azure logo
Azure Classic v5.43.0, May 6 23

azure.compute.DiskEncryptionSet

Explore with Pulumi AI

Manages a Disk Encryption Set.

NOTE: At this time the Key Vault used to store the Active Key for this Disk Encryption Set must have both Soft Delete & Purge Protection enabled - which are not yet supported by this provider.

Example Usage

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() => 
{
    var current = Azure.Core.GetClientConfig.Invoke();

    var exampleResourceGroup = new Azure.Core.ResourceGroup("exampleResourceGroup", new()
    {
        Location = "West Europe",
    });

    var exampleKeyVault = new Azure.KeyVault.KeyVault("exampleKeyVault", new()
    {
        Location = exampleResourceGroup.Location,
        ResourceGroupName = exampleResourceGroup.Name,
        TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
        SkuName = "premium",
        EnabledForDiskEncryption = true,
        PurgeProtectionEnabled = true,
    });

    var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
    {
        KeyVaultId = exampleKeyVault.Id,
        TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
        ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        KeyPermissions = new[]
        {
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
            "GetRotationPolicy",
        },
    });

    var exampleKey = new Azure.KeyVault.Key("exampleKey", new()
    {
        KeyVaultId = exampleKeyVault.Id,
        KeyType = "RSA",
        KeySize = 2048,
        KeyOpts = new[]
        {
            "decrypt",
            "encrypt",
            "sign",
            "unwrapKey",
            "verify",
            "wrapKey",
        },
    }, new CustomResourceOptions
    {
        DependsOn = new[]
        {
            example_user,
        },
    });

    var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("exampleDiskEncryptionSet", new()
    {
        ResourceGroupName = exampleResourceGroup.Name,
        Location = exampleResourceGroup.Location,
        KeyVaultKeyId = exampleKey.Id,
        Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
        {
            Type = "SystemAssigned",
        },
    });

    var example_diskAccessPolicy = new Azure.KeyVault.AccessPolicy("example-diskAccessPolicy", new()
    {
        KeyVaultId = exampleKeyVault.Id,
        TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
        ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
        KeyPermissions = new[]
        {
            "Create",
            "Delete",
            "Get",
            "Purge",
            "Recover",
            "Update",
            "List",
            "Decrypt",
            "Sign",
        },
    });

    var example_diskAssignment = new Azure.Authorization.Assignment("example-diskAssignment", new()
    {
        Scope = exampleKeyVault.Id,
        RoleDefinitionName = "Key Vault Crypto Service Encryption User",
        PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
    });

});
package main

import (
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/compute"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := core.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleResourceGroup, err := core.NewResourceGroup(ctx, "exampleResourceGroup", &core.ResourceGroupArgs{
			Location: pulumi.String("West Europe"),
		})
		if err != nil {
			return err
		}
		exampleKeyVault, err := keyvault.NewKeyVault(ctx, "exampleKeyVault", &keyvault.KeyVaultArgs{
			Location:                 exampleResourceGroup.Location,
			ResourceGroupName:        exampleResourceGroup.Name,
			TenantId:                 *pulumi.String(current.TenantId),
			SkuName:                  pulumi.String("premium"),
			EnabledForDiskEncryption: pulumi.Bool(true),
			PurgeProtectionEnabled:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
			KeyVaultId: exampleKeyVault.ID(),
			TenantId:   *pulumi.String(current.TenantId),
			ObjectId:   *pulumi.String(current.ObjectId),
			KeyPermissions: pulumi.StringArray{
				pulumi.String("Create"),
				pulumi.String("Delete"),
				pulumi.String("Get"),
				pulumi.String("Purge"),
				pulumi.String("Recover"),
				pulumi.String("Update"),
				pulumi.String("List"),
				pulumi.String("Decrypt"),
				pulumi.String("Sign"),
				pulumi.String("GetRotationPolicy"),
			},
		})
		if err != nil {
			return err
		}
		exampleKey, err := keyvault.NewKey(ctx, "exampleKey", &keyvault.KeyArgs{
			KeyVaultId: exampleKeyVault.ID(),
			KeyType:    pulumi.String("RSA"),
			KeySize:    pulumi.Int(2048),
			KeyOpts: pulumi.StringArray{
				pulumi.String("decrypt"),
				pulumi.String("encrypt"),
				pulumi.String("sign"),
				pulumi.String("unwrapKey"),
				pulumi.String("verify"),
				pulumi.String("wrapKey"),
			},
		}, pulumi.DependsOn([]pulumi.Resource{
			example_user,
		}))
		if err != nil {
			return err
		}
		exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "exampleDiskEncryptionSet", &compute.DiskEncryptionSetArgs{
			ResourceGroupName: exampleResourceGroup.Name,
			Location:          exampleResourceGroup.Location,
			KeyVaultKeyId:     exampleKey.ID(),
			Identity: &compute.DiskEncryptionSetIdentityArgs{
				Type: pulumi.String("SystemAssigned"),
			},
		})
		if err != nil {
			return err
		}
		_, err = keyvault.NewAccessPolicy(ctx, "example-diskAccessPolicy", &keyvault.AccessPolicyArgs{
			KeyVaultId: exampleKeyVault.ID(),
			TenantId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
				return &identity.TenantId, nil
			}).(pulumi.StringPtrOutput),
			ObjectId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
				return &identity.PrincipalId, nil
			}).(pulumi.StringPtrOutput),
			KeyPermissions: pulumi.StringArray{
				pulumi.String("Create"),
				pulumi.String("Delete"),
				pulumi.String("Get"),
				pulumi.String("Purge"),
				pulumi.String("Recover"),
				pulumi.String("Update"),
				pulumi.String("List"),
				pulumi.String("Decrypt"),
				pulumi.String("Sign"),
			},
		})
		if err != nil {
			return err
		}
		_, err = authorization.NewAssignment(ctx, "example-diskAssignment", &authorization.AssignmentArgs{
			Scope:              exampleKeyVault.ID(),
			RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
			PrincipalId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
				return &identity.PrincipalId, nil
			}).(pulumi.StringPtrOutput),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.compute.DiskEncryptionSet;
import com.pulumi.azure.compute.DiskEncryptionSetArgs;
import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = CoreFunctions.getClientConfig();

        var exampleResourceGroup = new ResourceGroup("exampleResourceGroup", ResourceGroupArgs.builder()        
            .location("West Europe")
            .build());

        var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()        
            .location(exampleResourceGroup.location())
            .resourceGroupName(exampleResourceGroup.name())
            .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
            .skuName("premium")
            .enabledForDiskEncryption(true)
            .purgeProtectionEnabled(true)
            .build());

        var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()        
            .keyVaultId(exampleKeyVault.id())
            .tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
            .objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .keyPermissions(            
                "Create",
                "Delete",
                "Get",
                "Purge",
                "Recover",
                "Update",
                "List",
                "Decrypt",
                "Sign",
                "GetRotationPolicy")
            .build());

        var exampleKey = new Key("exampleKey", KeyArgs.builder()        
            .keyVaultId(exampleKeyVault.id())
            .keyType("RSA")
            .keySize(2048)
            .keyOpts(            
                "decrypt",
                "encrypt",
                "sign",
                "unwrapKey",
                "verify",
                "wrapKey")
            .build(), CustomResourceOptions.builder()
                .dependsOn(example_user)
                .build());

        var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()        
            .resourceGroupName(exampleResourceGroup.name())
            .location(exampleResourceGroup.location())
            .keyVaultKeyId(exampleKey.id())
            .identity(DiskEncryptionSetIdentityArgs.builder()
                .type("SystemAssigned")
                .build())
            .build());

        var example_diskAccessPolicy = new AccessPolicy("example-diskAccessPolicy", AccessPolicyArgs.builder()        
            .keyVaultId(exampleKeyVault.id())
            .tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
            .objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
            .keyPermissions(            
                "Create",
                "Delete",
                "Get",
                "Purge",
                "Recover",
                "Update",
                "List",
                "Decrypt",
                "Sign")
            .build());

        var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()        
            .scope(exampleKeyVault.id())
            .roleDefinitionName("Key Vault Crypto Service Encryption User")
            .principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
            .build());

