Merge pull request #13747 from Tbohunek/desautorotate

`azurerm_disk_encryption_set` support for `enable_auto_key_rotation`

Author: stephybun

internal/services/compute/disk_encryption_set_data_source.go

@@ -32,6 +32,11 @@ func dataSourceDiskEncryptionSet() *pluginsdk.Resource {
 
 			"resource_group_name": azure.SchemaResourceGroupNameForDataSource(),
 
+			"auto_key_rotation_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Computed: true,
+			},
+
 			"tags": tags.SchemaDataSource(),
 		},
 	}
@@ -61,5 +66,9 @@ func dataSourceDiskEncryptionSetRead(d *pluginsdk.ResourceData, meta interface{}
 		d.Set("location", azure.NormalizeLocation(*location))
 	}
 
+	if props := resp.EncryptionSetProperties; props != nil {
+		d.Set("auto_key_rotation_enabled", props.RotationToLatestKeyVersionEnabled)
+	}
+
 	return tags.FlattenAndSet(d, resp.Tags)
 }

internal/services/compute/disk_encryption_set_data_source_test.go

@@ -17,11 +17,26 @@ func TestAccDataSourceDiskEncryptionSet_basic(t *testing.T) {
 	data.DataSourceTest(t, []acceptance.TestStep{
 		{
 			Config: r.basic(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("location").Exists(),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("false"),
+			),
 		},
+	})
+}
+
+func TestAccDataSourceDiskEncryptionSet_update(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_disk_encryption_set", "test")
+	r := DiskEncryptionSetDataSource{}
+	data.DataSourceTest(t, []acceptance.TestStep{
 		{
 			Config: r.basic(data),
+		},
+		{
+			Config: r.complete(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).Key("location").Exists(),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("true"),
 			),
 		},
 	})
@@ -37,3 +52,14 @@ data "azurerm_disk_encryption_set" "test" {
 }
 `, DiskEncryptionSetResource{}.basic(data))
 }
+
+func (DiskEncryptionSetDataSource) complete(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+data "azurerm_disk_encryption_set" "test" {
+  name                = azurerm_disk_encryption_set.test.name
+  resource_group_name = azurerm_disk_encryption_set.test.resource_group_name
+}
+`, DiskEncryptionSetResource{}.complete(data))
+}

internal/services/compute/disk_encryption_set_resource.go

@@ -60,6 +60,11 @@ func resourceDiskEncryptionSet() *pluginsdk.Resource {
 				ValidateFunc: keyVaultValidate.NestedItemId,
 			},
 
+			"auto_key_rotation_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+			},
+
 			"identity": {
 				Type: pluginsdk.TypeList,
 				// whilst the API Documentation shows optional - attempting to send nothing returns:
@@ -126,6 +131,7 @@ func resourceDiskEncryptionSetCreate(d *pluginsdk.ResourceData, meta interface{}
 	}
 
 	location := azure.NormalizeLocation(d.Get("location").(string))
+	rotationToLatestKeyVersionEnabled := d.Get("auto_key_rotation_enabled").(bool)
 	identityRaw := d.Get("identity").([]interface{})
 	t := d.Get("tags").(map[string]interface{})
 
@@ -138,6 +144,7 @@ func resourceDiskEncryptionSetCreate(d *pluginsdk.ResourceData, meta interface{}
 					ID: utils.String(keyVaultDetails.keyVaultId),
 				},
 			},
+			RotationToLatestKeyVersionEnabled: utils.Bool(rotationToLatestKeyVersionEnabled),
 		},
 		Identity: expandDiskEncryptionSetIdentity(identityRaw),
 		Tags:     tags.Expand(t),
@@ -195,6 +202,7 @@ func resourceDiskEncryptionSetRead(d *pluginsdk.ResourceData, meta interface{})
 			keyVaultKeyId = *props.ActiveKey.KeyURL
 		}
 		d.Set("key_vault_key_id", keyVaultKeyId)
+		d.Set("auto_key_rotation_enabled", props.RotationToLatestKeyVersionEnabled)
 	}
 
 	if err := d.Set("identity", flattenDiskEncryptionSetIdentity(resp.Identity)); err != nil {
@@ -243,6 +251,14 @@ func resourceDiskEncryptionSetUpdate(d *pluginsdk.ResourceData, meta interface{}
 		}
 	}
 
+	if d.HasChange("auto_key_rotation_enabled") {
+		if update.DiskEncryptionSetUpdateProperties == nil {
+			update.DiskEncryptionSetUpdateProperties = &compute.DiskEncryptionSetUpdateProperties{}
+		}
+
+		update.DiskEncryptionSetUpdateProperties.RotationToLatestKeyVersionEnabled = utils.Bool(d.Get("auto_key_rotation_enabled").(bool))
+	}
+
 	future, err := client.Update(ctx, id.ResourceGroup, id.Name, update)
 	if err != nil {
 		return fmt.Errorf("updating Disk Encryption Set %q (Resource Group %q): %+v", id.Name, id.ResourceGroup, err)

internal/services/compute/disk_encryption_set_resource_test.go

@@ -94,16 +94,6 @@ func TestAccDiskEncryptionSet_keyRotate(t *testing.T) {
 				check.That(data.ResourceName).ExistsInAzure(r),
 			),
 		},
-		data.ImportStep(),
-		// we have to first grant the permission for DiskEncryptionSet to access the KeyVault
-		{
-			Config: r.grantAccessToKeyVault(data),
-			Check: acceptance.ComposeTestCheckFunc(
-				check.That(data.ResourceName).ExistsInAzure(r),
-			),
-		},
-		data.ImportStep(),
-		// after the access is granted, we can rotate the key in DiskEncryptionSet
 		{
 			Config: r.keyRotate(data),
 			Check: acceptance.ComposeTestCheckFunc(
@@ -194,6 +184,20 @@ resource "azurerm_key_vault_key" "test" {
 
   depends_on = ["azurerm_key_vault_access_policy.service-principal"]
 }
+
+resource "azurerm_key_vault_access_policy" "disk-encryption" {
+  key_vault_id = azurerm_key_vault.test.id
+
+  key_permissions = [
+    "Get",
+    "WrapKey",
+    "UnwrapKey",
+  ]
+
+  tenant_id = azurerm_disk_encryption_set.test.identity.0.tenant_id
+  object_id = azurerm_disk_encryption_set.test.identity.0.principal_id
+}
+
 `, data.RandomInteger, data.Locations.Primary, data.RandomString)
 }
 
@@ -236,10 +240,11 @@ func (r DiskEncryptionSetResource) complete(data acceptance.TestData) string {
 %s
 
 resource "azurerm_disk_encryption_set" "test" {
-  name                = "acctestDES-%d"
-  resource_group_name = azurerm_resource_group.test.name
-  location            = azurerm_resource_group.test.location
-  key_vault_key_id    = azurerm_key_vault_key.test.id
+  name                      = "acctestDES-%d"
+  resource_group_name       = azurerm_resource_group.test.name
+  location                  = azurerm_resource_group.test.location
+  key_vault_key_id          = azurerm_key_vault_key.test.id
+  auto_key_rotation_enabled = true
 
   identity {
     type = "SystemAssigned"
@@ -252,36 +257,6 @@ resource "azurerm_disk_encryption_set" "test" {
 `, r.dependencies(data), data.RandomInteger)
 }
 
-func (r DiskEncryptionSetResource) grantAccessToKeyVault(data acceptance.TestData) string {
-	return fmt.Sprintf(`
-%s
-
-resource "azurerm_key_vault_access_policy" "disk-encryption" {
-  key_vault_id = azurerm_key_vault.test.id
-
-  key_permissions = [
-    "Get",
-    "WrapKey",
-    "UnwrapKey",
-  ]
-
-  tenant_id = azurerm_disk_encryption_set.test.identity.0.tenant_id
-  object_id = azurerm_disk_encryption_set.test.identity.0.principal_id
-}
-
-resource "azurerm_disk_encryption_set" "test" {
-  name                = "acctestDES-%d"
-  resource_group_name = azurerm_resource_group.test.name
-  location            = azurerm_resource_group.test.location
-  key_vault_key_id    = azurerm_key_vault_key.test.id
-
-  identity {
-    type = "SystemAssigned"
-  }
-}
-`, r.dependencies(data), data.RandomInteger)
-}
-
 func (r DiskEncryptionSetResource) keyRotate(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
@@ -304,24 +279,12 @@ resource "azurerm_key_vault_key" "new" {
   depends_on = ["azurerm_key_vault_access_policy.service-principal"]
 }
 
-resource "azurerm_key_vault_access_policy" "disk-encryption" {
-  key_vault_id = azurerm_key_vault.test.id
-
-  key_permissions = [
-    "Get",
-    "WrapKey",
-    "UnwrapKey",
-  ]
-
-  tenant_id = azurerm_disk_encryption_set.test.identity.0.tenant_id
-  object_id = azurerm_disk_encryption_set.test.identity.0.principal_id
-}
-
 resource "azurerm_disk_encryption_set" "test" {
-  name                = "acctestDES-%d"
-  resource_group_name = azurerm_resource_group.test.name
-  location            = azurerm_resource_group.test.location
-  key_vault_key_id    = azurerm_key_vault_key.new.id
+  name                      = "acctestDES-%d"
+  resource_group_name       = azurerm_resource_group.test.name
+  location                  = azurerm_resource_group.test.location
+  key_vault_key_id          = azurerm_key_vault_key.new.id
+  auto_key_rotation_enabled = true
 
   identity {
     type = "SystemAssigned"

website/docs/d/disk_encryption_set.html.markdown

@@ -26,6 +26,8 @@ The following attributes are exported:
 
 * `location` - The location where the Disk Encryption Set exists.
 
+* `auto_key_rotation_enabled` - Is the Azure Disk Encryption Set Key automatically rotated to latest version?
+
 * `tags` - A mapping of tags assigned to the Disk Encryption Set.
 
 ## Timeouts

website/docs/r/disk_encryption_set.html.markdown

@@ -105,6 +105,8 @@ The following arguments are supported:
 
 -> **NOTE** Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
 
+* `auto_key_rotation_enabled` - (Optional) Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version. Defaults to `false`.
+
 * `identity` - (Required) A `identity` block defined below.
 
 * `tags` - (Optional) A mapping of tags to assign to the Disk Encryption Set.