diff --git a/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json b/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json
index 9ad9ed7c52..58ec4d9a2a 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json
+++ b/arm/Microsoft.Compute/diskEncryptionSets/.parameters/parameters.json
@@ -5,11 +5,11 @@
 "name": {
 "value": "<>-az-des-x-001"
 },
- "keyVaultId": {
+ "keyVaultResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
 },
- "keyUrl": {
- "value": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5" // ID must be updated for new keys
+ "keyName": {
+ "value": "keyEncryptionKey"
 },
 "roleAssignments": {
 "value": [
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
index ac7150174a..69ec97c6d6 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
+++ b/arm/Microsoft.Compute/diskEncryptionSets/deploy.bicep
@@ -5,10 +5,13 @@ param name string
 param location string = resourceGroup().location
 
 @description('Required. Resource ID of the KeyVault containing the key or secret.')
-param keyVaultId string
+param keyVaultResourceId string
 
 @description('Required. Key URL (with version) pointing to a key or secret in KeyVault.')
-param keyUrl string
+param keyName string
+
+@description('Optional. The version of the customer managed key to reference for encryption. If not provided, the latest key version is used.')
+param keyVersion string = ''
 
 @description('Optional. The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys.')
 @allowed([
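Review bot: The `@description` kept above `param keyName string` still reads 'Key URL (with version) pointing to a key or secret in KeyVault.', which no longer describes a bare key name, and the same stale wording is carried into the readme's required-parameters table for `keyName`. Suggest `@description('Required. Name of the key in the Key Vault identified by keyVaultResourceId.')` so the generated readme is correct too. Renaming `keyVaultId`/`keyUrl` to `keyVaultResourceId`/`keyName` is also a breaking change for existing callers of this module, which is worth stating in the commit description.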
@@ -41,6 +44,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
 
+resource keyVaultKey 'Microsoft.KeyVault/vaults/keys@2021-10-01' existing = {
+ name: '${last(split(keyVaultResourceId, '/'))}/${keyName}'
+ scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
+}
+
 resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 name: name
 location: location
@@ -51,9 +59,9 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 properties: {
 activeKey: {
 sourceVault: {
- id: keyVaultId
+ id: keyVaultResourceId
 }
- keyUrl: keyUrl
+ keyUrl: !empty(keyVersion) ? '${keyVaultKey.properties.keyUri}/${keyVersion}' : keyVaultKey.properties.keyUriWithVersion
 }
 encryptionType: encryptionType
 rotationToLatestKeyVersionEnabled: rotationToLatestKeyVersionEnabled
@@ -63,7 +71,7 @@ resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = {
 module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/deploy.bicep' = {
 name: '${uniqueString(deployment().name, location)}-DiskEncrSet-KVAccessPolicies'
 params: {
- keyVaultName: last(split(keyVaultId, '/'))
+ keyVaultName: last(split(keyVaultResourceId, '/'))
 accessPolicies: [
 {
 tenantId: subscription().tenantId
@@ -81,7 +89,7 @@ module keyVaultAccessPolicies '../../Microsoft.KeyVault/vaults/accessPolicies/de
 ]
 }
 // This is to support access policies to KV in different subscription and resource group than the disk encryption set.
- scope: resourceGroup(split(keyVaultId, '/')[2], split(keyVaultId, '/')[4])
+ scope: resourceGroup(split(keyVaultResourceId, '/')[2], split(keyVaultResourceId, '/')[4])
 }
 
 module diskEncryptionSet_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
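Review bot: The `existing` keyVaultKey resource builds its scope from `split(keyVaultResourceId, '/')[2]` and `[4]`, so any value that is not a full `/subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/...` ID fails with an index-out-of-range error rather than a validation message; the access-policy module further down already relied on the same split, but the `@description` on keyVaultResourceId should now state that the full vault resource ID is required. Because the template now reads `keyVaultKey.properties.keyUri` at deployment time rather than forwarding a caller-supplied string, the deploying identity presumably needs control-plane read permission on the key in a vault that may live in another subscription — worth confirming and documenting in the readme.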
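Review bot: In the new `keyUrl` expression a non-empty keyVersion is concatenated as `'${keyVaultKey.properties.keyUri}/${keyVersion}'` with no check that the version exists, so a mistyped version only surfaces when the disk encryption set first tries to use the key; with an empty keyVersion, `keyUriWithVersion` pins whatever version is current at deploy time. If the service expects a versionless key URL when rotationToLatestKeyVersionEnabled is true — which the parameter's own readme text ('auto-updating ... to the latest key version') suggests — the expression should fall back to `keyVaultKey.properties.keyUri` in that case; this interaction needs confirming against the provider. The diskEncryptionSet resource body starts and ends outside this hunk.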
@@ -108,7 +116,7 @@ output resourceGroupName string = resourceGroup().name
 output systemAssignedPrincipalId string = diskEncryptionSet.identity.principalId
 
 @description('The name of the key vault with the disk encryption key.')
-output keyVaultName string = last(split(keyVaultId, '/'))
+output keyVaultName string = last(split(keyVaultResourceId, '/'))
 
 @description('The location the resource was deployed into.')
 output location string = diskEncryptionSet.location
diff --git a/arm/Microsoft.Compute/diskEncryptionSets/readme.md b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
index 6817572cc6..7e22cabc31 100644
--- a/arm/Microsoft.Compute/diskEncryptionSets/readme.md
+++ b/arm/Microsoft.Compute/diskEncryptionSets/readme.md
@@ -22,8 +22,8 @@ This template deploys a disk encryption set.
 **Required parameters**
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `keyUrl` | string | Key URL (with version) pointing to a key or secret in KeyVault. |
-| `keyVaultId` | string | Resource ID of the KeyVault containing the key or secret. |
+| `keyName` | string | Key URL (with version) pointing to a key or secret in KeyVault. |
+| `keyVaultResourceId` | string | Resource ID of the KeyVault containing the key or secret. |
 | `name` | string | The name of the disk encryption set that is being created. |
 
 **Optional parameters**
@@ -31,6 +31,7 @@ This template deploys a disk encryption set.
 | :-- | :-- | :-- | :-- | :-- |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
 | `encryptionType` | string | `'EncryptionAtRestWithPlatformAndCustomerKeys'` | `[EncryptionAtRestWithCustomerKey, EncryptionAtRestWithPlatformAndCustomerKeys]` | The type of key used to encrypt the data of the disk. For security reasons, it is recommended to set encryptionType to EncryptionAtRestWithPlatformAndCustomerKeys. |
+| `keyVersion` | string | `''` | | The version of the customer managed key to reference for encryption. If not provided, the latest key version is used. |
 | `location` | string | `[resourceGroup().location]` | | Resource location. |
 | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
 | `rotationToLatestKeyVersionEnabled` | bool | `False` | | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. |
@@ -164,11 +165,11 @@ tags: {
 "name": {
 "value": "<>-az-des-x-001"
 },
- "keyVaultId": {
+ "keyVaultResourceId": {
 "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001"
 },
- "keyUrl": {
- "value": "https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5" // ID must be updated for new keys
+ "keyName": {
+ "value": "keyEncryptionKey"
 },
 "roleAssignments": {
 "value": [
@@ -195,8 +196,8 @@ module diskEncryptionSets './Microsoft.Compute/diskEncryptionSets/deploy.bicep'
 name: '${uniqueString(deployment().name)}-diskEncryptionSets'
 params: {
 name: '<>-az-des-x-001'
- keyVaultId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001'
- keyUrl: 'https://adp-<>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5'
+ keyVaultResourceId: '/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<>-az-kv-x-001'
+ keyName: 'keyEncryptionKey'
 roleAssignments: [
 {
 roleDefinitionIdOrName: 'Reader'