Docs
PackagesWe recommend using Azure Native.
azure.compute.DiskEncryptionSet
Explore with Pulumi AI
Manages a Disk Encryption Set.
NOTE: At this time the Key Vault used to store the Active Key for this Disk Encryption Set must have both Soft Delete & Purge Protection enabled - which are not yet supported by this provider.
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new()
{
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("exampleKeyVault", new()
{
Location = exampleResourceGroup.Location,
ResourceGroupName = exampleResourceGroup.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
EnabledForDiskEncryption = true,
PurgeProtectionEnabled = true,
});
var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
},
});
var exampleKey = new Azure.KeyVault.Key("exampleKey", new()
{
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts = new[]
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
}, new CustomResourceOptions
{
DependsOn = new[]
{
example_user,
},
});
var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("exampleDiskEncryptionSet", new()
{
ResourceGroupName = exampleResourceGroup.Name,
Location = exampleResourceGroup.Location,
KeyVaultKeyId = exampleKey.Id,
Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
{
Type = "SystemAssigned",
},
});
var example_diskAccessPolicy = new Azure.KeyVault.AccessPolicy("example-diskAccessPolicy", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
},
});
var example_diskAssignment = new Azure.Authorization.Assignment("example-diskAssignment", new()
{
Scope = exampleKeyVault.Id,
RoleDefinitionName = "Key Vault Crypto Service Encryption User",
PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
});
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/compute"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "exampleKeyVault", &keyvault.KeyVaultArgs{
Location: exampleResourceGroup.Location,
ResourceGroupName: exampleResourceGroup.Name,
TenantId: *pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
EnabledForDiskEncryption: pulumi.Bool(true),
PurgeProtectionEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: *pulumi.String(current.TenantId),
ObjectId: *pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
pulumi.String("GetRotationPolicy"),
},
})
if err != nil {
return err
}
exampleKey, err := keyvault.NewKey(ctx, "exampleKey", &keyvault.KeyArgs{
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
}, pulumi.DependsOn([]pulumi.Resource{
example_user,
}))
if err != nil {
return err
}
exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "exampleDiskEncryptionSet", &compute.DiskEncryptionSetArgs{
ResourceGroupName: exampleResourceGroup.Name,
Location: exampleResourceGroup.Location,
KeyVaultKeyId: exampleKey.ID(),
Identity: &compute.DiskEncryptionSetIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-diskAccessPolicy", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.TenantId, nil
}).(pulumi.StringPtrOutput),
ObjectId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example-diskAssignment", &authorization.AssignmentArgs{
Scope: exampleKeyVault.ID(),
RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
PrincipalId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.compute.DiskEncryptionSet;
import com.pulumi.azure.compute.DiskEncryptionSetArgs;
import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.location(exampleResourceGroup.location())
.resourceGroupName(exampleResourceGroup.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.enabledForDiskEncryption(true)
.purgeProtectionEnabled(true)
.build());
var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy")
.build());
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.build(), CustomResourceOptions.builder()
.dependsOn(example_user)
.build());
var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()
.resourceGroupName(exampleResourceGroup.name())
.location(exampleResourceGroup.location())
.keyVaultKeyId(exampleKey.id())
.identity(DiskEncryptionSetIdentityArgs.builder()
.type("SystemAssigned")
.build())
.build());
var example_diskAccessPolicy = new AccessPolicy("example-diskAccessPolicy", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
.objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign")
.build());
var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()
.scope(exampleKeyVault.id())
.roleDefinitionName("Key Vault Crypto Service Encryption User")
.principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.build());
}
}
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
location=example_resource_group.location,
resource_group_name=example_resource_group.name,
tenant_id=current.tenant_id,
sku_name="premium",
enabled_for_disk_encryption=True,
