azurerm_machine_learning_workspace - encryption block (hashicorp#14120)

Support Customer-managed key data encryption

Author: xuzhang3

internal/services/machinelearning/machine_learning_workspace_resource.go

@@ -141,6 +141,27 @@ func resourceMachineLearningWorkspace() *pluginsdk.Resource {
 				Optional: true,
 			},
 
+			"encryption": {
+				Type:     pluginsdk.TypeList,
+				Optional: true,
+				ForceNew: true,
+				MaxItems: 1,
+				Elem: &pluginsdk.Resource{
+					Schema: map[string]*pluginsdk.Schema{
+						"key_vault_id": {
+							Type:         pluginsdk.TypeString,
+							Required:     true,
+							ValidateFunc: keyVaultValidate.VaultID,
+						},
+						"key_id": {
+							Type:         pluginsdk.TypeString,
+							Required:     true,
+							ValidateFunc: validation.IsURLWithHTTPorHTTPS,
+						},
+					},
+				},
+			},
+
 			"friendly_name": {
 				Type:     pluginsdk.TypeString,
 				Optional: true,
@@ -204,6 +225,7 @@ func resourceMachineLearningWorkspaceCreate(d *pluginsdk.ResourceData, meta inte
 			ApplicationInsights:             utils.String(d.Get("application_insights_id").(string)),
 			KeyVault:                        utils.String(d.Get("key_vault_id").(string)),
 			AllowPublicAccessWhenBehindVnet: utils.Bool(d.Get("public_network_access_enabled").(bool)),
+			Encryption:                      expandMachineLearningWorkspaceEncryption(d.Get("encryption").([]interface{})),
 		},
 	}
 
@@ -290,6 +312,10 @@ func resourceMachineLearningWorkspaceRead(d *pluginsdk.ResourceData, meta interf
 		return fmt.Errorf("flattening identity on Workspace %q (Resource Group %q): %+v", id.Name, id.ResourceGroup, err)
 	}
 
+	if err := d.Set("encryption", flattenMachineLearningWorkspaceEncryption(resp.Encryption)); err != nil {
+		return fmt.Errorf("flattening encryption on Workspace %q (Resource Group %q): %+v", id.Name, id.ResourceGroup, err)
+	}
+
 	return tags.FlattenAndSet(d, resp.Tags)
 }
 
@@ -391,3 +417,34 @@ func flattenMachineLearningWorkspaceIdentity(identity *machinelearningservices.I
 		},
 	}
 }
+
+func expandMachineLearningWorkspaceEncryption(input []interface{}) *machinelearningservices.EncryptionProperty {
+	if len(input) == 0 || input[0] == nil {
+		return nil
+	}
+
+	raw := input[0].(map[string]interface{})
+	encryption := &machinelearningservices.EncryptionProperty{
+		Status: machinelearningservices.EncryptionStatusEnabled,
+	}
+
+	encryption.KeyVaultProperties = &machinelearningservices.KeyVaultProperties{
+		KeyVaultArmID: utils.String(raw["key_vault_id"].(string)),
+		KeyIdentifier: utils.String(raw["key_id"].(string)),
+	}
+
+	return encryption
+}
+
+func flattenMachineLearningWorkspaceEncryption(encryption *machinelearningservices.EncryptionProperty) []interface{} {
+	if encryption == nil {
+		return []interface{}{}
+	}
+
+	return []interface{}{
+		map[string]interface{}{
+			"key_vault_id": *encryption.KeyVaultProperties.KeyVaultArmID,
+			"key_id":       *encryption.KeyVaultProperties.KeyIdentifier,
+		},
+	}
+}

internal/services/machinelearning/machine_learning_workspace_resource_test.go

@@ -209,6 +209,24 @@ resource "azurerm_container_registry" "test" {
   admin_enabled       = true
 }
 
+resource "azurerm_key_vault_key" "test" {
+  name         = "acctest-kv-key-%[2]d"
+  key_vault_id = azurerm_key_vault.test.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [azurerm_key_vault.test, azurerm_key_vault_access_policy.test]
+}
+
 resource "azurerm_machine_learning_workspace" "test" {
   name                          = "acctest-MLW-%[2]d"
   location                      = azurerm_resource_group.test.location
@@ -228,6 +246,12 @@ resource "azurerm_machine_learning_workspace" "test" {
     type = "SystemAssigned"
   }
 
