Disk
Manages a Disk Encryption Set.
NOTE: At this time the Key Vault used to store the Active Key for this Disk Encryption Set must have both Soft Delete & Purge Protection enabled - which are not yet supported by this provider.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const example = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleKeyVault = new azure.keyvault.KeyVault("example", {
name: "des-example-keyvault",
location: example.location,
resourceGroupName: example.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
enabledForDiskEncryption: true,
purgeProtectionEnabled: true,
});
const exampleKey = new azure.keyvault.Key("example", {
name: "des-example-key",
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
});
const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
name: "des",
resourceGroupName: example.name,
location: example.location,
keyVaultKeyId: exampleKey.id,
identity: {
type: "SystemAssigned",
},
});
const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
keyVaultId: exampleKeyVault.id,
tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
],
});
const example_user = new azure.keyvault.AccessPolicy("example-user", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
],
});
const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
scope: exampleKeyVault.id,
roleDefinitionName: "Key Vault Crypto Service Encryption User",
principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_key_vault = azure.keyvault.KeyVault("example",
name="des-example-keyvault",
location=example.location,
resource_group_name=example.name,
tenant_id=current.tenant_id,
sku_name="premium",
enabled_for_disk_encryption=True,
purge_protection_enabled=True)
example_key = azure.keyvault.Key("example",
name="des-example-key",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
])
example_disk_encryption_set = azure.compute.DiskEncryptionSet("example",
name="des",
resource_group_name=example.name,
location=example.location,
key_vault_key_id=example_key.id,
identity=azure.compute.DiskEncryptionSetIdentityArgs(
type="SystemAssigned",
))
example_disk = azure.keyvault.AccessPolicy("example-disk",
key_vault_id=example_key_vault.id,
tenant_id=example_disk_encryption_set.identity.tenant_id,
object_id=example_disk_encryption_set.identity.principal_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
])
example_user = azure.keyvault.AccessPolicy("example-user",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
])
example_disk_assignment = azure.authorization.Assignment("example-disk",
scope=example_key_vault.id,
role_definition_name="Key Vault Crypto Service Encryption User",
principal_id=example_disk_encryption_set.identity.principal_id)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
{
Name = "des-example-keyvault",
Location = example.Location,
ResourceGroupName = example.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
EnabledForDiskEncryption = true,
PurgeProtectionEnabled = true,
});
var exampleKey = new Azure.KeyVault.Key("example", new()
{
Name = "des-example-key",
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts = new[]
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
});
var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("example", new()
{
Name = "des",
ResourceGroupName = example.Name,
Location = example.Location,
KeyVaultKeyId = exampleKey.Id,
Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
{
Type = "SystemAssigned",
},
});
var example_disk = new Azure.KeyVault.AccessPolicy("example-disk", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
},
});
var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
},
});
var example_diskAssignment = new Azure.Authorization.Assignment("example-disk", new()
{
Scope = exampleKeyVault.Id,
RoleDefinitionName = "Key Vault Crypto Service Encryption User",
PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/compute"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
Name: pulumi.String("des-example-keyvault"),
Location: example.Location,
ResourceGroupName: example.Name,
TenantId: pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
EnabledForDiskEncryption: pulumi.Bool(true),
PurgeProtectionEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
exampleKey, err := keyvault.NewKey(ctx, "example", &keyvault.KeyArgs{
Name: pulumi.String("des-example-key"),
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
})
if err != nil {
return err
}
exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "example", &compute.DiskEncryptionSetArgs{
Name: pulumi.String("des"),
ResourceGroupName: example.Name,
Location: example.Location,
KeyVaultKeyId: exampleKey.ID(),
Identity: &compute.DiskEncryptionSetIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-disk", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.TenantId, nil
}).(pulumi.StringPtrOutput),
ObjectId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
pulumi.String("GetRotationPolicy"),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example-disk", &authorization.AssignmentArgs{
Scope: exampleKeyVault.ID(),
RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
PrincipalId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.compute.DiskEncryptionSet;
import com.pulumi.azure.compute.DiskEncryptionSetArgs;
import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.name("des-example-keyvault")
.location(example.location())
.resourceGroupName(example.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.enabledForDiskEncryption(true)
.purgeProtectionEnabled(true)
.build());
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.name("des-example-key")
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.build());
var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()
.name("des")
.resourceGroupName(example.name())
.location(example.location())
.keyVaultKeyId(exampleKey.id())
.identity(DiskEncryptionSetIdentityArgs.builder()
.type("SystemAssigned")
.build())
.build());
var example_disk = new AccessPolicy("example-disk", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
.objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign")
.build());
var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy")
.build());
var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()
.scope(exampleKeyVault.id())
.roleDefinitionName("Key Vault Crypto Service Encryption User")
.principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-resources
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
name: example
properties:
name: des-example-keyvault
location: ${example.location}
resourceGroupName: ${example.name}
tenantId: ${current.tenantId}
skuName: premium
enabledForDiskEncryption: true
purgeProtectionEnabled: true
exampleKey:
type: azure:keyvault:Key
name: example
properties:
name: des-example-key
keyVaultId: ${exampleKeyVault.id}
keyType: RSA
keySize: 2048
keyOpts:
- decrypt
- encrypt
- sign
- unwrapKey
- verify
- wrapKey
exampleDiskEncryptionSet:
type: azure:compute:DiskEncryptionSet
name: example
properties:
name: des
resourceGroupName: ${example.name}
location: ${example.location}
keyVaultKeyId: ${exampleKey.id}
identity:
type: SystemAssigned
example-disk:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
objectId: ${exampleDiskEncryptionSet.identity.principalId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
example-user:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
- GetRotationPolicy
example-diskAssignment:
type: azure:authorization:Assignment
name: example-disk
properties:
scope: ${exampleKeyVault.id}
roleDefinitionName: Key Vault Crypto Service Encryption User
principalId: ${exampleDiskEncryptionSet.identity.principalId}
variables:
current:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}Content copied to clipboard
With Automatic Key Rotation Enabled
import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
const current = azure.core.getClientConfig({});
const example = new azure.core.ResourceGroup("example", {
name: "example-resources",
location: "West Europe",
});
const exampleKeyVault = new azure.keyvault.KeyVault("example", {
name: "des-example-keyvault",
location: example.location,
resourceGroupName: example.name,
tenantId: current.then(current => current.tenantId),
skuName: "premium",
enabledForDiskEncryption: true,
purgeProtectionEnabled: true,
});
const exampleKey = new azure.keyvault.Key("example", {
name: "des-example-key",
keyVaultId: exampleKeyVault.id,
keyType: "RSA",
keySize: 2048,
keyOpts: [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
],
});
const exampleDiskEncryptionSet = new azure.compute.DiskEncryptionSet("example", {
name: "des",
resourceGroupName: example.name,
location: example.location,
keyVaultKeyId: exampleKey.versionlessId,
autoKeyRotationEnabled: true,
identity: {
type: "SystemAssigned",
},
});
const example_disk = new azure.keyvault.AccessPolicy("example-disk", {
keyVaultId: exampleKeyVault.id,
tenantId: exampleDiskEncryptionSet.identity.apply(identity => identity.tenantId),
objectId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
],
});
const example_user = new azure.keyvault.AccessPolicy("example-user", {
keyVaultId: exampleKeyVault.id,
tenantId: current.then(current => current.tenantId),
objectId: current.then(current => current.objectId),
keyPermissions: [
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
],
});
const example_diskAssignment = new azure.authorization.Assignment("example-disk", {
scope: exampleKeyVault.id,
roleDefinitionName: "Key Vault Crypto Service Encryption User",
principalId: exampleDiskEncryptionSet.identity.apply(identity => identity.principalId),
});Content copied to clipboard
import pulumi
import pulumi_azure as azure
current = azure.core.get_client_config()
example = azure.core.ResourceGroup("example",
name="example-resources",
location="West Europe")
example_key_vault = azure.keyvault.KeyVault("example",
name="des-example-keyvault",
location=example.location,
resource_group_name=example.name,
tenant_id=current.tenant_id,
sku_name="premium",
enabled_for_disk_encryption=True,
purge_protection_enabled=True)
example_key = azure.keyvault.Key("example",
name="des-example-key",
key_vault_id=example_key_vault.id,
key_type="RSA",
key_size=2048,
key_opts=[
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
])
example_disk_encryption_set = azure.compute.DiskEncryptionSet("example",
name="des",
resource_group_name=example.name,
location=example.location,
key_vault_key_id=example_key.versionless_id,
auto_key_rotation_enabled=True,
identity=azure.compute.DiskEncryptionSetIdentityArgs(
type="SystemAssigned",
))
example_disk = azure.keyvault.AccessPolicy("example-disk",
key_vault_id=example_key_vault.id,
tenant_id=example_disk_encryption_set.identity.tenant_id,
object_id=example_disk_encryption_set.identity.principal_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
])
example_user = azure.keyvault.AccessPolicy("example-user",
key_vault_id=example_key_vault.id,
tenant_id=current.tenant_id,
object_id=current.object_id,
key_permissions=[
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
])
example_disk_assignment = azure.authorization.Assignment("example-disk",
scope=example_key_vault.id,
role_definition_name="Key Vault Crypto Service Encryption User",
principal_id=example_disk_encryption_set.identity.principal_id)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Azure = Pulumi.Azure;
return await Deployment.RunAsync(() =>
{
var current = Azure.Core.GetClientConfig.Invoke();
var example = new Azure.Core.ResourceGroup("example", new()
{
Name = "example-resources",
Location = "West Europe",
});
var exampleKeyVault = new Azure.KeyVault.KeyVault("example", new()
{
Name = "des-example-keyvault",
Location = example.Location,
ResourceGroupName = example.Name,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
SkuName = "premium",
EnabledForDiskEncryption = true,
PurgeProtectionEnabled = true,
});
var exampleKey = new Azure.KeyVault.Key("example", new()
{
Name = "des-example-key",
KeyVaultId = exampleKeyVault.Id,
KeyType = "RSA",
KeySize = 2048,
KeyOpts = new[]
{
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
},
});
var exampleDiskEncryptionSet = new Azure.Compute.DiskEncryptionSet("example", new()
{
Name = "des",
ResourceGroupName = example.Name,
Location = example.Location,
KeyVaultKeyId = exampleKey.VersionlessId,
AutoKeyRotationEnabled = true,
Identity = new Azure.Compute.Inputs.DiskEncryptionSetIdentityArgs
{
Type = "SystemAssigned",
},
});
var example_disk = new Azure.KeyVault.AccessPolicy("example-disk", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.TenantId),
ObjectId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
},
});
var example_user = new Azure.KeyVault.AccessPolicy("example-user", new()
{
KeyVaultId = exampleKeyVault.Id,
TenantId = current.Apply(getClientConfigResult => getClientConfigResult.TenantId),
ObjectId = current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
KeyPermissions = new[]
{
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy",