purge_protection_enabled=True)
example_user = azure.keyvault.AccessPolicy("example-user",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
])
example_key = azure.keyvault.Key("exampleKey",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
opts=pulumi.ResourceOptions(depends_on=[example_user]))
example_disk_encryption_set = azure.compute.DiskEncryptionSet("exampleDiskEncryptionSet",
resource_group_name=example_resource_group.name,
location=example_resource_group.location,
key_vault_key_id=example_key.id,
identity=azure.compute.DiskEncryptionSetIdentityArgs(
type="SystemAssigned",
))
example_disk_access_policy = azure.keyvault.AccessPolicy("example-diskAccessPolicy",
key_vault_id=example_key_vault.id,
tenant_id=example_disk_encryption_set.identity.tenant_id,
object_id=example_disk_encryption_set.identity.principal_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
])
example_disk_assignment = azure.authorization.Assignment("example-diskAssignment",
scope=example_key_vault.id,
role_definition_name="Key Vault Crypto Service Encryption User",
principal_id=example_disk_encryption_set.identity.principal_id)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
location: exampleResourceGroup.location,
resourceGroupName: exampleResourceGroup.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
enabledForDiskEncryption: true,
purgeProtectionEnabled: true,
});
const example_user = new azure.keyvault.AccessPolicy("example-user", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
],
});
const exampleKey = new azure.keyvault.Key("exampleKey", {
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
}, {
dependsOn: [example_user],
});
const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("exampleDiskEncryptionSet", {
resourceGroupName: exampleResourceGroup.name,
location: exampleResourceGroup.location,
keyVaultKeyId: exampleKey.id,
identity: {
type: "SystemAssigned",
},
});
const example_diskAccessPolicy = new azure.keyvault.AccessPolicy("example-diskAccessPolicy", {
keyVaultId: exampleKeyVault.id,
tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
],
});
const example_diskAssignment = new azure.authorization.Assignment("example-diskAssignment", {
scope: exampleKeyVault.id,
roleDefinitionName: "Key Vault Crypto Service Encryption User",
principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
});
resources:
exampleResourceGroup:
type: azure:core:ResourceGroup
properties:
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
properties:
location: ${exampleResourceGroup.location}
resourceGroupName: ${exampleResourceGroup.name}
tenantId: ${current.tenantId}
skuName: premium
enabledForDiskEncryption: true
purgeProtectionEnabled: true
exampleKey:
type: azure:keyvault:Key
properties:
keyVaultId: ${exampleKeyVault.id}
keyType: RSA
keySize: 2048
keyOpts:
- decrypt
- encrypt
- sign
- unwrapKey
- verify
- wrapKey
options:
dependson:
- ${["example-user"]}
exampleDiskEncryptionSet:
type: azure:compute:DiskEncryptionSet
properties:
resourceGroupName: ${exampleResourceGroup.name}
location: ${exampleResourceGroup.location}
keyVaultKeyId: ${exampleKey.id}
identity:
type: SystemAssigned
example-diskAccessPolicy:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
objectId: ${exampleDiskEncryptionSet.identity.principalId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
example-user:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
- GetRotationPolicy
example-diskAssignment:
type: azure:authorization:Assignment
properties:
scope: ${exampleKeyVault.id}
roleDefinitionName: Key Vault Crypto Service Encryption User
principalId: ${exampleDiskEncryptionSet.identity.principalId}
variables:
current:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}
With Automatic Key Rotation Enabled
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new()
{
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("exampleKeyVault", new()
{
Location = exampleResourceGroup.Location,
ResourceGroupName = exampleResourceGroup.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
EnabledForDiskEncryption = true,
PurgeProtectionEnabled = true,
});
var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
},
});
var exampleKey = new Azure.KeyVault.Key("exampleKey", new()
{
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts = new[]
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
}, new CustomResourceOptions
{
DependsOn = new[]
{
example_user,
},
});
var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("exampleDiskEncryptionSet", new()
{
ResourceGroupName = exampleResourceGroup.Name,
Location = exampleResourceGroup.Location,
KeyVaultKeyId = exampleKey.VersionlessId,
AutoKeyRotationEnabled = true,
Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
