionSet
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            auto_key_rotation_enabled: Optional[bool] = None,
            encryption_type: Optional[str] = None,
            federated_client_id: Optional[str] = None,
            identity: Optional[DiskEncryptionSetIdentityArgs] = None,
            key_vault_key_id: Optional[str] = None,
            key_vault_key_url: Optional[str] = None,
            location: Optional[str] = None,
            name: Optional[str] = None,
            resource_group_name: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None) -> DiskEncryptionSet
    func GetDiskEncryptionSet(ctx *Context, name string, id IDInput, state *DiskEncryptionSetState, opts ...ResourceOption) (*DiskEncryptionSet, error)
    public static DiskEncryptionSet Get(string name, Input<string> id, DiskEncryptionSetState? state, CustomResourceOptions? opts = null)
    public static DiskEncryptionSet get(String name, Output<String> id, DiskEncryptionSetState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AutoKeyRotationEnabled bool
    EncryptionType string
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    FederatedClientId string
    Multi-tenant application client id to access key vault in a different tenant.
    Identity DiskEncryptionSetIdentity
    An identity block as defined below.
    KeyVaultKeyId string

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    KeyVaultKeyUrl string
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    Location string
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    Name string
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    ResourceGroupName string
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the Disk Encryption Set.
    AutoKeyRotationEnabled bool
    EncryptionType string
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    FederatedClientId string
    Multi-tenant application client id to access key vault in a different tenant.
    Identity DiskEncryptionSetIdentityArgs
    An identity block as defined below.
    KeyVaultKeyId string

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    KeyVaultKeyUrl string
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    Location string
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    Name string
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    ResourceGroupName string
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    Tags map[string]string
    A mapping of tags to assign to the Disk Encryption Set.
    autoKeyRotationEnabled Boolean
    encryptionType String
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federatedClientId String
    Multi-tenant application client id to access key vault in a different tenant.
    identity DiskEncryptionSetIdentity
    An identity block as defined below.
    keyVaultKeyId String

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    keyVaultKeyUrl String
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    location String
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name String
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    resourceGroupName String
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    tags Map<String,String>
    A mapping of tags to assign to the Disk Encryption Set.
    autoKeyRotationEnabled boolean
    encryptionType string
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federatedClientId string
    Multi-tenant application client id to access key vault in a different tenant.
    identity DiskEncryptionSetIdentity
    An identity block as defined below.
    keyVaultKeyId string

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    keyVaultKeyUrl string
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    location string
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name string
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    resourceGroupName string
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    tags {[key: string]: string}
    A mapping of tags to assign to the Disk Encryption Set.
    auto_key_rotation_enabled bool
    encryption_type str
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federated_client_id str
    Multi-tenant application client id to access key vault in a different tenant.
    identity DiskEncryptionSetIdentityArgs
    An identity block as defined below.
    key_vault_key_id str

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    key_vault_key_url str
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    location str
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name str
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    resource_group_name str
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    tags Mapping[str, str]
    A mapping of tags to assign to the Disk Encryption Set.
    autoKeyRotationEnabled Boolean
    encryptionType String
    The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
    federatedClientId String
    Multi-tenant application client id to access key vault in a different tenant.
    identity Property Map
    An identity block as defined below.
    keyVaultKeyId String

    Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

    NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.

    NOTE A KeyVault using enable_rbac_authorization requires to use azure.authorization.Assignment to assigne the role Key Vault Crypto Service Encryption User to this Disk Encryption Set. In this case, azure.keyvault.AccessPolicy is not needed.

    keyVaultKeyUrl String
    The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
    location String
    Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
    name String
    The name of the Disk Encryption Set. Changing this forces a new resource to be created.
    resourceGroupName String
    Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
    tags Map<String>
    A mapping of tags to assign to the Disk Encryption Set.

    Supporting Types

    DiskEncryptionSetIdentity, DiskEncryptionSetIdentityArgs

    Type string
    The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).
    IdentityIds List<string>

    A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

    NOTE: This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

    PrincipalId string
    The (Client) ID of the Service Principal.
    TenantId string
    The ID of the Tenant the Service Principal is assigned in.
    Type string
    The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).
    IdentityIds []string

    A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

    NOTE: This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

    PrincipalId string
    The (Client) ID of the Service Principal.
    TenantId string
    The ID of the Tenant the Service Principal is assigned in.
    type String
    The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).
    identityIds List<String>

    A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

    NOTE: This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

    principalId String
    The (Client) ID of the Service Principal.
    tenantId String
    The ID of the Tenant the Service Principal is assigned in.
    type string
    The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).
    identityIds string[]

    A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

    NOTE: This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

    principalId string
    The (Client) ID of the Service Principal.
    tenantId string
    The ID of the Tenant the Service Principal is assigned in.
    type str
    The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).
    identity_ids Sequence[str]

    A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

    NOTE: This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

    principal_id str
    The (Client) ID of the Service Principal.
    tenant_id str
    The ID of the Tenant the Service Principal is assigned in.
    type String
    The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).
    identityIds List<String>

    A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

    NOTE: This is required when type is set to UserAssigned or SystemAssigned, UserAssigned.

    principalId String
    The (Client) ID of the Service Principal.
    tenantId String
    The ID of the Tenant the Service Principal is assigned in.

    Import

    Disk Encryption Sets can be imported using the resource id, e.g.

    $ pulumi import azure:compute/diskEncryptionSet:DiskEncryptionSet example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1
    

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.
    azure logo

    We recommend using Azure Native.

    Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi