Bicep resource definition
The diskEncryptionSets resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Compute/diskEncryptionSets resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Compute/diskEncryptionSets@2020-06-30' = {
  identity: {
    type: 'string'
  }
  location: 'string'
  name: 'string'
  properties: {
    activeKey: {
      keyUrl: 'string'
      sourceVault: {
        id: 'string'
      }
    }
    encryptionType: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}
Property Values
Microsoft.Compute/diskEncryptionSets
| Name | Description | Value |
| --- | --- | --- |
| identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity |
| location | Resource location | string (required) |
| name | The resource name | string (required) |
| properties | | EncryptionSetProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
EncryptionSetIdentity
| Name | Description | Value |
| --- | --- | --- |
| type | The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported. | 'SystemAssigned' |
EncryptionSetProperties
| Name | Description | Value |
| --- | --- | --- |
| activeKey | The key vault key which is currently used by this disk encryption set. | KeyVaultAndKeyReference |
| encryptionType | The type of key used to encrypt the data of the disk. | 'EncryptionAtRestWithCustomerKey' 'EncryptionAtRestWithPlatformAndCustomerKeys' |
KeyVaultAndKeyReference
| Name | Description | Value |
| --- | --- | --- |
| keyUrl | Url pointing to a key or secret in KeyVault | string (required) |
| sourceVault | Resource id of the KeyVault containing the key or secret | SourceVault (required) |
SourceVault
| Name | Description | Value |
| --- | --- | --- |
| id | Resource Id | string |
Usage Examples
Bicep Samples
A basic example of deploying Disk Encryption Set.
param resourceName string = 'acctest0001'
param location string = 'westeurope'

// Disk encryption set that uses a customer-managed Key Vault key
resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-03-02' = {
  name: resourceName
  location: location
  properties: {
    activeKey: {
      // Versioned key URI; with rotation disabled below, the set stays on this key version
      keyUrl: key.properties.keyUriWithVersion
      sourceVault: {
        id: vault.id
      }
    }
    encryptionType: 'EncryptionAtRestWithCustomerKey'
    rotationToLatestKeyVersionEnabled: false
  }
}

// Key vault holding the key; accessPolicies is empty, so this template grants no key permissions
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: resourceName
  location: location
  properties: {
    accessPolicies: []
    enableSoftDelete: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: deployer().tenantId
  }
}

// 2048-bit RSA key referenced by the disk encryption set
resource key 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {
  parent: vault
  name: resourceName
  properties: {
    keyOps: [
      'encrypt'
      'decrypt'
      'sign'
      'verify'
      'wrapKey'
      'unwrapKey'
    ]
    keySize: 2048
    kty: 'RSA'
  }
}
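The identity property is documented above as needing permission on the key vault before the set can encrypt disks, and the basic sample leaves accessPolicies empty. The following is an added example, not one of the page's own samples, that grants the set's managed identity the get, wrapKey and unwrapKey key permissions through a vault access policy. It assumes the vault and disk encryption set from the basic sample already exist in the target resource group under resourceName, that the set was created with identity type 'SystemAssigned' (as in the Terraform variant of the sample), and that the vault uses access policies rather than Azure RBAC; desKeyAccess is a name chosen for illustration.

```bicep
// Added example: give the disk encryption set's identity access to the vault key.
// Assumption: both resources already exist under resourceName in this resource group
// and the disk encryption set has a SystemAssigned identity.
param resourceName string = 'acctest0001'

resource vault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: resourceName
}

resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-03-02' existing = {
  name: resourceName
}

// The 'add' operation merges this entry into the vault's current access policies
// instead of replacing them.
resource desKeyAccess 'Microsoft.KeyVault/vaults/accessPolicies@2023-02-01' = {
  parent: vault
  name: 'add'
  properties: {
    accessPolicies: [
      {
        tenantId: diskEncryptionSet.identity.tenantId
        objectId: diskEncryptionSet.identity.principalId
        permissions: {
          // Only the key operations needed to read the key and wrap/unwrap
          // the disk's data encryption key; no secret or certificate access.
          keys: [
            'get'
            'wrapKey'
            'unwrapKey'
          ]
        }
      }
    ]
  }
}
```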
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
ARM template resource definition
The diskEncryptionSets resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Compute/diskEncryptionSets resource, add the following JSON to your template.
{
  "type": "Microsoft.Compute/diskEncryptionSets",
  "apiVersion": "2020-06-30",
  "name": "string",
  "identity": {
    "type": "string"
  },
  "location": "string",
  "properties": {
    "activeKey": {
      "keyUrl": "string",
      "sourceVault": {
        "id": "string"
      }
    },
    "encryptionType": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.Compute/diskEncryptionSets
| Name | Description | Value |
| --- | --- | --- |
| apiVersion | The api version | '2020-06-30' |
| identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity |
| location | Resource location | string (required) |
| name | The resource name | string (required) |
| properties | | EncryptionSetProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Compute/diskEncryptionSets' |
EncryptionSetIdentity
| Name | Description | Value |
| --- | --- | --- |
| type | The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported. | 'SystemAssigned' |
EncryptionSetProperties
| Name | Description | Value |
| --- | --- | --- |
| activeKey | The key vault key which is currently used by this disk encryption set. | KeyVaultAndKeyReference |
| encryptionType | The type of key used to encrypt the data of the disk. | 'EncryptionAtRestWithCustomerKey' 'EncryptionAtRestWithPlatformAndCustomerKeys' |
KeyVaultAndKeyReference
| Name | Description | Value |
| --- | --- | --- |
| keyUrl | Url pointing to a key or secret in KeyVault | string (required) |
| sourceVault | Resource id of the KeyVault containing the key or secret | SourceVault (required) |
SourceVault
| Name | Description | Value |
| --- | --- | --- |
| id | Resource Id | string |
Usage Examples
The diskEncryptionSets resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Compute/diskEncryptionSets resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Compute/diskEncryptionSets@2020-06-30"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      activeKey = {
        keyUrl = "string"
        sourceVault = {
          id = "string"
        }
      }
      encryptionType = "string"
    }
  }
}
Property Values
Microsoft.Compute/diskEncryptionSets
| Name | Description | Value |
| --- | --- | --- |
| identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity |
| location | Resource location | string (required) |
| name | The resource name | string (required) |
| properties | | EncryptionSetProperties |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Compute/diskEncryptionSets@2020-06-30" |
EncryptionSetIdentity
| Name | Description | Value |
| --- | --- | --- |
| type | The type of Managed Identity used by the DiskEncryptionSet. Only SystemAssigned is supported. | 'SystemAssigned' |
EncryptionSetProperties
| Name | Description | Value |
| --- | --- | --- |
| activeKey | The key vault key which is currently used by this disk encryption set. | KeyVaultAndKeyReference |
| encryptionType | The type of key used to encrypt the data of the disk. | 'EncryptionAtRestWithCustomerKey' 'EncryptionAtRestWithPlatformAndCustomerKeys' |
KeyVaultAndKeyReference
| Name | Description | Value |
| --- | --- | --- |
| keyUrl | Url pointing to a key or secret in KeyVault | string (required) |
| sourceVault | Resource id of the KeyVault containing the key or secret | SourceVault (required) |
SourceVault
| Name | Description | Value |
| --- | --- | --- |
| id | Resource Id | string |
Usage Examples
A basic example of deploying Disk Encryption Set.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

# Supplies the tenant id used for the key vault
data "azurerm_client_config" "current" {
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

# Key vault holding the key; accessPolicies starts empty and later changes to it are ignored
resource "azapi_resource" "vault" {
  type      = "Microsoft.KeyVault/vaults@2023-02-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      sku = {
        family = "A"
        name   = "standard"
      }
      accessPolicies   = []
      enableSoftDelete = true
      tenantId         = data.azurerm_client_config.current.tenant_id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  lifecycle {
    ignore_changes = [body.properties.accessPolicies]
  }
}

# Builds the resource id of the key inside the vault
data "azapi_resource_id" "key" {
  type      = "Microsoft.KeyVault/vaults/keys@2023-02-01"
  parent_id = azapi_resource.vault.id
  name      = var.resource_name
}

# Creates the 2048-bit RSA key with a PUT on that resource id
resource "azapi_resource_action" "key" {
  type        = "Microsoft.KeyVault/vaults/keys@2023-02-01"
  resource_id = data.azapi_resource_id.key.id
  method      = "PUT"
  body = {
    properties = {
      keySize = 2048
      kty     = "RSA"
      keyOps  = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
    }
  }
  response_export_values = ["*"]
}

# Disk encryption set with a system-assigned identity, using the key created above
resource "azapi_resource" "diskEncryptionSet" {
  type      = "Microsoft.Compute/diskEncryptionSets@2022-03-02"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      activeKey = {
        # Versioned key URI; with rotation disabled below, the set stays on this key version
        keyUrl = azapi_resource_action.key.output.properties.keyUriWithVersion
        sourceVault = {
          id = azapi_resource.vault.id
        }
      }
      encryptionType                    = "EncryptionAtRestWithCustomerKey"
      rotationToLatestKeyVersionEnabled = false
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.