{
Type = "SystemAssigned",
},
});
var example_diskAccessPolicy = new Azure.KeyVault.AccessPolicy("example-diskAccessPolicy", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
},
});
var example_diskAssignment = new Azure.Authorization.Assignment("example-diskAssignment", new()
{
Scope = exampleKeyVault.Id,
RoleDefinitionName = "Key Vault Crypto Service Encryption User",
PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
});
});
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/compute"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "exampleKeyVault", &keyvault.KeyVaultArgs{
Location: exampleResourceGroup.Location,
ResourceGroupName: exampleResourceGroup.Name,
TenantId: *pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
EnabledForDiskEncryption: pulumi.Bool(true),
PurgeProtectionEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: *pulumi.String(current.TenantId),
ObjectId: *pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
pulumi.String("GetRotationPolicy"),
},
})
if err != nil {
return err
}
exampleKey, err := keyvault.NewKey(ctx, "exampleKey", &keyvault.KeyArgs{
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
}, pulumi.DependsOn([]pulumi.Resource{
example_user,
}))
if err != nil {
return err
}
exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "exampleDiskEncryptionSet", &compute.DiskEncryptionSetArgs{
ResourceGroupName: exampleResourceGroup.Name,
Location: exampleResourceGroup.Location,
KeyVaultKeyId: exampleKey.VersionlessId,
AutoKeyRotationEnabled: pulumi.Bool(true),
Identity: &compute.DiskEncryptionSetIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-diskAccessPolicy", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.TenantId, nil
}).(pulumi.StringPtrOutput),
ObjectId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example-diskAssignment", &authorization.AssignmentArgs{
Scope: exampleKeyVault.ID(),
RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
PrincipalId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.compute.DiskEncryptionSet;
import com.pulumi.azure.compute.DiskEncryptionSetArgs;
import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.location(exampleResourceGroup.location())
.resourceGroupName(exampleResourceGroup.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.enabledForDiskEncryption(true)
.purgeProtectionEnabled(true)
.build());
var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy")
.build());
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.build(), CustomResourceOptions.builder()
.dependsOn(example_user)
.build());
var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()
.resourceGroupName(exampleResourceGroup.name())
.location(exampleResourceGroup.location())
.keyVaultKeyId(exampleKey.versionlessId())
.autoKeyRotationEnabled(true)
.identity(DiskEncryptionSetIdentityArgs.builder()
.type("SystemAssigned")
.build())
.build());
var example_diskAccessPolicy = new AccessPolicy("example-diskAccessPolicy", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
.objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign")
.build());
var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()
.scope(exampleKeyVault.id())
.roleDefinitionName("Key Vault Crypto Service Encryption User")
.principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.build());
}
}
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
location=example_resource_group.location,
resource_group_name=example_resource_group.name,
tenant_id=current.tenant_id,
sku_name="premium",
enabled_for_disk_encryption=True,
purge_protection_enabled=True)
example_user = azure.keyvault.AccessPolicy("example-user",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
])
example_key = azure.keyvault.Key("exampleKey",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
opts=pulumi.ResourceOptions(depends_on=[example_user]))
example_disk_encryption_set = azure.compute.DiskEncryptionSet("exampleDiskEncryptionSet",
resource_group_name=example_resource_group.name,
location=example_resource_group.location,
key_vault_key_id=example_key.versionless_id,
auto_key_rotation_enabled=True,
identity=azure.compute.DiskEncryptionSetIdentityArgs(
type="SystemAssigned",
))
example_disk_access_policy = azure.keyvault.AccessPolicy("example-diskAccessPolicy",
key_vault_id=example_key_vault.id,
tenant_id=example_disk_encryption_set.identity.tenant_id,
object_id=example_disk_encryption_set.identity.principal_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
])
example_disk_assignment = azure.authorization.Assignment("example-diskAssignment",
scope=example_key_vault.id,
role_definition_name="Key Vault Crypto Service Encryption User",
principal_id=example_disk_encryption_set.identity.principal_id)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
location: exampleResourceGroup.location,
resourceGroupName: exampleResourceGroup.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
enabledForDiskEncryption: true,
purgeProtectionEnabled: true,
});
const example_user = new azure.keyvault.AccessPolicy("example-user", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
],
});
const exampleKey = new azure.keyvault.Key("exampleKey", {
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
}, {
dependsOn: [example_user],
});
const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("exampleDiskEncryptionSet", {
resourceGroupName: exampleResourceGroup.name,
location: exampleResourceGroup.location,
keyVaultKeyId: exampleKey.versionlessId,
autoKeyRotationEnabled: true,
identity: {
type: "SystemAssigned",
},
});
const example_diskAccessPolicy = new azure.keyvault.AccessPolicy("example-diskAccessPolicy", {
keyVaultId: exampleKeyVault.id,
tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
],
});
const example_diskAssignment = new azure.authorization.Assignment("example-diskAssignment", {
scope: exampleKeyVault.id,
roleDefinitionName: "Key Vault Crypto Service Encryption User",
principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
});
resources:
exampleResourceGroup:
type: azure:core:ResourceGroup
properties:
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
properties:
location: ${exampleResourceGroup.location}
resourceGroupName: ${exampleResourceGroup.name}
tenantId: ${current.tenantId}
skuName: premium
enabledForDiskEncryption: true
purgeProtectionEnabled: true
exampleKey:
type: azure:keyvault:Key
properties:
keyVaultId: ${exampleKeyVault.id}
keyType: RSA
keySize: 2048
keyOpts:
- decrypt
- encrypt
- sign
- unwrapKey
- verify
- wrapKey
options:
dependson:
- ${["example-user"]}
exampleDiskEncryptionSet:
type: azure:compute:DiskEncryptionSet
properties:
resourceGroupName: ${exampleResourceGroup.name}
location: ${exampleResourceGroup.location}
keyVaultKeyId: ${exampleKey.versionlessId}
autoKeyRotationEnabled: true
identity:
type: SystemAssigned
example-diskAccessPolicy:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
objectId: ${exampleDiskEncryptionSet.identity.principalId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
example-user:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
- GetRotationPolicy
example-diskAssignment:
type: azure:authorization:Assignment
properties:
scope: ${exampleKeyVault.id}
roleDefinitionName: Key Vault Crypto Service Encryption User
principalId: ${exampleDiskEncryptionSet.identity.principalId}
variables:
current:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}
Create DiskEncryptionSet Resource
new DiskEncryptionSet(name: string, args: DiskEncryptionSetArgs, opts?: CustomResourceOptions);@overload
def DiskEncryptionSet(resource_name: str,
opts: Optional[ResourceOptions] = None,
auto_key_rotation_enabled: Optional[bool] = None,
encryption_type: Optional[str] = None,
federated_client_id: Optional[str] = None,
identity: Optional[DiskEncryptionSetIdentityArgs] = None,
key_vault_key_id: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
resource_group_name: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None)
@overload
def DiskEncryptionSet(resource_name: str,
args: DiskEncryptionSetArgs,
opts: Optional[ResourceOptions] = None)func NewDiskEncryptionSet(ctx *Context, name string, args DiskEncryptionSetArgs, opts ...ResourceOption) (*DiskEncryptionSet, error)public DiskEncryptionSet(string name, DiskEncryptionSetArgs args, CustomResourceOptions? opts = null)
public DiskEncryptionSet(String name, DiskEncryptionSetArgs args)
public DiskEncryptionSet(String name, DiskEncryptionSetArgs args, CustomResourceOptions options)
type: azure:compute:DiskEncryptionSet
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args DiskEncryptionSetArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
DiskEncryptionSet Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The DiskEncryptionSet resource accepts the following input properties:
- Identity
Disk
Encryption Set Identity An
identityblock as defined below.- Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Resource
Group stringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Auto
Key boolRotation Enabled - Encryption
Type string The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- Federated
Client stringId Multi-tenant application client id to access key vault in a different tenant.
- Location string
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Name string
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Dictionary<string, string>
A mapping of tags to assign to the Disk Encryption Set.
- Identity
Disk
Encryption Set Identity Args An
identityblock as defined below.- Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Resource
Group stringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Auto
Key boolRotation Enabled - Encryption
Type string The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- Federated
Client stringId Multi-tenant application client id to access key vault in a different tenant.
- Location string
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Name string
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- map[string]string
A mapping of tags to assign to the Disk Encryption Set.
- identity
Disk
Encryption Set Identity An
identityblock as defined below.- key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- resource
Group StringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto
Key BooleanRotation Enabled - encryption
Type String The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated
Client StringId Multi-tenant application client id to access key vault in a different tenant.
- location String
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name String
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Map<String,String>
A mapping of tags to assign to the Disk Encryption Set.
- identity
Disk
Encryption Set Identity An
identityblock as defined below.- key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- resource
Group stringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto
Key booleanRotation Enabled - encryption
Type string The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated
Client stringId Multi-tenant application client id to access key vault in a different tenant.
- location string
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name string
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- {[key: string]: string}
A mapping of tags to assign to the Disk Encryption Set.
- identity
Disk
Encryption Set Identity Args An
identityblock as defined below.- key_
vault_ strkey_ id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- resource_
group_ strname Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto_
key_ boolrotation_ enabled - encryption_
type str The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated_
client_ strid Multi-tenant application client id to access key vault in a different tenant.
- location str
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name str
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Mapping[str, str]
A mapping of tags to assign to the Disk Encryption Set.
- identity Property Map
An
identityblock as defined below.- key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- resource
Group StringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- auto
Key BooleanRotation Enabled - encryption
Type String The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated
Client StringId Multi-tenant application client id to access key vault in a different tenant.
- location String
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name String
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Map<String>
A mapping of tags to assign to the Disk Encryption Set.
Outputs
All input properties are implicitly available as output properties. Additionally, the DiskEncryptionSet resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Key
Vault stringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- Id string
The provider-assigned unique ID for this managed resource.
- Key
Vault stringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id String
The provider-assigned unique ID for this managed resource.
- key
Vault StringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id string
The provider-assigned unique ID for this managed resource.
- key
Vault stringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id str
The provider-assigned unique ID for this managed resource.
- key_
vault_ strkey_ url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- id String
The provider-assigned unique ID for this managed resource.
- key
Vault StringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
Look up Existing DiskEncryptionSet Resource
Get an existing DiskEncryptionSet resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: DiskEncryptionSetState, opts?: CustomResourceOptions): DiskEncryptionSet@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
auto_key_rotation_enabled: Optional[bool] = None,
encryption_type: Optional[str] = None,
federated_client_id: Optional[str] = None,
identity: Optional[DiskEncryptionSetIdentityArgs] = None,
key_vault_key_id: Optional[str] = None,
key_vault_key_url: Optional[str] = None,
location: Optional[str] = None,
name: Optional[str] = None,
resource_group_name: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None) -> DiskEncryptionSetfunc GetDiskEncryptionSet(ctx *Context, name string, id IDInput, state *DiskEncryptionSetState, opts ...ResourceOption) (*DiskEncryptionSet, error)public static DiskEncryptionSet Get(string name, Input<string> id, DiskEncryptionSetState? state, CustomResourceOptions? opts = null)public static DiskEncryptionSet get(String name, Output<String> id, DiskEncryptionSetState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Auto
Key boolRotation Enabled - Encryption
Type string The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- Federated
Client stringId Multi-tenant application client id to access key vault in a different tenant.
- Identity
Disk
Encryption Set Identity An
identityblock as defined below.- Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Key
Vault stringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- Location string
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Name string
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Resource
Group stringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Dictionary<string, string>
A mapping of tags to assign to the Disk Encryption Set.
- Auto
Key boolRotation Enabled - Encryption
Type string The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- Federated
Client stringId Multi-tenant application client id to access key vault in a different tenant.
- Identity
Disk
Encryption Set Identity Args An
identityblock as defined below.- Key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- Key
Vault stringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- Location string
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- Name string
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- Resource
Group stringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- map[string]string
A mapping of tags to assign to the Disk Encryption Set.
- auto
Key BooleanRotation Enabled - encryption
Type String The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated
Client StringId Multi-tenant application client id to access key vault in a different tenant.
- identity
Disk
Encryption Set Identity An
identityblock as defined below.- key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key
Vault StringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location String
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name String
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource
Group StringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Map<String,String>
A mapping of tags to assign to the Disk Encryption Set.
- auto
Key booleanRotation Enabled - encryption
Type string The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated
Client stringId Multi-tenant application client id to access key vault in a different tenant.
- identity
Disk
Encryption Set Identity An
identityblock as defined below.- key
Vault stringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key
Vault stringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location string
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name string
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource
Group stringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- {[key: string]: string}
A mapping of tags to assign to the Disk Encryption Set.
- auto_
key_ boolrotation_ enabled - encryption_
type str The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated_
client_ strid Multi-tenant application client id to access key vault in a different tenant.
- identity
Disk
Encryption Set Identity Args An
identityblock as defined below.- key_
vault_ strkey_ id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key_
vault_ strkey_ url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location str
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name str
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource_
group_ strname Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Mapping[str, str]
A mapping of tags to assign to the Disk Encryption Set.
- auto
Key BooleanRotation Enabled - encryption
Type String The type of key used to encrypt the data of the disk. Possible values are
EncryptionAtRestWithCustomerKey,EncryptionAtRestWithPlatformAndCustomerKeysandConfidentialVmEncryptedWithCustomerKey. Defaults toEncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.- federated
Client StringId Multi-tenant application client id to access key vault in a different tenant.
- identity Property Map
An
identityblock as defined below.- key
Vault StringKey Id Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
NOTE Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of Server side encryption of Azure managed disks.
NOTE A KeyVault using enable_rbac_authorization requires to use
azure.authorization.Assignmentto assigne the roleKey Vault Crypto Service Encryption Userto this Disk Encryption Set. In this case,azure.keyvault.AccessPolicyis not needed.- key
Vault StringKey Url The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
- location String
Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.
- name String
The name of the Disk Encryption Set. Changing this forces a new resource to be created.
- resource
Group StringName Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.
- Map<String>
A mapping of tags to assign to the Disk Encryption Set.
Supporting Types
DiskEncryptionSetIdentity, DiskEncryptionSetIdentityArgs
- Type string
The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both).- Identity
Ids List<string> A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- Principal
Id string The (Client) ID of the Service Principal.
- Tenant
Id string The ID of the Tenant the Service Principal is assigned in.
- Type string
The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both).- Identity
Ids []string A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- Principal
Id string The (Client) ID of the Service Principal.
- Tenant
Id string The ID of the Tenant the Service Principal is assigned in.
- type String
The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both).- identity
Ids List<String> A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal
Id String The (Client) ID of the Service Principal.
- tenant
Id String The ID of the Tenant the Service Principal is assigned in.
- type string
The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both).- identity
Ids string[] A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal
Id string The (Client) ID of the Service Principal.
- tenant
Id string The ID of the Tenant the Service Principal is assigned in.
- type str
The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both).- identity_
ids Sequence[str] A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal_
id str The (Client) ID of the Service Principal.
- tenant_
id str The ID of the Tenant the Service Principal is assigned in.
- type String
The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are
SystemAssigned,UserAssigned,SystemAssigned, UserAssigned(to enable both).- identity
Ids List<String> A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.
NOTE: This is required when
typeis set toUserAssignedorSystemAssigned, UserAssigned.- principal
Id String The (Client) ID of the Service Principal.
- tenant
Id String The ID of the Tenant the Service Principal is assigned in.
Import
Disk Encryption Sets can be imported using the resource id, e.g.
$ pulumi import azure:compute/diskEncryptionSet:DiskEncryptionSet example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1
Package Details
- Repository
- Azure Classic pulumi/pulumi-azure
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
azurermTerraform Provider.