Add encryption_settings to managed disks

builtin/providers/azurerm/encryption_settings.go

@@ -2,6 +2,7 @@ package azurerm
 
 import (
 	"github.com/Azure/azure-sdk-for-go/arm/compute"
+	"github.com/Azure/azure-sdk-for-go/arm/disk"
 	"github.com/hashicorp/terraform/helper/schema"
 )
 
@@ -24,7 +25,7 @@ func encryptionSettingsSchema() *schema.Schema {
 
 				"disk_encryption_key": {
 					Type:     schema.TypeList,
-					Required: true,
+					Optional: true,
 					MaxItems: 1,
 					Elem: &schema.Resource{
 						Schema: map[string]*schema.Schema{
@@ -63,7 +64,25 @@ func encryptionSettingsSchema() *schema.Schema {
 	}
 }
 
-func flattenRmDiskEncryptionSettings(encryptionSettings *compute.DiskEncryptionSettings) map[string]interface{} {
+func flattenVmDiskEncryptionSettings(encryptionSettings *compute.DiskEncryptionSettings) map[string]interface{} {
+	return map[string]interface{}{
+		"enabled": *encryptionSettings.Enabled,
+		"disk_encryption_key": []interface{}{
+			map[string]interface{}{
+				"secret_url":      *encryptionSettings.DiskEncryptionKey.SecretURL,
+				"source_vault_id": *encryptionSettings.DiskEncryptionKey.SourceVault.ID,
+			},
+		},
+		"key_encryption_key": []interface{}{
+			map[string]interface{}{
+				"key_url":         *encryptionSettings.KeyEncryptionKey.KeyURL,
+				"source_vault_id": *encryptionSettings.KeyEncryptionKey.SourceVault.ID,
+			},
+		},
+	}
+}
+
+func flattenManagedDiskEncryptionSettings(encryptionSettings *disk.EncryptionSettings) map[string]interface{} {
 	return map[string]interface{}{
 		"enabled": *encryptionSettings.Enabled,
 		"disk_encryption_key": []interface{}{
@@ -81,7 +100,7 @@ func flattenRmDiskEncryptionSettings(encryptionSettings *compute.DiskEncryptionS
 	}
 }
 
-func expandAzureRmDiskEncryptionSettings(settings map[string]interface{}) *compute.DiskEncryptionSettings {
+func expandVmDiskEncryptionSettings(settings map[string]interface{}) *compute.DiskEncryptionSettings {
 	enabled := settings["enabled"].(bool)
 	config := &compute.DiskEncryptionSettings{
 		Enabled: &enabled,
@@ -111,3 +130,34 @@ func expandAzureRmDiskEncryptionSettings(settings map[string]interface{}) *compu
 
 	return config
 }
+
+func expandManagedDiskEncryptionSettings(settings map[string]interface{}) *disk.EncryptionSettings {
+	enabled := settings["enabled"].(bool)
+	config := &disk.EncryptionSettings{
+		Enabled: &enabled,
+	}
+
+	if v := settings["disk_encryption_key"].([]interface{}); len(v) > 0 {
+		dek := v[0].(map[string]interface{})
+
+		secretURL := dek["secret_url"].(string)
+		sourceVaultId := dek["source_vault_id"].(string)
+		config.DiskEncryptionKey = &disk.KeyVaultAndSecretReference{
+			SecretURL:   &secretURL,
+			SourceVault: &disk.SourceVault{ID: &sourceVaultId},
+		}
+	}
+
+	if v := settings["key_encryption_key"].([]interface{}); len(v) > 0 {
+		kek := v[0].(map[string]interface{})
+
+		secretURL := kek["key_url"].(string)
+		sourceVaultId := kek["source_vault_id"].(string)
+		config.KeyEncryptionKey = &disk.KeyVaultAndKeyReference{
+			KeyURL:      &secretURL,
+			SourceVault: &disk.SourceVault{ID: &sourceVaultId},
+		}
+	}
+
+	return config
+}

builtin/providers/azurerm/resource_arm_managed_disk.go

@@ -2,12 +2,13 @@ package azurerm
 
 import (
 	"fmt"
-	"github.com/Azure/azure-sdk-for-go/arm/disk"
-	"github.com/hashicorp/terraform/helper/schema"
-	"github.com/hashicorp/terraform/helper/validation"
 	"log"
 	"net/http"
 	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/arm/disk"
+	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
 )
 
 func resourceArmManagedDisk() *schema.Resource {
@@ -83,6 +84,8 @@ func resourceArmManagedDisk() *schema.Resource {
 				ValidateFunc: validateDiskSizeGB,
 			},
 
+			"encryption_settings": encryptionSettingsSchema(),
+
 			"tags": tagsSchema(),
 		},
 	}
@@ -127,6 +130,13 @@ func resourceArmManagedDiskCreate(d *schema.ResourceData, meta interface{}) erro
 		diskSize := int32(v.(int))
 		createDisk.Properties.DiskSizeGB = &diskSize
 	}
+
+	if v := d.Get("encryption_settings").([]interface{}); len(v) > 0 {
+		encryptionSettings := v[0].(map[string]interface{})
+		es := expandManagedDiskEncryptionSettings(encryptionSettings)
+		createDisk.Properties.EncryptionSettings = es
+	}
+
 	createOption := d.Get("create_option").(string)
 
