diff --git a/internal/services/recoveryservices/recovery_services_vault_resource.go b/internal/services/recoveryservices/recovery_services_vault_resource.go
index 8938f9d1b2fc..ec9f289fa9b9 100644
--- a/internal/services/recoveryservices/recovery_services_vault_resource.go
+++ b/internal/services/recoveryservices/recovery_services_vault_resource.go
@@ -277,8 +277,12 @@ func resourceRecoveryServicesVaultCreate(d *pluginsdk.ResourceData, meta interfa
 	// `encryption` needs to be set before `cross_region_restore_enabled` is set. Or the service will return an error. "If CRR is enabled for the Vault, the storage state will be locked and it will interfere with further operations"
 	// recovery vault's encryption config cannot be set while creation, so a standalone update is required.
 	if _, ok := d.GetOk("encryption"); ok {
+		encryption, err := expandEncryption(d)
+		if err != nil {
+			return err
+		}
 		requireAdditionalUpdate = true
-		updatePatch.Properties.Encryption = expandEncryption(d)
+		updatePatch.Properties.Encryption = encryption
 	}
 
 	if requireAdditionalUpdate {
@@ -414,7 +418,10 @@ func resourceRecoveryServicesVaultUpdate(d *pluginsdk.ResourceData, meta interfa
 		VaultName: id.VaultName,
 	}
 
-	encryption := expandEncryption(d)
+	encryption, err := expandEncryption(d)
+	if err != nil {
+		return err
+	}
 	existing, err := client.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("checking for presence of existing Recovery Service %s: %+v", id.String(), err)
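Review bot: The new `use_system_assigned_identity` / `user_assigned_identity_id` conflict is only detected at apply time, and in resourceRecoveryServicesVaultCreate the check runs inside the `if _, ok := d.GetOk("encryption")` branch that the comment above it says is a standalone update after creation, so a user with the conflicting (default-true) combination gets the error only after the vault already exists in Azure. Whether the resource ID has been stored by then is outside the hunk, so the result may be an orphaned vault or an "already exists" failure on the next apply. Because the conflict depends only on the configuration, consider also enforcing it at plan time, e.g. in a `CustomizeDiff` on the resource schema, and keep the expandEncryption error as a backstop. The same apply-time-only behaviour applies to the resourceRecoveryServicesVaultUpdate hunk below, where `encryption, err := expandEncryption(d)` now returns before `client.Get`. Both enclosing functions start and end outside these hunks.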
@@ -800,14 +807,14 @@ func validateIdentityUpdate(origin identity.SystemAndUserAssignedMap, target ide
 	return true
 }
 
-func expandEncryption(d *pluginsdk.ResourceData) *vaults.VaultPropertiesEncryption {
+func expandEncryption(d *pluginsdk.ResourceData) (*vaults.VaultPropertiesEncryption, error) {
 	encryptionRaw := d.Get("encryption")
 	if encryptionRaw == nil {
-		return nil
+		return nil, nil
 	}
 	settings := encryptionRaw.([]interface{})
 	if len(settings) == 0 {
-		return nil
+		return nil, nil
 	}
 	encryptionMap := settings[0].(map[string]interface{})
 	keyUri := encryptionMap["key_id"].(string)
@@ -826,9 +833,12 @@ func expandEncryption(d *pluginsdk.ResourceData) *vaults.VaultPropertiesEncrypti
 		InfrastructureEncryption: &infraEncryptionState,
 	}
 	if v, ok := encryptionMap["user_assigned_identity_id"].(string); ok && v != "" {
+		if *encryption.KekIdentity.UseSystemAssignedIdentity {
+			return nil, fmt.Errorf(" `use_system_assigned_identity` must be disabled when `user_assigned_identity_id` is set.")
+		}
 		encryption.KekIdentity.UserAssignedIdentity = utils.String(v)
 	}
-	return encryption
+	return encryption, nil
 }
 
 func flattenVaultEncryption(model vaults.Vault) interface{} {
diff --git a/website/docs/r/recovery_services_vault.html.markdown b/website/docs/r/recovery_services_vault.html.markdown
index 1172703ca4fd..c82917be5aac 100644
--- a/website/docs/r/recovery_services_vault.html.markdown
+++ b/website/docs/r/recovery_services_vault.html.markdown
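Review bot: The error string added in the second hunk begins with a leading space and ends with a period, which breaks Go error-string convention and will surface in Terraform's output as a stray space; since it has no format verbs, `errors.New` (or `fmt.Errorf` without the leading space and trailing period) is the right form. The guard dereferences `*encryption.KekIdentity.UseSystemAssignedIdentity` without a nil check; the lines that build `KekIdentity` sit between the two hunks, so if that pointer can ever be nil there (for example if the attribute later loses its default) this becomes a panic rather than a validation error, and `if encryption.KekIdentity != nil && encryption.KekIdentity.UseSystemAssignedIdentity != nil && *encryption.KekIdentity.UseSystemAssignedIdentity {` keeps it safe. expandEncryption now has an error return but no doc comment; add `// expandEncryption builds the vault encryption settings from the encryption block, returning an error when user_assigned_identity_id is set while use_system_assigned_identity is true.` above the signature in the first hunk.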
@@ -86,7 +86,7 @@ An `encryption` block supports the following: * `user_assigned_identity_id` - (Optional) Specifies the user assigned identity ID to be used. -* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`. +* `use_system_assigned_identity` - (Optional) Indicate that system assigned identity should be used or not. Defaults to `true`. Must be set to `false` when `user_assigned_identity_id` is set. !> **Note:** `use_system_assigned_identity` only be able to set to `false` for **new** vaults. Any vaults containing existing items registered or attempted to be registered to it are not supported. Details can be found in [the document](https://learn.microsoft.com/en-us/azure/backup/encryption-at-rest-with-cmk?tabs=portal#before-you-start)