    }
}
import pulumi
import pulumi_azure as azure

current = azure.core.get_client_config()
example_resource_group = azure.core.ResourceGroup("exampleResourceGroup", location="West Europe")
example_key_vault = azure.keyvault.KeyVault("exampleKeyVault",
    location=example_resource_group.location,
    resource_group_name=example_resource_group.name,
    tenant_id=current.tenant_id,
    sku_name="premium",
    enabled_for_disk_encryption=True,
    purge_protection_enabled=True)
example_user = azure.keyvault.AccessPolicy("example-user",
    key_vault_id=example_key_vault.id,
    tenant_id=current.tenant_id,
    object_id=current.object_id,
    key_permissions=[
        "Create",
        "Delete",
        "Get",
        "Purge",
        "Recover",
        "Update",
        "List",
        "Decrypt",
        "Sign",
        "GetRotationPolicy",
    ])
example_key = azure.keyvault.Key("exampleKey",
    key_vault_id=example_key_vault.id,
    key_type="RSA",
    key_size=2048,
    key_opts=[
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
    ],
    opts=pulumi.ResourceOptions(depends_on=[example_user]))
example_disk_encryption_set = azure.compute.DiskEncryptionSet("exampleDiskEncryptionSet",
    resource_group_name=example_resource_group.name,
    location=example_resource_group.location,
    key_vault_key_id=example_key.id,
    identity=azure.compute.DiskEncryptionSetIdentityArgs(
        type="SystemAssigned",
    ))
example_disk_access_policy = azure.keyvault.AccessPolicy("example-diskAccessPolicy",
    key_vault_id=example_key_vault.id,
    tenant_id=example_disk_encryption_set.identity.tenant_id,
    object_id=example_disk_encryption_set.identity.principal_id,
    key_permissions=[
        "Create",
        "Delete",
        "Get",
        "Purge",
        "Recover",
        "Update",
        "List",
        "Decrypt",
        "Sign",
    ])
example_disk_assignment = azure.authorization.Assignment("example-diskAssignment",
    scope=example_key_vault.id,
    role_definition_name="Key Vault Crypto Service Encryption User",
    principal_id=example_disk_encryption_set.identity.principal_id)
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";

const current = azure.core.getClientConfig({});
const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {location: "West Europe"});
const exampleKeyVault = new azure.keyvault.KeyVault("exampleKeyVault", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    tenantId: current.then(current => current.tenantId),
    skuName: "premium",
    enabledForDiskEncryption: true,
    purgeProtectionEnabled: true,
});
const example_user = new azure.keyvault.AccessPolicy("example-user", {
    keyVaultId: exampleKeyVault.id,
    tenantId: current.then(current => current.tenantId),
    objectId: current.then(current => current.objectId),
    keyPermissions: [
        "Create",
        "Delete",
        "Get",
        "Purge",
        "Recover",
        "Update",
        "List",
        "Decrypt",
        "Sign",
        "GetRotationPolicy",
    ],
});
const exampleKey = new azure.keyvault.Key("exampleKey", {
    keyVaultId: exampleKeyVault.id,
    keyType: "RSA",
    keySize: 2048,
    keyOpts: [
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
    ],
}, {
    dependsOn: [example_user],
});
const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("exampleDiskEncryptionSet", {
    resourceGroupName: exampleResourceGroup.name,
    location: exampleResourceGroup.location,
    keyVaultKeyId: exampleKey.id,
    identity: {
        type: "SystemAssigned",
    },
});
const example_diskAccessPolicy = new azure.keyvault.AccessPolicy("example-diskAccessPolicy", {
    keyVaultId: exampleKeyVault.id,
    tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
    objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
    keyPermissions: [
        "Create",
        "Delete",
        "Get",
        "Purge",
        "Recover",
        "Update",
        "List",
        "Decrypt",
        "Sign",
    ],
});
const example_diskAssignment = new azure.authorization.Assignment("example-diskAssignment", {
    scope: exampleKeyVault.id,
    roleDefinitionName: "Key Vault Crypto Service Encryption User",
    principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
});
resources:
  exampleResourceGroup:
    type: azure:core:ResourceGroup
    properties:
      location: West Europe
  exampleKeyVault:
    type: azure:keyvault:KeyVault
    properties:
      location: ${exampleResourceGroup.location}
      resourceGroupName: ${exampleResourceGroup.name}
      tenantId: ${current.tenantId}
      skuName: premium
      enabledForDiskEncryption: true
      purgeProtectionEnabled: true
  exampleKey:
    type: azure:keyvault:Key
    properties:
      keyVaultId: ${exampleKeyVault.id}
      keyType: RSA
      keySize: 2048
      keyOpts:
        - decrypt
        - encrypt
        - sign
        - unwrapKey
        - verify
        - wrapKey
    options:
      dependson:
        - ${["example-user"]}
  exampleDiskEncryptionSet:
    type: azure:compute:DiskEncryptionSet
    properties:
      resourceGroupName: ${exampleResourceGroup.name}
      location: ${exampleResourceGroup.location}
      keyVaultKeyId: ${exampleKey.id}
      identity:
        type: SystemAssigned
  example-diskAccessPolicy:
    type: azure:keyvault:AccessPolicy
    properties:
      keyVaultId: ${exampleKeyVault.id}
      tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
      objectId: ${exampleDiskEncryptionSet.identity.principalId}
      keyPermissions:
        - Create
        - Delete
        - Get
        - Purge
        - Recover
        - Update
        - List
        - Decrypt
        - Sign
  example-user:
    type: azure:keyvault:AccessPolicy
    properties:
      keyVaultId: ${exampleKeyVault.id}
      tenantId: ${current.tenantId}
      objectId: ${current.objectId}
      keyPermissions:
        - Create
        - Delete
        - Get
        - Purge
        - Recover
        - Update
        - List
        - Decrypt
        - Sign
        - GetRotationPolicy
  example-diskAssignment:
    type: azure:authorization:Assignment
    properties:
      scope: ${exampleKeyVault.id}
      roleDefinitionName: Key Vault Crypto Service Encryption User
      principalId: ${exampleDiskEncryptionSet.identity.principalId}
variables:
  current:
    fn::invoke:
      Function: azure:core:getClientConfig
      Arguments: {}

Create DiskEncryptionSet Resource

new DiskEncryptionSet(name: string, args: DiskEncryptionSetArgs, opts?: CustomResourceOptions);
@overload
def DiskEncryptionSet(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      auto_key_rotation_enabled: Optional[bool] = None,
                      encryption_type: Optional[str] = None,
                      federated_client_id: Optional[str] = None,
                      identity: Optional[DiskEncryptionSetIdentityArgs] = None,
                      key_vault_key_id: Optional[str] = None,
                      location: Optional[str] = None,
                      name: Optional[str] = None,
                      resource_group_name: Optional[str] = None,
                      tags: Optional[Mapping[str, str]] = None)
@overload
def DiskEncryptionSet(resource_name: str,
                      args: DiskEncryptionSetArgs,
                      opts: Optional[ResourceOptions] = None)
func NewDiskEncryptionSet(ctx *Context, name string, args DiskEncryptionSetArgs, opts ...ResourceOption) (*DiskEncryptionSet, error)
public DiskEncryptionSet(string name, DiskEncryptionSetArgs args, CustomResourceOptions? opts = null)
public DiskEncryptionSet(String name, DiskEncryptionSetArgs args)
public DiskEncryptionSet(String name, DiskEncryptionSetArgs args, CustomResourceOptions options)
type: azure:compute:DiskEncryptionSet
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args DiskEncryptionSetArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args DiskEncryptionSetArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args DiskEncryptionSetArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args DiskEncryptionSetArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args DiskEncryptionSetArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

DiskEncryptionSet Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The DiskEncryptionSet resource accepts the following input properties:

Identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

KeyVaultKeyId string

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

ResourceGroupName string

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

AutoKeyRotationEnabled bool

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

EncryptionType string

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

FederatedClientId string

Multi-tenant application client id to access key vault in a different tenant.

Location string

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

Name string

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

Tags Dictionary<string, string>

A mapping of tags to assign to the Disk Encryption Set.

Identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

KeyVaultKeyId string

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

ResourceGroupName string

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

AutoKeyRotationEnabled bool

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

EncryptionType string

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

FederatedClientId string

Multi-tenant application client id to access key vault in a different tenant.

Location string

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

Name string

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

Tags map[string]string

A mapping of tags to assign to the Disk Encryption Set.

identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

keyVaultKeyId String

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

resourceGroupName String

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

autoKeyRotationEnabled Boolean

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryptionType String

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federatedClientId String

Multi-tenant application client id to access key vault in a different tenant.

location String

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name String

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

tags Map<String,String>

A mapping of tags to assign to the Disk Encryption Set.

identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

keyVaultKeyId string

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

resourceGroupName string

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

autoKeyRotationEnabled boolean

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryptionType string

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federatedClientId string

Multi-tenant application client id to access key vault in a different tenant.

location string

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name string

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

tags {[key: string]: string}

A mapping of tags to assign to the Disk Encryption Set.

identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

key_vault_key_id str

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

resource_group_name str

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

auto_key_rotation_enabled bool

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryption_type str

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federated_client_id str

Multi-tenant application client id to access key vault in a different tenant.

location str

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name str

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

tags Mapping[str, str]

A mapping of tags to assign to the Disk Encryption Set.

identity Property Map

An identity block as defined below.

keyVaultKeyId String

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

resourceGroupName String

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

autoKeyRotationEnabled Boolean

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryptionType String

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federatedClientId String

Multi-tenant application client id to access key vault in a different tenant.

location String

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name String

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

tags Map<String>

A mapping of tags to assign to the Disk Encryption Set.

Outputs

All input properties are implicitly available as output properties. Additionally, the DiskEncryptionSet resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

Id string

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

id string

The provider-assigned unique ID for this managed resource.

id str

The provider-assigned unique ID for this managed resource.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing DiskEncryptionSet Resource

Get an existing DiskEncryptionSet resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: DiskEncryptionSetState, opts?: CustomResourceOptions): DiskEncryptionSet
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        auto_key_rotation_enabled: Optional[bool] = None,
        encryption_type: Optional[str] = None,
        federated_client_id: Optional[str] = None,
        identity: Optional[DiskEncryptionSetIdentityArgs] = None,
        key_vault_key_id: Optional[str] = None,
        location: Optional[str] = None,
        name: Optional[str] = None,
        resource_group_name: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None) -> DiskEncryptionSet
func GetDiskEncryptionSet(ctx *Context, name string, id IDInput, state *DiskEncryptionSetState, opts ...ResourceOption) (*DiskEncryptionSet, error)
public static DiskEncryptionSet Get(string name, Input<string> id, DiskEncryptionSetState? state, CustomResourceOptions? opts = null)
public static DiskEncryptionSet get(String name, Output<String> id, DiskEncryptionSetState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AutoKeyRotationEnabled bool

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

EncryptionType string

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

FederatedClientId string

Multi-tenant application client id to access key vault in a different tenant.

Identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

KeyVaultKeyId string

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

Location string

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

Name string

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

ResourceGroupName string

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

Tags Dictionary<string, string>

A mapping of tags to assign to the Disk Encryption Set.

AutoKeyRotationEnabled bool

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

EncryptionType string

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

FederatedClientId string

Multi-tenant application client id to access key vault in a different tenant.

Identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

KeyVaultKeyId string

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

Location string

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

Name string

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

ResourceGroupName string

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

Tags map[string]string

A mapping of tags to assign to the Disk Encryption Set.

autoKeyRotationEnabled Boolean

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryptionType String

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federatedClientId String

Multi-tenant application client id to access key vault in a different tenant.

identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

keyVaultKeyId String

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

location String

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name String

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

resourceGroupName String

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

tags Map<String,String>

A mapping of tags to assign to the Disk Encryption Set.

autoKeyRotationEnabled boolean

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryptionType string

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federatedClientId string

Multi-tenant application client id to access key vault in a different tenant.

identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

keyVaultKeyId string

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

location string

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name string

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

resourceGroupName string

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

tags {[key: string]: string}

A mapping of tags to assign to the Disk Encryption Set.

auto_key_rotation_enabled bool

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryption_type str

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federated_client_id str

Multi-tenant application client id to access key vault in a different tenant.

identity DiskEncryptionSetIdentityArgs

An identity block as defined below.

key_vault_key_id str

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

location str

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name str

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

resource_group_name str

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

tags Mapping[str, str]

A mapping of tags to assign to the Disk Encryption Set.

autoKeyRotationEnabled Boolean

Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version.

encryptionType String

The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.

federatedClientId String

Multi-tenant application client id to access key vault in a different tenant.

identity Property Map

An identity block as defined below.

keyVaultKeyId String

Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).

location String

Specifies the Azure Region where the Disk Encryption Set exists. Changing this forces a new resource to be created.

name String

The name of the Disk Encryption Set. Changing this forces a new resource to be created.

resourceGroupName String

Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.

tags Map<String>

A mapping of tags to assign to the Disk Encryption Set.

Supporting Types

DiskEncryptionSetIdentity

Type string

The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).

IdentityIds List<string>

A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

PrincipalId string

The (Client) ID of the Service Principal.

TenantId string

The ID of the Tenant the Service Principal is assigned in.

Type string

The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).

IdentityIds []string

A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

PrincipalId string

The (Client) ID of the Service Principal.

TenantId string

The ID of the Tenant the Service Principal is assigned in.

type String

The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).

identityIds List<String>

A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

principalId String

The (Client) ID of the Service Principal.

tenantId String

The ID of the Tenant the Service Principal is assigned in.

type string

The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).

identityIds string[]

A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

principalId string

The (Client) ID of the Service Principal.

tenantId string

The ID of the Tenant the Service Principal is assigned in.

type str

The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).

identity_ids Sequence[str]

A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

principal_id str

The (Client) ID of the Service Principal.

tenant_id str

The ID of the Tenant the Service Principal is assigned in.

type String

The type of Managed Service Identity that is configured on this Disk Encryption Set. Possible values are SystemAssigned, UserAssigned, SystemAssigned, UserAssigned (to enable both).

identityIds List<String>

A list of User Assigned Managed Identity IDs to be assigned to this Disk Encryption Set.

principalId String

The (Client) ID of the Service Principal.

tenantId String

The ID of the Tenant the Service Principal is assigned in.

Import

Disk Encryption Sets can be imported using the resource id, e.g.

 $ pulumi import azure:compute/diskEncryptionSet:DiskEncryptionSet example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1

Package Details

Repository
Azure Classic pulumi/pulumi-azure
License
Apache-2.0
Notes

This Pulumi package is based on the azurerm Terraform Provider.