 	creationData := &disk.CreationData{
@@ -228,6 +238,9 @@ func flattenAzureRmManagedDiskProperties(d *schema.ResourceData, properties *dis
 	if properties.OsType != "" {
 		d.Set("os_type", string(properties.OsType))
 	}
+	if es := properties.EncryptionSettings; es != nil {
+		d.Set("encryption_settings", flattenManagedDiskEncryptionSettings(es))
+	}
 }
 
 func flattenAzureRmManagedDiskCreationData(d *schema.ResourceData, creationData *disk.CreationData) {

builtin/providers/azurerm/resource_arm_virtual_machine.go

@@ -220,7 +220,6 @@ func resourceArmVirtualMachine() *schema.Resource {
 						"managed_disk_id": {
 							Type:          schema.TypeString,
 							Optional:      true,
-							ForceNew:      true,
 							Computed:      true,
 							ConflictsWith: []string{"storage_data_disk.vhd_uri"},
 						},
@@ -1077,7 +1076,7 @@ func flattenAzureRmVirtualMachineOsDisk(disk *compute.OSDisk) []interface{} {
 	}
 
 	if es := disk.EncryptionSettings; es != nil {
-		result["encryption_settings"] = []interface{}{flattenRmDiskEncryptionSettings(es)}
+		result["encryption_settings"] = []interface{}{flattenVmDiskEncryptionSettings(es)}
 	}
 
 	return []interface{}{result}
@@ -1339,7 +1338,7 @@ func expandAzureRmVirtualMachineDataDisk(d *schema.ResourceData) ([]compute.Data
 		}
 		//END: code to be removed after GH-13016 is merged
 		if managedDiskID == "" && strings.EqualFold(string(data_disk.CreateOption), string(compute.Attach)) {
-			return nil, fmt.Errorf("[ERROR] Must specify managed disk id to attach to")
+			return nil, fmt.Errorf("[ERROR] If create_option is 'Attach', must specify the managed disk id to attach to")
 		}
 
 		if v := config["caching"].(string); v != "" {
@@ -1464,7 +1463,7 @@ func expandAzureRmVirtualMachineOsDisk(d *schema.ResourceData) (*compute.OSDisk,
 	}
 	//END: code to be removed after GH-13016 is merged
 	if managedDiskID == "" && strings.EqualFold(string(osDisk.CreateOption), string(compute.Attach)) {
-		return nil, fmt.Errorf("[ERROR] Must specify which disk to attach")
+		return nil, fmt.Errorf("[ERROR] If create_option is 'Attach', must specify the managed disk id to attach to")
 	}
 
 	if v := config["image_uri"].(string); v != "" {
@@ -1494,7 +1493,7 @@ func expandAzureRmVirtualMachineOsDisk(d *schema.ResourceData) (*compute.OSDisk,
 
 	if v := config["encryption_settings"].([]interface{}); len(v) > 0 {
 		encryptionSettings := v[0].(map[string]interface{})
-		es := expandAzureRmDiskEncryptionSettings(encryptionSettings)
+		es := expandVmDiskEncryptionSettings(encryptionSettings)
 		osDisk.EncryptionSettings = es
 	}
 

website/source/docs/providers/azurerm/r/managed_disk.html.markdown

@@ -90,8 +90,23 @@ The following arguments are supported:
     operation targets a source that contains an operating system. Valid values are `Linux` or `Windows`
 * `disk_size_gb` - (Required) Specifies the size of the managed disk to create in gigabytes.
     If `create_option` is `Copy`, then the value must be equal to or greater than the source's size.
+* `encryption_settings` - (Optional) Species the encryption settings for the disk as documented below. See [Azure Disk Encryption for Windows and Linux IaaS vms](https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption) for more information.
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 
+`encryption_settings` supports the following:
+
+* `enabled` - (Required) Specifies if the encryption is enabled. If false, disk_encryption_key and key_encryption_key must not be specified.
+* `disk_encryption_key` - (Optional) Specifies the location of the disk encryption key using `secret_url` and `source_vault_id` subproperties. Must be specified if enabled is true.
+* `key_encryption_key` - (Optional) Specifies the location of the key encryption key using `key_url` and `source_vault_id` subproperties.
+
+~> **Note:** An example `disk_encryption_key` could look like:
+```hcl
+disk_encryption_key {
+  secret_url = "https://{keyvaultname}.vault.azure.net/secrets/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+  source_vault_id = "/subscriptions/{subscription id}/resourceGroups/{resource group}/providers/Microsoft.KeyVault/vaults/{vault name}"
+}
+```
+
 For more information on managed disks, such as sizing options and pricing, please check out the
 [azure documentation](https://docs.microsoft.com/en-us/azure/storage/storage-managed-disks-overview).
 

website/source/docs/providers/azurerm/r/virtual_machine.html.markdown

@@ -354,8 +354,8 @@ For more information on the different example configurations, please check out t
 
 `encryption_settings` supports the following:
 
-* `enabled` - (Required) Specifies if the encryption is enabled.
-* `disk_encryption_key` - (Required) Specifies the location of the disk encryption key using `secret_url` and `source_vault_id` subproperties.
+* `enabled` - (Required) Specifies if the encryption is enabled. If false, disk_encryption_key and key_encryption_key must not be specified.
+* `disk_encryption_key` - (Optional) Specifies the location of the disk encryption key using `secret_url` and `source_vault_id` subproperties. Must be specified if enabled is true.
 * `key_encryption_key` - (Optional) Specifies the location of the key encryption key using `key_url` and `source_vault_id` subproperties.
 
 ~> **Note:** An example `disk_encryption_key` could look like: