hashicorp · stephybun · Oct 20, 2021 · Oct 15, 2021 · Oct 15, 2021 · Oct 16, 2021
@@ -31,6 +31,11 @@ func dataSourceDiskEncryptionSet() *pluginsdk.Resource {
 			"location": azure.SchemaLocationForDataSource(),
 
 			"resource_group_name": azure.SchemaResourceGroupNameForDataSource(),
+
+			"auto_key_rotation_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Computed: true,  
+			},
 
 			"tags": tags.SchemaDataSource(),
 		},
@@ -61,5 +66,9 @@ func dataSourceDiskEncryptionSetRead(d *pluginsdk.ResourceData, meta interface{}
 		d.Set("location", azure.NormalizeLocation(*location))
 	}
 
+	if props := resp.Properties; props != nil {
+		d.Set("auto_key_rotation_enabled", props.rotationToLatestKeyVersionEnabled)
+	}
+
 	return tags.FlattenAndSet(d, resp.Tags)
 }
@@ -27,6 +27,30 @@ func TestAccDataSourceDiskEncryptionSet_basic(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceDiskEncryptionSet_update(t *testing.T) {
+	data := acceptance.BuildTestData(t, "data.azurerm_disk_encryption_set", "test")
+	r := DiskEncryptionSetDataSource{}
+	data.DataSourceTest(t, []acceptance.TestStep{
+		{
+			Config: r.update(data),
+		},
+		{
+			Config: r.update(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("location").Exists(),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("true"),
+			),
+		},
+		{
+			Config: r.update(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).Key("location").Exists(),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("false"),
+			),
+		},
+	})
+}
+
 func (DiskEncryptionSetDataSource) basic(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 %s
@@ -37,3 +61,14 @@ data "azurerm_disk_encryption_set" "test" {
 }
 `, DiskEncryptionSetResource{}.basic(data))
 }
+
+func (DiskEncryptionSetDataSource) update(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+%s
+
+data "azurerm_disk_encryption_set" "test" {
+  name                = azurerm_disk_encryption_set.test.name
+  resource_group_name = azurerm_disk_encryption_set.test.resource_group_name
+}
+`, DiskEncryptionSetResource{}.update(data))
+}
@@ -60,6 +60,11 @@ func resourceDiskEncryptionSet() *pluginsdk.Resource {
 				ValidateFunc: keyVaultValidate.NestedItemId,
 			},
 
+			"auto_key_rotation_enabled": {
+				Type:     pluginsdk.TypeBool,
+				Optional: true,
+			},
+
 			"identity": {
 				Type: pluginsdk.TypeList,
 				// whilst the API Documentation shows optional - attempting to send nothing returns:
@@ -126,6 +131,7 @@ func resourceDiskEncryptionSetCreate(d *pluginsdk.ResourceData, meta interface{}
 	}
 
 	location := azure.NormalizeLocation(d.Get("location").(string))
+	rotationToLatestKeyVersionEnabled := d.Get("auto_key_rotation_enabled").(bool)
 	identityRaw := d.Get("identity").([]interface{})
 	t := d.Get("tags").(map[string]interface{})
 
@@ -197,6 +203,8 @@ func resourceDiskEncryptionSetRead(d *pluginsdk.ResourceData, meta interface{})
 		d.Set("key_vault_key_id", keyVaultKeyId)
 	}
 
+	d.Set("auto_key_rotation_enabled", props.rotationToLatestKeyVersionEnabled)
+
 	if err := d.Set("identity", flattenDiskEncryptionSetIdentity(resp.Identity)); err != nil {
 		return fmt.Errorf("setting `identity`: %+v", err)
 	}
@@ -243,6 +251,14 @@ func resourceDiskEncryptionSetUpdate(d *pluginsdk.ResourceData, meta interface{}
 		}
 	}
 
+	if d.HasChange("auto_key_rotation_enabled") {
+		if update.DiskEncryptionSetUpdateProperties == nil {
+			update.DiskEncryptionSetUpdateProperties = &compute.DiskEncryptionSetUpdateProperties{}
+		}
+
+		update.DiskEncryptionSetUpdateProperties.rotationToLatestKeyVersionEnabled = utils.Bool(d.Get("auto_key_rotation_enabled").(bool))
+	}
+
 	future, err := client.Update(ctx, id.ResourceGroup, id.Name, update)
 	if err != nil {
 		return fmt.Errorf("updating Disk Encryption Set %q (Resource Group %q): %+v", id.Name, id.ResourceGroup, err)

@@ -55,6 +55,15 @@ func TestAccDiskEncryptionSet_complete(t *testing.T) {
 			Config: r.complete(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("true"),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.complete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("false"),
 			),
 		},
 		data.ImportStep(),
@@ -77,6 +86,15 @@ func TestAccDiskEncryptionSet_update(t *testing.T) {
 			Config: r.complete(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("true"),
+			),
+		},
+		data.ImportStep(),
+		{
+			Config: r.complete(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("false"),
 			),
 		},
 		data.ImportStep(),
@@ -108,6 +126,7 @@ func TestAccDiskEncryptionSet_keyRotate(t *testing.T) {
 			Config: r.keyRotate(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("auto_key_rotation_enabled").HasValue("true"),
 			),
 		},
 		data.ImportStep(),
@@ -240,6 +259,7 @@ resource "azurerm_disk_encryption_set" "test" {
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
   key_vault_key_id    = azurerm_key_vault_key.test.id
+  auto_key_rotation_enabled = true
 
   identity {
     type = "SystemAssigned"
@@ -322,6 +342,7 @@ resource "azurerm_disk_encryption_set" "test" {
   resource_group_name = azurerm_resource_group.test.name
   location            = azurerm_resource_group.test.location
   key_vault_key_id    = azurerm_key_vault_key.new.id
+  auto_key_rotation_enabled = true
 
   identity {
     type = "SystemAssigned"

@@ -26,6 +26,8 @@ The following attributes are exported:
 
 * `location` - The location where the Disk Encryption Set exists.
 
+* `auto_key_rotation_enabled` - Is the Azure Disk Encryption Set Key automatically rotated to latest version?
+
 * `tags` - A mapping of tags assigned to the Disk Encryption Set.
 
 ## Timeouts

@@ -105,6 +105,8 @@ The following arguments are supported:
 
 -> **NOTE** Access to the KeyVault must be granted for this Disk Encryption Set, if you want to further use this Disk Encryption Set in a Managed Disk or Virtual Machine, or Virtual Machine Scale Set. For instructions, please refer to the doc of [Server side encryption of Azure managed disks](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption).
 
+* `auto_key_rotation_enabled` - (Optional) Boolean flag to specify whether Azure Disk Encryption Set automatically rotates encryption Key to latest version. Defaults to `false`.
+
 * `identity` - (Required) A `identity` block defined below.
 
 * `tags` - (Optional) A mapping of tags to assign to the Disk Encryption Set.