},
});
var example_diskAssignment = new Azure.Authorization.Assignment("example-disk", new()
{
Scope = exampleKeyVault.Id,
RoleDefinitionName = "Key Vault Crypto Service Encryption User",
PrincipalId = exampleDiskEncryptionSet.Identity.Apply(identity => identity.PrincipalId),
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/compute"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/keyvault"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := core.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
Name: pulumi.String("example-resources"),
Location: pulumi.String("West Europe"),
})
if err != nil {
return err
}
exampleKeyVault, err := keyvault.NewKeyVault(ctx, "example", &keyvault.KeyVaultArgs{
Name: pulumi.String("des-example-keyvault"),
Location: example.Location,
ResourceGroupName: example.Name,
TenantId: pulumi.String(current.TenantId),
SkuName: pulumi.String("premium"),
EnabledForDiskEncryption: pulumi.Bool(true),
PurgeProtectionEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
exampleKey, err := keyvault.NewKey(ctx, "example", &keyvault.KeyArgs{
Name: pulumi.String("des-example-key"),
KeyVaultId: exampleKeyVault.ID(),
KeyType: pulumi.String("RSA"),
KeySize: pulumi.Int(2048),
KeyOpts: pulumi.StringArray{
pulumi.String("decrypt"),
pulumi.String("encrypt"),
pulumi.String("sign"),
pulumi.String("unwrapKey"),
pulumi.String("verify"),
pulumi.String("wrapKey"),
},
})
if err != nil {
return err
}
exampleDiskEncryptionSet, err := compute.NewDiskEncryptionSet(ctx, "example", &compute.DiskEncryptionSetArgs{
Name: pulumi.String("des"),
ResourceGroupName: example.Name,
Location: example.Location,
KeyVaultKeyId: exampleKey.VersionlessId,
AutoKeyRotationEnabled: pulumi.Bool(true),
Identity: &compute.DiskEncryptionSetIdentityArgs{
Type: pulumi.String("SystemAssigned"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-disk", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.TenantId, nil
}).(pulumi.StringPtrOutput),
ObjectId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
},
})
if err != nil {
return err
}
_, err = keyvault.NewAccessPolicy(ctx, "example-user", &keyvault.AccessPolicyArgs{
KeyVaultId: exampleKeyVault.ID(),
TenantId: pulumi.String(current.TenantId),
ObjectId: pulumi.String(current.ObjectId),
KeyPermissions: pulumi.StringArray{
pulumi.String("Create"),
pulumi.String("Delete"),
pulumi.String("Get"),
pulumi.String("Purge"),
pulumi.String("Recover"),
pulumi.String("Update"),
pulumi.String("List"),
pulumi.String("Decrypt"),
pulumi.String("Sign"),
pulumi.String("GetRotationPolicy"),
},
})
if err != nil {
return err
}
_, err = authorization.NewAssignment(ctx, "example-disk", &authorization.AssignmentArgs{
Scope: exampleKeyVault.ID(),
RoleDefinitionName: pulumi.String("Key Vault Crypto Service Encryption User"),
PrincipalId: exampleDiskEncryptionSet.Identity.ApplyT(func(identity compute.DiskEncryptionSetIdentity) (*string, error) {
return &identity.PrincipalId, nil
}).(pulumi.StringPtrOutput),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azure.core.CoreFunctions;
import com.pulumi.azure.core.ResourceGroup;
import com.pulumi.azure.core.ResourceGroupArgs;
import com.pulumi.azure.keyvault.KeyVault;
import com.pulumi.azure.keyvault.KeyVaultArgs;
import com.pulumi.azure.keyvault.Key;
import com.pulumi.azure.keyvault.KeyArgs;
import com.pulumi.azure.compute.DiskEncryptionSet;
import com.pulumi.azure.compute.DiskEncryptionSetArgs;
import com.pulumi.azure.compute.inputs.DiskEncryptionSetIdentityArgs;
import com.pulumi.azure.keyvault.AccessPolicy;
import com.pulumi.azure.keyvault.AccessPolicyArgs;
import com.pulumi.azure.authorization.Assignment;
import com.pulumi.azure.authorization.AssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = CoreFunctions.getClientConfig();
var example = new ResourceGroup("example", ResourceGroupArgs.builder()
.name("example-resources")
.location("West Europe")
.build());
var exampleKeyVault = new KeyVault("exampleKeyVault", KeyVaultArgs.builder()
.name("des-example-keyvault")
.location(example.location())
.resourceGroupName(example.name())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.skuName("premium")
.enabledForDiskEncryption(true)
.purgeProtectionEnabled(true)
.build());
var exampleKey = new Key("exampleKey", KeyArgs.builder()
.name("des-example-key")