+  encryption {
+    key_vault_id = azurerm_key_vault.test.id
+    key_id       = azurerm_key_vault_key.test.id
+  }
+
+
   tags = {
     ENV = "Test"
   }
@@ -248,6 +272,24 @@ resource "azurerm_container_registry" "test" {
   admin_enabled       = true
 }
 
+resource "azurerm_key_vault_key" "test" {
+  name         = "acctest-kv-key-%[2]d"
+  key_vault_id = azurerm_key_vault.test.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [azurerm_key_vault.test, azurerm_key_vault_access_policy.test]
+}
+
 resource "azurerm_machine_learning_workspace" "test" {
   name                          = "acctest-MLW-%[2]d"
   location                      = azurerm_resource_group.test.location
@@ -267,6 +309,11 @@ resource "azurerm_machine_learning_workspace" "test" {
     type = "SystemAssigned"
   }
 
+  encryption {
+    key_vault_id = azurerm_key_vault.test.id
+    key_id       = azurerm_key_vault_key.test.id
+  }
+
   tags = {
     ENV = "Test"
     FOO = "Updated"
@@ -298,7 +345,11 @@ resource "azurerm_machine_learning_workspace" "import" {
 func (r WorkspaceResource) template(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
-  features {}
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy = false
+    }
+  }
 }
 
 data "azurerm_client_config" "current" {}
@@ -326,6 +377,19 @@ resource "azurerm_key_vault" "test" {
   purge_protection_enabled = true
 }
 
+resource "azurerm_key_vault_access_policy" "test" {
+  key_vault_id = azurerm_key_vault.test.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Create",
+    "Get",
+    "Delete",
+    "Purge",
+  ]
+}
+
 resource "azurerm_storage_account" "test" {
   name                     = "acctestsa%[4]d"
   location                 = azurerm_resource_group.test.location

website/docs/r/machine_learning_workspace.html.markdown

@@ -60,6 +60,99 @@ resource "azurerm_machine_learning_workspace" "example" {
 }
 ```
 
+## Example Usage with Data encryption
+
+~> **NOTE:** The Key Vault must enable purge protection.
+
+```hcl
+provider "azurerm" {
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy = false
+    }
+  }
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "example" {
+  name     = "example-resources"
+  location = "West Europe"
+}
+
+resource "azurerm_application_insights" "example" {
+  name                = "workspace-example-ai"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  application_type    = "web"
+}
+
+resource "azurerm_key_vault" "example" {
+  name                     = "workspaceexamplekeyvault"
+  location                 = azurerm_resource_group.example.location
+  resource_group_name      = azurerm_resource_group.example.name
+  tenant_id                = data.azurerm_client_config.current.tenant_id
+  sku_name                 = "premium"
+  purge_protection_enabled = true
+}
+resource "azurerm_key_vault_access_policy" "example" {
+  key_vault_id = azurerm_key_vault.example.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Create",
+    "Get",
+    "Delete",
+    "Purge",
+  ]
+}
+
+resource "azurerm_storage_account" "example" {
+  name                     = "workspacestorageaccount"
+  location                 = azurerm_resource_group.example.location
+  resource_group_name      = azurerm_resource_group.example.name
+  account_tier             = "Standard"
+  account_replication_type = "GRS"
+}
+
+resource "azurerm_key_vault_key" "example" {
+  name         = "workspaceexamplekeyvaultkey"
+  key_vault_id = azurerm_key_vault.example.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+    "sign",
+    "unwrapKey",
+    "verify",
+    "wrapKey",
+  ]
+
+  depends_on = [azurerm_key_vault.example, azurerm_key_vault_access_policy.example]
+}
+
+resource "azurerm_machine_learning_workspace" "example" {
+  name                    = "example-workspace"
+  location                = azurerm_resource_group.example.location
+  resource_group_name     = azurerm_resource_group.example.name
+  application_insights_id = azurerm_application_insights.example.id
+  key_vault_id            = azurerm_key_vault.example.id
+  storage_account_id      = azurerm_storage_account.example.id
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  encryption {
+    key_vault_id = azurerm_key_vault.example.id
+    key_id       = azurerm_key_vault_key.example.id
+  }
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -108,6 +201,14 @@ An `identity` block supports the following:
 
 * `type` - (Required) The Type of Identity which should be used for this Disk Encryption Set. At this time the only possible value is `SystemAssigned`.
 
+---
+
+An `encryption` block supports the following:
+
+* `key_vault_id` - (Required) The ID of the keyVault where the customer owned encryption key is present.
+
+* `key_id` - (Required) The Key Vault URI to access the encryption key.
+
 ## Attributes Reference
 
 The following attributes are exported: