From 4c1fa50970faabf57aefe1fa6cff9e2d5fa4da99 Mon Sep 17 00:00:00 2001
From: Steph <steph@hashicorp.com>
Date: Tue, 11 Apr 2023 19:11:50 +0200
Subject: [PATCH 1/2] set value of host encryption on node pool when resizing

---
 ...ubernetes_cluster_scaling_resource_test.go | 39 ++++++++++++++++++-
 .../containers/kubernetes_nodepool.go         |  1 +
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
index aa7e749b3819..a852dfd5396a 100644
--- a/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
+++ b/internal/services/containers/kubernetes_cluster_scaling_resource_test.go
@@ -21,7 +21,7 @@ func TestAccKubernetesCluster_updateVmSize(t *testing.T) {
 
 	data.ResourceTest(t, r, []acceptance.TestStep{
 		{
-			Config: r.basic(data),
+			Config: r.withHostEncryption(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
 			),
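Review bot: The Check on this step only asserts that the cluster exists, so it would still pass if the resize path recreated the default node pool without encryption at host — which is the very regression this patch fixes. Adding `check.That(data.ResourceName).Key("default_node_pool.0.enable_host_encryption").HasValue("true"),` to the Check (and to the later steps that perform the vm_size change) would make the test fail on a silent loss of the setting rather than only on an API error. The remaining steps of TestAccKubernetesCluster_updateVmSize are outside this hunk, so I cannot tell whether they already carry such a check. Note also that this test now depends on the `Microsoft.ContainerService/EnableEncryptionAtHostPreview` feature being registered on the test subscription (per the docs change in the second patch).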
@@ -422,6 +422,42 @@ resource "azurerm_kubernetes_cluster" "test" {
 `, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
 }
 
+func (KubernetesClusterResource) withHostEncryption(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-aks-%d"
+  location = "%s"
+}
+
+resource "azurerm_kubernetes_cluster" "test" {
+  name                = "acctestaks%d"
+  location            = azurerm_resource_group.test.location
+  resource_group_name = azurerm_resource_group.test.name
+  dns_prefix          = "acctestaks%d"
+
+  default_node_pool {
+    name                   = "default"
+    node_count             = 1
+    vm_size                = "Standard_DS2_v2"
+    enable_host_encryption = true
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  network_profile {
+    network_plugin    = "kubenet"
+    load_balancer_sku = "standard"
+  }
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
+}
+
 func (KubernetesClusterResource) basicWithTempName(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 provider "azurerm" {
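Review bot: withHostEncryption has no doc comment and, judging by its body, looks like a copy of the basic cluster configuration with a single extra line, so the intent and the subscription prerequisite should be stated on it rather than left for the reader to diff. I would add `// withHostEncryption returns the basic cluster config with encryption at host enabled on the default node pool.` followed by `// Requires the Microsoft.ContainerService/EnableEncryptionAtHostPreview feature to be registered on the test subscription.` above the function. If `basic` is indeed identical apart from `enable_host_encryption`, consider building both from one template with a boolean argument so the two configs cannot drift apart.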
@@ -480,6 +516,7 @@ resource "azurerm_kubernetes_cluster" "test" {
     temporary_name_for_rotation = "temp"
     node_count                  = 1
     vm_size                     = "%s"
+    enable_host_encryption      = true
   }
 
   identity {
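Review bot: basicWithTempName now unconditionally sets `enable_host_encryption = true`, so every test that uses this helper (not only the vm_size resize test) now requires the preview feature to be registered and will fail on subscriptions where it is not; the helper's name no longer signals that. Either parameterize it, e.g. `func (KubernetesClusterResource) basicWithTempName(data acceptance.TestData, vmSize string, hostEncryption bool) string`, or add a comment on the function stating that host encryption is enabled so the rotation path exercises it. The enclosing function starts outside this hunk, so I cannot see its current signature or other callers.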
diff --git a/internal/services/containers/kubernetes_nodepool.go b/internal/services/containers/kubernetes_nodepool.go
index 79fd288105b4..8ff3922733f2 100644
--- a/internal/services/containers/kubernetes_nodepool.go
+++ b/internal/services/containers/kubernetes_nodepool.go
@@ -671,6 +671,7 @@ func ConvertDefaultNodePoolToAgentPool(input *[]managedclusters.ManagedClusterAg
 			MinCount:                  defaultCluster.MinCount,
 			EnableAutoScaling:         defaultCluster.EnableAutoScaling,
 			EnableCustomCATrust:       defaultCluster.EnableCustomCATrust,
+			EnableEncryptionAtHost:    defaultCluster.EnableEncryptionAtHost,
 			EnableFIPS:                defaultCluster.EnableFIPS,
 			OrchestratorVersion:       defaultCluster.OrchestratorVersion,
 			ProximityPlacementGroupID: defaultCluster.ProximityPlacementGroupID,
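Review bot: The added `EnableEncryptionAtHost` copy closes a gap where the agent pool built from the default node pool dropped a security property, meaning a node-pool rotation could silently produce nodes without encryption at host while the configuration still said `enable_host_encryption = true`. Because ConvertDefaultNodePoolToAgentPool is a field-by-field mapping, the same class of bug will recur for any other field that is not mirrored here; a unit test that constructs a fully populated ManagedClusterAgentPoolProfile, converts it, and compares each field against the result would catch that, as would a short comment such as `// Every field of the default node pool must be carried over here; a missing field is silently reset when the pool is rotated.`. The function begins and continues outside this hunk, so I cannot verify whether any other fields are currently missing.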

From 8eeaf24a34dc7aec38845ad99257aef8a92666df Mon Sep 17 00:00:00 2001
From: Steph <steph@hashicorp.com>
Date: Wed, 12 Apr 2023 09:42:20 +0200
Subject: [PATCH 2/2] add preview note for enable_host_encryption

---
 website/docs/r/kubernetes_cluster.html.markdown | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/website/docs/r/kubernetes_cluster.html.markdown b/website/docs/r/kubernetes_cluster.html.markdown
index 440a23423f03..802e22ca6344 100644
--- a/website/docs/r/kubernetes_cluster.html.markdown
+++ b/website/docs/r/kubernetes_cluster.html.markdown
@@ -374,6 +374,8 @@ A `default_node_pool` block supports the following:
 
 * `enable_host_encryption` - (Optional) Should the nodes in the Default Node Pool have host encryption enabled? Changing this forces a new resource to be created.
 
+-> **Note:** This requires that the Preview Feature `Microsoft.ContainerService/EnableEncryptionAtHostPreview` is enabled and the Resource Provider is re-registered.
+
 * `enable_node_public_ip` - (Optional) Should nodes in this Node Pool have a Public IP Address? Changing this forces a new resource to be created.
 
 * `host_group_id` - (Optional) Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.