.keyVaultId(exampleKeyVault.id())
.keyType("RSA")
.keySize(2048)
.keyOpts(
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey")
.build());
var exampleDiskEncryptionSet = new DiskEncryptionSet("exampleDiskEncryptionSet", DiskEncryptionSetArgs.builder()
.name("des")
.resourceGroupName(example.name())
.location(example.location())
.keyVaultKeyId(exampleKey.versionlessId())
.autoKeyRotationEnabled(true)
.identity(DiskEncryptionSetIdentityArgs.builder()
.type("SystemAssigned")
.build())
.build());
var example_disk = new AccessPolicy("example-disk", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.tenantId()))
.objectId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign")
.build());
var example_user = new AccessPolicy("example-user", AccessPolicyArgs.builder()
.keyVaultId(exampleKeyVault.id())
.tenantId(current.applyValue(getClientConfigResult -> getClientConfigResult.tenantId()))
.objectId(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.keyPermissions(
"Create",
"Delete",
"Get",
"Purge",
"Recover",
"Update",
"List",
"Decrypt",
"Sign",
"GetRotationPolicy")
.build());
var example_diskAssignment = new Assignment("example-diskAssignment", AssignmentArgs.builder()
.scope(exampleKeyVault.id())
.roleDefinitionName("Key Vault Crypto Service Encryption User")
.principalId(exampleDiskEncryptionSet.identity().applyValue(identity -> identity.principalId()))
.build());
}
}Content copied to clipboard
resources:
example:
type: azure:core:ResourceGroup
properties:
name: example-resources
location: West Europe
exampleKeyVault:
type: azure:keyvault:KeyVault
name: example
properties:
name: des-example-keyvault
location: ${example.location}
resourceGroupName: ${example.name}
tenantId: ${current.tenantId}
skuName: premium
enabledForDiskEncryption: true
purgeProtectionEnabled: true
exampleKey:
type: azure:keyvault:Key
name: example
properties:
name: des-example-key
keyVaultId: ${exampleKeyVault.id}
keyType: RSA
keySize: 2048
keyOpts:
- decrypt
- encrypt
- sign
- unwrapKey
- verify
- wrapKey
exampleDiskEncryptionSet:
type: azure:compute:DiskEncryptionSet
name: example
properties:
name: des
resourceGroupName: ${example.name}
location: ${example.location}
keyVaultKeyId: ${exampleKey.versionlessId}
autoKeyRotationEnabled: true
identity:
type: SystemAssigned
example-disk:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${exampleDiskEncryptionSet.identity.tenantId}
objectId: ${exampleDiskEncryptionSet.identity.principalId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
example-user:
type: azure:keyvault:AccessPolicy
properties:
keyVaultId: ${exampleKeyVault.id}
tenantId: ${current.tenantId}
objectId: ${current.objectId}
keyPermissions:
- Create
- Delete
- Get
- Purge
- Recover
- Update
- List
- Decrypt
- Sign
- GetRotationPolicy
example-diskAssignment:
type: azure:authorization:Assignment
name: example-disk
properties:
scope: ${exampleKeyVault.id}
roleDefinitionName: Key Vault Crypto Service Encryption User
principalId: ${exampleDiskEncryptionSet.identity.principalId}
variables:
current:
fn::invoke:
Function: azure:core:getClientConfig
Arguments: {}Content copied to clipboard
Import
Disk Encryption Sets can be imported using the resource id, e.g.
$ pulumi import azure:compute/diskEncryptionSet:DiskEncryptionSet example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.Compute/diskEncryptionSets/encryptionSet1Content copied to clipboard
Properties
Link copied to clipboard
Link copied to clipboard
The type of key used to encrypt the data of the disk. Possible values are EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys and ConfidentialVmEncryptedWithCustomerKey. Defaults to EncryptionAtRestWithCustomerKey. Changing this forces a new resource to be created.
Link copied to clipboard
Multi-tenant application client id to access key vault in a different tenant.
Link copied to clipboard
An identity block as defined below.
Link copied to clipboard
Specifies the URL to a Key Vault Key (either from a Key Vault Key, or the Key URL for the Key Vault Secret).
Link copied to clipboard
The URL for the Key Vault Key or Key Vault Secret that is currently being used by the service.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Specifies the name of the Resource Group where the Disk Encryption Set should exist. Changing this forces a new resource to be created.