Microsoft.Compute diskEncryptionSets 2022-07-02

Bicep resource definition

The diskEncryptionSets resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Compute/diskEncryptionSets resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = {
  scope: resourceSymbolicName or scope
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  ___location: 'string'
  name: 'string'
  properties: {
    activeKey: {
      keyUrl: 'string'
      sourceVault: {
        id: 'string'
      }
    }
    encryptionType: 'string'
    federatedClientId: 'string'
    rotationToLatestKeyVersionEnabled: bool
  }
  tags: {
    {customized property}: 'string'
  }
}

Property Values

Microsoft.Compute/diskEncryptionSets

Name | Description | Value
identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity
___location | Resource ___location | string (required)
name | The resource name | string (required)
properties | | EncryptionSetProperties
scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource.
tags | Resource tags | Dictionary of tag names and values. See Tags in templates

EncryptionSetIdentity

Name | Description | Value
type | The type of managed identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with identity type None during migration of a subscription to a new Azure Active Directory tenant; doing so causes the encrypted resources to lose access to the keys. | 'None', 'SystemAssigned', 'SystemAssigned, UserAssigned', 'UserAssigned'
userAssignedIdentities | The list of user identities associated with the disk encryption set. The user identity dictionary keys are ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | UserAssignedIdentities

EncryptionSetProperties

Name | Description | Value
activeKey | The key vault key which is currently used by this disk encryption set. | KeyForDiskEncryptionSet
encryptionType | The type of key used to encrypt the data of the disk. | 'ConfidentialVmEncryptedWithCustomerKey', 'EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys'
federatedClientId | Multi-tenant application client id used to access a key vault in a different tenant. Setting the value to 'None' will clear the property. | string
rotationToLatestKeyVersionEnabled | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | bool

KeyForDiskEncryptionSet

Name | Description | Value
keyUrl | Fully versioned key URL pointing to a key in Key Vault. The version segment of the URL is required regardless of the rotationToLatestKeyVersionEnabled value. | string (required)
sourceVault | Resource ID of the Key Vault containing the key or secret. This property is optional and cannot be used if the Key Vault subscription is not the same as the Disk Encryption Set subscription. | SourceVault

ResourceTags

Name | Description | Value

SourceVault

Name | Description | Value
id | Resource ID | string

UserAssignedIdentities

Name | Description | Value

UserAssignedIdentitiesValue

Name | Description | Value

Usage Examples

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

Module | Description
Disk Encryption Set | AVM Resource Module for Disk Encryption Set

ARM template resource definition

The diskEncryptionSets resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Compute/diskEncryptionSets resource, add the following JSON to your template.

{
  "type": "Microsoft.Compute/diskEncryptionSets",
  "apiVersion": "2022-07-02",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "___location": "string",
  "properties": {
    "activeKey": {
      "keyUrl": "string",
      "sourceVault": {
        "id": "string"
      }
    },
    "encryptionType": "string",
    "federatedClientId": "string",
    "rotationToLatestKeyVersionEnabled": "bool"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property Values

Microsoft.Compute/diskEncryptionSets

Name | Description | Value
apiVersion | The api version | '2022-07-02'
identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity
___location | Resource ___location | string (required)
name | The resource name | string (required)
properties | | EncryptionSetProperties
tags | Resource tags | Dictionary of tag names and values. See Tags in templates
type | The resource type | 'Microsoft.Compute/diskEncryptionSets'

EncryptionSetIdentity

Name | Description | Value
type | The type of managed identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with identity type None during migration of a subscription to a new Azure Active Directory tenant; doing so causes the encrypted resources to lose access to the keys. | 'None', 'SystemAssigned', 'SystemAssigned, UserAssigned', 'UserAssigned'
userAssignedIdentities | The list of user identities associated with the disk encryption set. The user identity dictionary keys are ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | UserAssignedIdentities

EncryptionSetProperties

Name | Description | Value
activeKey | The key vault key which is currently used by this disk encryption set. | KeyForDiskEncryptionSet
encryptionType | The type of key used to encrypt the data of the disk. | 'ConfidentialVmEncryptedWithCustomerKey', 'EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys'
federatedClientId | Multi-tenant application client id used to access a key vault in a different tenant. Setting the value to 'None' will clear the property. | string
rotationToLatestKeyVersionEnabled | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | bool

KeyForDiskEncryptionSet

Name | Description | Value
keyUrl | Fully versioned key URL pointing to a key in Key Vault. The version segment of the URL is required regardless of the rotationToLatestKeyVersionEnabled value. | string (required)
sourceVault | Resource ID of the Key Vault containing the key or secret. This property is optional and cannot be used if the Key Vault subscription is not the same as the Disk Encryption Set subscription. | SourceVault

ResourceTags

Name | Description | Value

SourceVault

Name | Description | Value
id | Resource ID | string

UserAssignedIdentities

Name | Description | Value

UserAssignedIdentitiesValue

Name | Description | Value
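As an added example (not part of this page and not Microsoft code), the following Python linter checks a Microsoft.Compute/diskEncryptionSets ARM resource against the constraints the property tables state: the identity and encryptionType enumerations, the fully versioned keyUrl, and the same-subscription rule for sourceVault. The subscription IDs, vault name and key name in the sample resources are constructed placeholders.

```python
"""Lint a Microsoft.Compute/diskEncryptionSets ARM resource (added example, not Microsoft code)."""
import re
from urllib.parse import urlparse

IDENTITY_TYPES = {"None", "SystemAssigned", "SystemAssigned, UserAssigned", "UserAssigned"}
ENCRYPTION_TYPES = {"ConfidentialVmEncryptedWithCustomerKey", "EncryptionAtRestWithCustomerKey",
                    "EncryptionAtRestWithPlatformAndCustomerKeys"}
# Key Vault key path is /keys/<name>/<version>; the version segment is required
# regardless of rotationToLatestKeyVersionEnabled, so an unversioned URL fails.
KEY_PATH = re.compile(r"^/keys/[^/]+/[^/]+$")
SUB_IN_ID = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)


def lint_des(resource, subscription_id=None):
    """Return a list of findings; an empty list means the resource passes."""
    findings = []
    itype = resource.get("identity", {}).get("type")
    if itype not in IDENTITY_TYPES:
        findings.append(f"identity.type {itype!r} is not an allowed value")
    elif itype == "None":  # allowed only during tenant migration
        findings.append("identity.type 'None': encrypted resources lose access to the key")
    props = resource.get("properties", {})
    etype = props.get("encryptionType")
    if etype not in ENCRYPTION_TYPES:
        findings.append(f"encryptionType {etype!r} is not an allowed value")
    key = props.get("activeKey", {})
    url = urlparse(key.get("keyUrl", ""))
    if url.scheme != "https" or not KEY_PATH.match(url.path):
        findings.append(f"activeKey.keyUrl {key.get('keyUrl')!r} is not a fully versioned key URL")
    vault_id = key.get("sourceVault", {}).get("id", "")
    if vault_id and subscription_id:  # sourceVault cannot point across subscriptions
        m = SUB_IN_ID.match(vault_id)
        if not m or m.group(1).lower() != subscription_id.lower():
            findings.append("activeKey.sourceVault.id is not in the disk encryption set's subscription")
    return findings


# Constructed sample resources; subscription ids, vault and key names are placeholders.
SUB = "00000000-0000-0000-0000-000000000000"
VAULT = f"/subscriptions/{SUB}/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/kv-example"
GOOD = {"type": "Microsoft.Compute/diskEncryptionSets", "apiVersion": "2022-07-02",
        "name": "des-example", "___location": "westeurope", "identity": {"type": "SystemAssigned"},
        "properties": {"encryptionType": "EncryptionAtRestWithCustomerKey",
                       "rotationToLatestKeyVersionEnabled": True,
                       "activeKey": {"keyUrl": "https://kv-example.vault.azure.net/keys/des-key/"
                                               "0123456789abcdef0123456789abcdef",
                                     "sourceVault": {"id": VAULT}}}}
BAD = {"identity": {"type": "None"},  # unversioned key URL and a vault in another subscription
       "properties": {"encryptionType": "EncryptionAtRestWithCustomerKey",
                      "activeKey": {"keyUrl": "https://kv-example.vault.azure.net/keys/des-key",
                                    "sourceVault": {"id": VAULT.replace(SUB, "11111111-1111-1111-1111-111111111111")}}}}
```

Running `lint_des(GOOD, SUB)` returns an empty list, while `lint_des(BAD, SUB)` reports the 'None' identity, the unversioned keyUrl and the cross-subscription sourceVault.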

Usage Examples

Terraform (AzAPI provider) resource definition

The diskEncryptionSets resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Compute/diskEncryptionSets resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Compute/diskEncryptionSets@2022-07-02"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  ___location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      activeKey = {
        keyUrl = "string"
        sourceVault = {
          id = "string"
        }
      }
      encryptionType = "string"
      federatedClientId = "string"
      rotationToLatestKeyVersionEnabled = bool
    }
  }
}

Property Values

Microsoft.Compute/diskEncryptionSets

Name | Description | Value
identity | The managed identity for the disk encryption set. It should be given permission on the key vault before it can be used to encrypt disks. | EncryptionSetIdentity
___location | Resource ___location | string (required)
name | The resource name | string (required)
parent_id | The ID of the resource to apply this extension resource to. | string (required)
properties | | EncryptionSetProperties
tags | Resource tags | Dictionary of tag names and values.
type | The resource type | "Microsoft.Compute/diskEncryptionSets@2022-07-02"

EncryptionSetIdentity

Name | Description | Value
type | The type of managed identity used by the DiskEncryptionSet. Only SystemAssigned is supported for new creations. Disk Encryption Sets can be updated with identity type None during migration of a subscription to a new Azure Active Directory tenant; doing so causes the encrypted resources to lose access to the keys. | 'None', 'SystemAssigned', 'SystemAssigned, UserAssigned', 'UserAssigned'
userAssignedIdentities | The list of user identities associated with the disk encryption set. The user identity dictionary keys are ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | UserAssignedIdentities

EncryptionSetProperties

Name | Description | Value
activeKey | The key vault key which is currently used by this disk encryption set. | KeyForDiskEncryptionSet
encryptionType | The type of key used to encrypt the data of the disk. | 'ConfidentialVmEncryptedWithCustomerKey', 'EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys'
federatedClientId | Multi-tenant application client id used to access a key vault in a different tenant. Setting the value to 'None' will clear the property. | string
rotationToLatestKeyVersionEnabled | Set this flag to true to enable auto-updating of this disk encryption set to the latest key version. | bool

KeyForDiskEncryptionSet

Name | Description | Value
keyUrl | Fully versioned key URL pointing to a key in Key Vault. The version segment of the URL is required regardless of the rotationToLatestKeyVersionEnabled value. | string (required)
sourceVault | Resource ID of the Key Vault containing the key or secret. This property is optional and cannot be used if the Key Vault subscription is not the same as the Disk Encryption Set subscription. | SourceVault

ResourceTags

Name | Description | Value

SourceVault

Name | Description | Value
id | Resource ID | string

UserAssignedIdentities

Name | Description | Value

UserAssignedIdentitiesValue

Name | Description | Value

Usage Examples

Terraform Samples

A basic example of deploying Disk Encryption Set.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "___location" {
  type    = string
  default = "westeurope"
}

data "azurerm_client_config" "current" {
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  ___location = var.___location
}

resource "azapi_resource" "vault" {
  type      = "Microsoft.KeyVault/vaults@2023-02-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  ___location  = var.___location
  body = {
    properties = {
      sku = {
        family = "A"
        name   = "standard"
      }
      accessPolicies   = []
      enableSoftDelete = true
      tenantId         = data.azurerm_client_config.current.tenant_id
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  lifecycle {
    ignore_changes = [body.properties.accessPolicies]
  }
}

data "azapi_resource_id" "key" {
  type      = "Microsoft.KeyVault/vaults/keys@2023-02-01"
  parent_id = azapi_resource.vault.id
  name      = var.resource_name
}

resource "azapi_resource_action" "key" {
  type        = "Microsoft.KeyVault/vaults/keys@2023-02-01"
  resource_id = data.azapi_resource_id.key.id
  method      = "PUT"
  body = {
    properties = {
      keySize = 2048
      kty     = "RSA"
      keyOps  = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
    }
  }
  response_export_values = ["*"]
}

resource "azapi_resource" "diskEncryptionSet" {
  type      = "Microsoft.Compute/diskEncryptionSets@2022-03-02"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  ___location  = var.___location
  identity {
    type         = "SystemAssigned"
    identity_ids = []
  }
  body = {
    properties = {
      activeKey = {
        keyUrl = azapi_resource_action.key.output.properties.keyUriWithVersion
        sourceVault = {
          id = azapi_resource.vault.id
        }
      }
      encryptionType                    = "EncryptionAtRestWithCustomerKey"
      rotationToLatestKeyVersionEnabled = false
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

Module | Description
Disk Encryption Set | AVM Resource Module for Disk Encryption Set