From 49ec15f89b17c12825061200fd36abc05b2f9463 Mon Sep 17 00:00:00 2001
From: kbudzyk
Date: Fri, 20 Mar 2020 22:25:05 +0000
Subject: [PATCH 1/3] remove ForceNew from disk_encryption_set_id schema

---
 azurerm/internal/services/compute/resource_arm_managed_disk.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/azurerm/internal/services/compute/resource_arm_managed_disk.go b/azurerm/internal/services/compute/resource_arm_managed_disk.go
index 7e212c7c8f10..abac41ced559 100644
--- a/azurerm/internal/services/compute/resource_arm_managed_disk.go
+++ b/azurerm/internal/services/compute/resource_arm_managed_disk.go
@@ -134,9 +134,6 @@ func resourceArmManagedDisk() *schema.Resource {
 "disk_encryption_set_id": {
 Type: schema.TypeString,
 Optional: true,
- // Support for rotating the Disk Encryption Set is (apparently) coming a few months following GA
- // Code="PropertyChangeNotAllowed" Message="Changing property 'encryption.diskEncryptionSetId' is not allowed."
- ForceNew: true,
 // TODO: make this case-sensitive once this bug in the Azure API has been fixed:
 // https://github.com/Azure/azure-rest-api-specs/issues/8132
 DiffSuppressFunc: suppress.CaseDifference,
From 2bdf3c9335c8fa34b2ecc893658a4d4448a5fa84 Mon Sep 17 00:00:00 2001
From: kbudzyk
Date: Fri, 20 Mar 2020 23:17:40 +0000
Subject: [PATCH 2/3] implement disk_encryption_set_id modification for resourceArmManagedDiskUpdate

---
 .../services/compute/resource_arm_managed_disk.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/azurerm/internal/services/compute/resource_arm_managed_disk.go b/azurerm/internal/services/compute/resource_arm_managed_disk.go
index abac41ced559..a3a7f25c90b7 100644
--- a/azurerm/internal/services/compute/resource_arm_managed_disk.go
+++ b/azurerm/internal/services/compute/resource_arm_managed_disk.go
@@ -361,6 +361,17 @@ func resourceArmManagedDiskUpdate(d *schema.ResourceData, meta interface{}) erro
 }
 }
 
+ if d.HasChange("disk_encryption_set_id") {
+ if diskEncryptionSetId := d.Get("disk_encryption_set_id").(string); diskEncryptionSetId != "" {
+ diskUpdate.Encryption = &compute.Encryption{
+ Type: compute.EncryptionAtRestWithCustomerKey,
+ DiskEncryptionSetID: utils.String(diskEncryptionSetId),
+ }
+ } else {
+ return fmt.Errorf("Once a customer-managed key is used, you can’t change the selection back to a platform-managed key")
+ }
+ }
+
 // if we are attached to a VM we bring down the VM as necessary for the operations which are not allowed while it's online
 if disk.ManagedBy != nil {
 virtualMachine, err := ParseVirtualMachineID(*disk.ManagedBy)
From 3be60e58c483ef7194d5ff6a48da13ce0b8ff55a Mon Sep 17 00:00:00 2001
From: kbudzyk
Date: Sat, 21 Mar 2020 03:01:34 +0000
Subject: [PATCH 3/3] add test for disk_encryption_set_id modification, update docs

---
 .../tests/resource_arm_managed_disk_test.go | 47 +++++++++++++++++--
 website/docs/r/managed_disk.html.markdown | 2 +-
 2 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go b/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go
index 9bad68ae1311..f4320ecb73c5 100644
--- a/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go
+++ b/azurerm/internal/services/compute/tests/resource_arm_managed_disk_test.go
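Review bot: The rejection of clearing `disk_encryption_set_id` in the new `else` branch only fires at apply time, after a plan showing the change has already been accepted; a `CustomizeDiff` on the resource that rejects the non-empty → empty transition would surface the same refusal during plan instead. The error text also departs from Go conventions (capitalised, non-ASCII apostrophe), e.g. `return fmt.Errorf("once a customer-managed key is used, it cannot be changed back to a platform-managed key")`. The context that follows shuts down an attached VM for operations that are not allowed while it is online; whether an encryption-set change is one of them is decided outside this hunk and is worth confirming, since a rejected in-place update would leave the disk's encryption state out of step with configuration. resourceArmManagedDiskUpdate starts and ends outside the hunk.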
@@ -324,7 +324,41 @@ func TestAccAzureRMManagedDisk_diskEncryptionSet(t *testing.T) {
 ),
 },
 {
- Config: testAccAzureRMManagedDisk_diskEncryptionSet(data),
+ Config: testAccAzureRMManagedDisk_diskEncryptionSet(data, true),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMManagedDiskExists(data.ResourceName, &d, true),
+ ),
+ },
+ data.ImportStep(),
+ },
+ })
+}
+
+func TestAccAzureRMManagedDisk_diskEncryptionSet_update(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_managed_disk", "test")
+ var d compute.Disk
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acceptance.PreCheck(t) },
+ Providers: acceptance.SupportedProviders,
+ CheckDestroy: testCheckAzureRMManagedDiskDestroy,
+ Steps: []resource.TestStep{
+ {
+ // TODO: After applying soft-delete and purge-protection in keyVault, this extra step can be removed.
+ Config: testAccAzureRMManagedDisk_diskEncryptionSetDependencies(data),
+ Check: resource.ComposeTestCheckFunc(
+ enableSoftDeleteAndPurgeProtectionForKeyVault("azurerm_key_vault.test"),
+ ),
+ },
+ {
+ Config: testAccAzureRMManagedDisk_diskEncryptionSet(data, false),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMManagedDiskExists(data.ResourceName, &d, true),
+ ),
+ },
+ data.ImportStep(),
+ {
+ Config: testAccAzureRMManagedDisk_diskEncryptionSet(data, true),
 Check: resource.ComposeTestCheckFunc(
 testCheckAzureRMManagedDiskExists(data.ResourceName, &d, true),
 ),
@@ -947,8 +981,13 @@ resource "azurerm_key_vault_key" "test" {
 `, data.RandomInteger, location, data.RandomString)
 }
 
-func testAccAzureRMManagedDisk_diskEncryptionSet(data acceptance.TestData) string {
+func testAccAzureRMManagedDisk_diskEncryptionSet(data acceptance.TestData, complete bool) string {
 template := testAccAzureRMManagedDisk_diskEncryptionSetDependencies(data)
+ diskEncryptionSetLine := ""
+ if complete {
+ diskEncryptionSetLine = "disk_encryption_set_id = azurerm_disk_encryption_set.test.id"
+ }
+
 return fmt.Sprintf(`
 %s
 
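Review bot: The new TestAccAzureRMManagedDisk_diskEncryptionSet_update only exercises the platform-managed → customer-managed direction (`complete` false, then true); the error branch the update function gains for the reverse direction has no test at all. A final step that goes back to `testAccAzureRMManagedDisk_diskEncryptionSet(data, false)` with an `ExpectError` would pin that refusal, and would also catch a regression where the provider silently accepts the downgrade (`regexp` needs importing if the test file does not already). The hunk starts inside the earlier TestAccAzureRMManagedDisk_diskEncryptionSet and the new test's closing lines are outside it.
```go
// … unchanged: dependencies step, (data, false) step, ImportStep, (data, true) step …
{
	Config:      testAccAzureRMManagedDisk_diskEncryptionSet(data, false),
	ExpectError: regexp.MustCompile("platform-managed key"),
},
```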
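Review bot: `complete bool` in the new testAccAzureRMManagedDisk_diskEncryptionSet signature says nothing about what it toggles; since its only effect is whether the `disk_encryption_set_id` line is emitted, a name such as `withDiskEncryptionSet` (and a matching rename of `diskEncryptionSetLine`) reads better at the `true`/`false` call sites in the test above. The same value feeds the `%s` substitution in the following hunk at @@ -989, where an empty string leaves a blank line in the generated HCL — harmless, but worth a short comment on the `if complete {` line, e.g. `// omit the attribute entirely so the disk starts on a platform-managed key`. The function body continues into the next hunk.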
@@ -989,14 +1028,14 @@ resource "azurerm_managed_disk" "test" {
 storage_account_type = "Standard_LRS"
 create_option = "Empty"
 disk_size_gb = 1
- disk_encryption_set_id = azurerm_disk_encryption_set.test.id
+ %s
 
 depends_on = [
 "azurerm_role_assignment.disk-encryption-read-keyvault",
 "azurerm_key_vault_access_policy.disk-encryption",
 ]
 }
-`, template, data.RandomInteger, data.RandomInteger)
+`, template, data.RandomInteger, data.RandomInteger, diskEncryptionSetLine)
 }
 
 func testAccAzureRMManagedDisk_managedDiskAttached(data acceptance.TestData, diskSize int) string {
diff --git a/website/docs/r/managed_disk.html.markdown b/website/docs/r/managed_disk.html.markdown
index 177b37a5849c..f74382342930 100644
--- a/website/docs/r/managed_disk.html.markdown
+++ b/website/docs/r/managed_disk.html.markdown
@@ -91,7 +91,7 @@ The following arguments are supported:
 
 ---
 
-* `disk_encryption_set_id` - (Optional) The ID of a Disk Encryption Set which should be used to encrypt this Managed Disk. Changing this forces a new resource to be created.
+* `disk_encryption_set_id` - (Optional) The ID of a Disk Encryption Set which should be used to encrypt this Managed Disk.
 
 -> **NOTE:** The Disk Encryption Set must have the `Reader` Role Assignment scoped on the Key Vault - in addition to an Access Policy to the Key Vault
 